MakerDAO, the decentralized organization that runs on Ethereum, has disclosed an enormously dangerous security flaw that could’ve allowed an attacker to steal collateral powering its Dai stablecoin with a single transaction.
The bug, if exploited, would’ve resulted in a complete loss of funds for all Dai users making use of its upcoming Multi-Collateral Dai system, and was likely to have brought the entire MakerDAO ecosystem to its knees.
“The cost of performing the attack is almost zero — just the minimal denomination of each type of gem stolen plus gas,” wrote the researcher who discovered the flaw.
MakerDAO’s smart contract had almost zero access control
A HackerOne disclosure report reveals the attack would have been possible due to a complete lack of access control in a MakerDAO smart contract, specifically the contract that was to allow the system to auction collateral in exchange for Dai when loans are liquidated.
“A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value,” reads the disclosure. “Since the end contract trusts that value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract.”
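The flaw described in the disclosure, shown as an added Python model that is not part of the original article and is not MakerDAO's Solidity code: an auction contract whose `kick` accepts a caller-supplied bid, a settlement contract that trusts it, and the same pair with access control on `kick`. Apart from `kick`, every name here (`Flip`, `End`, `settle`, `authorized`, `liquidator`) and every amount is an assumption made for illustration.

```python
# Constructed toy model for illustration; not MakerDAO's Solidity code.

class Unauthorized(Exception):
    """Raised when a caller without permission invokes a guarded method."""


class Flip:
    """Toy collateral auction contract."""

    def __init__(self, authorized=None):
        # None models the flawed contract: no access control on kick().
        self.authorized = authorized
        self.auctions = {}  # auction id -> bid recorded at creation, in Dai
        self.next_id = 0

    def kick(self, caller, bid):
        # Hardened form: only approved system contracts may open an auction.
        if self.authorized is not None and caller not in self.authorized:
            raise Unauthorized(caller)
        self.next_id += 1
        self.auctions[self.next_id] = bid
        return self.next_id


class End:
    """Toy settlement contract that trusts the bid stored in Flip."""

    def __init__(self, flip):
        self.flip = flip
        self.dai = {}  # account -> Dai issued at settlement

    def settle(self, auction_id, recipient):
        # The stored bid is taken at face value, so its integrity depends
        # entirely on who was allowed to create the auction.
        bid = self.flip.auctions.pop(auction_id)
        self.dai[recipient] = self.dai.get(recipient, 0) + bid
        return bid


def dai_issued_to_outsider(flip, declared_bid=1_000_000):
    """Dai an unapproved caller receives for a bid value it simply declared."""
    end = End(flip)
    try:
        auction_id = flip.kick("outsider", declared_bid)
    except Unauthorized:
        return 0
    return end.settle(auction_id, "outsider")


print(dai_issued_to_outsider(Flip()))                           # flawed
print(dai_issued_to_outsider(Flip(authorized={"liquidator"})))  # hardened
```

The settlement side is identical in both runs; only the check on who may create an auction changes the outcome.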
Liquidation phases exist due to Dai being an “over-collateralized” asset, which means that all circulating Dai cryptocurrency is backed by a surplus of collateral tokens stored in smart contracts on the Ethereum blockchain.
Give an autonomous organization Ethereum to receive crypto loans
MakerDAO documentation explains that Dai loans can be liquidated when they’re deemed unsafe. These measures are in place to ensure there’s enough collateral in the system to guarantee the value of all outstanding Dai tokens, which are meant to have a value of $1.
This collateral is what hackers could have stolen, which could have led to the complete collapse of Dai once the Multi-Collateral Dai (MCD) system was implemented.
According to MakerScan, there’s currently 40,673.89 ETH ($7.2 million) locked as collateral in just one MakerDAO loan, and $270 million worth of Ethereum housed in MakerDAO in total – so the stakes were certain to be very high.
The bug was originally submitted for review on August 29th. Seven days ago, MakerDAO devs announced they had patched the code, and awarded the researcher $50,000 for their efforts.
That bounty may very well be a lot of money, but it certainly pales in comparison to the potentially huge stash of Ethereum cryptocurrency that could’ve been stolen at any time, if it weren’t for this one researcher.
Thank Satoshi for white-hat hackers.
Update 13:49 UTC, October 3: This article has been updated to clarify that the collateral at risk was that related to MakerDAO’s upcoming Multi-Collateral Dai system, which is currently not live on the Ethereum mainnet.
Amounts of collateral backing MakerDAO’s Dai stablecoin have also been corrected. We apologize for these mistakes.