Rescuing 10% of asset security, MakerDAO fixes important vulnerabilities in multi-collateral systems

MakerDAO has patched an important vulnerability in its unlaunched multi-collateral Dai (MCD) upgrade that could put more than 10% of the system's collateral at risk.


The vulnerability was discovered by HackerOne user Lucash-dev, who reported the vulnerability through the HackerOne forum and received a $50,000 bonus for discovering this highly destructive vulnerability.

Chris Smith, senior software engineer at MakerDAO, said:

“Our auction system allows potential attackers to create a fake auction. Simply put a small amount of collateral to get a lot of DAI. The system will trust this number and use it as a credit for the collateral in the system, allowing hackers Take other collateral from the system."

This vulnerability could damage the MCD in the MakerDAO program. Lucash-dev said in his report that it "allows an attacker to steal all collateral stored in the MCD system during the liquidation phase – and may only need one transaction."

Lucash-dev said:

"If this happens in a formal environment, it will be catastrophic."

Fortunately, this MCD upgrade did not go live on the main network – it was discovered during the testing phase, users can not access the system.

Engineers at lucash-dev and MakerDAO have said that there is no risk of user funds.

According to the new MCD upgrade, users will be able to use the cryptocurrency outside Taifang as a collateral to issue a new Dai. The value of these “debt-backed bond positions” must match the Dai in circulation, because Dai is a representative currency – just as the dollar is supported by gold. A specific user can trigger a clearing mode to balance the system.

Lucash-dev said that the system has an error:

“The new multi-collateral DAI contract can enter the 'clearing mode' – this means that all DAI holders will only hold collateral corresponding to their pledge of DAI shares. This vulnerability allows attackers to trick the system into giving them arbitrarily The number of tokens (only in clearing mode), these tokens can be traded through all tokens that are collateral!"

The vulnerability exploits MCD's kick contract deployment, allowing users to post fake auctions, issue DAIs, and then redeem collateral.

Wouter Kampmann, director of engineering at MakerDAO, said that vulnerability tracking events like this are common.

“Through a process like this, you can check the system to make sure it is absolutely safe before starting.”

The vulnerability was released on August 28th and was fixed on September 26. Lucash-dev publicly disclosed the news on October 1.