340 million USD ETH collateral risks increase, MakerDAO may need urgent upgrade

The Maker Foundation has added a new poll to its governance portal aimed at introducing a 24-hour governance delay proposal into its agreement, after a community member discovered a loophole that could compromise the value of the system 3.4 Billion USD ETH Collateral.

Image source: Theblock

On Monday, free developer Micah Zoltu published a blog post warning the public about a security breach in MakerDAO, the protocol behind ERC20 synthetic stable coin Dai. According to Zoltu, since there are currently no safeguards regarding emergency shutdowns and governance delays, anyone with a large amount of MKR tokens can simply create an execution contract that is programmed to transfer all collateral from Maker to their Account, vote immediately and activate the contract, and can effectively steal all Maker's collateral.

• Ethereum upgrade travel map: a review of upgrade history and future planning
• Explore the Stratum V2 (Stratum V2), how to achieve the decentralization of Bitcoin mining?
• A week's observation: the trend of digital currencies, Chinese and foreign central banks grab the lead

In response to Zoltu's queries, MakerDAO published an official blog post claiming that Zoltu's article increased the likelihood that hackers could exploit this vulnerability. As a result, they added an additional poll to determine if a Governance Security Module (GSM) was introduced. If the proposal is passed, the governance security module (GSM) delay will increase from 0 hours to 24 hours.

Funds are no longer safe

In his blog post, Zoltu elaborated on how vulnerabilities can lead to serious attacks, "how to turn $ 20 million into $ 340 million in 15 seconds", and he claims that any "good-level script kid Scholars "can be easily implemented.

He explained that currently, about 80,000 MKR is pledged on the current execution contract, which means that anyone holding more than this token can pass any proposal of their choice. To make matters worse, he said, because these tokens are likely to be split into two contracts, each of which contains 40,000 MKR, so an attacker can find the right time to steal the system with only about $ 20 million All collateral.

Generally, to mitigate such malicious attacks, there will be a delay before a new execution contract is activated, giving community members the ability and time to mark and close the contract. However, because the delay is currently set to 0 seconds, this type of theft cannot be prevented.

He said:

"This is not #DeFi, but #CeFi." "Unlike only one person can steal all your money (bank), a bank or many large holders or a group of small holders can decide to steal all your money at any time . "

New poll

On November 18, MakerDao launched the Multi-Mortgage DAI (MCD) MakerDAO protocol, an upgrade of its single mortgage system, which allows almost all tokenized assets with appropriate risk parameters to act as collateral in its system.

According to Wouter Kampmann, its engineering director, MakerDAO has always planned to implement such governance delays. However, as the system is still very new, the community needs to first agree on what regular governance can avoid delays. The team has been waiting for consensus to roll out a delay mechanism.

Kampmann says:

"The MakerDAO multi-collateral system has only been launched for three weeks. We are still looking for the required governance model, especially because the migration of single-collateral DAI is still continuing. I think it is not reasonable to resolve this issue immediately after the new system goes live . "

However, after Zoltu's article received widespread attention, the MakerDAO team decided that the risk of hacking had increased and therefore decided to increase the implementation priority of the proposal.

MakerDAO's blog post says:

"The community has previously considered the possibility of hackers exploiting this vulnerability, and believes that this is not a direct problem. However, the potential of hackers to exploit this vulnerability has increased due to the potential publicity of this vulnerability by the aforementioned blog. Prior to the regular debate and consensus-seeking process, a poll is now available to the community to ease the use of this hypothetical loophole. "

We will continue to update Blocking; if you have any questions or suggestions, please contact us!