PeckShield: MakerDAO governance contract upgrades new version, potential threats have been excluded

On May 7, PeckShield, a blockchain security company, found that MakerDAO's old governance contract had security holes. Once exploited, the MKR tokens that the user voted would be locked by the contract. Specifically: due to a flaw in the voting mechanism (vote(bytes32)) implemented by the governance contract, voting is allowed for a slate that does not yet exist (but contains a proposal that is voting). After the user votes, the attacker can maliciously call free() to exit, to reduce the legitimate votes of the valid proposal, and simultaneously lock the voter's MKR token. The next day, PeckShield Emergency and Maker Company synchronized the vulnerability details. In the early morning of May 10, MakerDAO announced a new version of the contract. Zeppelin and PeckShield also independently completed their own audit of the new contract and determined that the new version fixes the vulnerability. To date, 2,463 MKR tokens (worth approximately $1.28 million) have not been transferred in the old governance contract. It is reminded that DeFi contracts manage a large number of financial assets. The contract security is related to each investment user. DeFi project parties should make a contract security audit to avoid unnecessary loss of digital assets.