Rescuing 10% of asset security, MakerDAO fixes important vulnerabilities in multi-collateral systems

MakerDAO has patched an important vulnerability in its unlaunched multi-collateral Dai (MCD) upgrade that could put more than 10% of the system's collateral at risk.

Makerdao

The vulnerability was discovered by HackerOne user Lucash-dev, who reported the vulnerability through the HackerOne forum and received a $50,000 bonus for discovering this highly destructive vulnerability.

Chris Smith, senior software engineer at MakerDAO, said:

“Our auction system allows potential attackers to create a fake auction. Simply put a small amount of collateral to get a lot of DAI. The system will trust this number and use it as a credit for the collateral in the system, allowing hackers Take other collateral from the system."

This vulnerability could damage the MCD in the MakerDAO program. Lucash-dev said in his report that it "allows an attacker to steal all collateral stored in the MCD system during the liquidation phase – and may only need one transaction."

Lucash-dev said:

"If this happens in a formal environment, it will be catastrophic."

Fortunately, this MCD upgrade did not go live on the main network – it was discovered during the testing phase, users can not access the system.

Engineers at lucash-dev and MakerDAO have said that there is no risk of user funds.

According to the new MCD upgrade, users will be able to use the cryptocurrency outside Taifang as a collateral to issue a new Dai. The value of these “debt-backed bond positions” must match the Dai in circulation, because Dai is a representative currency – just as the dollar is supported by gold. A specific user can trigger a clearing mode to balance the system.

Lucash-dev said that the system has an error:

“The new multi-collateral DAI contract can enter the 'clearing mode' – this means that all DAI holders will only hold collateral corresponding to their pledge of DAI shares. This vulnerability allows attackers to trick the system into giving them arbitrarily The number of tokens (only in clearing mode), these tokens can be traded through all tokens that are collateral!"

The vulnerability exploits MCD's kick contract deployment, allowing users to post fake auctions, issue DAIs, and then redeem collateral.

Wouter Kampmann, director of engineering at MakerDAO, said that vulnerability tracking events like this are common.

“Through a process like this, you can check the system to make sure it is absolutely safe before starting.”

The vulnerability was released on August 28th and was fixed on September 26. Lucash-dev publicly disclosed the news on October 1.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more

Blockchain

How to "shock reduction" The risk control method of the head digital currency institution

Text | Editing by Li Zheweng | Produced by Bi Tongtong | PANews Risk is a word derived from the Italian word "RI...

Blockchain

Hackers are getting smarter, with the largest number of exchange attacks ever in 2019

Source | bitcoinmagazine Translation | Huohuo Sauce Production | Blockchain Camp (ID: blockchain_camp) Currently, maj...

Blockchain

In-depth explanation of Web3 game engine: Origins and development status of racing tracks, as well as network effects.

We are pleased to see the development process at every level, the release of new games, and the emergence of new engi...

Blockchain

Interpretation | FCoin Shutdown: A Quick Look at the Exchange's Death Stance

The content of today's interpretation is mainly divided into three aspects: The first aspect is the beginning an...

Blockchain

Lose user trust? "Black Thursday" has reduced BitMEX bitcoin holdings by nearly 40%

This article Source: Cointelegraph Chinese , Author: MICHAEL KAPILKOV, the original title "from the black since ...

Opinion

LianGuairadigm, the top cryptocurrency institution, is facing community resistance and significant changes in its leadership. What is happening?

Fred, co-founder of LianGuairadigm, has stepped down from his role as managing partner and will continue on as a gene...