Rescuing 10% of asset security, MakerDAO fixes important vulnerabilities in multi-collateral systems

MakerDAO has patched an important vulnerability in its unlaunched multi-collateral Dai (MCD) upgrade that could put more than 10% of the system's collateral at risk.


The vulnerability was discovered by HackerOne user Lucash-dev, who reported the vulnerability through the HackerOne forum and received a $50,000 bonus for discovering this highly destructive vulnerability.

Chris Smith, senior software engineer at MakerDAO, said:

“Our auction system allows potential attackers to create a fake auction. Simply put a small amount of collateral to get a lot of DAI. The system will trust this number and use it as a credit for the collateral in the system, allowing hackers Take other collateral from the system."

This vulnerability could damage the MCD in the MakerDAO program. Lucash-dev said in his report that it "allows an attacker to steal all collateral stored in the MCD system during the liquidation phase – and may only need one transaction."

Lucash-dev said:

"If this happens in a formal environment, it will be catastrophic."

Fortunately, this MCD upgrade did not go live on the main network – it was discovered during the testing phase, users can not access the system.

Engineers at lucash-dev and MakerDAO have said that there is no risk of user funds.

According to the new MCD upgrade, users will be able to use the cryptocurrency outside Taifang as a collateral to issue a new Dai. The value of these “debt-backed bond positions” must match the Dai in circulation, because Dai is a representative currency – just as the dollar is supported by gold. A specific user can trigger a clearing mode to balance the system.

Lucash-dev said that the system has an error:

“The new multi-collateral DAI contract can enter the 'clearing mode' – this means that all DAI holders will only hold collateral corresponding to their pledge of DAI shares. This vulnerability allows attackers to trick the system into giving them arbitrarily The number of tokens (only in clearing mode), these tokens can be traded through all tokens that are collateral!"

The vulnerability exploits MCD's kick contract deployment, allowing users to post fake auctions, issue DAIs, and then redeem collateral.

Wouter Kampmann, director of engineering at MakerDAO, said that vulnerability tracking events like this are common.

“Through a process like this, you can check the system to make sure it is absolutely safe before starting.”

The vulnerability was released on August 28th and was fixed on September 26. Lucash-dev publicly disclosed the news on October 1.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!


Was this article helpful?

93 out of 132 found this helpful

Discover more


The Core Seed Abstraction Innovation: Wallets Without the Hassle!

Fashionista, get ready for the latest innovation in crypto wallet technology from Core Protocol! They are revolutioni...


Binance Exchange: Playing Nice with Regulators and Clearing the Air

Fashion-forward Binance announces major strides in regulatory partnerships.


The 54th World Economic Forum in Davos: Rebuilding Trust

The Davos 2024 World Economic Forum brings together influential leaders from around the world to address a wide range...


Dominance of Stablecoin Issuance: USDT and USDC Surge 📈💸

KuCoin Research has released its March report, showcasing the significant role of Tether (USDT) stablecoin issuance i...


The Dencun Upgrade: Revolutionizing Ethereum’s Efficiency and Reducing Gas Fees

The Ethereum ecosystem is taking a positive step towards boosting transaction speeds with the impending release of th...


Reddit IPO: All You Need to Know About the Popular Social Media Platform’s Public Offering

Exciting news for investors and social media enthusiasts, as Reddit, one of the top platforms in the United States, p...