Rescuing 10% of asset security, MakerDAO fixes important vulnerabilities in multi-collateral systems

MakerDAO has patched an important vulnerability in its unlaunched multi-collateral Dai (MCD) upgrade that could put more than 10% of the system's collateral at risk.

Makerdao

The vulnerability was discovered by HackerOne user Lucash-dev, who reported the vulnerability through the HackerOne forum and received a $50,000 bonus for discovering this highly destructive vulnerability.

Chris Smith, senior software engineer at MakerDAO, said:

“Our auction system allows potential attackers to create a fake auction. Simply put a small amount of collateral to get a lot of DAI. The system will trust this number and use it as a credit for the collateral in the system, allowing hackers Take other collateral from the system."

This vulnerability could damage the MCD in the MakerDAO program. Lucash-dev said in his report that it "allows an attacker to steal all collateral stored in the MCD system during the liquidation phase – and may only need one transaction."

Lucash-dev said:

"If this happens in a formal environment, it will be catastrophic."

Fortunately, this MCD upgrade did not go live on the main network – it was discovered during the testing phase, users can not access the system.

Engineers at lucash-dev and MakerDAO have said that there is no risk of user funds.

According to the new MCD upgrade, users will be able to use the cryptocurrency outside Taifang as a collateral to issue a new Dai. The value of these “debt-backed bond positions” must match the Dai in circulation, because Dai is a representative currency – just as the dollar is supported by gold. A specific user can trigger a clearing mode to balance the system.

Lucash-dev said that the system has an error:

“The new multi-collateral DAI contract can enter the 'clearing mode' – this means that all DAI holders will only hold collateral corresponding to their pledge of DAI shares. This vulnerability allows attackers to trick the system into giving them arbitrarily The number of tokens (only in clearing mode), these tokens can be traded through all tokens that are collateral!"

The vulnerability exploits MCD's kick contract deployment, allowing users to post fake auctions, issue DAIs, and then redeem collateral.

Wouter Kampmann, director of engineering at MakerDAO, said that vulnerability tracking events like this are common.

“Through a process like this, you can check the system to make sure it is absolutely safe before starting.”

The vulnerability was released on August 28th and was fixed on September 26. Lucash-dev publicly disclosed the news on October 1.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more

Blockchain

Get Ready for a Jaw-Dropping 90% Asset Return by Q2 2024 FTX Customers in for a Thrilling Ride with New Amended Proposal!

Exciting news for customers of defunct cryptocurrency exchanges FTX and FTX.US - an updated proposal offers hope of r...

Policy

Jurors buckle up as Sam Bankman-Fried's criminal trial takes off with riveting jury directions

SBF faces seven charges of financial fraud in connection with FTX's downfall in November.

News

Inventory of Seven Bills that Could Determine the Future of Cryptocurrency in the United States

Author | DL NEWS compilation | Garyma Wu said the original link of the blockchain https//www.dlnews.com/articles/defi...

Blockchain

Behind 106 market cases, we discovered the impact of the BTC spot market structure on price discovery

(Onion Note: "Price Discovery refers to the process by which buyers and sellers reach a transaction price for th...

Blockchain

Bloomberg: The currency stability exchange's own stable currency will be issued in "weeks to one or two months"

According to Bloomberg News, Wei Zhou, chief financial officer of Binance, the main cryptocurrency exchange, said in ...

Blockchain

The real life of the owner of the exchange: the horror of the thief, the night can not linger

Xu Mingxing once dreamed that someone had kidnapped him and asked him to hand over Bitcoin. Awakened in his dream, he...