Maker DAO Had a Critical Flaw That Could Have Led to the Theft of $340 Million of Ethereum (ETH) and Billions of Dollars of Additional Damage, Maker Foundation Reluctantly Patches This Security Flaw After Vulnerability Goes Public

December 11, 2019 / by Zachary Mashiach

The co-author of the Augur whitepaper, Micah Zoltu, publicly announced that up until Dec. 9 Maker DAO had a potentially catastrophic security flaw that could have led to the theft of $340 million of Ethereum (ETH) from the Maker DAO smart contract. Now, the Maker Foundation has patched this critical flaw and seems to point the finger at Zoltu for publicly posting the information about this security flaw, even though Zoltu may have prevented a catastrophe. In this article, we will explore this security flaw in-depth and how it was patched.

The Maker decentralized autonomous organization (DAO) is a decentralized blockchain-based governance protocol, and it is the backbone of the decentralized finance (DeFi) sector. Maker DAO itself is the top platform for lending money via collecting crypto collateral. Specifically, users can receive loans in the form of Dai stablecoins for putting up Ethereum (ETH) as collateral.

The problem up until now has been that anyone with enough Maker (MKR) could vote for a new governance protocol and instantly bring that new governance protocol into effect. An attacker could literally make a governance protocol that erases the entire Maker DAO system and simply transfer all of the Ethereum (ETH) held in the Maker DAO smart contract to their own wallet.

There is supposed to be a governance delay that delays the implementation of a new governance protocol by a certain time. However, this governance delay has been set to zero to facilitate instant changes in governance.

There are about 80,000 Maker (MKR) staked on the current Maker DAO governance protocol; therefore, it would only take 80,000 Maker (MKR) to vote for a new governance protocol. Further, when governance protocols change, there is a slow migration of Maker (MKR) from the old governance protocol to the new governance protocol, and at some point, the old and new governance protocols have 40,000 Maker (MKR) staked each. Therefore, with a script that monitors the transfer of funds from the old governance protocol to the new one, this attack can be performed for 40,000 Maker (MKR).

If 80,000 Maker (MKR) is used to perform this attack instantly, the cost is $40 million. If the attack is done the slower way for 40,000 Maker (MKR), the cost is $20 million.

While the cost of doing the attack sounds like a lot, it is relatively small in the crypto world. Indeed, four wallets hold enough to perform the attack, including the Maker Foundation, hedge fund a16z, and two unknown wallets.

Also, Zoltu describes how an Ethereum (ETH) smart contract could be made where people deposit Maker (MKR) until the 40,000 Maker (MKR) level is reached, at which point the Maker DAO smart contract is emptied and participants split up the profits. In essence, this attack could be easily crowdsourced.

The attack would be highly profitable for the attacker and catastrophic for the crypto space. For the cost of $20-40 million, the attacker would be able to instantly drain $340 million of Ethereum (ETH) from the MakerDAO smart contract. The attacker could then print as much Dai as they want, and steal all of the liquidity from Uniswap on the Dai/Ethereum (ETH) trading pair, as well as drain all the collateral out of Compound. Other decentralized exchanges at risk would be IDEX, Paradex, and RadarRelay.

Further, the value of Dai and Maker (MKR) would collapse to zero, instantly wiping out $550 million from the crypto market cap. Ethereum’s (ETH) price would likely plunge as well in response to this spectacular failure of DeFi, which could easily cause billions of dollars in losses.

Fortunately, this scenario will never happen to Maker DAO and its surrounding ecosystem since, after the post by Zoltu, the Maker Foundation implemented a governance delay of 24 hours. This means that the Maker DAO community would have 24 hours to stop such an attack.

Maker DAO says they have been aware of this issue for a long time, and indeed Zoltu says in his blog post that he contacted Maker DAO about this problem multiple times. According to Zoltu, the Maker Foundation has said they do not want to institute a governance delay since this type of hack has not been a problem so far. They also say it is too expensive for anyone but a few people to execute, and they would take legal action against an attacker. It is hard for an attacker to perform this attack anonymously, and that it is a known risk, but there may be other unknown risks that are worse.

Maker DAO seemingly ‘blames’ Zoltu for going public, which forced them to implement the 24-hour governance delay. Maker DAO says the lack of governance delay made it so the community could take instant action to correct technical errors, oracle malfunctions, and market panics or economic attacks.

In any case, the vulnerability that could lead to an attack like the one we describe in this article has been patched, and the entire DeFi system is safer. That being said, Maker DAO is not the only DAO, and other blockchain-based DAOs should make sure they are not vulnerable to this type of attack.