A software developer claims to have found a way in which to make an “incredibly profitable” but “expensive” attack to steal all the Ethereum available in MakerDAO.
Micah Zoltu described the potential attack in a blog post published on Monday, noting a successful attack could see the hacker “ride off into the sunset with $340 million worth of Ethereum.”
“The problem is, Maker Foundation has decided that the appropriate value for this governance delay is 0 seconds. That is right, defenders have 0 seconds to defend against an attack launched by a wealthy but malicious party,” he adds in the post.
The issue, Zoltu notes, lies in the way in which MakerDao is governed. “Some groups of plutocrats can control how the system behaves.”
In order to carry out the attack, the hacker would have to deploy approximately $20 million (40,000 MKR), which wouldn’t necessarily be straightforward. CoinDesk reports that the person would need to buy MKR without affecting the price, which is, of course, unlikely.
Zoltu claims Maker has been aware of the issue since before Maker v2 launched.
“Despite this, they are choosing not to plug the hole (the plug is easy). Because of that, I do not believe that it would be responsible for me to keep my mouth shut and hope that no attacker figures out what should be obvious to anyone who understands Maker’s governance model,” he notes.
Back in October, MakerDAO disclosed another dangerous security flaw that could have potentially allowed an attacker to steal Ethereum ETH powering its then-unreleased multi-collateral Dai with a single transaction. This could’ve done untold damage to the credibility of the MakerDAO system.
At the time, a HackerOne disclosure report revealed the attack was made possible due to the complete lack of access control in a MakerDAO smart contract, which allows the system to auction collateral in exchange for DAI cryptocurrency once loans are liquidated.
Published December 9, 2019 — 16:20 UTC
December 9, 2019 — 16:20 UTC