‘Critical’ MakerDAO Vulnerability Could Have Frozen Voter Funds, Auditors Say

A critical vulnerability on the programmatic lending platform MakerDAO could have made user funds irretrievable, according to security audit firm Zeppelin.

The vulnerability was discovered in the last few weeks, and on Monday MakerDAO issued an urgent plea to token holders of the MakerDAO platform, writing on Reddit:

“In partnership with Coinbase and Zeppelin, the Maker Foundation has been participating in a second round of audits of the Maker Voting Contract. During this process, we discovered the need to make a critical update…You are advised to move your MKR out of the old contract and back into your personal wallet immediately.”

At the time, MKR token holders were not briefed on the exact nature of the issue, since the vulnerability could still have been exploited by an attacker had it been disclosed.

On Thursday, Zeppelin released a full disclosure outlining how the vulnerability could have moved user tokens and locked them permanently within the MakerDAO voting contract. According to the document, the vulnerability was discovered and analyzed between April 22 and 26, at which point the MakerDAO team was informed, with a fixed contract being subject to an audit on May 2.

Taking a step back, MakerDAO is the preeminent lending platform for popular dollar-pegged stablecoin DAI. MakerDAO is also a decentralized governance platform through which MKR token holders have the power to vote on and execute changes to the DAI lending protocol.

“How the MakerDAO system of governance works is that there are several proposals which are encoded as ethereum addresses and people can vote for one or the other by locking their MKR tokens in the chief voting contract,” explained head of research at Zeppelin Alejo Salles to CoinDesk.

In essence, the vulnerability disclosed by the Zeppelin team jeopardized the MKR tokens held within the MakerDAO voting contract. An attacker could have hypothetically moved tokens staked in favor of one MakerDAO governance proposal to another competing proposal and locked them in place forever.

Salles stressed to CoinDesk that MKR tokens were not able to be withdrawn from the MakerDAO voting contract but rather simply locked and moved.

More audits

This vulnerability, as far as Zeppelin is currently aware, hasn’t been exploited on the MakerDAO platform.

However, Salles noted that it did have the potential to effectively freeze $100 million worth of MKR tokens held in the original MakerDAO voting contract.

“This contract was very central in the MakerDAO system. It had privileges over many other things,” notes Salles to CoinDesk. “Security is very sensitive in the crypto industry and in this case was possible because the MakerDAO team still has enough funds to make the change.”

Indeed, the non-profit MakerDAO Foundation holds by far the largest share of MKR tokens, with over 25 percent of the 1 million total supply. Given the highly sensitive nature of the security vulnerability, the MakerDAO Foundation leveraged the funds at its disposal to secretly execute a state change without broader public awareness.

“In a more decentralized system, which is what MakerDAO will be in the near future, this would have been much worse,” warns Salles. “Because you have to coordinate all these people but at the same time not raise too much awareness of what’s going on. That’s sort of impossible.”

The code behind the MakerDAO voting contract is part of a larger library of code that was fully inspected back in 2017 by security firm Trail of Bits.

When asked whether Trail of Bits had known about the vulnerability disclosed today, CEO Dan Guido affirmed they did not but added that since 2017 “there have been many commits to that specific code and to many of its dependencies.”

Trail of Bits this month completed a new audit over highly-anticipated MakerDAO code to support multi-collateral DAI. As Guido told CoinDesk:

“In the course of our assessment of multi-collateral Dai, we discovered two low severity security issues that escaped identification by verification. The first issue escaped verification due to the attack’s reliance on the passage of time to pull it off. The second issue was economic in nature, and described an attack strategy to abuse the system based on its correct behavior. These issues were fixed immediately by MakerDAO.”

Due diligence

The secondary audit of the MakerDAO voting contract by Zeppelin was actually contracted by cryptocurrency exchange Coinbase. Coinbase has for some time been planning to enable a seamless interface with the MakerDAO voting platform for holders of MKR tokens.

“We spearheaded the audit as part of our due diligence process in supporting the MakerDAO voting capability within the Coinbase Custody product,” said Alan Leung, head of security for Coinbase Custody.

Leung explained that Coinbase clients holding MKR tokens were not comfortable directly interfacing with the MakerDAO voting protocol given that “they don’t know the risk or the risks outweigh the act of participation.”

According to Leung, part of Coinbase’s effort in supporting a third-party audit of the MakerDAO voting contract code was to ensure that the capabilities being built on Coinbase to interface with MakerDAO were secure.

“Our vision is to provide our customers a secure channel for network participation and as part of this process we dived fairly deeply into how the MakerDAO contract works and how voting works,” said Leung to CoinDesk.

With the vulnerability having been disclosed and addressed, Leung affirmed to CoinDesk that the intention to launch MKR voting capability on Coinbase Custody remains unchanged.

“We’ve done our homework in making sure [our interface] is the most secure way to participate in the MakerDAO network because we’re putting our label behind the action,” he told CoinDesk.
