Experts Claim Allegations on MakerDao Vulnerabilities Are Substantial

Published at: Dec. 18, 2019

At the start of December, the Maker Foundation hosted a number of governance polls on its website to ease rising concerns following allegations put forth by developer Micah Zoltu in regards to how hackers with enough financial resources could potentially carry out an attack on the MakerDAO network and steal close to $340 million.

As part of the initiative, the foundation’s interim risk team asked their global community of users if they should upgrade the platform’s native Governance Security Module from 0 seconds to 24 hours.

In its essence, the GSM allows MKR token holders to review any new changes that have been proposed for the MakerDAO ecosystem, thereby giving network participants a chance to act if any potential changes are deemed malicious.

The $340 million question

In regards to the matter, Zoltu published a blog on Dec. 9 claiming that any hacker with a disposable $20 million could potentially launch a full-scale attack on the MakerDAO network and pocket a cool $340 million worth of Ether (ETH). He was also quoted as saying:

“Maker DAO v2 was supposed to launch with safeguards against a hostile MKR holder stealing all collateral and potentially robbing a good chunk of Uniswap, Compound, and other systems integrated with Maker in the process. Instead, they decided not to.”

Zoltu’s primary point of contention is that MakerDAO’s operational framework is plagued by an extremely niche technical glitch — a small GSM-based time delay within the system each time it selects a new contract to execute.

While this delay allows the network time to decide whether the contract in question is malicious or not, hackers and third-party agents can potentially exploit the time lag to upvote their own contracts that have been programmed to steal all of the platform’s stored collateral.

Further elaborating on the network’s vulnerabilities, Zoltu added that hackers with 80,000 Maker (MKR) currently have the option of doing whatever they please with Maker’s native contracts. This is because the system’s current GSM delay quotient is set at 0 seconds — which leaves network defenders completely helpless against attacks initiated by wealthy, malicious agents.

Related: Could Blockchain Technology Prevent the Next Financial Crisis?

Maker Foundation denies the issue

Ever since the issue came to the attention of the global crypto community, the MakerDAO team has refused to acknowledge any of Zoltu’s claims. Instead, they have sought to amend the problem by hosting a number of community polls and publishing blog posts outlining their potential plan of action in relation to the matter.

To gain a better understanding of the situation, Cointelegrah reached out to Robert Beadles, president of the Monarch crypto wallet. On the subject, he pointed out:

“Micah brings up some real concerns that appear to hold water. One of the problems with these decentralized smart contracts is that they are only as smart as the person who wrote them.”

Beadles went on to say that very few people in the world can find such vulnerabilities and exploit them, since crypto is still a very new phenomenon, adding that:

“One of the drawbacks of having open source code is that people who do understand it and have the time can find ways to break it or exploit it. If Micah is correct — and it looks like he is — they better patch this quick.”

A similar point of view is shared by Jefferey Liu Xun, the CEO of XanPool — a P2P fiat gateway. He told Cointelegraph that from a purely technical standpoint, Zoltu’s claims seem valid. Additionally, he believes that it is the goodwill of a few that is maintaining the integrity of the system — something that holds true in the crypto world for the vast majority of projects. Xun further added:

“As much as many projects would like to think that their system’s integrity comes from their technology, they are held together socially, depending on the goodwill of major stakeholders such as whales, and developers. Often when building a complex system on Ethereum, it’s difficult to measure ALL of the possible outcomes.”

Further elaborating on his position, Xun highlighted that a vast majority of users and node runners associated with a particular project almost never verify the code that they are running themselves, which puts them at the mercy of the developers and the foundation — essentially, trusting in their reputation and self-interest.

Not only that, but he also pointed out that a vast majority of all coin-based projects (like XRP) are controlled by a few major players who ultimately have the ability to manipulate the price of the currency. Cointelegraph also reached out to Lewis Daniels, chairman of investment firm Mayfair Ventures. He pointed out the following:

“As the Dai crypto is backed by a surplus in smart contracts on the Ethereum chain, making loans unsafe that can then go on to cause various liquidation issues, it’s these that are accessible due to the loophole within the smart contract.”

An easy vulnerability to rectify

While MakerDAO’s vulnerability issue may have caused quite the stir globally, the problem seems to be quite straightforward and can be corrected without any apparent difficulty.

On the issue, Pascal Thellmann, CEO of project reviews and guides platform CoinDiligent, told Cointelegraph that in his article, Zoltu has only really talked about the cost of obtaining the MKR tokens needed to perform the attack. However, he ignores the far greater costs associated with the potential legal consequences, the cost to launder and cash out the funds, and the risk of miner coordination to reverse the attack. Thellman then proceeded to add:

“The attack Zoltu outlines is not economically attractive for a regular individual. The only malicious actor that could execute this attack is a rogue nation-state, like North Korea, since they would not have to worry about potential legal consequences and are able to give use to the funds, regardless of them being tainted.”

Xun also believes that the problem is relatively easy to fix, noting that that Zoltu himself raised the problem before it was deprioritized by the Maker Foundation.

Denied to comment

While the vulnerabilities put forth by Zoltu may not be as serious as previously imagined, the fact that MakerDAO’s PR team have refused to fully acknowledge his assertions appears strange to both experts and the community.

Cointelegraph reached out to Maker with hopes of getting a clearer view on the situation, but a spokesperson for the organization refused to comment on the questionnaire submitted — instead citing a blog post issued by the company on Dec. 9.

Tags
Blockchain
Cryptocurrencies
Related Posts
Altcoins notch triple-digit gains as Bitcoin price pushes toward $60K
If this past weekend is any indication of the current bull market cycle, then an altcoin season may be well underway. Similar to previous cycles, after Bitcoin (BTC) makes a significant run-up in price and then enters a consolidation period, funds begin to migrate into large and small market cap altcoins. Data from Cointelegraph Markets and TradingView shows that while Bitcoin traded in a range between $57,000 and $60,200 over the past week, multiple altcoins saw double-digit gains as exchange listings and protocol developments brought a new wave of enthusiasm and trading volume for select projects. Tron ecosystem leads the …
Blockchain / April 6, 2021
XRP price surges 55% to a 3-year high amid push for financial inclusivity
The price of XRP saw a 55% breakout over the past two days as the sixth-ranked cryptocurrency by market capitalization has renewed its focus on the creation of a cross-border payment network that is inclusive and sustainable. Data from Cointelegraph Markets and TradingView shows that XRP dropped to a low of $0.566 in the early hours on April 4 before a wave of trading volume helped lift its price to a high of $0.877 within the last few hours. The uptick in trading volume was sparked after Ripple posted a blog titled “Creating a More Financially Inclusive and Sustainable Future” …
Blockchain / April 5, 2021
Major Bank CEOs Testify at US Congress, Topics Include Blockchain and Crypto
Chief executive officers of leading banks testified before the United States House of Representatives Financial Services Committee on April 10 on how the banking industry has transformed since the 2008 financial crisis. Among many topics spanning the breadth of the banking industry, the CEOs and lawmakers discussed blockchain technology and cryptocurrencies. During his allotted time for questioning, Rep. Warren Davidson (R) argued that the industry is entering into a new era of innovation, wherein blockchain technology is transforming existing financial systems, as well as cybersecurity. Davidson also noted that the U.S. is currently staggering behind due to regulatory certainty issues. …
Blockchain / April 10, 2019
Swiss National Bank Board Director: Central Banks’ Interest in Issuing Crypto Has Waned
Thomas Moser, a board director at the Swiss National Bank (SNB), believes that central banks’ interest in developing central bank-issued digital currencies (CBDCs) has now waned, Business Insider reports today, June 23. Moser told Business Insider at this week’s Zug Crypto Valley Conference that although there was initial interest among central banks in issuing CBDC or a national cryptocurrency, “enthusiasm has slowed again because of the implications it would have for financial stability:” "The whole technical issue, which excited everyone, really takes second place to this conceptual policy issue. The mood now is: everyone is monitoring it, some are experimenting …
Blockchain / June 23, 2018
Finblox withdrawal restrictions trigger concerns from the community
Finblox, a crypto-staking platform backed by Three Arrows Capital (3AC) has paused reward distributions and tightened its withdrawal limits. Following this, community members expressed concerns over their assets, with some calling for transparency and bringing up decentralization. In a tweet, Finblox announced that the firm is assessing the effects of 3AC’s situation on its liquidity. While the firm does this, it highlighted, Finblox has paused its reward distribution for all of its users and lowered its monthly withdrawal limit to $1,500. Many of the platform’s users were disappointed with the news, sharing their frustrations about not being able to withdraw …
Blockchain / June 17, 2022