Maker community scrambles to fix long-standing vulnerability to flash loans

Published at: Oct. 29, 2020

The MakerDAO community is urgently implementing measures to prevent voting manipulation through flash loans. The push was precipitated by what is likely the first instance of flash loans being used to influence a decentralized finance governance vote, which took place on Monday.

According to a post published by community member "LongForWisdom," someone used a flash loan to force a governance proposal through. BProtocol, a service designed to create a more symbiotic relationship between Maker debt liquidators and users, came forward as the responsible party.

The proposal would have whitelisted the project to access Maker’s price oracle, making it possible to run decentralized keepers.

BProtocol used dYdX’s flash loan feature — an unbacked loan that is only granted if it is also returned within the same block. This requirement means that its users must have a predefined path for the money they borrow, and it is only useful for operations that can be completed instantly.

Maker community member "Monetsupply" explained to Cointelegraph that the governance contracts did not feature any lock-up period:

“Current MKR gov system allows voters to lock their tokens, immediately vote to pass a proposal, and then unlock the tokens all in the same block.”

Using flash loans to engage in governance can be seen as manipulative because the money is essentially free. Anyone could use them to execute their own proposals without being a Maker stakeholder.

The governance power available this way is limited by how much MKR is held in various DeFi protocols. In this specific case, MKR was sourced from Aave, but up to 64,000 MKR, worth $34 million, is available for flash loans. This is enough to influence at least some future governance proposals.

Because of this, the community is enacting emergency containment measures to make exploitation harder while it waits for a more definitive fix. A twelve-hour delay between proposals passing and being executed, introduced to allow the community to challenge malicious votes, will be extended to 72 hours.

Furthermore, the community is disabling circuit breakers that would allow governance to turn off oracles and liquidations, as malicious actors could abuse them to exploit the system for money.

The case that set off the alarms was relatively minor, with the founder of BProtocol saying that “We meant no harm, and no harm was made.” He further suggested that this was “aimed to trigger an internal technical discussion,” and that he did not expect such a dramatic community response.

A proposal to fix the underlying issue had been under discussion for at least three weeks, but “This incident made it much more urgent,” Monetsupply said.

A relatively simple solution involves measuring a user’s voting power from the tokens locked in the preceding block, thwarting any flash-loan-based attack. This fix is expected to be added soon by the Maker Foundation, though no concrete deadlines have been announced yet.
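The difference between counting the live locked balance and counting the balance from the preceding block can be seen in a small model. This is an added illustration, not MakerDAO's contract code; the class, function names, threshold and token amounts are constructed for the example.

```python
# Added example: toy model of token-weighted voting, not MakerDAO's contract code.
from collections import defaultdict

class Governance:
    def __init__(self, snapshot_fix, threshold):
        self.snapshot_fix = snapshot_fix      # True = count preceding-block balance
        self.threshold = threshold            # weight needed to pass (constructed)
        self.block = 1
        self.locked = defaultdict(int)        # voter -> tokens locked right now
        self.history = defaultdict(list)      # voter -> [(block, balance)]
        self.passed = False

    def mine(self):
        self.block += 1                       # advance to the next block

    def _set(self, voter, balance):
        self.locked[voter] = balance
        self.history[voter].append((self.block, balance))

    def lock(self, voter, amount):
        self._set(voter, self.locked[voter] + amount)

    def unlock(self, voter, amount):
        if amount > self.locked[voter]:
            raise ValueError("cannot unlock more than is locked")
        self._set(voter, self.locked[voter] - amount)

    def weight(self, voter):
        if not self.snapshot_fix:
            return self.locked[voter]         # weak: live balance, same block
        # fixed: last balance recorded strictly before the current block
        earlier = [bal for blk, bal in self.history[voter] if blk < self.block]
        return earlier[-1] if earlier else 0

    def vote(self, voter):
        counted = self.weight(voter)
        if counted >= self.threshold:
            self.passed = True                # passing is not undone by unlocking
        return counted

def same_block_vote(gov, voter, amount):
    """Lock, vote and unlock without a block in between (borrowed tokens)."""
    gov.lock(voter, amount)
    counted = gov.vote(voter)
    gov.unlock(voter, amount)                 # tokens leave again in the same block
    return counted

def held_vote(gov, voter, amount):
    """Lock, wait one block, then vote (tokens actually held)."""
    gov.lock(voter, amount)
    gov.mine()
    return gov.vote(voter)
```

With the snapshot rule, tokens that enter and leave within one block never appear in any earlier block's balance, so they carry zero weight, while a holder who keeps tokens locked across a block boundary votes with full weight.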

Some in the community see this incident as a good thing, as it was a long-standing issue that “should have been fixed before,” said forum member "TheoRochaix." As no harm seems to have been done, it is a much less expensive lesson than the Black Thursday auction failure.

Update, Nov. 2 12:30 UTC: The article was amended to better represent what BProtocol is.
