At the start of December, the Maker Foundation hosted a number of governance polls on its website to ease rising concerns following allegations put forth by developer Micah Zoltu in regards to how hackers with enough financial resources could potentially carry out an attack on the MakerDAO network and steal close to $340 million.
As part of the initiative, the foundation’s interim risk team asked their global community of users if they should upgrade the platform’s native Governance Security Module from 0 seconds to 24 hours.
In its essence, the GSM allows MKR token holders to review any new changes that have been proposed for the MakerDAO ecosystem, thereby giving network participants a chance to act if any potential changes are deemed malicious.
The $340 million question
In regards to the matter, Zoltu published a blog on Dec. 9 claiming that any hacker with a disposable $20 million could potentially launch a full-scale attack on the MakerDAO network and pocket a cool $340 million worth of Ether (ETH). He was also quoted as saying:
“Maker DAO v2 was supposed to launch with safeguards against a hostile MKR holder stealing all collateral and potentially robbing a good chunk of Uniswap, Compound, and other systems integrated with Maker in the process. Instead, they decided not to.”
Zoltu’s primary point of contention is that MakerDAO’s operational framework is plagued by an extremely niche technical glitch — a small GSM-based time delay within the system each time it selects a new contract to execute.
While this delay allows the network time to decide whether the contract in question is malicious or not, hackers and third-party agents can potentially exploit the time lag to upvote their own contracts that have been programmed to steal all of the platform’s stored collateral.
Further elaborating on the network’s vulnerabilities, Zoltu added that hackers with 80,000 Maker (MKR) currently have the option of doing whatever they please with Maker’s native contracts. This is because the system’s current GSM delay quotient is set at 0 seconds — which leaves network defenders completely helpless against attacks initiated by wealthy, malicious agents.
Maker Foundation denies the issue
Ever since the issue came to the attention of the global crypto community, the MakerDAO team has refused to acknowledge any of Zoltu’s claims. Instead, they have sought to amend the problem by hosting a number of community polls and publishing blog posts outlining their potential plan of action in relation to the matter.
To gain a better understanding of the situation, Cointelegrah reached out to Robert Beadles, president of the Monarch crypto wallet. On the subject, he pointed out:
“Micah brings up some real concerns that appear to hold water. One of the problems with these decentralized smart contracts is that they are only as smart as the person who wrote them.”
Beadles went on to say that very few people in the world can find such vulnerabilities and exploit them, since crypto is still a very new phenomenon, adding that:
“One of the drawbacks of having open source code is that people who do understand it and have the time can find ways to break it or exploit it. If Micah is correct — and it looks like he is — they better patch this quick.”
A similar point of view is shared by Jefferey Liu Xun, the CEO of XanPool — a P2P fiat gateway. He told Cointelegraph that from a purely technical standpoint, Zoltu’s claims seem valid. Additionally, he believes that it is the goodwill of a few that is maintaining the integrity of the system — something that holds true in the crypto world for the vast majority of projects. Xun further added:
“As much as many projects would like to think that their system’s integrity comes from their technology, they are held together socially, depending on the goodwill of major stakeholders such as whales, and developers. Often when building a complex system on Ethereum, it’s difficult to measure ALL of the possible outcomes.”
Further elaborating on his position, Xun highlighted that a vast majority of users and node runners associated with a particular project almost never verify the code that they are running themselves, which puts them at the mercy of the developers and the foundation — essentially, trusting in their reputation and self-interest.
Not only that, but he also pointed out that a vast majority of all coin-based projects (like XRP) are controlled by a few major players who ultimately have the ability to manipulate the price of the currency. Cointelegraph also reached out to Lewis Daniels, chairman of investment firm Mayfair Ventures. He pointed out the following:
“As the Dai crypto is backed by a surplus in smart contracts on the Ethereum chain, making loans unsafe that can then go on to cause various liquidation issues, it’s these that are accessible due to the loophole within the smart contract.”
An easy vulnerability to rectify
While MakerDAO’s vulnerability issue may have caused quite the stir globally, the problem seems to be quite straightforward and can be corrected without any apparent difficulty.
On the issue, Pascal Thellmann, CEO of project reviews and guides platform CoinDiligent, told Cointelegraph that in his article, Zoltu has only really talked about the cost of obtaining the MKR tokens needed to perform the attack. However, he ignores the far greater costs associated with the potential legal consequences, the cost to launder and cash out the funds, and the risk of miner coordination to reverse the attack. Thellman then proceeded to add:
“The attack Zoltu outlines is not economically attractive for a regular individual. The only malicious actor that could execute this attack is a rogue nation-state, like North Korea, since they would not have to worry about potential legal consequences and are able to give use to the funds, regardless of them being tainted.”
Xun also believes that the problem is relatively easy to fix, noting that that Zoltu himself raised the problem before it was deprioritized by the Maker Foundation.
Denied to comment
While the vulnerabilities put forth by Zoltu may not be as serious as previously imagined, the fact that MakerDAO’s PR team have refused to fully acknowledge his assertions appears strange to both experts and the community.
Cointelegraph reached out to Maker with hopes of getting a clearer view on the situation, but a spokesperson for the organization refused to comment on the questionnaire submitted — instead citing a blog post issued by the company on Dec. 9.