MakerDAO is considering an update designed to fix a potential $340 million exploit.
On Monday, software developer Micah Zoltu published a Medium post claiming that the cost of an attack on the MakerDAO network would be just $20 million—with a potential $340 million to gain. Following the post, MakerDAO is polling its community over a potential solution. But, according to the MakerDAO team, the issue won't be fixed until Friday.
So, what was the attack vector?
MakerDAO is an Ethereum-based platform designed to manage the DAI stablecoin as well as other integrated systems within Maker's ecosystem. As such, the platform governs itself through on-chain voting, using polls to gauge community sentiment and "executive votes" to form binding proposals.
In essence, those holding the token get to have their opinion heard, and those holding the most of it get to make the final decision—giving them a large amount of control over the network.
Zoltu explains that Maker's latest DAO v2 release—also known as the Multi-Collateral DAI—was designed with two safeguards: emergency shutdown and governance delay.
The delay exists specifically to prevent a mass theft by whoever dominates the vote. Once an executive decision passes, it gives network participants a safety period in which to review the decision and accept or reject it, depending on whether it is malicious.
But here's the kicker: the delay was set to 0 seconds, giving those on the network exactly zero time to do anything about a malicious proposal.
According to Zoltu, with 40,000 MKR (roughly $20 million), a malicious actor could seize all of the funds held within MakerDAO—currently over $340 million worth of ETH. And the network would have been powerless to stop it.
He wrote, “It is worth noting that Maker Foundation could attack the system in this way right now if they wanted. What is worse, [venture capital firm] a16z has enough MKR on hand right now to execute the attack the patient way!”
Since the post and the subsequent backlash, MakerDAO has added a poll on the issue. If passed, it would change the delay to 24 hours, allowing sufficient time for a nefarious proposal to be noticed and thwarted.
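A toy simulation of the governance delay described above, added here as an illustration and not Maker's own contracts or code; the `GovernanceDelay` class, the spell name and the defender reaction time are assumptions. It shows why a 0-second delay leaves token holders no window at all, and that a 24-hour delay only helps if holders actually react within it.

```python
# Toy model of a governance timelock (added example, not MakerDAO's code).
# A "spell" (executive proposal) that wins the vote is scheduled and may only
# execute once `delay` seconds have elapsed; during that window token holders
# can notice a malicious spell and cancel it.

SECONDS_PER_DAY = 24 * 60 * 60


class GovernanceDelay:
    def __init__(self, delay: int):
        self.delay = delay
        self.now = 0          # simulated chain time, in seconds
        self.scheduled = {}   # spell name -> earliest execution time
        self.executed = []    # spells that actually took effect

    def schedule(self, spell: str) -> int:
        # Runs the moment the executive vote is won
        self.scheduled[spell] = self.now + self.delay
        return self.scheduled[spell]

    def cancel(self, spell: str) -> None:
        # Holders who spot a malicious spell inside the window vote it out
        self.scheduled.pop(spell, None)

    def execute(self, spell: str) -> None:
        eta = self.scheduled.get(spell)
        if eta is None or self.now < eta:
            raise PermissionError(f"{spell!r} is not executable yet")
        del self.scheduled[spell]
        self.executed.append(spell)

    def advance(self, seconds: int) -> None:
        self.now += seconds


def attack_outcome(delay: int, reaction_time: int) -> str:
    """Attacker schedules a hypothetical malicious spell and executes it as soon
    as the delay allows; defenders need `reaction_time` seconds to cancel it."""
    gov = GovernanceDelay(delay)
    gov.schedule("drain-collateral-spell")      # constructed spell name
    if reaction_time < delay:
        gov.advance(reaction_time)              # defenders react inside the window
        gov.cancel("drain-collateral-spell")
    gov.advance(max(delay - gov.now, 0))        # reach earliest execution time
    try:
        gov.execute("drain-collateral-spell")
        return "funds drained"
    except PermissionError:
        return "spell cancelled"
```

With `delay=0` the spell executes in the same instant it is scheduled, so no reaction time is short enough; with `delay=SECONDS_PER_DAY` a one-hour reaction cancels it, while a reaction slower than a day still loses.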
Currently, just 31 people have voted, with 99% in favor of adding the delay. These voters represent just four percent of the MakerDAO community. If the poll passes, the fix will go live on Friday, December 13, at 5 PM UTC. But this crisis has raised wider questions that a single post won't fix.