Critical MakerDAO bug would've let hackers steal all your money

Crypto funds held in a soon-to-be launched MakerDAO smart contract could have been completely drained by a malicious attacker, it was revealed Thursday.

MakerDAO issues the DAI stablecoin, which is backed by ether (ETH) and nominally pegged to the US dollar. The platform will soon allow users to generate “multi-collateral” DAI tokens backed by a variety of cryptocurrencies. 

On Thursday, a security researcher disclosed a flaw in the multi-collateral contract that would have allowed a hacker to steal all of the funds staked.

The flaw was embedded in the smart contract’s auction function, the process by which stakeholders auction off their crypto funds when DAI holders’ collateral drops in value. If the value of that collateral drops too far, the stablecoin won't be fully backed—which is problematic, to say the least. A liquidation mechanism stops the whole system falling apart.

A white hat hacker found that throughout this auction process⁠, for mere pennies, the smart contract could be exploited to siphon off all the collateral. “The cost of performing the attack is almost zero—just the minimal denomination of each type of gem stolen plus gas,” wrote the researcher who discovered the flaw.

That’s a lot of money at risk—MakerDAO’s smart contracts currently account for $270 million worth of ether, the only cryptocurrency that can currently be deposited into contracts.

But all’s well that ends well—the code was patched in early September, with the researcher pocketing a $50,000 bug bounty. Which they can stake on MakerDAO, if the mood takes them.