Maker (MKR), the native token of MakerDAO, the Ethereum-based decentralized finance platform, has remained largely unmoved on the market despite the exposure of a potentially major loophole in the protocol, which prompted a swift reaction from the foundation.
In the face of yesterday’s potentially bad news, followed by a quick response from the Maker Foundation, MKR, ranked 21st by market capitalization, has traded sideways over the past 24 hours. It is currently (13:08 UTC) trading at c. USD 493, unchanged in a day, while the price has dropped by 6% in a week.
MKR price chart:
It all started with a blog post by Micah Zoltu, a freelance developer and co-author of the original white paper for the Augur prediction market, in which he exposes a loophole in MakerDAO that can be exploited by a hacker. He describes a very expensive attack that could potentially drain all USD 340 million worth of Ethereum (ETH) that users have locked into the Maker protocol to get loans in DAI. As there are no safeguard features in place, anyone with MKR 40,000 (c. USD 20 million) “can steal all of the collateral in MakerDAO, both DAI and SAI, along with a good chunk of assets from Compound, Uniswap, and other Maker integrated systems,” warned Zoltu. As a matter of fact, he says, the Maker Foundation has set zero seconds for a defense against such an attack.
Zoltu adds that a quadrillion DAI could also be minted; that a smart contract could be created in which people who don’t trust each other can collude under a strict set of rules; and that the Maker Foundation could technically attack the system in the described way right now if it wanted.
The Maker Foundation responded to this post quickly, saying that:
- the community previously considered the exploit and decided it wasn’t an immediate issue, but its probability increased due to potential publicity from Zoltu’s post;
- the introduction of the Governance Security Module (GSM) into the core protocol is planned next, and now an additional Poll is added to the governance portal for the community to include the GSM in the Executive vote on Friday;
- if the change is accepted, the GSM delay will be increased from 0 to 24 hours;
- improvements and updates to the Maker protocol will be presented to governance for consideration over the coming months.
While a 24-hour delay is “significantly better” than a 0-hour one, Zoltu recommends a delay of about a week, as “an attacker can probably still execute the attack by timing it to coincide with a distracting event like a holiday or DevCon,” he said, adding that the risk for the attacker is minimal.
Many commenters agreed that Maker and the community should focus more on security, whether they believe the failure of Maker would only damage Ethereum’s reputation or that it would spell Ethereum’s demise.
Meanwhile, others, such as ‘lex-node’, state that MakerDAO needs a quorum requirement on MKR votes to improve governance and mitigate this type of attack, despite the delays it may cause.