‘Critical’ MakerDAO Vulnerability Could Have Frozen Voter Funds, Auditors Say

9 May 2019

A critical vulnerability on the programmatic lending platform MakerDAO could have made user funds irretrievable, according to security audit firm Zeppelin.

The vulnerability was discovered in the last few weeks, and on Monday MakerDAO issued an urgent plea to token holders of the MakerDAO platform, writing on Reddit:

“In partnership with Coinbase and Zeppelin, the Maker Foundation has been participating in a second round of audits of the Maker Voting Contract. During this process, we discovered the need to make a critical update…You are advised to move your MKR out of the old contract and back into your personal wallet immediately.”

At the time, MKR token holders were not told the exact nature of the issue, given that the vulnerability could still be exploited by an attacker if disclosed.

On Thursday, Zeppelin released a full disclosure outlining how the vulnerability could have moved user tokens and locked them permanently within the MakerDAO voting contract. According to the document, the vulnerability was discovered and analyzed between April 22 and 26, at which point the MakerDAO team was informed, with a fixed contract being subject to an audit on May 2.

A separate post on the MakerDAO subreddit discussed the vulnerability and shared information about the new and uncompromised voting contract. “Due to the exploit, the usual weekly cadence of Governance Polling and Executive Voting was paused as MKR holders transitioned themselves out of the old contract,” the post explained.

Taking a step back, MakerDAO is the preeminent lending platform for popular dollar-pegged stablecoin DAI. MakerDAO is also a decentralized governance platform through which MKR token holders have the power to vote on and execute changes to the DAI lending protocol.

“How the MakerDAO system of governance works is that there are several proposals which are encoded as ethereum addresses and people can vote for one or the other by locking their MKR tokens in the chief voting contract,” Alejo Salles, head of research at Zeppelin, explained to CoinDesk.

In essence, the vulnerability disclosed by the Zeppelin team jeopardized the MKR tokens held within the MakerDAO voting contract. An attacker could have hypothetically moved tokens staked in favor of one MakerDAO governance proposal to another competing proposal and locked them in place forever.

Salles stressed to CoinDesk that an attacker could not have withdrawn MKR tokens from the MakerDAO voting contract, only moved and locked them.

More audits

This vulnerability, as far as Zeppelin is currently aware, hasn’t been exploited on the MakerDAO platform.

However, Salles noted that it did have the potential to effectively freeze $100 million worth of MKR tokens held in the original MakerDAO voting contract.

“This contract was very central in the MakerDAO system. It had privileges over many other things,” notes Salles to CoinDesk. “Security is very sensitive in the crypto industry and in this case was possible because the MakerDAO team still has enough funds to make the change.”

Indeed, the non-profit MakerDAO Foundation holds by far the largest share of MKR tokens, with over 25 percent of the 1 million total supply. Given the highly sensitive nature of the security vulnerability, the MakerDAO Foundation leveraged the funds at its disposal to secretly execute a state change without broader public awareness.

“In a more decentralized system, which is what MakerDAO will be in the near future, this would have been much worse,” warns Salles. “Because you have to coordinate all these people but at the same time not raise too much awareness of what’s going on. That’s sort of impossible.”

The code behind the MakerDAO voting contract is part of a larger library of code that was fully inspected back in 2017 by security firm Trail of Bits.

When asked whether Trail of Bits had known about the vulnerability disclosed today, CEO Dan Guido affirmed they did not but added that since 2017 “there have been many commits to that specific code and to many of its dependencies.”

Trail of Bits this month completed a new audit over highly-anticipated MakerDAO code to support multi-collateral DAI. As Guido told CoinDesk:

“In the course of our assessment of multi-collateral Dai, we discovered two low severity security issues that escaped identification by verification. The first issue escaped verification due to the attack’s reliance on the passage of time to pull it off. The second issue was economic in nature, and described an attack strategy to abuse the system based on its correct behavior. These issues were fixed immediately by MakerDAO.”

Due diligence

The secondary audit of the MakerDAO voting contract by Zeppelin was actually contracted by cryptocurrency exchange Coinbase. Coinbase has for some time been planning to enable a seamless interface with the MakerDAO voting platform for holders of MKR tokens.

“We spearheaded the audit as part of our due diligence process in supporting the MakerDAO voting capability within the Coinbase Custody product,” said Alan Leung, head of security for Coinbase Custody.

Leung explained that Coinbase clients holding MKR tokens were not comfortable directly interfacing with the MakerDAO voting protocol given that “they don’t know the risk or the risks outweigh the act of participation.”

According to Leung, part of Coinbase’s aim in supporting a third-party audit of the MakerDAO voting contract code was to ensure that the capabilities being built on Coinbase to interface with MakerDAO were secure.

“Our vision is to provide our customers a secure channel for network participation and as part of this process we dived fairly deeply into how the MakerDAO contract works and how voting works,” said Leung to CoinDesk.

With the vulnerability having been disclosed and addressed, Leung affirmed to CoinDesk that the intention to launch MKR voting capability on Coinbase Custody remains unchanged.

“We’ve done our homework in making sure [our interface] is the most secure way to participate in the MakerDAO network because we’re putting our label behind the action,” he told CoinDesk.
