  • 10 December 2019, Tuesday, 09:00

Maker (MKR), the native token of MakerDAO, remains largely unmoved by the market, even though a potentially major loophole in MakerDAO, the Ethereum-based decentralized finance platform, was exposed, prompting a swift reaction from the foundation.

In the face of yesterday’s potentially bad news, followed by a quick response from the Maker Foundation, MKR, ranked 21st by market capitalization, has traded sideways over the past 24 hours. It’s currently (13:08 UTC) trading at USD c. 493, unchanged in a day, while the price dropped by 6% in a week.

It all started with a blog post by Micah Zoltu, freelance developer and co-author of the original white paper for the Augur prediction market, in which he exposes a loophole in MakerDAO that could be exploited by a hacker. He describes a very expensive attack that could potentially drain all USD 340 million worth of Ethereum (ETH) that users have locked into the Maker protocol to take out loans in DAI. As there are no safeguard features in place, anyone with MKR 40,000 (c. USD 20 million) “can steal all of the collateral in MakerDAO, both DAI and SAI, along with a good chunk of assets from Compound, Uniswap, and other Maker integrated systems,” warned Zoltu. As a matter of fact, he says, the Maker Foundation has set the delay that would defend against such an attack to zero seconds.

Zoltu adds that a quadrillion DAI could also be minted; that a smart contract could be created in which people who don’t trust each other collude under a strict set of rules; and that the Maker Foundation itself could technically attack the system in the described way right now if it wanted to.

The Maker Foundation responded to the post quickly, saying that:

  • the community previously considered the exploit and decided it wasn’t an immediate issue, but its probability increased due to potential publicity from Zoltu’s post;
  • the introduction of the Governance Security Module (GSM) into the core protocol is planned next, and an additional Poll has now been added to the governance portal for the community to include the GSM in the Executive vote on Friday;
  • if the change is accepted, the GSM delay will be increased from 0 to 24 hours;
  • improvements and updates to the Maker protocol will be presented to governance for consideration over the coming months.

While a 24-hour delay is “significantly better” than a 0-hour one, Zoltu recommends a delay of about a week, because “an attacker can probably still execute the attack by timing it to coincide with a distracting event like a holiday or DevCon,” he said, adding that the risk to the attacker is minimal.
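To make the delay argument concrete, here is an added toy model of an executive vote behind a governance delay; it is not Maker’s code, and its rules, MKR amounts and reaction times are assumptions. It shows why a 0-second delay lets a malicious spell execute before anyone can respond, why 24 hours helps only if honest MKR holders react within the window, and why a longer window covers a holiday-sized distraction.

```python
"""Toy model of an executive vote guarded by a governance delay (GSM).
Assumed, simplified rules (not MakerDAO's actual contracts):
  * a spell backed by MKR votes can be scheduled for execution;
  * a scheduled spell may only execute `delay` seconds later;
  * while it is pending, a spell backed by MORE MKR can cancel it."""
from dataclasses import dataclass

HOUR = 3600


@dataclass
class Spell:
    name: str
    votes: int              # MKR locked behind this spell
    scheduled_at: int = -1  # -1 means not scheduled


class Governance:
    def __init__(self, delay: int):
        self.delay = delay      # GSM delay in seconds
        self.pending = None     # the scheduled spell, if any
        self.executed = []      # names of spells that ran

    def schedule(self, spell: Spell, now: int) -> None:
        if self.pending is None:
            self.pending = spell
            spell.scheduled_at = now

    def cancel(self, challenger: Spell) -> bool:
        # defenders need strictly more MKR than the pending spell
        if self.pending is not None and challenger.votes > self.pending.votes:
            self.pending = None
            return True
        return False

    def execute(self, now: int) -> bool:
        s = self.pending
        if s is None or now < s.scheduled_at + self.delay:
            return False
        self.executed.append(s.name)
        self.pending = None
        return True


def attack_succeeds(delay: int, attacker_mkr: int, honest_mkr: int, reaction: int) -> bool:
    """Attacker schedules a spell at t=0; honest holders notice after `reaction` seconds."""
    gov = Governance(delay)
    gov.schedule(Spell("malicious-spell", votes=attacker_mkr), now=0)
    if reaction < delay:  # defenders can only act before the spell matures
        gov.cancel(Spell("cancel-spell", votes=honest_mkr))
    gov.execute(now=delay)  # attacker casts the moment the delay has elapsed
    return "malicious-spell" in gov.executed
```

With the page’s 40,000 MKR attacker and an assumed 100,000 MKR of honest holders, `attack_succeeds(0, 40_000, 100_000, HOUR)` is true, `attack_succeeds(24 * HOUR, 40_000, 100_000, HOUR)` is false, and `attack_succeeds(24 * HOUR, 40_000, 100_000, 48 * HOUR)` is true again.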

You could buy it at 10x markup and still come out ahead. My recommendation would be to do a slow accumulation over time and/or look for dark pool liquidity.

— Micah Zoltu (@MicahZoltu) December 9, 2019

Many commenters agreed that Maker and its community should focus more on security, whether they think a failure of Maker would only damage Ethereum’s reputation or would spell Ethereum’s demise.

Now I finally understand why they call it DeFi. Instead of having just the bank as a single point of failure, with DeFi anyone can be a point of failure

— Federico Tenga (@FedericoTenga) December 9, 2019

Meanwhile, others, such as ‘lex-node’, state that MakerDAO needs a quorum requirement on MKR votes to improve governance and mitigate this type of attack, despite the delays it may cause.

Great article by @MicahZoltu . This is just one example of a broken governance assumption that many have pointed out: the assumption that a majority of participating MKR holders have a net long position in MKR & therefore have good governance incentives due to 'skin in the game'.

— ☠l̶̫͚̍̃͊́͐e̷̛̊́x̸-̴́̿n̷̛̜̣̥͛̋͛̓ǒ̶̾̿̒͂̈́̍d̸͛̔̀̽ë̵́☠ (@lex_node) December 10, 2019

link to that explanation? & how do you reconcile that with the idea that this system is governed by anyone other than the Foundation, rather than by MKR holders as such? seems like it's just a failsafe for the Foundation to come in and use its MKR to override any other MKR

— ☠l̶̫͚̍̃͊́͐e̷̛̊́x̸-̴́̿n̷̛̜̣̥͛̋͛̓ǒ̶̾̿̒͂̈́̍d̸͛̔̀̽ë̵́☠ (@lex_node) December 10, 2019