The Maker Foundation, MakerDAO’s parent company, has responded to claims that the DAO structure is flawed, and hackers could make millions of it. On December 9, the Foundation announced several governance polls in its voting system, with the hope of getting feedback from users on how to improve its Governance Security module (GSM), one of its most critical security components, after it was criticized as being hazardous and susceptible to manipulation.
Millions Could Be Stolen By Criminals
The allegations themselves came from Micah Zoltu, a software developer who posted in a December 9 blog post that he had discovered a vulnerability that could be exploited to steal all of the network’s Ether. Speaking on the “incredibly profitable” but “expensive” attack, Zoltu explained that he could easily make a hefty $340 million payday.
Interesting attack on MakerDAO.
How to turn $20M into $340M in 15 seconds by Micah Zoltu https://t.co/rflm8qOePh
— Emin Gün Sirer (@el33th4xor) December 9, 2019
As he put it, the biggest issue with MakerDAO was the way it was governed. In order to carry out the attack, a hacker could deploy 40,00 MKR tokens (worth about $20 million). However, the prospect of purchasing that much of the token without affecting its price will almost be impossible.
“The problem is, Maker Foundation has decided that the appropriate value for this governance delay is 0 seconds. That is right, defenders have 0 seconds to defend against an attack launched by a wealthy but malicious party,” he said.
He added that the company has known about the issue for a while now, and despite launching the Maker v2 update, it didn’t fix it.
“Despite this, they are choosing not to plug the hole (the plug is easy). Because of that, I do not believe that it would be responsible for me to keep my mouth shut and hope that no attacker figures out what should be obvious to anyone who understands Maker’s governance model,” he notes.
Zoltu pointed out that the Foundation tries to counter any possible threats by enforcing the GSM delay after each new contract. However, even though the delay could work, it is possible for a hacker who has enough funds to vote up their own contracts to steal all of the collateral. As he noted, a person with up to 80,000 MKR tokens ($4 million) could do whatever they wanted on the network.
For now, we’ll have to wait to see what the resolution of the Foundation’s poll is. However, if the proposal to introduce the GSM passes, the GSM delay will be increased to 24 hours, allowing defenders to prevent any malicious attacks.
This isn’t the first time that MakerDAO will have its security questioned. Back in October, the company disclosed a security flaw that could have allowed a hacker to steal Ether via its multi-collateral Dai through one transaction. The hack could have severely damaged the company’s reputation and security, but, fortunately, it found it and had it fixed before a catastrophe happened.