A critical vulnerability on the programmatic lending platform MakerDAO could have made user funds irretrievable, according to security audit firm Zeppelin.
Discovered in the last few weeks, MakerDAO issued Monday an urgent plea to token holders of the MakerDAO platform, writing on Reddit:
“In partnership with Coinbase and Zeppelin, the Maker Foundation has been participating in a second round of audits of the Maker Voting Contract. During this process, we discovered the need to make a critical update…You are advised to move your MKR out of the old contract and back into your personal wallet immediately.”
At the time, MKR token holders were not debriefed about the exact nature of the issue given the vulnerability could still be exploited by an attacker if disclosed.
On Thursday, Zeppelin released a full disclosure outlining how the vulnerability could have moved user tokens and locked them permanently within the MakerDAO voting contract. According to the document, the vulnerability was discovered and analyzed between April 22 and 26, at which point the MakerDAO team was informed, with a fixed contract being subject to an audit on May 2.
A separate post on the MakerDAO subreddit discussed the vulnerability and shared information about the new and uncompromised voting contract. “Due to the exploit, the usual weekly cadence of Governance Polling and Executive Voting was paused as MKR holders transitioned themselves out of the old contract,” the post explained.
Taking a step back, MakerDAO is the preeminent lending platform for popular dollar-pegged stablecoin DAI. MakerDAO is also a decentralized governance platform through which MKR token holders have the power to vote on and execute changes to the DAI lending protocol.
“How the MakerDAO system of governance works is that there are several proposals which are encoded as ethereum addresses and people can vote for one or the other by locking their MKR tokens in the chief voting contract,”…