MakerDAO bug could’ve let hackers steal all the Ethereum powering its DAI stablecoin

MakerDAO, the decentralized organization that runs on Ethereum (ETH), has disclosed an enormously dangerous security flaw that could’ve allowed an attacker to steal all of the collateral powering its Dai stablecoin with a single transaction.

The bug, if exploited, would’ve resulted in a complete loss of funds for all Dai users, and would likely have brought the entire MakerDAO ecosystem to its knees.

“The cost of performing the attack is almost zero: just the minimal denomination of each type of gem stolen plus gas,” wrote the researcher who discovered the flaw.

MakerDAO’s smart contract had almost zero access control

A HackerOne disclosure report reveals the attack was possible due to a complete lack of access control in a MakerDAO smart contract: specifically, the contract that allows the system to auction collateral in exchange for DAI cryptocurrency when loans are liquidated.

“A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value,” reads the disclosure. “Since the end contract trusts that value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract.”
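The following Solidity snippet is an added illustration of the bug class the disclosure describes, written for this page rather than taken from MakerDAO's code base. It contrasts an auction contract whose `kick` function performs no caller validation (so any account can open an auction with a fabricated initial `bid`) with a version guarded by the wards/auth pattern that MakerDAO contracts use for privileged calls. The contract names, the `Bid` struct fields and the `kick` parameter list are simplified assumptions made for the example; the real flipper and end contracts are more involved.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified auction state shared by both variants below.
// This is NOT MakerDAO's code; field names are assumptions for illustration.
contract FlipperBase {
    struct Bid {
        uint256 bid; // Dai offered so far; downstream logic trusts this value
        uint256 lot; // collateral ("gem") amount being auctioned
        address guy; // current high bidder
        address usr; // vault owner whose collateral is being sold
        address gal; // recipient of the Dai raised by the auction
        uint256 tab; // total Dai the auction is meant to raise
    }

    mapping(uint256 => Bid) public bids;
    uint256 public kicks; // running auction id counter
}

// VULNERABLE: no access control on kick. Any externally owned account can
// open an auction and choose the initial `bid` freely. A contract that later
// reads bids[id].bid and treats it as Dai actually paid in is acting on a
// number the caller simply made up.
contract FlipperUnguarded is FlipperBase {
    function kick(address usr, address gal, uint256 tab, uint256 lot, uint256 bid)
        external
        returns (uint256 id)
    {
        id = ++kicks;
        bids[id] = Bid({bid: bid, lot: lot, guy: msg.sender, usr: usr, gal: gal, tab: tab});
    }
}

// HARDENED: kick is restricted to authorised callers. In MakerDAO's design the
// liquidation module is the only component that should open collateral
// auctions, so `wards` would hold that module's address and nothing else.
contract FlipperGuarded is FlipperBase {
    mapping(address => uint256) public wards; // 1 = allowed to call auth'd functions

    modifier auth() {
        require(wards[msg.sender] == 1, "Flipper/not-authorized");
        _;
    }

    constructor() {
        wards[msg.sender] = 1; // deployer bootstraps the allow-list
    }

    // Governance grants or revokes the right to open auctions.
    function rely(address usr) external auth { wards[usr] = 1; }
    function deny(address usr) external auth { wards[usr] = 0; }

    // Only an authorised caller may open an auction, so an arbitrary account
    // can no longer seed the auction with a fabricated bid.
    function kick(address usr, address gal, uint256 tab, uint256 lot, uint256 bid)
        external
        auth
        returns (uint256 id)
    {
        id = ++kicks;
        bids[id] = Bid({bid: bid, lot: lot, guy: msg.sender, usr: usr, gal: gal, tab: tab});
    }
}
```

When reviewing a system of cooperating contracts, the check worth running is to list every state-changing function that another contract later trusts (here, anything that writes `bids[id].bid`) and confirm each one is reachable only from the component that is supposed to call it. A missing modifier on one such entry point is enough to make every downstream trust assumption false, which is exactly the shape of the flaw reported here.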

Liquidation phases exist due to Dai being an “over-collateralized” asset, which means that all circulating Dai cryptocurrency is backed by a surplus of collateral tokens stored in smart contracts on the Ethereum blockchain.

Give an autonomous organization Ethereum to receive crypto loans

MakerDAO documentation explains that Dai loans can be liquidated when they’re deemed unsafe. These measures are in place to ensure there’s enough collateral in the system to guarantee the value of all outstanding Dai tokens, which are meant to have a value of $1.

This collateral is what hackers could have stolen, which would have led to the complete collapse of the…
