MakerDAO Bounty Program Catches 'Critical' Bug Before Launch

MakerDAO patched a "critical" bug in its upcoming Multi-Collateral Dai upgrade that could have put 10% of the system's total collateral at risk.

Oct 3, 2019 at 7:00 p.m. UTC
Updated Aug 18, 2021 at 12:22 p.m. UTC

MakerDAO has patched a "critical" bug in its yet-to-be-launched Multi-Collateral Dai (MCD) upgrade that could have put more than 10% of the system's total collateral at risk.

The bug was caught by HackerOne user lucash-dev, who reported it via the HackerOne forum and received a $50,000 bounty for uncovering the potentially devastating flaw.

    "Our auction system allowed the potential attacker to create a fake auction, basically offering very little collateral for a large amount of DAI," Chris Smith, a senior software engineer for MakerDAO, told CoinDesk. "The system would trust that number and use it as credit against collateral in the system, allowing the hacker to basically take that other collateral out of the system."

    The bug could have devastated MakerDAO's planned MCD. Lucash-dev said in his report that it "allows an attacker to steal ALL collateral stored in the MCD system during the liquidation phase – possibly within a single transaction."

    Lucash-dev told CoinDesk:

    "That would be disastrous if it ever happened in a live environment."

    But neither the bug nor the MCD upgrade ever went live – it was caught during the testing phase, before any users had access to the system.

    Both lucash-dev and MakerDAO engineers told CoinDesk that no user funds were ever placed at risk.

    Under the new MCD, users will be able to stake cryptocurrencies other than ETH as collateral to issue new Dai. The value of these "collateralized debt positions" has to match the Dai in circulation, as Dai is a representative currency – much like the US dollar was when it was backed by gold. Certain users can trigger a liquidation mode to balance out the system.

    Lucash-dev told CoinDesk that the system had a fault:

    "The new Multi-collateral DAI contracts can enter a 'liquidation mode' – that means that everyone who owns DAI will just collect the collateral tokens corresponding to their DAI stake. The bug allows an attacker to trick the system to give them any number of DAI (only during the liquidation mode), which can in turn be exchanged by all tokens held as collateral!"

    The bug was in MCD's kick contract implementation, which allowed users to post phony auctions, issue DAI, and then cash out collateral.
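A simplified Python model of the flaw described above, added here as an illustration and not MakerDAO's contract code. All class, method and account names are hypothetical, the figures are constructed, and the caller check in the hardened variant is an assumed mitigation, since the article does not describe the actual patch.

```python
# Constructed toy model; every name here is hypothetical, not MakerDAO code.
class UnauthorizedKick(Exception):
    pass

class Settlement:
    def __init__(self, liquidator, enforce_auth):
        self.liquidator = liquidator      # assumed: sole module allowed to open auctions
        self.enforce_auth = enforce_auth  # False models the flaw, True the assumed fix
        self.collateral = 0               # collateral units held by the system
        self.dai = {}                     # account -> DAI balance
        self.auctions = {}                # auction id -> (caller, claimed DAI amount)

    def deposit(self, user, lot, dai_issued):
        # Honest path: lock collateral and issue DAI against it.
        self.collateral += lot
        self.dai[user] = self.dai.get(user, 0) + dai_issued

    def kick(self, caller, lot, bid):
        # Open an auction offering `lot` collateral for a claimed `bid` of DAI.
        if self.enforce_auth and caller != self.liquidator:
            raise UnauthorizedKick(caller)
        self.collateral += lot
        auction_id = len(self.auctions) + 1
        self.auctions[auction_id] = (caller, bid)
        return auction_id

    def settle_auction(self, auction_id):
        # Liquidation mode closes open auctions and credits the recorded DAI
        # figure as-is, so that figure is only safe if a trusted caller set it.
        caller, bid = self.auctions.pop(auction_id)
        self.dai[caller] = self.dai.get(caller, 0) + bid

    def redeem(self, user):
        # Each DAI holder collects a pro-rata share of the collateral pool.
        total = sum(self.dai.values())
        share = self.collateral * self.dai.get(user, 0) // total if total else 0
        self.collateral -= share
        self.dai[user] = 0
        return share

def run_scenario(enforce_auth):
    s = Settlement("liquidation-module", enforce_auth)
    s.deposit("alice", lot=1000, dai_issued=500)  # constructed sample figures
    try:
        s.settle_auction(s.kick("mallory", lot=1, bid=9_500))
    except UnauthorizedKick:
        pass  # hardened variant refuses the untrusted auction
    return {"mallory": s.redeem("mallory"), "alice": s.redeem("alice")}
```

With the caller check disabled, the honest depositor redeems 51 of the 1,000 collateral units they locked; with it enabled they redeem all 1,000.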

    Wouter Kampmann, head of engineering for MakerDAO, said that bug tracking events like this were routine.

    "It's through processes like these that you get through the system and make sure that it's absolutely as secure as possible before you launch it."

    The bug was posted on August 28 and patched by September 26. Lucash-dev disclosed it to the public on October 1.
