A security flaw discovered in the upcoming Multi-Collateral Dai system being developed by DeFi organization MakerDAO could have resulted in the loss of assets that back the digital token.

If exploited by hackers, the vulnerability could potentially have resulted in a single transaction wiping out all assets used as collateral to support the dai stablecoin if it had been undiscovered by launch.

The security flaw was discovered during a bug bounty testing program ahead of the launch of Multi-Collateral Dai (MCD) by an engineer at HackerOne. The summary of the report filed revealed that attackers could exploit a lack of access control in a MakerDAO smart contract used to auction collateral when loans are liquidated. The report said:

The “flip” contract allows for the MCD system to auction collateral in exchange for DAI. A lack of validation in the method “flip.kick” allows an attacker to create an auction with a fake bid value. Since the “end” contract trusts that value, it can be exploited to issue any amount of free DAI during liquidation. That DAI can then be immediately used to obtain all collateral stored in the “end” contract.

Such an exploitation of the security flaw would likely have seen the theft of all collateral stored and undoubtedly brought about the swift demise of the whole MakerDAO project. A costly mistake considering – according to engineer’s report – the cost of performing the attack is almost zero.

Bug Bounty Testing 

But most such flaws are discovered long before a project goes live, and the security flaw discovered in the MCD system underlines the importance of bug bounty testing – where a software development project is opened up to the public in testnet phase so such flaws can be discovered by independent software engineers and testers.

Indeed, Project Libra – the Facebook-led cryptocurrency development – announced in August it was launching a public bug bounty program in partnership with HackerOne.

The HackerOne engineer who discovered the MCD vulnerability received a $50,000 bounty for the discovery. Chris Smith, senior software engineer at MakerDAO, reviewed the HackerOne report and concluded:

We have evaluated this and agree that leaving the “flip.kick” function publicly callable opens an attack vector that could allow significant collateral loss.

Smith said that MakerDAO had implemented a fix for the bug.

What Could’ve Been Lost

According to MakerScan, which monitors levels of collateral and debt in the dai ecosystem, there is currently 40,673.89 in ether – currently the only source of collateral – locked in the system. This is currently worth more than $7 million.

The Multi-Collateral Dai system is working on adding other sources of collateral.


Featured Image Credit: Photo via Pixabay.com