MakerDAO has patched a "Critical" bug in its yet-to-be-launched Multi-Collateral Dai upgrade that could have put more than 10% of the system's total collateral at risk.
The bug was caught by HackerOne user lucash-dev, who reported it via the HackerOne forum and received a $50,000 bounty for uncovering the potentially devastating flaw.
"Our auction system allowed the potential attacker to create a fake auction, basically offering very little collateral for a large amount of DAI," Chris Smith, a senior software engineer for MakerDAO, told CoinDesk.
"The system would trust that number and use it as credit against collateral in the system, allowing the hacker to basically take that other collateral out of the system."
The bug could have devastated MakerDAO's planned MCD. Lucash-dev said in his report that it "Allows an attacker to steal ALL collateral stored in the MCD system during the liquidation phase - possibly within a single transaction."
Neither the bug nor the MCD upgrade ever went live - the bug was caught during the testing phase, before any users had access to the system.
The value of these "Collateralized debt positions" has to match the Dai in circulation as Dai is a representative currency - much like the US dollar was when it was backed by gold.
"The new Multi-collateral DAI contracts can enter a 'liquidation mode' - that means that everyone who owns DAI will just collect the collateral tokens corresponding to their DAI stake. The bug allows an attacker to trick the system to give them any number of DAI, which can in turn be exchanged by all tokens held as collateral!"
The bug exploited MCD's kick contract implementation, which allowed users to post phony auctions, issue DAI, and then cash out collateral.
"It's through processes like these that you get through the system and make sure that it's absolutely as secure as possible before you launch it."
MakerDAO Bounty Program Catches 'Critical' Bug Before Launch
Posted on Oct 3, 2019
by Coindesk | Posted on Coinage