MakerDAO Likely to Approve Fail-Safe in Vote Today
Also, Bitcoiners are building their version of MakerDAO
Hello defiers and happy Friday! It’s a MakerDAO special today,
- MKR holders likely to approve governance fail-safe
- Developers are building a bitcoin-backed stablecoin (kind of)
Also, really happy to announce: You can now subscribe to The Defiant with Dai! Finally :) I’m super excited to be the first writer to work with Unlock’s solution. Go to this link, and you’ll be able to buy an NFT token representing an annual subscription.
There’s a limited amount of The Defiant OG Membership tokens going for 70 Dai, instead of the regular price of 100 Dai. Get them before they’re gone!
MakerDAO Will Likely Get a New Safety Net
MakerDAO community will likely vote to add a time buffer designed to counter potential attacks, but it’s unclear how much safer the system will actually be with it.
Earlier this week, software engineer Micah Zoltu wrote a blog post detailing how an attacker can steal the platform’s collateral used to issue the Dai stablecoin. Maker was aware of the attack and of the way to stop it, but had chosen not to implement it because developers judged the likelihood of it happening to be smaller than the risks the platform would incur by implementing the fix –rock and hard place.
But the likelihood of someone finding the attack increased after Zoltu’s blog post was published and MakerDAO developers put the fix up to a vote, which is happening today.
Image source: vote.makerdao.com
Why does this matter?
- It highlights the risks involved in DeFi. This is nascent, untested technology, which carries the risk of smart contract bugs, oracle failures, governance attacks, and others. MakerDAO accounts for about half of the assets held in decentralized finance, so an attack on its system would be a major blow to DeFi. Anyone using these platforms should do so with great caution.
- It shows the power of open source platforms. Someone outside of the Maker team found this attack by reading the code, and was able to alert the community and explain it, which led to a broader discussion and a vote.
- Hopefully it will be a lesson for all DeFi projects. It’s great that anyone is free to dig into the code and documentation, but in reality, very few will. DeFi projects should be upfront with the risks in their systems and state them clearly –not bury them deep in documents few people will understand or read.
To understand the attack you have to first know that MakerDAO has a governance system in which holders of MKR stake their tokens towards the option they favor in a vote, and the option with the most tokens wins the vote. At the time when Zoltu’s blog post was written, on Dec. 9, there were 80,000 MKR, or $41 million, in the voting contract and $340 million worth of ETH in the system.
An MKR holder with enough tokens can vote for and approve a proposal that’s programmed to let them steal all of the locked collateral. The system has a built-in buffer that can be added between the time when a vote is approved and when it is executed. This would give MKR holders time to shut down the system before an attacker can get away with the funds.
The problem is that the buffer is currently set to 0, giving holders no time to react. An attacker can buy 80k MKR and create a proposal that’s programmed to transfer the $340 million of collateral to their wallet. Another way to do it, what Zoltu calls “the patient way,” would be to buy half as much MKR, wait until the 80k is split between two proposals during a vote, and vote with about 40k MKR on a proposal that transfers all the collateral.
Zoltu highlights that the Maker Foundation has enough MKR to execute the attack, and that a16z has enough MKR to execute it “the patient way.”
What should scare you here is that this isn’t #DeFi, this is #CeFi, but instead of only one person being able to steal all your money (the bank), the bank or any of a number of large individual shareholders, or a group of smaller shareholders could decide to steal all of your money at any time.
The fix and its tradeoff:
One fix is to simply set the time buffer to at least 24 hours to allow MakerDAO participants to prevent the theft.
The problem is that this also means MakerDAO developers won’t be able to quickly fix smart contract bugs or any other issues that may come up; they too will have to wait for the time buffer to expire. That’s why the MakerDAO team had set the buffer time to 0, even though they knew about the attack.
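As an added example (not MakerDAO’s own code), the following Python model captures the two mechanics described above: a stake-weighted vote where the proposal with the most MKR wins, and an execution delay between approval and execution during which holders can cancel. The class, proposal and voter names are illustrative; the 80k MKR figure is the one from Zoltu’s post.

```python
# Added example: a simplified model of stake-weighted governance with an
# execution delay, the mechanism the Governance Security Module adds.
# Not MakerDAO's own code; names and numbers are illustrative.

class Governance:
    def __init__(self, delay: int):
        self.delay = delay          # seconds between approval and execution
        self.votes = {}             # proposal -> {voter: MKR staked}
        self.approved = {}          # proposal -> approval timestamp
        self.cancelled = set()      # proposals holders shut down in time

    def vote(self, voter: str, proposal: str, mkr: int) -> None:
        self.votes.setdefault(proposal, {})[voter] = mkr

    def staked(self, proposal: str) -> int:
        return sum(self.votes.get(proposal, {}).values())

    def leader(self) -> str:
        return max(self.votes, key=self.staked)

    def mkr_to_lead(self) -> int:
        """MKR a new proposal needs to win: one more than the current leader.
        A vote split across proposals lowers this bar (the 'patient way')."""
        return self.staked(self.leader()) + 1

    def approve(self, proposal: str, now: int) -> bool:
        if self.leader() != proposal:
            return False
        self.approved[proposal] = now
        return True

    def execute(self, proposal: str, now: int) -> bool:
        if proposal not in self.approved or proposal in self.cancelled:
            return False
        return now >= self.approved[proposal] + self.delay  # delay elapsed?


def drain_executes(delay: int, reaction_time: int) -> bool:
    """Does a malicious 'drain' proposal run? Holders back 'upgrade' with 80k
    MKR, the attacker stakes one MKR more so 'drain' is approved at t=0 and
    runs it when the delay expires; holders cancel it at reaction_time."""
    gov = Governance(delay)
    gov.vote("holders", "upgrade", 80_000)
    gov.vote("attacker", "drain", 80_001)
    assert gov.approve("drain", 0)
    for t, action in sorted([(reaction_time, "cancel"), (delay, "execute")]):
        if action == "cancel":
            gov.cancelled.add("drain")
        elif gov.execute("drain", t):
            return True
    return False
```

With a delay of 0 the proposal runs before anyone can react; with a 24-hour delay it only runs if holders take longer than 24 hours to cancel, which is why the buffer helps exactly as much as the community’s response time allows.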
But now that the risk of someone executing the attack is higher, Maker proposed to increase the delay to 24 hours. There was a poll from Dec. 9 to Dec. 13, before the executive vote, which is today, Friday. An addendum was added Thursday to include the oracle system, which feeds price information, from the time buffer.
What did the poll say:
The great majority, or 95 percent, of those who participated in the poll voted to approve the so-called Governance Security Module, which raises the delay time. To note, even in this controversial decision, only 57 holders participated, staking about 50.9k MKR, or about 5 percent of total supply.
This means the proposal will very likely pass in today’s vote, putting in place a mechanism to protect against these kinds of governance attacks. It also means the Maker team won’t be able to quickly react to other issues.
Bitcoiners Want their Own MakerDAO
Money on Chain is creating a stablecoin that’s pegged to the dollar and backed by bitcoin, CoinDesk reported. That sounds similar to MakerDAO, which is pegged to the dollar and backed by Ether –except for some important nuances.*
The Defiant is a daily newsletter focusing on decentralized finance, a new financial system that’s being built on top of open blockchains. The space is evolving at breakneck speed and revolutionizing tech and money. Sign up to learn more and keep up on the latest, most interesting developments. Subscribers get full access, while free signups get only part of the content. Click here to pay with DAI.
About the author: I’m Camila Russo, a financial journalist writing a book on Ethereum with Harper Collins. I was previously at Bloomberg News in New York, Madrid and Buenos Aires covering markets. I’ve extensively covered crypto and finance, and now I’m diving into DeFi, the intersection of the two.