Maker DAO Vulnerable to Collateral Theft
New research suggests the governance functions of the MKR token may allow malicious actors to divert the entire collateral stored in the DeFi scheme.
Maker DAO has a significant problem rooted in its governance approach, recent research shows. In an investigative blog post, Micah Zoltu suggests that governance through MKR ownership leaves the project open to theft of its collateral.
The reason is that the chief smart contract in operation is activated by the biggest MKR owner. In theory, one big MKR “whale”, or a group of holders acting together, could vote in a new smart contract and trigger new events with the tokens.
“Anyone with ~40,000 MKR (about 20,000,000 USD) can steal all of the collateral in Maker DAO, both DAI and SAI, along with a good chunk of assets from Compound, Uniswap, and other Maker integrated systems (over 340,000,000 USD),” Zoltu concluded.
The theft is possible because the newest version of Maker was launched without a Governance Delay, meaning a malicious smart contract voted in by governance could fire immediately. This makes Maker inherently governable by plutocrats, or whales, but also by malicious actors who rustle up enough MKR to vote.
The collateral held in Maker is currently above 2 million ETH, and a successful attack could also mint new DAI and SAI.
Maker is aware of the problem and has opened a vote to activate the enforced governance delay. Once it is in place, the opportunity to steal the collateral may disappear, since any attempt would be noticed and foiled during the delay before the smart contract can take effect.
“The ds-pause was designed to be used as a component in the Maker Protocol’s governance system in order to give affected parties time to respond to decisions. If those affected by governance decisions have e.g. exit or veto rights, then the pause can serve as an effective check on governance power,” the explanation on the voting page states.
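The following model, added here as an illustration rather than Maker's own code, shows why the delay matters: a governance action that is scheduled through a pause contract sits in a publicly visible queue for a fixed delay before it can be executed, so affected parties can inspect it and exit or veto in time. With the delay set to zero, the same action runs in the block it is scheduled in and no reaction window exists. The class, method and field names (`GovernancePause`, `plot`, `drop`, `exec`, `eta`) are simplifying assumptions loosely patterned on the schedule-then-execute idea described above, and the vault, the "whale" authority and the timestamps are constructed sample data.

```python
"""Toy model of a governance delay ("pause") in front of a privileged contract call.

Added example, not Maker's own code: the names below are assumptions chosen to
illustrate schedule-then-execute governance with a mandatory waiting period.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ONE_WEEK = 7 * 24 * 3600  # sample delay in seconds (constructed, not Maker's value)


@dataclass(frozen=True)
class Plan:
    """A scheduled governance action: what to call and the earliest time it may run."""
    plan_id: str
    action: Callable[[], str]  # the privileged call (stands in for a governance "spell")
    eta: int                   # earliest timestamp at which exec() is allowed


class GovernancePause:
    """Only the current governance authority may schedule or cancel; anyone may execute once ripe."""

    def __init__(self, delay: int, authority: str):
        self.delay = delay          # seconds a plan must wait before it can run (0 = no delay)
        self.authority = authority  # whoever currently controls governance (e.g. the top MKR voter)
        self.plans: Dict[str, Plan] = {}
        self.log: List[str] = []

    def plot(self, caller: str, plan: Plan, now: int) -> None:
        """Schedule a plan; it may not be ripe sooner than `delay` seconds from now."""
        if caller != self.authority:
            raise PermissionError("only governance may schedule a plan")
        if plan.eta < now + self.delay:
            raise ValueError("eta must be at least `delay` seconds in the future")
        self.plans[plan.plan_id] = plan
        self.log.append(f"{now}: plan {plan.plan_id} scheduled for {plan.eta}")

    def drop(self, caller: str, plan_id: str, now: int) -> None:
        """Cancel a pending plan (the veto path for a governance decision that was challenged)."""
        if caller != self.authority:
            raise PermissionError("only governance may cancel a plan")
        self.plans.pop(plan_id)
        self.log.append(f"{now}: plan {plan_id} dropped")

    def exec(self, plan_id: str, now: int) -> str:
        """Run a plan, but only once its waiting period has elapsed."""
        plan = self.plans[plan_id]
        if now < plan.eta:
            raise RuntimeError("plan not yet executable")
        del self.plans[plan_id]
        return plan.action()

    def pending(self) -> List[str]:
        """What affected parties can inspect while the delay is running."""
        return sorted(self.plans)


def _new_vault_and_pause(delay: int, now: int):
    # Constructed sample state: a vault holding 100 units and a governance action that empties it,
    # standing in for the "vote in a new contract and move the collateral" outcome described above.
    vault = {"collateral": 100}

    def empty_vault() -> str:
        vault["collateral"] = 0
        return "collateral moved"

    pause = GovernancePause(delay=delay, authority="whale")
    pause.plot("whale", Plan("spell-1", empty_vault, eta=now + delay), now)
    return vault, pause


def same_block_attempt(delay: int, now: int = 1_000_000) -> Tuple[bool, List[str], int]:
    """Schedule and immediately try to execute. Returns (executed?, pending plans, collateral left)."""
    vault, pause = _new_vault_and_pause(delay, now)
    try:
        pause.exec("spell-1", now)
        executed = True
    except RuntimeError:
        executed = False
    return executed, pause.pending(), vault["collateral"]


def veto_during_window(delay: int, now: int = 1_000_000) -> Tuple[List[str], int]:
    """Schedule, then have governance drop the plan while it is still visible and unexecuted."""
    vault, pause = _new_vault_and_pause(delay, now)
    pause.drop("whale", "spell-1", now + delay // 2)  # challenged and cancelled mid-window
    return pause.pending(), vault["collateral"]


if __name__ == "__main__":
    print("no delay:", same_block_attempt(0))          # (True, [], 0): fires in the same block
    print("one week:", same_block_attempt(ONE_WEEK))   # (False, ['spell-1'], 100): visible, not run
    print("vetoed:  ", veto_during_window(ONE_WEEK))   # ([], 100): cancelled before it could run
```

With `delay=0` the scheduled action runs in the same block it was scheduled in, which is the situation the article describes; with a non-zero delay the same action is queued and visible in `pending()` for the whole window, giving integrators time to exit positions or governance time to `drop` it.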
MKR trades at $508.46, with total DAI single-collateral supply down to about 54 million coins. The project is still in the process of transferring ETH to multi-collateral DAI.