Cryptocurrency News Today: MakerDAO bug could’ve let hackers steal all the Ethereum powering its DAI stablecoin — leading to immediate collapse
MakerDAO, the decentralized organization that runs on Ethereum, has disclosed an enormously dangerous security flaw that could’ve allowed an attacker to steal collateral powering its Dai stablecoin with a single transaction.
The bug, if exploited, would’ve resulted in a complete loss of funds for all Dai users making use of its upcoming Multi-Collateral Dai system, and would likely have brought the entire MakerDAO ecosystem to its knees.
“The cost of performing the attack is almost zero — just the minimal denomination of each type of gem stolen plus gas,” wrote the researcher who discovered the flaw.
MakerDAO’s smart contract had almost zero access control
A HackerOne disclosure report reveals the attack would have been possible due to a complete lack of access control in a MakerDAO smart contract, specifically the contract that was to allow the system to auction collateral in exchange for DAI when loans are liquidated.
“A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value,” reads the disclosure. “Since the end contract trusts that value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract.”
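The pattern the disclosure describes, shown as an added example that is not MakerDAO's code: an auction-opening function that accepts a caller-supplied bid from any account, next to a form restricted to an authorized liquidation contract. Every name except kick (the contract, wards, auth, kickUnchecked, the struct fields) is a hypothetical chosen for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model for illustration only; not the MakerDAO contract.
contract AuctionModel {
    struct Bid { uint256 bid; uint256 lot; address guy; }

    mapping(address => bool) public wards;  // callers allowed to open auctions
    mapping(uint256 => Bid) public bids;    // auction state a settlement contract would read
    uint256 public kicks;                   // number of auctions opened so far

    event Kick(uint256 indexed id, address indexed caller, uint256 lot, uint256 bid);

    constructor(address liquidator) {
        // Assumption: one liquidation contract is trusted to open auctions.
        wards[liquidator] = true;
    }

    modifier auth() {
        require(wards[msg.sender], "AuctionModel/not-authorized");
        _;
    }

    // Weak form: any account may open an auction and pick its starting bid,
    // so anything that later reads bids[id].bid is trusting unvalidated input.
    function kickUnchecked(uint256 lot, uint256 bid) external returns (uint256 id) {
        id = _open(lot, bid);
    }

    // Restricted form: the bid is still a parameter, but it can only come
    // from a caller the system has explicitly authorized.
    function kick(uint256 lot, uint256 bid) external auth returns (uint256 id) {
        id = _open(lot, bid);
    }

    function _open(uint256 lot, uint256 bid) internal returns (uint256 id) {
        id = ++kicks;
        bids[id] = Bid({bid: bid, lot: lot, guy: msg.sender});
        // Emitting the caller makes unexpected auction creators visible in logs.
        emit Kick(id, msg.sender, lot, bid);
    }
}
```

In review, the check to make is that every state-changing entry point whose stored values another contract later trusts carries a restriction like auth, and that the deployment script grants that right only to the intended caller.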
Liquidation phases exist due to Dai being an “over-collateralized” asset, which means that all circulating Dai is backed by a surplus of collateral tokens stored in smart contracts on the