The Maker Foundation has proposed a new security feature that will help it avoid losing all its collateral investments to hackers. The new security proposal named the Governance Security Module (GSM) aims to instill in the system a 24-hour governance delay on new executive deals.
The proposal comes almost immediately after a loophole was detected in the MakerDAO system, which could lead to a loss of $340 million worth of ETH to hackers. With the existing loophole, any attacker with nearly 52,000 MKR can move all collateral in the MakerDAO system (worth $340 million in ETH) to their individual accounts without resistance.
The Whistleblower
Yesterday (Monday, December 9, 2019), freelance developer Micah Zoltu became the whistleblower in the existing MakerDAO loophole saga. Through a blog post, the developer warned the public of the existing soft spot in the MakerDAO system. Zoltu revealed that currently, the system has no safeguard features to trigger emergency shutdown or governance delays.
This security gap allows anyone with a substantive amount of MKR tokens to create an executive contract to move all collateral from Maker to their individual accounts. Once in their account, they can easily vote on and activate the contract and technically steal all of the Maker’s collateral.
However, responding to Zoltu’s analysis, MakerDAO claimed that Zoltu’s article increased the chances of hackers exploiting the security gap. Through their official blog, the platform said that it created an extra poll to launch the Governance Security Module (GSM). Should the proposal sail through, the GSM delay will increase from zero to 24 hours.
Part of the post reads:
“The GSM is designed to give the MKR token holders a chance to review any changes that will go into the system and act accordingly if those changes are deemed to be malicious.”
MakerDAO Funds Not Safe
In his post entitled “How to Turn $20M into $340M in 15 Seconds,” Zoltu explains how the loophole provides a fertile ground for a severe attack that any script wizard can simply launch.
Currently, the MakerDAO system holds about 80,000 MKR tokens staked on the executive contract. This implies that anyone with more than this amount could easily pass any proposal of choice.
To control such malicious attacks, there should be a delay in the period before the approval and activation of a new executive contract. The delay would allow community members to identify and shut down malicious contracts. The delay, currently set at zero seconds on the platform, shows there is no control against such thefts.
Featured Image Source: Publish0x
