Steal $340M from MakerDAO with $20M
secondary title
How to Steal $340 Million Locked in MakerDAO With 20 Million
The author mainly shared a loophole about Maker, which allows you to easily earn 12 million. This article aroused a lot of sharing and discussion in the Defi community. The main reason is to attack giant whales and foundations to turn Defi into Cefi, but MakerDAO chooses not to plug the loopholes. In fact, I didn’t read the attack process in depth, but the discussion of DAO and Defi on social media brought by the article, especially the discussion of DAO, is far more exciting than the article.
Anyone with ~40,000 MKR (approximately $20,000,000) can steal all collateral in Maker DAO, including DAI and SAI, as well as a large amount of assets (over 340,000,000 USD) from Compound, Uniswap, and other Maker integrated systems.
Maker DAO v2 (aka Multi-Collateral DAI, aka McDAI) was supposed to launch with defensive measures (emergency shutdown and governance delay) to prevent hostile MKR holders from stealing all collateral and potentially looting large chunks of Uniswap, Compound. But they decided not to.
MakerDAO, which has about $340 million worth of ETH locked up. He is a governance system, and the governance system can call various internal functions. To mitigate the threat of malicious actors, the system has a mechanism for taking any action after the selection of a new administrative contract, hence the delay. During this delay, anyone with enough MKR can trigger settlement of the entire system, shutting down new enforcement contracts before they can perform dangerous things. This means that if a thief shows up and tries to vote in an execution contract that steals all the collateral in their scheme, even if they own more shares than other execution contracts, they have to wait for this delay and hope that no one in Defense mechanisms are triggered during this period.
The problem is, the Maker Foundation has determined that an appropriate value for this governance delay is 0 seconds.
Given the above, an attacker can do the following:
- Get 80,000 MKR by any means possible.
- Create an executing contract that is programmed to transfer all collateral from Maker to you.
- Immediately (in the same transaction) to vote on the contract.
- Activate the contract immediately (in the same transaction).
- Walk away with $340 million worth of ETH (give up your MKR).
there are more! Ethereum is a system based on binding agreements! This means that one can create a smart contract in which multiple mutually distrusting parties can collude under a strict set of rules. The rule could be this: If the contract charges 40,000 MKR, then anyone can trigger the contract and it will rob Maker instantly. After a successful heist, the loot will be divided equally among MKR contributors. If the robbery fails, participants can withdraw MKR. Anyone can withdraw their MKR at any time.
I have raised this attack scenario with Maker and they have made it clear that it is not worth giving up immediate governance control to prevent this attack. Their arguments are generally as follows
Attack vectors have been around for a long time, but so far so good.
Attackers must telegraph their attack
We will take legal action against any attacker
We will take legal action against any attacker
It's hard to be anonymous on Ethereum
Maker has been aware of this issue since before Maker v2 was released (probably since the beginning). Still, they chose not to plug the holes (which is easy). I don't expect any attacker to figure out a vulnerability to understanding Maker's governance model.
secondary title
Some secrets about DAO that you can't see at the developer conference
This is an article by JYP, the co-founder of Decred. It’s an article last month. It’s not bad. It mainly talks about the DAO’s recent attention at the developer’s conference. From experience, these lessons correspond to the four areas needed to achieve the purpose of a successful DAO: 1) humble leadership that fades as the project grows; 2) funding without special interests; 3) aggressive development; 4) The community is strongly involved in decision-making. The third point in it actually touched my ""
Leaders need to let go of themselves and eliminate themselves. The leader must be able to let go and, over time, hand over all control to the DAO.
get enough money. As funding often comes from the traditional financial system, new approaches are needed to ensure sustainable funding in these uncharted territories. Without infrastructure, we have no model to follow, so DAOs must forge paths, overcome obstacles, and find creative solutions.
Let the community decide. Members of a DAO must have real potency, not just the ability to comment on decisions, the more people who participate in a decision or vote, the fairer the outcome will be and the healthier the DAO will be. Direct voting means individuals have strict sovereignty and must bear the consequences of their decisions, while a delegated system means DAO members don't really belong. Instead, they are just staking to make money.
secondary title
An in-depth analysis of the cryptocurrency network economy
The author should be a Polkadot investor. This is a milk article about Polkadot and Web3. The article is still relatively long. The author mainly wants to express the following "three economic eras", which can be regarded as a very interesting investment narrative.
So far, the innovation of professional capabilities of economic entities has gone through three different eras, which we call the protocol era, the smart contract era and the interoperability era.
The Protocol Era (2008-2013)
The network space economy dominated by the agreement era and the peak of Bitcoin is characterized by its relatively simple economic behavior. In this day and age, there are significant obstacles to introducing a new class of economic agents (Script). Also, in this day and age, there are significant obstacles (forks) to changing the rules of the economy. These drawbacks are the main drivers behind the emergence of alternative cyberspace economies, changes in protocols and the emergence of new types of economic entities.
The Smart Contract Era (2014–2019)
The era of smart contracts reached its apogee as Ethereum became the dominant cyberspace economy. This era provides solutions to the ills of the Protocol Age by lowering the barriers to introducing new types of economic agents and allowing the creation of sub-economy within the larger cyberspace economy. The Ethereum Virtual Machine (EVM) and its programmable smart contracts have spawned an explosion of new specialized economic entities (smart contracts) and sub-economies (tokens). More importantly, this era brings about the so-called intraoperability: that is, the interoperability between these secondary economies but still within the larger cyberspace economy. The limitation of the capacity (cost, throughput) of smart contract platforms is the main driving force behind the emergence of alternative smart contract blockchains, again with changes in protocols and the emergence of new economic entities.
The era of interoperability (>2020)
Until now, most blockchains have been (and will remain) self-sufficient in a closed state. This status exists as long as an entity can survive or continue its activities without external assistance or international trade. If the self-sufficient economy also refuses any trade with the outside world, then economists can call it a closed economy.
There are clear signs of major innovation in the blockchain industry, making the cyberspace economy a more open economy. An open economy is an economy in which domestic communities and foreign communities trade in products (goods and services).
By working on blockchain interoperability, many projects are making significant strides toward a more open cyberspace economy. We at WEB3SCAN believe that Polkadot has the best ability to master the era of interoperability by cultivating specialized cyberspace economies and establishing the broadest foreign trade mechanism imaginable between these specialized cyberspace economies.
secondary title
All About HEX: Promises, Allegations and Responses
HEX has been very hot and controversial recently. Twitter cryptocurrency guru Richard Heart claims he created the best financial product ever created. In many ways it is superior to any other cryptocurrency including Bitcoin. There are many cryptocurrency bloggers and bitcoin maximalists attacking him as a fraud, but let's see if this HEX project is really a scam. I think he just added some staking designs. The design is a pure shit project, but his narrative and performance art are quite high-profile.
Richard Heart is giving away his new cryptocurrency for free to bitcoin scammers.
HEX A cryptocurrency that behaves like a bank savings account.
It has all the benefits of the blockchain: running on the Ethereum blockchain, HEX has a fixed annual inflation rate of 3.69%, and those who hold HEX for a certain period of time, in order to earn a percentage of the new HEX minted, 3.69%, Then he locks up BTC to obtain HEX.
Many high bonus ways,
Why HEX? (Sweating profusely, a little speechless, but it can be regarded as what the market needs now)
1- Its transaction volume will exceed that of any cryptocurrency (including Bitcoin). It used to run on Bitcoin, but switched.
2- Compared with the BTC in the lightning network, the amount of BTC wrapped in the HEX network is more.
3- More developers, the last developer conference of the HEX network had 2400 attendees.
4- A more ambitious roadmap, including zk-SNARK (anonymous), state channel (Layer2), ProgPOW (anti-ASIC), POS (more energy-efficient consensus), and sharding (expansion).
5- There are multiple core implementations, one written in RUST and one in GO.
6- Higher adoption of decentralized exchanges.
7 – Atomic Swap Technology
9- Multiple other blockchains support solid language written in HEX, it can switch to one of them.
secondary title
DeFi interest rate betting product: Maple
This is a derivative of Defi, similar to a bet on Defi interest rate, you can use Maple SmartBonds to speculate or hedge the interest rate of Compound that provides Sai. It’s not a big innovation, but you can still take a look at it. I believe there will be more and more Defi derivatives like this.
Speculation: If you want to make a profit when the compound interest rate rises, you can issue Maple SmartBonds and set a fixed interest rate. If the compound interest rate rises above this rate, the profit will increase.
