On Oct. 1 HackerOne user lucash-dev disclosed a report that revealed a critical bug in MakerDAO’s planned Multi-Collateral Dai (MCD) upgrade. The bug could have allowed an attacker to steal all of the collateral stored in the MCD system, possibly within a single transaction, lucash-dev said.
MakerDAO, the decentralized organization that runs on Ethereum, has fixed a critical bug that could have resulted in a complete loss of funds for all Dai users.
The bug was caught during the testing phase of the MCD upgrade and before any users had access to the system.
The report reveals that the attack was possible because one method of a MakerDAO smart contract could be called without any access-control check. The report reads:
“A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value. Since the end contract trusts that value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract.”
lucash-dev reported the security flaw through the HackerOne platform and received a $50,000 bounty from MakerDAO’s bug bounty program; it was the program’s first critical finding.
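To make the class of bug in the quoted report concrete, here is a simplified, hypothetical auction contract written for this article. It is not MakerDAO’s code: the contract name, the Bid struct fields, the wards/auth authorization pattern and the bid-bound check are all assumptions used only to show an unchecked kick beside a hardened one. The point is that whatever a downstream contract trusts (here, the recorded bid value) must only be writable by an authorized caller and must satisfy a sanity bound at the moment it is written.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified collateral-auction contract (illustration only,
// not MakerDAO's Flipper). Names and checks below are assumptions.
contract Flipper {
    struct Bid {
        uint256 bid;   // Dai the auction is credited with (trusted downstream)
        uint256 lot;   // collateral up for auction
        address guy;   // current high bidder
        address usr;   // owner of the liquidated collateral
        address gal;   // recipient of auction proceeds
        uint256 tab;   // Dai owed by the liquidated position
    }

    mapping(uint256 => Bid) public bids;
    uint256 public kicks;

    // Assumed authorization pattern: only addresses with wards == 1
    // (e.g. the liquidation contract) may open auctions.
    mapping(address => uint256) public wards;

    modifier auth() {
        require(wards[msg.sender] == 1, "Flipper/not-authorized");
        _;
    }

    constructor() {
        wards[msg.sender] = 1;
    }

    function rely(address usr) external auth { wards[usr] = 1; }
    function deny(address usr) external auth { wards[usr] = 0; }

    // VULNERABLE: any caller can open an auction and record any bid value.
    // A contract that later trusts bids[id].bid will credit Dai that was
    // never paid in, which is the shape of the bug the report describes.
    function kickUnchecked(
        address usr, address gal, uint256 tab, uint256 lot, uint256 bid
    ) external returns (uint256 id) {
        id = ++kicks;
        bids[id] = Bid(bid, lot, msg.sender, usr, gal, tab);
    }

    // HARDENED: only an authorized caller may open an auction, and the
    // opening bid is bounded by the debt being covered, so the stored
    // value can be trusted by whatever settles the auction later.
    function kick(
        address usr, address gal, uint256 tab, uint256 lot, uint256 bid
    ) external auth returns (uint256 id) {
        require(bid <= tab, "Flipper/bid-exceeds-tab");
        require(lot > 0, "Flipper/zero-lot");
        id = ++kicks;
        bids[id] = Bid(bid, lot, msg.sender, usr, gal, tab);
    }
}
```

When reviewing auction or liquidation contracts, the check to make is the one this example isolates: for every state-creating entry point, ask who may call it and which of its arguments are later trusted without being recomputed. A missing auth on kickUnchecked is a one-line omission, but because the end-of-auction logic consumes the stored bid as if it had been paid, the omission is worth the full collateral pool.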
MakerDAO gives grant to freelance employment platform
Cointelegraph reported in September that Opolis, a blockchain-based employment platform for freelancers, received a developer grant from MakerDAO to bring MakerDAO’s stablecoin Dai to its platform.
Richard Brown, head of community development at MakerDAO, explained that while the freelance and gig economy offers freedom to many, it does not come without its downsides, and added:
“Maker is looking forward to seeing how Dai can help de-risk this emerging workforce.”
Hacker Returns Ethereum Domains Lost in Bug Exploit
The domain names stolen from the Ethereum Name Service’s (ENS) auction have been returned.
As CoinDesk reported at the time, the ENS bidding process managed by digital-collectibles marketplace OpenSea was exploited, allowing a hacker to nab 17 domain names for lower bids than other users placed. ENS and OpenSea asked the hacker to return the domain names, promising compensation for finding the bug.
An alternative to Web 2.0’s centralized Domain Name System (DNS), ENS is built on top of the Ethereum blockchain to leverage its immutability and decentralized properties. As it happens, immutability isn’t always a good thing.
Once the hacker claimed the ENS domain names – which included apple.eth – ENS and OpenSea’s only recourse was to blacklist the domains and ask for the hacker to return them.
Fortunately, they were.
Update: the stolen ENS names were all returned successfully to @ensdomains! Thanks for supporting the community; we’re working hard to restart bidding this week before #devcon5 and will send out emails to bidders when it’s ready
– OpenSea (@opensea) October 3, 2019
The hacker was apparently swayed by an attractive offer: 25 percent of the final bidding price for each of the returned domains once they are re-auctioned. Some of the domains carry impressively high asking prices; the owner of coffeshop.eth, for example, is asking 100 wrapped ether, worth about $17,000 at press time. With 17 domains stolen, the hacker could be in store for a decent payday depending on the auction prices.
OpenSea says auctions will commence again in the coming weeks.
Speaking with CoinDesk, ENS lead developer Nick Johnson said OpenSea had no direct communications with the hacker before the domains were returned. The company solicited feedback in a Sept. 29 blog post disclosing the bug.
“Evidently the hacker thought 25 percent was a better deal than trying to resell them themselves in the face of blacklisting. Or perhaps they’re just generous – either way we’re grateful.”