'Critical' MakerDAO Vulnerability Could Have Frozen Voter Funds, Auditors Say

Published by Coindesk

A critical vulnerability on the programmatic lending platform MakerDAO could have made user funds irretrievable, according to security audit firm Zeppelin.

On Thursday, Zeppelin released a full disclosure outlining how the vulnerability could have moved user tokens and locked them permanently within the MakerDAO voting contract.

According to the document, the vulnerability was discovered and analyzed between April 22 and 26, at which point the MakerDAO team was informed, with a fixed contract being subject to an audit on May 2.

A separate post on the MakerDAO subreddit discussed the vulnerability and shared information about the new and uncompromised voting contract.

Taking a step back, MakerDAO is the preeminent lending platform for popular dollar-pegged stablecoin DAI. MakerDAO is also a decentralized governance platform through which MKR token holders have the power to vote on and execute changes to the DAI lending protocol.

"How the MakerDAO system of governance works is that there are several proposals which are encoded as Ethereum addresses and people can vote for one or the other by locking their MKR tokens in the chief voting contract," Alejo Salles, head of research at Zeppelin, told CoinDesk.

In essence, the vulnerability disclosed by the Zeppelin team jeopardized the MKR tokens held within the MakerDAO voting contract.

"Security is very sensitive in the crypto industry and in this case was possible because the MakerDAO team still has enough funds to make the change."

Given the highly sensitive nature of the security vulnerability, the MakerDAO Foundation leveraged the funds at its disposal to secretly execute a state change without broader public awareness.

According to Leung, part of Coinbase's efforts in supporting a third-party audit of the MakerDAO voting contract code was to ensure that capabilities being built on Coinbase to interface with MakerDAO were secure.
