HackerOne User Finds Critical Bug in MakerDAO Upgrade
Thanks to a report from HackerOne user lucash-dev, MakerDAO has fixed a critical bug that could have resulted in a complete loss of funds for all Dai users.
Bug Bounty Hunter
Lucash-dev took part in MakerDAO’s bug bounty program and made the first critical finding in MakerDAO’s planned Multi-Collateral Dai (MCD) upgrade. In a report submitted on Oct. 1st, lucash-dev wrote that the bug could have enabled an attacker to steal all collateral stored in the MCD system, potentially in one fell swoop.
In the report, lucash-dev attributes the bug to a complete lack of access control in a MakerDAO smart contract. The report states: “A lack of validation in the method of flip.kick allows an attacker to create an auction with a fake bid value. Since the end contract trusts that (fake-bid) value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract.”
After identifying the security flaw, lucash-dev was awarded a $50,000 bounty. The bug was discovered during the testing phase of the MCD upgrade, before general user access had been granted.