MakerDAO bug could’ve let hackers steal Ethereum powering its DAI stablecoin

in #crypto · 5 years ago

https://thenextweb.com/hardfork/2019/10/03/makerdao-security-vulnerability-ethereum-dai-stablecoin-collapse-theft-cryptocurrency/

“The cost of performing the attack is almost zero — just the minimal denomination of each type of gem stolen plus gas,” wrote the researcher who discovered the flaw.

MakerDAO’s smart contract had almost zero access control
A HackerOne disclosure report reveals the attack would have been possible due to a complete lack of access control in a MakerDAO smart contract, specifically the contract that was to allow the system to auction collateral in exchange for DAI cryptocurrency when loans are liquidated.

“A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value,” reads the disclosure. “Since the end contract trusts that value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract.”
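
The trust chain described in the disclosure, as an added example that is not MakerDAO's contract code: a simplified Python model in which an unguarded `kick` lets any caller record a starting bid that a settlement step later trusts, next to the same method restricted to an allowlist. The class names, the `authorized` set and the amounts are assumptions made for illustration.

```python
# Added example: a simplified model, not MakerDAO contract code.
# Class names, the `authorized` set and the amounts are constructed for illustration.

class Unauthorized(Exception):
    """Raised when a caller outside the allowlist tries to start an auction."""


class Auction:
    """Stand-in for the collateral auction contract and its kick method."""

    def __init__(self, authorized=None):
        # authorized=None models the reported flaw: no access control at all.
        self.authorized = authorized
        self.auctions = {}
        self.count = 0

    def kick(self, caller, lot, bid):
        # Hardened form: only trusted system components may open an auction,
        # so the starting bid can never come from an arbitrary account.
        if self.authorized is not None and caller not in self.authorized:
            raise Unauthorized(f"{caller} may not call kick")
        self.count += 1
        self.auctions[self.count] = {"lot": lot, "bid": bid}
        return self.count


class Settlement:
    """Stand-in for the 'end' contract, which trusts the recorded bid."""

    def __init__(self, auction):
        self.auction = auction
        self.dai = {}

    def settle(self, auction_id, account):
        # The bid is taken at face value; nothing here can tell who set it.
        bid = self.auction.auctions.pop(auction_id)["bid"]
        self.dai[account] = self.dai.get(account, 0) + bid
        return self.dai[account]


def credited_after_kick(auction, caller, lot, bid):
    """Return the Dai credited to `caller`, or None if kick was refused."""
    try:
        auction_id = auction.kick(caller, lot, bid)
    except Unauthorized:
        return None
    return Settlement(auction).settle(auction_id, caller)
```

The downstream contract cannot validate the bid on its own, so the check has to sit at the entry point that writes it.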
