HackerOne User Reveals Critical Bug Through MakerDAO Bounty Program

Published at: Oct. 3, 2019

MakerDAO, the decentralized organization that runs on Ethereum, has fixed a critical bug that could have resulted in a complete loss of funds for all Dai users.

$50,000 bounty

On Oct. 1, HackerOne user lucash-dev disclosed a report that revealed a critical bug in MakerDAO’s planned Multi-Collateral Dai (MCD) upgrade. The bug could have allowed an attacker to steal all of the collateral stored in the MCD system, possibly within a single transaction, lucash-dev said.

The bug was caught during the testing phase of the MCD upgrade and before any users had access to the system. 

The report reveals that the attack was possible due to a complete lack of access control in a MakerDAO smart contract. The report reads:

“A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value. Since the end contract trusts that value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract.”

Lucash-dev reported the security flaw via the HackerOne forum and received a $50,000 bounty from MakerDAO’s bounty program. It was the first critical finding in the program.
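
The trust relationship described in the report, as a simplified Python model added here for illustration; it is not MakerDAO's contract code and is not taken from the report. Only `flip.kick` and the end contract are named on the page; `settle`, the `liquidator` caller and all amounts are assumptions, and the settlement step is reduced to crediting the recorded bid.

```python
# Simplified model of the trust relationship in the report; NOT MakerDAO's
# contract code. Only `flip.kick` and the "end" contract are named on the page;
# `settle`, `liquidator` and all amounts are constructed for illustration.

class Unauthorized(Exception):
    pass

class Flip:
    """Collateral auction model. enforce_auth=False reproduces the reported gap."""

    def __init__(self, authorized, enforce_auth):
        self.authorized = set(authorized)
        self.enforce_auth = enforce_auth
        self.auctions = {}

    def kick(self, caller, lot, bid):
        # The missing control: only system contracts may open an auction,
        # because `bid` is recorded as if that Dai had really been paid in.
        if self.enforce_auth and caller not in self.authorized:
            raise Unauthorized(f"{caller} may not call kick")
        auction_id = len(self.auctions) + 1
        self.auctions[auction_id] = {"bidder": caller, "lot": lot, "bid": bid}
        return auction_id

class End:
    """Settlement model: credits each auction's recorded bid back as Dai."""

    def __init__(self, flip):
        self.flip = flip
        self.dai = {}

    def settle(self, auction_id):
        auction = self.flip.auctions.pop(auction_id)
        # Trusts flip's bookkeeping; a real bid and a fake one look identical here.
        bidder = auction["bidder"]
        self.dai[bidder] = self.dai.get(bidder, 0) + auction["bid"]
        return auction["bid"]

def dai_credited_to_outsider(enforce_auth, fake_bid=1_000_000):
    """Return how much Dai an unauthorized caller holds after settlement."""
    flip = Flip(authorized={"liquidator"}, enforce_auth=enforce_auth)
    end = End(flip)
    try:
        end.settle(flip.kick("outsider", lot=0, bid=fake_bid))
    except Unauthorized:
        pass  # hardened path: the auction never exists, so nothing is settled
    return end.dai.get("outsider", 0)
```

The control belongs in `kick` rather than in the settlement step, because by the time `settle` runs the recorded bid carries no evidence of who created it.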

MakerDAO gives grant to freelance employment platform

Cointelegraph reported in September that blockchain-based employment platform Opolis received a developer grant from MakerDAO, which will allow it to bring MakerDAO’s stablecoin Dai to its platform for freelancers.

Richard Brown, head of community development at MakerDAO, explained that while the freelance and gig economy offers freedom to many, it does not come without its downsides, and added:

“Maker is looking forward to seeing how Dai can help de-risk this emerging workforce.”
