HackerOne User Reveals Critical Bug Through MakerDAO Bounty Program

Published by Cointele

MakerDAO, the decentralized organization that runs on Ethereum, has fixed a critical bug that could have resulted in a complete loss of funds for all Dai users.

$50,000 bounty

On Oct. 1 HackerOne user lucash-dev disclosed a report that revealed a critical bug in MakerDAO's planned Multi-Collateral Dai upgrade.

The bug could have allowed an attacker to steal all of the collateral stored in the MCD system - possibly within a single transaction, lucash-dev said.

The bug was caught during the testing phase of the MCD upgrade and before any users had access to the system.

The report reveals that the attack was possible due to a complete lack of access control in a MakerDAO smart contract.

"A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value. Since the end contract trusts that value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract."

Lucash-dev reported the security flaw via the HackerOne forum and received a $50,000 bounty from MakerDAO's bounty program. It was the first critical finding in the program.

MakerDAO gives grant to freelance employment platform

Cointelegraph reported in September that blockchain-based employment platform Opolis received a developer grant from MakerDAO, which will allow it to bring MakerDAO's stablecoin DAI to Opolis' blockchain-based employment platform for freelancers.

"Maker is looking forward to seeing how Dai can help de-risk this emerging workforce."
