Maker community scrambles to fix long-standing vulnerability to flash loans

The MakerDAO community is urgently implementing measures to prevent voting manipulation through flash loans.

According to a post published by community member LongForWisdom, someone used a flash loan to force a governance proposal through.

BProtocol used dYdX's flash loan feature - an unbacked loan that is only granted if it is also returned within the same block.

Using flash loans to engage in governance can be seen as manipulative because the money is essentially free.

In this specific case, MKR was sourced from Aave, but up to 64,000 MKR worth $34 million is available for flash loans.

Due to this, the community is engaging emergency containment measures to make exploitation harder as they wait for a more definitive fix.

A twelve hour delay between proposals passing and being executed - introduced to allow for the community to challenge malicious votes - will be extended to 72 hours.

The community is disabling circuit breakers that would allow governance to turn off oracles and liquidations, as they could be potentially abused by malicious actors to exploit the system for money.

A proposal to fix the underlying issue was being discussed for at least three weeks, but "This incident made it much more urgent," Monetsupply said.

A relatively simple solution involves measuring a user's voting power from the tokens locked in the preceding block, thwarting any flash loan-based attack.