On the 26th October, the Smart Contracts Domain Team detected voting behaviour irregularities with respect to: Increase the Surplus Buffer, Oracle Whitelisting - October 23, 2020 proposal. It has since been confirmed that a flash loan was used to pass the October 23rd proposal in the following manner:
- Oct 26, 2020, 17:37:17 UTC a single transaction was executed
a. WETH was borrowed from dYdX with a $20m flash loan (50k ETH)
b. This was deposited on AAVE, and used to borrow $7m MKR (13k MKR)
c. The MKR was locked in governance,chief.lock()
d. Voted on the proposal withchief.vote()
e. Made the hat with calledchief.lift()
f. Then freed withchief.free()
g. The spell with the hat was scheduled withspell.schedule()
h. The MKR was unlocked and returned to AAVE and dYdX - Finally, after the GSM delay of 12 hours (Oct 27, 2020, 05:37 UTC), the spell was then executed with
spell.cast()
The Maker Foundation has been in contact with the BProtocol team, and are aware that they were responsible for the flash loan. BProtocol has been fully transparent in communicating their actions once the Foundation became aware of the voting irregularities.
Their actions are a practical example for the community that flash loans can and may impact system governance and highlight that MKR market liquidity needs to be actively monitored.
The DAO also needs to assess its ability to react in the event a more contentious vote is pushed through. The fact that the proposal in question was directly related to BProtocol being whitelisted on the ETHUSD Medianizer and OSM oracles raises some concerns as to how/if flash loans should be accepted in such circumstances.
In addition to this issue, last week was the first time in which a malicious governance attack using flash-loans has been theoretically possible (the available MKR liquidity exceeded the value of MKR on the hat.)
While the GSM pause delay does allow governance 12 hours (currently) to react to a malicious proposal, it is still an open question as to whether MKR Holders would be able to react in time. Additionally, the Liquidation Circuit Breaker (FlipperMom) and the Oracle Freeze Module (OsmMom) are both modifiable outside of the GSM Pause Delay.
In light of both the flash loan on the 23rd and the reduced amount of MKR on the hat, both the Smart Contracts Domain Team and the Governance Facilitator feel that the risk of malicious governance action has become unacceptably high.
There are two primary issues that have been identified:
1. The risk of malicious governance action using flash loans has become unacceptably high.
2. Flash loans can be used to pass controversial governance proposals.
The rest of this post will deal solely with the first issue, with the second to be addressed once the Maker Protocol has been further secured against malicious governance proposals.
At time of writing, there is MKR liquidity available on multiple platforms that can be used by flash loan attacks:
- 42,649 MKR in Balancer
- 15,170 MKR in AAVE
- 5,626 MKR in Uniswap
This comes to a total of 63,445 MKR that is accessible using flash loans.
Given that the current hat proposal has ~79k MKR, there is no immediate risk of governance attack. However, there is risk when new executive proposals are submitted.
In light of this issue the Governance Facilitator and the MakerDAO Smart Contracts Domain team will take the following actions.
Actions
Prepare executive spell to minimize risk
The MakerDAO Smart Contracts Domain Team will prepare an executive spell that if ratified will take the following actions:
- The GSM pause delay will be increased to 72 hours.
- The Oracle Freeze Module (OsmMom) will be deauthorized.
- The Liquidations Circuit Breaker (FlipperMom) will be deauthorized.
We are aware that disabling the Oracle Freeze Module and the Liquidations Circuit Breaker increases risk in other areas. We feel that the Oracle and Liquidation risks are less than that of governance attack especially given the additional lightfeeds and box
parameter.
72 hours was chosen given that it stretches across at least one working day, regardless of the timing on the governance attack. This gives Governance more time to secure the hat, and domain teams time to prepare an action to cancel the plotted spells.
This executive spell will not immediately be put on-chain.
Gather more MKR on the hat proposal
We feel that additional MKR is required on the hat in order to ensure safety while MKR transitions from one proposal to another.
The Governance Facilitator will provide additional updates and next steps once either of the following conditions has been met.
- The MKR on the hat exceeds 100,000 MKR
- One week has passed.
100k MKR was chosen because it exceeds the 63k currently available liquidity, and the new governance portal has a feature that allows voting on multiple proposals at once which should mitigate the risk of the hat proposal decreasing below 63k during the transition.
Signalling around Governance Attack Response
The Governance Facilitator will post a signal request that will aim to confirm the following sentiment to all MKR Holders:
“In the event of a malicious governance attack that leads to redeployment of the Maker Protocol prior to the introduction of flash loan guards into the governance process, the community and domain teams should do everything possible to burn the MKR involved in the attack, regardless of whether the owner was directly involved in the attack.”
Reaching out to large MKR Holders
The Smart Contracts Domain Team, and the Governance Facilitator will attempt to contact large MKR Holders with MKR on Aave, Balancer and Uniswap with the aim of convincing them to remove MKR from these platforms until flash loan guards are in place and to add their MKR to the current hat and vote in the coming executive.
The executive containing YFI and BAL collateral onboarding will be delayed
The Smart Contracts domain team was aiming to have these complete this week, however the flash loan issue has taken priority for the time being.
The Smart Contracts Domain Team will explore options to mitigate the flash loan risk prior to the DssGov upgrade
Given the potential severity of flash loan related attacks, the Smart Contracts Domain Team feels that it is wiser to resolve the vulnerability from flash loans sooner than would be possible if they waited for DssGov.