Over the last 24 hours or so, headlines have spread across the cryptosphere about the recently discovered exploit in the MakerDAO smart contract.
According to some reports, every dollar worth of collateral in the system was at risk – a very scary thought.
But how legitimate were these claims, and how close were we really to a MakerDAO apocalypse?
Real bug, fake news
It turns out the bug was very real. Upon closer inspection, however, the facts were somewhat twisted and the panic was unjustified.
Here are a few reasons why the MakerDAO bug headlines were little more than clickbait:
- The bug would only have affected the new Multi-Collateral Dai (MCD) smart contract, which will not be released for some time
Headlines were purposely worded so that the flaw appeared to affect the current smart contract – something that could’ve been catastrophic. The reality, however, is that the MCD upgrade does not go live for some time, and is still under testing – which brings us to our next point.
- The bug was found during a testing phase, and reported via the bug bounty program
This is nothing out of the ordinary for software releases in the crypto (or general tech) world. Testing phases and bug bounties are designed for discovering these flaws, and fixing them before the release date. Although the exploit was a serious one, it is unlikely that it would’ve remained undiscovered by the time the MCD smart contract was deployed.
- It’s been patched, and quickly at that
The flaw was nothing that the team couldn’t fix in a heartbeat. It has been fixed, and will not be exploitable once MCD is finally launched.
What was the bug?
When the value of a user’s collateralized debt position (CDP) in MakerDAO drops below a threshold value (creating a risk of default), the system is designed to automatically liquidate this collateral.
This liquidation is done via auction, and paid for in DAI.
The bug in the code was a missing validation mechanism for offers made in such auctions: users could make a fake offer of any amount of DAI, and purchase collateral with this non-existent money.
This bug would have had the most impact during a “liquidation phase”. This is a rare event in which the entire Dai system is halted, and all positions are liquidated at a fixed rate.
Since all collateral is liquidated simultaneously, all funds in the system would have been put at risk.
Such a liquidation phase is extremely rare, however, and can only be initiated via a stakeholder vote. It is reserved for special cases involving a system threat or software upgrade.
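The missing check described above can be shown with a simplified model. This is an added example, not MakerDAO's code: the class names, the escrow account and the balances are all constructed for illustration, and the hardened path simply requires each offer to be backed by DAI moved into escrow at bid time.

```python
class Ledger:
    """Constructed stand-in for an internal DAI balance sheet."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def move(self, src, dst, amount):
        # Refuse any transfer the sender cannot actually fund.
        if amount <= 0 or self.balances.get(src, 0) < amount:
            raise ValueError(f"{src} cannot fund {amount} DAI")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class CollateralAuction:
    ESCROW = "auction-escrow"  # hypothetical escrow account name

    def __init__(self, ledger, validate_bids):
        self.ledger = ledger
        self.validate_bids = validate_bids
        self.best_bid, self.best_bidder = 0, None

    def bid(self, bidder, amount):
        if amount <= self.best_bid:
            raise ValueError("bid does not beat the current best offer")
        if self.validate_bids:
            # Hardened path: the offer must be backed by DAI moved into
            # escrow now; the outbid party is refunded from that escrow.
            self.ledger.move(bidder, self.ESCROW, amount)
            if self.best_bidder is not None:
                self.ledger.move(self.ESCROW, self.best_bidder, self.best_bid)
        # Without validation the offer is only a number nobody checked.
        self.best_bid, self.best_bidder = amount, bidder


def run_auction(validate_bids):
    """Replay constructed bids; return (winner, rejected bidders, balances)."""
    ledger = Ledger({"alice": 500, "mallory": 0})  # constructed balances
    auction = CollateralAuction(ledger, validate_bids)
    rejected = []
    for bidder, amount in [("alice", 300), ("mallory", 1_000_000)]:
        try:
            auction.bid(bidder, amount)
        except ValueError:
            rejected.append(bidder)
    return auction.best_bidder, rejected, ledger.balances


if __name__ == "__main__":
    print("unvalidated:", run_auction(False))
    print("validated:  ", run_auction(True))
```

With validation off, the account holding no DAI wins the collateral and no balance changes; with validation on, its offer is rejected and the funded bid stays in escrow.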