DEFISECURITY

Governance Alert Resurfaces! Project Side Votes with Flash Loans on Specific MakerDAO Governance Proposal

share
Governance Alert Resurfaces! Project Side Votes with Flash Loans on Specific MakerDAO Governance Proposal

Throughout this year, there has been a surge in hacker incidents targeting various DeFi protocols through "Flash Loans." Recently, a Flash Loan was even used to manipulate a governance proposal in MakerDAO. The team has issued a warning regarding this matter and has extended the execution time after passing governance proposals to 72 hours to ensure they have enough time to address similar malicious attacks in the future.

Case Rings Governance Alarm

MakerDAO mentioned the flash loan incident in the announcement released on October 29th, stating that the team behind the lending protocol B Protocol hoped to whitelist the protocol for accessing MakerDAO's oracle prices. In order to achieve this goal, the team initiated a proposal for the oracle whitelist on the 23rd and used flash loans to "vote" on the 26th. The process of a single transaction (flash loan) executed on the 26th is as follows:

  • Borrowed 50,000 WETH (approximately 20 million USD) from dYdX
  • Collateralized in AAVE and borrowed 13,000 MKR
  • Locked MKR in governance proposal and voted
  • Unlocked MKR, returned to AAVE and dYdX

The MakerDAO governance team pointed out that the actions of B Protocol were not malicious. When the team discovered the violation, they understood that the flash loan was orchestrated by B Protocol. B Protocol has been in close communication with MakerDAO and fully disclosed their steps. MakerDAO views this incident as a security warning for governance mechanisms and uses it as a case study for the community.

Follow-up Measures

The MakerDAO governance team believes that flash loans may affect governance mechanisms and emphasizes the need to actively monitor the liquidity of governance token MKR in the market. They pointed out two main issues highlighted by this incident:

  • The risk of malicious governance through flash loans has become unacceptably high
  • Flash loans may be used to manipulate controversial governance proposals

The circulating MKR available for flash loans in the current market is as follows:

  • Balancer: 42,649 MKR
  • AAVE: 15,170 MKR
  • Uniswap: 5,626 MKR

A total of 63,445 MKR is available for flash loans, while there are approximately 79,000 MKR in current proposals. There is still potential risk when submitting Executive Votes proposals, so MakerDAO has decided to change the delay time for the Governance Security Module (GSM) to 72 hours.

In addition, the MakerDAO governance team will try to communicate with large MKR holders on platforms such as Aave, Balancer, and Uniswap to persuade them to withdraw MKR tokens from the platforms. The update originally scheduled for this week to include Yearn Finance (YFI) and Balancer (BAL) as loan collateral has been postponed due to the flash loan incident.