Maker Foundation, the organization behind the development of the MakerDAO ecosystem, recently announced that the team had discovered a critical vulnerability in its voting contracts, in collaboration with Coinbase and Zeppelin. Coinbase, the leading cryptocurrency exchange, released a blog post titled ‘Technical Retro: Remediating the Vulnerability in MakerDAO’s Voting Contracts’. The blog post detailed the measures taken by the teams to “remediate the vulnerability – leading to no loss of funds”.

Coinbase’s blog post read,

“This story starts with smart contracts. We’ve historically stayed away from smart contracts as part of our infrastructure as we see the smart contract ecosystem as still fairly young […] With Coinbase Custody’s push to provide governance services to its clients, however […] became something we had to develop […]”

Further, it stated that the team built a custom VoteProxy smart contract in order to integrate MakerDAO voting with its cold storage system. This contract was then sent to its external audit partner, Zeppelin, for review, along with details of the inter-contract interactions in the MakerDAO voting ecosystem. The blog post stated,

“We knew something unusual was happening when Zeppelin scheduled an unplanned check-in. At this point, they briefly let us know they’d found a critical bug in MakerDAO voting. We reached out to the MakerDAO team and we all got on a call together within hours of the initial findings.”

[Image omitted. Source: Coinbase]

This was followed by the firm stating that there were a “couple of catches” with this situation, underlining three major points. The first was the possibility of loss of funds if an active attack took place before users withdrew their MKR from the old, vulnerable smart contract:

“However, the MakerDAO team was able to come up with a suite of mitigations that would significantly reduce the impact of any active exploitation. We think this is a fairly interesting corner case in vulnerability management in this kind of environment.”

The second point outlined was that the “vulnerable” smart contract was open source and would have become a problem had any other project started using it, which the post noted was “a common problem in open source software development”. The blog post further read,

“In the end, MakerDAO was able to ship a new contract, get network participants moved over and avoid any loss. This was only possible because of the outstanding work in discovering the vulnerability by Zeppelin and the rapid, collaborative involvement of all three parties in reviewing and addressing the issue.”

The post Coinbase reveals steps taken to tackle MakerDAO vulnerability without incurring loss of funds appeared first on AMBCrypto.