{"id":100580,"date":"2020-10-29T20:46:58","date_gmt":"2020-10-29T17:46:58","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/maker-community-scrambles-to-fix-long-standing-vulnerability-to-flash-loans\/"},"modified":"2020-10-29T20:46:58","modified_gmt":"2020-10-29T17:46:58","slug":"maker-community-scrambles-to-fix-long-standing-vulnerability-to-flash-loans","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/maker-community-scrambles-to-fix-long-standing-vulnerability-to-flash-loans\/","title":{"rendered":"# Maker community scrambles to fix long-standing vulnerability to flash loans"},"content":{"rendered":"<p>&#8220;<strong># Maker community scrambles to fix long-standing vulnerability to flash loans <\/strong>&#8221;<br \/>\n<img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjAtMTAvMDc5Y2ZiMGUtMzc1Mi00M2I1LTgzODEtNTRjZTIzZTlmMTFiLmpwZw==.jpg\" \/><\/p>\n<div data-v-5a136f3a=\"\">The MakerDAO (MKR) community is urgently implementing measures to prevent voting manipulation through flash loans. This was precipitated by what is likely the first instance of the feature being used to influence a DeFi governance vote on Oct. 26.<\/p>\n<p>According to a post <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/forum.makerdao.com\/t\/urgent-flash-loans-and-securing-the-maker-protocol\/4901\">published<\/a> by community member LongForWisdom, someone used a flash loan to force a governance proposal through. BProtocol, a service that lets users pool liquidity to join in Maker debt auctions, came forward as the culprit.<\/p>\n<p>The proposal would have whitelisted the project to access Maker\u2019s price oracle, making it possible to run decentralized keepers.<\/p>\n<p>BProtocol used dYdX\u2019s flash loan feature \u2014 an unbacked loan that is only granted if it is also returned within the same block. 
This requirement means that its users must have a predefined path for the money they borrow, and it is only useful for operations that can be completed instantly.<\/p>\n<p>Maker community member Monetsupply explained to Cointelegraph that the governance contracts did not feature any lock-up period:<\/p>\n<blockquote><p>\u201cCurrent MKR gov system allows voters to lock their tokens, immediately vote to pass a proposal, and then unlock the tokens all in the same block.\u201d<\/p><\/blockquote>\n<p>Using flash loans to engage in governance can be seen as manipulative because the money is essentially free. Anyone could use them to execute their own proposals without being a Maker stakeholder.<\/p>\n<p>The governance power is limited to how much MKR is contained in various DeFi protocols. In this specific case, MKR was sourced from Aave, but up to 64,000 MKR worth $34 million is available for flash loans. This is enough to influence at least some of the future governance proposals.<\/p>\n<p>Due to this, the community is engaging emergency containment measures to make exploitation harder as they wait for a more definitive fix. A twelve-hour delay between proposals passing and being executed \u2014 introduced to allow for the community to challenge malicious votes \u2014 will be extended to 72 hours.<\/p>\n<p>Furthermore, the community is disabling circuit breakers that would allow governance to turn off oracles and liquidations, as they could be potentially abused by malicious actors to exploit the system for money. 
<\/p>\n<p>The case that set off the alarms was relatively minor, with the founder of BProtocol saying that \u201cwe meant no harm, and no harm was made.\u201d He further suggested that this was \u201caimed to trigger an internal technical discussion,\u201d and that he did not expect such a dramatic community response.<\/p>\n<p>A proposal to fix the underlying issue had been under <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/forum.makerdao.com\/t\/mip26-dssgov-governance-contract-redesign\/4589\">discussion<\/a> for at least three weeks, but \u201cthis incident made it much more urgent,\u201d Monetsupply said.<\/p>\n<p>A relatively simple solution involves measuring a user\u2019s voting power from the tokens locked in the preceding block, thwarting any flash loan-based attack. This fix is expected to be added soon by the Maker Foundation, though no concrete deadlines have been announced yet.<\/p>\n<p>Some in the community see this incident as a good thing, as it was a long-standing issue that \u201cshould have been fixed before,\u201d said forum member TheoRochaix. 
As no harm seems to have been done, it is a much less expensive lesson than the Black Thursday auction failure.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/maker-community-scrambles-to-fix-long-standing-vulnerability-to-flash-loans\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;# Maker community scrambles to fix long-standing vulnerability to flash loans &#8221; The MakerDAO (MKR) community is urgently implementing measures to prevent voting manipulation through flash loans. This was precipitated by what is likely the first instance of the feature being used to influence a DeFi governance vote on Oct. 26. 
According to a post&#8230;<\/p>\n","protected":false},"author":1,"featured_media":100581,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/s3.cointelegraph.com\/uploads\/2020-10\/079cfb0e-3752-43b5-8381-54ce23e9f11b.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74868,74891,77655,4965],"class_list":["post-100580","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-defi","tag-ethereum","tag-maker","tag-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/100580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=100580"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/100580\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/100581"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=100580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=100580"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=100580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}