All MKR Holders, on Friday 12pm EST, please vote for the GSM to be activated!

Update: The vote has now passed. Thanks to all who voted!


Based on the recent goings-on regarding flash loans, and the general concern over the risk of governance attack, it seems likely that we are going to put an executive proposal to activate the GSM on-chain on Friday.

Once the GSM executive goes live on Friday we need to make sure that it is activated as quickly as possible in order to minimise the risk of governance attack.

In the meantime, in order to defend against a possible governance attack, consider moving your MKR to the ‘Hat’ proposal.

So, to conclude, I am asking MKR Holders to do two things.

1. When this week's executive vote goes up (Friday, 12pm EST), please review it promptly, and seriously consider voting to activate the GSM as quickly as possible. It is critically important that this is activated as soon as possible.

2. Vote for the current hat proposal prior to Friday. This is the executive proposal that has already passed, and was created the Friday before last. The more MKR on this proposal, the safer the Maker Protocol is from attack. Current hat proposal can be found here: https://vote.makerdao.com/executive-proposal/activate-the-savings-rate-spread-and-the-sai-and-dai-stability-fee-adjustments

11 Likes

Is it possible to provide a quick explanation of how the GSM will help mitigate a governance attack (i.e. where an entity gains enough MKR to force an immediate executive vote, through the use of a flash loan / liquidity pools or otherwise)?

1 Like

Hello! Thanks for coming to the forum.

I’ll give a summary my best shot.

  • Activation of the GSM (Governance Security Module) means that there will be a delay between a proposal being ‘passed’ and a proposal becoming ‘active’
  • This immediately shuts down flash loans, because there is no way for an attacker to abuse the change that they voted in within the same block that they voted it in.
  • Outside of the use of flash loans or borrowed MKR generally, having a GSM delay means that for 24 hours (or the length of the delay), other MKR Holders can see what change will be activated, and react if it is malicious.
  • This reaction can take a couple of forms. If more MKR than the attacker owns can be brought to bear before the delay expires, the change can be cancelled. If we can’t muster more MKR than the attacker within the delay period, a quorum of MKR (currently 50k) can trigger Emergency Shutdown.
  • In practice, this means that governance attacks of this nature are not viable and shouldn’t happen. An attacker will never be able to financially benefit from an attack before Emergency Shutdown is called, so there is no incentive to attack the protocol, and we should never need to use the Emergency Shutdown mechanism.

Hope that answers your questions. 🙂

2 Likes
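
The delay mechanism described in the answer above, as an added toy model in Python; it is not part of the original thread and is not MakerDAO's contract code. The class and function names, the block-based delay unit (`DAY`) and all MKR amounts are constructed assumptions.

```python
# Toy model constructed for illustration; not MakerDAO contract code.
DAY = 5760  # assumed: ~24h of 15-second blocks

class Gov:
    """The proposal holding the most MKR (the 'hat') may schedule a change,
    which only becomes executable `delay` blocks later."""
    def __init__(self, delay, honest_mkr):
        self.delay, self.block = delay, 0
        self.votes = {"honest": honest_mkr, "attack": 0}
        self.eta = None          # block at which the scheduled change goes live
        self.executed = False

    def hat(self):
        return max(self.votes, key=self.votes.get)  # ties stay with "honest"

    def schedule(self):
        if self.hat() != "attack":
            raise PermissionError("only the hat may schedule a change")
        self.eta = self.block + self.delay

    def execute(self):
        if self.eta is not None and self.block >= self.eta:
            self.executed = True
        return self.executed

    def cancel(self):
        if self.hat() == "honest" and not self.executed:
            self.eta = None

def simulate(delay, honest_mkr, attacker_mkr, flash_loan, reinforcements, react_after):
    """Return the outcome of one attempt to push a malicious change."""
    gov = Gov(delay, honest_mkr)
    gov.votes["attack"] = attacker_mkr
    if gov.hat() != "attack":
        return "attack never becomes hat"
    gov.schedule()
    if gov.execute():                        # delay == 0: live in the same block
        return "executed in the same block"
    if flash_loan:
        gov.votes["attack"] = 0              # loan must be repaid in this block
    gov.block += react_after                 # time until holders respond
    if gov.block >= gov.eta:
        gov.execute()
        return "executed after delay"
    gov.votes["honest"] += reinforcements    # holders move MKR onto the hat
    gov.cancel()
    return "cancelled during delay" if gov.eta is None else "needs Emergency Shutdown"
```

With a zero delay the change is live before anyone can respond; with a delay, the outcome depends on how much MKR sits on the honest hat and how quickly holders react.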

Thanks - much appreciated. I guess that if an attacker set it up in such a way that after the 24 hour period, all pillaged ETH collateral was paid out to MKR token holders proportionally, then there may not be much of a motivation to enact Emergency Shutdown (or cancel the executive vote via a quorum) by MKR token holders. Having said that it does seem a step in the right direction.

Just realised that the title of this post previously specified 12pm PST, while the body specified 12pm EST. Pretty big cock-up on my part. Apologies all.

The correct time is: Friday 12pm EST

1 Like

Question on Emergency Shutdown: Is there an attack vector here as well, as in, flash loan or obtain 50k and trigger it?

Hello, welcome to the forum!

Ultimately yes, but not by using flash loans. MKR locked in the Emergency Shutdown module (when this reaches 50k, shutdown is triggered) is locked permanently. If this happens, the community need to decide whether the ES was malicious or not. If they deem it to have been justified, they can restore the MKR (technically we would need to mint more or migrate to a new token, but the actual mechanism isn’t super important).

This means that if you trigger ES maliciously you lose a bunch of money. Doesn’t mean that it can’t happen, but there is a high cost associated with it.

Link to docs: https://docs.makerdao.com/smart-contract-modules/emergency-shutdown-module#game-theory-of-funding-and-firing-the-esm

Ok, understand, guess question then becomes what the impact/disruption of this ES is on the overall DeFi landscape (given the importance of DAI)… And if an attacker can see a path to profit through the impact (with either a short or long duration) of an ES.

Maybe worth exploring this mechanism further.

@the_ocs

https://forum.makerdao.com/tag/emergency-shutdown

1 Like

If more MKR than the attacker owns can be brought to bear before the delay expires, the change can be cancelled.

Personally, I think 24hrs is too short to coordinate MKR in response to an attack, making emergency shutdown a more likely scenario. I would feel much better at 72 hrs to 1 week.

1 Like

I agree, but I think starting the debate around the actual delay now is probably a bad idea. 24 hours was the previous suggestion and is what everyone has been assuming it will be set to up until this point.

If we activate at 24 hours that fixes the current attack vector. Later on we have time to discuss and find a value that makes the most sense.

2 Likes

Classic perfection is the enemy of good situation

Totally agree, if 24hrs is more likely to pass quickly I’m all for it

3 Likes

Actually I would have preferred a 0 delay time with a dedicated team 24/24 working on this.

Since we are moving millions…worth it…

“A hacker never sleeps”

In practice, this means that governance attacks of this nature are not viable and shouldn’t happen. An attacker will never be able to financially benefit from an attack before Emergency Shutdown is called, so there is no incentive to attack the protocol, and we should never need to use the Emergency Shutdown mechanism.

an emergency shutdown by one anon person griefing flash loans would be bad

it’s easy to profit a lot by predicting a “black swan” accurately in any market

human nature is that people do things just to see if they can, for no profit

defi can’t survive on “lack of incentives” it requires “strong disincentives”

1 Like

You can’t trigger ES with flashloans. The Emergency Shutdown Module locks the MKR used to trigger it, you can’t get it back again.

The strong disincentive to this is that you lose all the MKR locked to trigger Emergency Shutdown.

4 Likes

Continuing the discussion from All MKR Holders, on Friday 12pm EST, please vote for the GSM to be activated!:

Hi all!

We did an analysis of the attack vector using flash loans and crowd funding to take over the Maker Governance Contract here: https://medium.com/@dominik.harz/stealing-all-of-makers-collateral-f940970605b1

Right now the attack is not possible using flash loans due to missing liquidity. However, if the liquidity at the flash loan pools becomes high enough, it is entirely possible. By introducing a delay through the GSM, flash loan attacks would be prevented.

Actually I would have preferred a 0 delay time with a dedicated team 24/24 working on this.

The problem with flash loans is that it would become a race condition even if you had a 24/7 team working on this. Best they could do is detect the tx with the flash loan in the mempool and try to get in a transaction before the attacker that would prevent the attack.

4 Likes

This is not the main problem actually? The one who got the more liquidity and CPU power calculation?

@dominik
Could you provide any reference for the numbers (i.e. available liquidity) you are citing in the article?
Where did you get 38k MKR available liquidity for kyber?

Not sure what you mean by more liquidity and CPU power. I mean if you had enough liquidity in a flash loan and if there is enough MKR available to buy within a single tx, then the attacker can execute within the single tx.
As a defense, you would have to see the transaction first before it is included in the longest chain. Then you would have to send a transaction that e.g. takes the same flash loan but replaces the governance contract with one that has the GSM with a delay > 0 activated to counter the attack. But then it becomes a decision of the miner which transaction will be included first.

Could you provide any reference for the numbers (i.e. available liquidity) you are citing in the article?
Where did you get 38k MKR available liquidity for kyber?

Sure! We used this https://dexindex.io/?symbol=MKR&amount=50000&action=buy to check the liquidity. On Kyber itself you would only see the liquidity they have in reserve (the swap). I guess you would have to execute the trade with the limit orders as well to get that amount of MKR. Also, the price has changed quite a bit since we did the last check. It has become more than 4x the price it seems.