Limiting Governance Attack Surface for Stablecoins

Currently, actions that change the Maker Protocol must wait for the Governance Security Module (GSM) delay before they go live. This module is designed to allow governance to mitigate a governance attack – where an attacker gets enough MKR to become the hat – by allowing MKR holders to respond to prevent a malicious action, or to call Emergency Shutdown using the burner.

This module also prevents governance from responding rapidly in an emergency, and all actions are subject to the delay. For this reason, the Maker Protocol employs a few “Moms” that give governance the ability to bypass the GSM delay in a few very limited ways.

One such way in which governance can bypass the GSM delay is to trigger the liquidation circuit breaker on or off. This is needed in case liquidations are found to be performing poorly to give governance a chance to trip the breaker as fast as possible.

Over the last year, however, governance has added a number of stablecoins that don’t have liquidations active and most likely will NOT need to be turned on in an emergency until governance can trust their liquidation process. That is, governance does not need emergency access to turn stablecoin vault liquidations on or off for USDC-A, USDC-B, TUSD-A, PAXUSD-A, GUSD-A, or PSM-USDC-A. The smart contract domain team believes this only increases the attack surface of the protocol by allowing the circuit breaker to bypass the delay in these specific cases.

The hypothetical attack scenario is as follows:

  • An attacker puts a 1 wei bidding keeper on all the stablecoin collaterals mentioned above.
  • That attacker creates a spell using the FlipperMom to turn liquidations on for all the collaterals mentioned above, and that spell is put into the governance contract.
  • The attacker then uses their MKR to vote on the malicious spell.
  • Liquidations for stablecoin Vaults are instantly enabled!
  • The attacker, or any keeper, proceeds to call cat.bite() on the stablecoin Vaults.
  • This action instantly fills the litterbox, preventing all liquidations.
  • And since the keeper ecosystem around stablecoins isn’t mature, the attacker can make unchallenged 1 wei bids winning all the stablecoin collateral available in the box (currently 15 million DAI) for any given max auction duration tau.

Mitigation considerations

  • This attack only works if an MKR holder has enough MKR to take the hat. Since DssChief 1.2 is no longer vulnerable to flash loans, this would be a well capitalized attacker. This attacker would need ~60k MKR to take the hat, which at current market prices means the attack would cost ~$90,000,000 to possibly win an additional $15,000,000.

Actions Taken

  • Rather than rely on the market dynamics of MKR, we believe we can mitigate this attack with low effort by removing the liquidation circuit breaker from the stablecoin vaults mentioned above.
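As an added illustration, not the domain team's actual spell code, the following minimal spell action applies the mitigation described above: it removes the FlipperMom's authorization on each stablecoin Flipper, so the Mom can no longer rely() the Cat on those Flippers without a delayed executive, and then asserts the resulting state. The FlipperMom and Flipper addresses are placeholders, and the interface is reduced to the wards/deny functions of MCD auth contracts.

```solidity
// SPDX-License-Identifier: AGPL-3.0-or-later
pragma solidity ^0.6.12;

// Minimal view of an MCD Flipper: the standard wards-based auth is all
// this spell needs. Every address in this file is a placeholder.
interface FlipLike {
    function wards(address) external view returns (uint256);
    function deny(address) external;
}

contract RemoveStablecoinCircuitBreakerSpell {
    // PLACEHOLDER: replace with the FlipperMom address from the chainlog.
    address constant FLIPPER_MOM = 0x0000000000000000000000000000000000000001;

    // PLACEHOLDER Flippers for the ilks named in the post:
    // USDC-A, USDC-B, TUSD-A, PAXUSD-A, GUSD-A, PSM-USDC-A.
    function stablecoinFlips() internal pure returns (address[6] memory f) {
        f[0] = 0x0000000000000000000000000000000000000011; // USDC-A
        f[1] = 0x0000000000000000000000000000000000000012; // USDC-B
        f[2] = 0x0000000000000000000000000000000000000013; // TUSD-A
        f[3] = 0x0000000000000000000000000000000000000014; // PAXUSD-A
        f[4] = 0x0000000000000000000000000000000000000015; // GUSD-A
        f[5] = 0x0000000000000000000000000000000000000016; // PSM-USDC-A
    }

    // Run through the pause proxy after the GSM delay, as executives are,
    // so each Flipper sees the proxy (one of its wards) as the caller.
    function execute() external {
        address[6] memory f = stablecoinFlips();
        for (uint256 i = 0; i < f.length; i++) {
            FlipLike flip = FlipLike(f[i]);
            // Weak state: FlipperMom is a ward and can rely(cat) instantly,
            // bypassing the GSM delay to switch liquidations on.
            if (flip.wards(FLIPPER_MOM) == 1) {
                flip.deny(FLIPPER_MOM);
            }
            // Hardened state: only a delayed executive (flip.rely) can
            // re-authorize the Mom, as the Future Considerations describe.
            require(flip.wards(FLIPPER_MOM) == 0, "flipper-mom-still-authorized");
        }
    }
}
```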

Conclusions

The smart contracts domain team suggests reducing the governance attack surface by removing the liquidation circuit breaker from any Vaults that have liquidations explicitly set to off.

Future Considerations

If we someday believe liquidations on stablecoin Vaults would be performant, governance should re-enable the instant circuit breaker for these Vaults. There is an edge case, where the DAI peg breaks low, where governance could enable liquidations on stablecoin Vaults to bring the peg back to parity with USD. Again, this would require confidence in the liquidation mechanism for those stablecoin Vaults, and may be irrelevant if MKR holders choose to only engage with stablecoins through the PSM.

Credits

  • Smart contract domain team for considering this attack and solution.

After discussions with @cmooney, this change will be included in the executive proposal tomorrow (Friday 15th January). The rationale for this is:

  • The change shouldn’t be contentious, people don’t tend to care too much about these mechanisms outside of an active emergency.
  • This change doesn’t meaningfully impede governance response to an emergency situation.
  • This change limits attack surface in the event of a governance attack.

Sounds great and costless to mitigate this hypothetical attack!


Sounds good–glad the Smart Contract Domain Team has visualized this attack. From a trader's point of view–shelling out $90M to gain 17% at the risk that MKR runs higher and then drops precipitously in value–couple that with the illiquidity/slippage of the Token–probably not the shrewdest trade/easiest money out there. 🙂



We will be turning off authorization from the liquidations circuit breaker in this week’s executive for the ilks PSM-USDC-A and UNIV2DAIUSDC-A for the same reasons as the ilks listed in the first post.
