Currently, actions that change the Maker Protocol must wait for the Governance Security Module (GSM) delay before they go live. This module is designed to allow governance to mitigate a governance attack – where an attacker gets enough MKR to become the hat
– by allowing MKR holders to respond to prevent a malicious action, or to call Emergency Shutdown using the burner.
This module also prevents governance from responding rapidly in an emergency, and all actions are subject to the delay. For this reason, the Maker Protocol employs a few “Moms” that give governance the ability to bypass the GSM delay in a few very limited ways.
One such way in which governance can bypass the GSM delay is to trigger the liquidation circuit breaker on or off. This is needed in case liquidations are found to be performing poorly to give governance a chance to trip the breaker as fast as possible.
Over the last year, however, governance has added a number of stablecoins that don’t have liquidations active and most likely will NOT need to be turned on in an emergency until governance can trust their liquidation process. That is, governance does not need emergency access to turn stablecoin vault liquidations on or off for USDC-A, USDC-B, TUSD-A, PAXUSD-A, GUSD-A, or PSM-USDC-A. The smart contract domain team believe this only increases the attack surface of the protocol by allowing the circuit breaker to bypass the delay in these specific cases.
Hypothetical attack scenario is as follows
- An attacker puts a
1 wei
bidding keeper on all the stablecoin collaterals mentioned above. - That attacker creates a spell using the
FlipperMom
to turn liquidations on for all the collateral’s mentioned above, and that spell is put into the governance contract. - The attacker then uses their MKR to vote on the malicious spell.
- Liquidations for stablecoin Vaults are instantly enabled!
- The attacker, or any keeper, proceeds to call
cat.bite()
on the stablecoin Vaults. - This action instantly fills the
litterbox
, preventing all liquidations. - And since the keeper ecosystem around stablecoins isn’t mature, the attacker can make unchallenged
1 wei
bids winning all the stablecoin collateral available in thebox
(currently 15 million DAI) for any given max auction durationtau
.
Mitigation considerations
- This attack only works if an MKR holder has enough MKR to take the
hat
. SinceDssChief 1.2
is no longer vulnerable to flash loans, this would be a well capitalized attacker. This attacker would need ~60k MKR to take the hat, at current market prices, means the attack would take ~$90,000,000 to possibly win an additional $15,000,000.
Actions Taken
- Rather than rely on the market dynamics of MKR, we believe we can mitigate this attack with low effort by removing the liquidation circuit breaker from the stablecoin vaults mentioned above.
Conclusions
The smart contracts domain team suggests reducing the governance attack surface by removing the liquidation circuit breaker from any Vaults that have liquidations explicitly set to off.
Future Considerations
If we someday believe liquidations on stablecoin Vaults would be performant, governance should re-enable the instant circuit breaker for these Vaults. There is an edge case, where the DAI peg breaks low, where governance could enable liquidations on stablecoin Vaults to bring the peg back to parity with USD. Again, this would require confidence in the liquidation mechanism for those stablecoin Vaults, and may be irrelevant if MKR holders choose to only engage with stablecoins through the PSM.
Credits
- Smart contract domain team for considering this attack and solution.