[Signal Request] Should the Maker Community burn attacking borrowed MKR in the event of a governance attack leading to protocol redeployment?

The purpose of this signal is to disincentivise large MKR Holders from providing MKR Liquidity on Lending Platforms and AMM Platforms until such a time as the Maker Governance contracts can be replaced with versions that cannot be attacked using flash loans.

Pros:

  • Hopefully disincentivises MKR Holders from providing liquidity that could be used for flash loans and used to attack the Maker Protocol.
  • It may encourage Maker Holders to vote, and become more aware of the risks that come along with providing MKR liquidity to the wider ecosystem.

Cons:

  • This may reduce MKR Liquidity in the wider ecosystem, making MKR trades harder to execute.
  • Reduced liquidity will make it harder for keepers to acquire MKR for FLAP and FLOP auctions.
  • This has the potential to frustrate or annoy MKR Holders that are currently providing liquidity.
  • This has the potential to drive MKR Holders that are providing MKR Liquidity away from the Maker Protocol.

The title is a simplification of the below statement. Please vote according to that statement and not the title of this thread.

Statement + poll follows:

“In the event of a malicious governance attack that leads to redeployment of the Maker Protocol prior to the introduction of flash loan guards into the governance process, the community and domain teams should do everything possible to burn the MKR involved in the attack, regardless of whether the owner was directly involved in the attack.” - How do you feel about this statement?
  • Yes, I agree with the above statement.
  • No, I disagree with the above statement.
  • I believe that the above statement should be rephrased and will suggest an alternative below.
  • Abstain

0 voters

This poll will remain open for at least 7 days (2020-11-04T16:00:00Z). After that time, it will either be extended or closed depending on participation.

If someone provides valid and critical feedback about the statement as currently formatted, I may restart the poll with the new statement.

5 Likes

Wait, are you saying that if I lend my MKR on Balancer, AAVE, etc., and it’s used to execute a Flash Loan – my MKR should be burned? If you can provide a simpler explanation of the quoted statement – that would be highly appreciated. Thank you in advanced.

NVM–that’s exactly what you’re saying…

2 Likes

From my eyes, if MKR that is borrowed by a 3rd party is basically maliciously used, then the MKR should be burned. How it got to being in a place that allowed it to be borrowed, is (in my eyes) irrelevant.

3 Likes

If you are on the lending MKR side and MKR used for the attack is burned, that might actually benefit the MKR lender… As they are burned, interest rate for lending out MKR will get much higher.

“But they are burned so they can’t pull out MKR liquidity” That is assuming MKR holders won’t redeposit to lending platform. In reality, as MKR lending interest rate will be high, many will actually deposit to take advantage of it (especially after the protocol is redeployed and burn penalty removed) Anyway, my point is the incentive is not so straight forward.

1 Like

Well, I’ll note that I’m abstaining as governance facilitator. But yes, that is what the statement means.

I’ll also highlight that the statement is of limited scope (ends when the governance contracts are no longer vulnerable to flash loan attacks.)

Signalling on something like this is a way of communicating with MKR Holders providing liquidity that what they’re doing comes with risks to the protocol that they are invested in, regardless of whether or not the signal passes.

5 Likes

Also, wouldn’t this create pervasive incentive to conduct more governance attacks using MKR flashloans as some benefit if a large amount of MKR gets burned?

4 Likes

It could initially. That said, if that MKR is actually burned (e.g. the community stands together to show that attack doesn’t go unanswered), then the next guy / gal will probably not be in a rush to do … Further, if borrowed MKR is burned, presumably the attacker would have a collateral issue for his / her loan. Finally, folks depositing MKR in platforms that allow it to be loaned out via flash loans (or any loans) will have reservations about engaging in lending if the MKR might be truly lost.

1 Like

We would only be burning it if they managed to successfully take down the protocol and we were forced to redeploy. Doing this would almost certainly lead to a massive drop in MKR price, and imo is unlikely to be profitable in either the immediate or extended term.

To your other points, flash-loaned MKR used in an attack would return to it’s owner after the attack, meaning that the interest rate in whichever lending protocol shouldn’t be affected. It’s also likely that a successful flash loan attack would need to utilize MKR currently present in AMM pools, which would also revert to the pool after the attack.

1 Like

I thought you and others (as you can see from mrabino1) were implying that if it’s flash loaned, then MKR can still be burned by whatever necessary. For example, if flashloan came from Aave, then contract somehow burn MKR there. Good to know that it’s not that way.

1 Like

A flash loan is a unique animal and I am absolutely not an expert in this. However, in general if borrowed MKR is used maliciously and it takes down the system, we should fork that MKR out of the protocol. It becomes far more difficult to grasp “how” when it is a flash loan… The spirit is the same.

I think that’s exactly what is being implied.

This seems quite agonistic towards LPs. This signal is open for 7 days, won’t the GSM pause delay be increased to 72 hours by then?

Seems like it should be the responsibility of ALL MKR holders that a malicious proposal that passes doesn’t get executed.

1 Like

To be completely honest, the mechanics of this haven’t really been thought through at this stage. This signal is more about the intention “We’re going to try to burn your MKR if it’s used to attack the protocol.” Rather than a concrete proposal on how we would achieve that. And to be honest, I think that helps to achieve the goal despite the uncertainty.

Possibly. If the GSM delay is increased to 72 hours, there is much less risk of a successful governance attack, so LPs should feel more comfortable where they are.

It very much depends how much MKR responds to the posts and votes on the current hat.

I feel like the community will be fairly antagonistic towards LP’s if there is a successful governance attack that was only possible because of the MKR deposited in AMMs.

I agree with this generally, and to be honest if there was a successful governance attack that required redeployment I think we would also be having a discussion on whether non-voting holders should keep 100% of their stake in the system.

1 Like

The Maker Foundation could secure the hat with their MKR. The governance delay should be increased to 72h ASAP. Those 2 actions should be enough for now.

1 Like

I disagree because of the social contract we have with MKT token holder. Most will never see this. They have the ownership of their token and never were told that it can be removed. Lending is quite standard in DeFi.

If I understand, those attacks are governance polls, not the hat. Hardly something that will change the world. Just have to follow the gov polls and the mandated actors can remove any suspicious result from the executive.

If the hat is at risk, we have a bigger problem. Their first action will be to burn most MKR token they don’t control. Not an expert but looking at the contract and if we can burn some MKR token, they can. In any case, MKR tokens can move between the executive and the actual execution I guess.

1 Like

The flash loan was used to lift the hat and execute in a non-organic manner (less capital was utilized than would normally be necessary). This particular hat didn’t have any nefarious code, but it is evident that a similar approach could be used to elect a malicious hat and cause damage to the protocol.

In this sense, any flash-lendable MKR poses a risk. People choose to lend to secondary platforms at their own peril. Note that this risk only manifests if a flash-loan attack does end in emergency shutdown. I also believe there is no other way to uphold the social contract of “malicious MKR would not be reinstated during a system redeployment”.

Because of the above, I think signaling this increases the DAO security by an appreciable amount without much realistic downside.

Can’t you just take a snapshot of all of the MKR before the proposal/vote is raised and only let those token holders vote or have their vote count?

Yes, exactly! This is what is being proposed by the smart contracts team in the Governance Contract Redesign, where the notion of snapshots is being used to record MKR balances at a point in time relative to the amount of MKR locked in the governance contract.

Poll closes in ~4 hours. Please vote if you haven’t already!

Polls are now closed and the majority appears to be in favour. This signal will move on-chain on Monday 9th November. Thanks to all who voted.

1 Like