TUSD Disabled due to unannounced token upgrade

When the Smart Contracts team analyzed TUSD, we determined that since it uses an “upgradability proxy pattern” that the team controlling TUSD could point the token to a new implementation, one that hadn’t been vetted by the SC Team or an outside team with enough notice. Therefore, the token adapter for TUSD was fixed to a specific implementation of the code.

This morning, TUSD underwent 3 upgrades (an upgrade that was missing some safe math checks, then a downgrade back to the old one, then the one that’s currently active).

Token Adapters are some of the most powerful contracts in the Maker Protocol. They have access to the system core and require extensive auditing and vetting. We put this implementation whitelist in place to protect the system. Glad to see that it’s working! Personally, I don’t see any malice here, but we are going to need another round of verification for the new implementation.

We can discuss more here or in chat and I’ll be in touch with Rich and LFW and others to see how we proceed.

Thank you!

16 Likes

For information, here are the three txs that upgraded the implementation

Jun-04-2020 06:56:37 PM +UTC https://etherscan.io/tx/0x2fb06a28af05a55489dbcdf2581afa00820472be107bf60fbcf705bd18a41ae2

Jun-04-2020 07:05:27 PM +UTC https://etherscan.io/tx/0x33fd4215e5a4f96642014c64b3f7a54d51b58d7630775c02bb00557714cf6736

Jun-04-2020 09:20:24 PM +UTC https://etherscan.io/tx/0xa01f46f5693518da506b08e38b5073cf7cfc60895fa1c9e4114c275db7c24827

8 Likes

Tagging @RyanRodenbaugh from the TUSD team!

A couple of things to note.

The TUSD implementation code was reviewed at the time of the deployment and greenlighted by the Smart Contracts team. We have not reviewed any other implementation so the circuit-breaker was triggered that blocks new Joins and Exits.

  • TUSD can revert their implementation to the original contract and the adapter will immediately resume joining and exiting.

  • The Smart Contracts team can review the new implementation and present it for approval in a future executive spell.

  • The adapter supports multiple whitelisted implementations, so if TUSD or other tokens using the UpgradeabilityProxy would like to upgrade in the future, we can preemptively add a new implementation to the adapter whitelist to avoid any disruption in service.

7 Likes

Good catch. Security is one of the highest if not the #1 priority when making any system changes in MCD. I always appreciate the MakerDao smart contract team’s dedication and rigorous attention to detail in this area. Keep up the good work Mariano and team!

4 Likes
  • what kind of upgrade (goal) did they perform?
  • does that mean that TUSD team was unaware of Maker fixing join/exit to (fixed) pre-upgrade implementation?
  • is there any communication from TUSD Team (even unofficial)?
  • can we expect some official communication in the near future?
  • i see that oasis borrow app already has user friendly message (not available due to upgrade)

Quite disappointing.

Appreciate the update @Mariano_Conti. From the sounds of it, immediate action is not required. We’ll have Mariano and / or members of the smart contracts team on this weeks call to discuss the details of the issue and answer any questions.

@Smart-Contracts may then propose a change under the weekly cycle if they believe it to be advisable.

Just to make sure folks on this thread have the latest info, adding a link here to the TrustToken team’s response to these concerns:

1 Like