Dev says MakerDAO attackers could turn $20M in Ethereum into $340M almost instantly – The Next Web

A software developer claims to have found a way to carry out an expensive but incredibly profitable attack that would steal all the Ethereum available in MakerDAO.

Micah Zoltu described the potential attack in a blog post published on Monday, noting that a successful attack could see the hacker ride off into the sunset with $340 million worth of Ethereum.

"The problem is, Maker Foundation has decided that the appropriate value for this governance delay is 0 seconds. That is right, defenders have 0 seconds to defend against an attack launched by a wealthy but malicious party," he adds in the post.

The issue, Zoltu notes, lies in the way MakerDAO is governed. Some groups of plutocrats can control how the system behaves.

In order to carry out the attack, the hacker would have to deploy approximately $20 million (40,000 MKR), which wouldn't necessarily be straightforward. CoinDesk reports that the person would need to buy MKR without affecting the price, which is, of course, unlikely.

Zoltu claims Maker has been aware of the issue since before Maker v2 launched.

"Despite this, they are choosing not to plug the hole (the plug is easy). Because of that, I do not believe that it would be responsible for me to keep my mouth shut and hope that no attacker figures out what should be obvious to anyone who understands Maker's governance model," he notes.

Back in October, MakerDAO disclosed another dangerous security flaw that could have potentially allowed an attacker to steal the Ethereum (ETH) powering its then-unreleased multi-collateral Dai with a single transaction. This could've done untold damage to the credibility of the MakerDAO system.

At the time, a HackerOne disclosure report revealed the attack was made possible due to the complete lack of access control in a MakerDAO smart contract, which allows the system to auction collateral in exchange for DAI cryptocurrency once loans are liquidated.

Published December 9, 2019 16:20 UTC
