According to Micah Zoltu, the funds deposited as collateral in Maker DAO are not safe because the system's governance is vulnerable.
Indeed, Zoltu claims that anyone with about 40,000 MKR (roughly 20 million dollars) could take over all the funds deposited in Maker DAO as collateral for the generation of both DAI and SAI, as well as a good part of the funds held in Compound, Uniswap and other integrated systems, for a total of more than 340 million dollars.
The fault lies with Maker DAO v2 (Multi-Collateral DAI) and, in particular, with its lack of safeguards against a hypothetical hostile MKR holder: above all a governance delay, which would give time to react, for example with an emergency shutdown.
Maker DAO currently has about 340 million dollars in ETH locked in versions v1 and v2, but it is a “governed” system, and this, according to Zoltu, could allow some “groups of plutocrats” to control the behaviour of the system.
Zoltu points out that Maker DAO’s governance has access to a wide variety of internal functions that let whoever controls it do just about anything they want. Governance itself is a fairly simple “stake the leader” system: MKR holders stake their tokens on the contract they want to be in control of the system, and the contract with the most MKR staked is given that control.
The current executive contract has about 80,000 MKR staked, or about $41 million.
To mitigate this threat, the system provides for a delay between a contract taking the lead and being able to act. The problem Zoltu raises is that the Maker Foundation decided that the appropriate figure for this governance delay is zero seconds, so a hostile contract can act the instant it takes the lead. Zoltu also describes the hypothetical procedure an attacker could follow to take over all the collateral.
The procedure would be very expensive but, in theory, very profitable.
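To make the role of the delay concrete, here is a small simulation of a “stake the leader” governance module with a configurable execution delay. It is an added illustration for this article, not Maker’s own DSChief/DSPause code or anything from Zoltu’s write-up: the proposal names, the `Governance` class, its `vote`/`lift`/`schedule`/`drop`/`execute` methods, the MKR amounts and the defenders’ reaction time are all constructed for the example. It models the weak setting (a delay of zero seconds) beside a corrected one (24 hours) and shows that the delay only protects the collateral if honest holders re-vote within that window.

```python
"""Simplified model of a "stake the leader" governance module with a delay.

Added illustration for this article; NOT Maker's DSChief/DSPause code. It only
mimics the shape described in the text: the proposal with the most MKR staked
behind it becomes the leader ("hat"), and the leader may schedule an action
that becomes executable only once `delay` seconds have passed. All names,
stakes and timings below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Proposal:
    name: str
    action: Callable[[], str]   # what runs when the proposal executes
    approvals: int = 0          # MKR currently staked behind it


class Governance:
    def __init__(self, delay_seconds: int):
        self.delay = delay_seconds
        self.proposals: Dict[str, Proposal] = {}
        self.stakes: Dict[str, Tuple[str, int]] = {}  # holder -> (proposal, mkr)
        self.hat: Optional[str] = None
        self.scheduled: Dict[str, int] = {}           # proposal -> earliest exec time
        self.executed: List[str] = []

    def add_proposal(self, proposal: Proposal) -> None:
        self.proposals[proposal.name] = proposal

    def vote(self, holder: str, mkr: int, name: str) -> None:
        """Stake `mkr` behind `name`; a holder's previous stake moves with them."""
        if holder in self.stakes:
            old_name, old_mkr = self.stakes[holder]
            self.proposals[old_name].approvals -= old_mkr
        self.stakes[holder] = (name, mkr)
        self.proposals[name].approvals += mkr

    def lift(self, name: str) -> bool:
        """Anyone may make `name` the hat if it out-stakes the current hat."""
        current = self.proposals[self.hat].approvals if self.hat else 0
        if self.proposals[name].approvals > current:
            self.hat = name
            return True
        return False

    def schedule(self, name: str, now: int) -> None:
        """Only the hat may schedule itself; it becomes executable at now + delay."""
        if name != self.hat:
            raise PermissionError(f"{name} is not the hat")
        self.scheduled[name] = now + self.delay

    def drop(self, name: str, caller: str) -> None:
        """The current hat may cancel a scheduled plan that has not run yet."""
        if caller != self.hat:
            raise PermissionError(f"{caller} is not the hat")
        self.scheduled.pop(name, None)

    def execute(self, name: str, now: int) -> str:
        eta = self.scheduled.get(name)
        if eta is None:
            raise RuntimeError(f"{name} is not scheduled")
        if now < eta:
            raise RuntimeError(f"{name} not executable before t={eta}")
        del self.scheduled[name]
        self.executed.append(name)
        return self.proposals[name].action()


def simulate(delay_seconds: int, honest_react_after: int = 3600) -> List[str]:
    """Run a hostile takeover against a module with the given delay.

    Honest holders are modelled as noticing the hostile hat and re-voting
    `honest_react_after` seconds later. Returns the executed proposal names.
    """
    gov = Governance(delay_seconds)
    gov.add_proposal(Proposal("honest-spell", lambda: "adjust stability fee"))
    gov.add_proposal(Proposal("hostile-spell", lambda: "drain collateral"))

    # Constructed stakes: 80,000 MKR spread over the current hat.
    gov.vote("holder-A", 50_000, "honest-spell")
    gov.vote("holder-B", 30_000, "honest-spell")
    gov.lift("honest-spell")

    # Attacker out-stakes the hat at t=0 and schedules the hostile action.
    gov.vote("attacker", 80_001, "hostile-spell")
    gov.lift("hostile-spell")
    gov.schedule("hostile-spell", now=0)

    t_exec = delay_seconds  # earliest moment the attacker can execute
    if honest_react_after < t_exec:
        # Defenders win the race: more MKR arrives, the hat is retaken and
        # the pending plan is dropped before it can run.
        gov.vote("holder-C", 20_000, "honest-spell")  # 100,000 vs 80,001
        gov.lift("honest-spell")
        gov.drop("hostile-spell", caller="honest-spell")

    try:
        gov.execute("hostile-spell", now=t_exec)
    except RuntimeError:
        pass  # plan was dropped (or never became executable)
    return gov.executed


if __name__ == "__main__":
    print("delay 0s:  ", simulate(0))                 # hostile spell runs at once
    print("delay 24h: ", simulate(24 * 3600))         # defenders drop it in time
    print("slow react:", simulate(24 * 3600, 48 * 3600))  # delay alone is not enough
```

With a zero-second delay the hostile proposal is scheduled and executed in the same step, before anyone can respond; with a 24-hour delay the same attack is visible for a day and is cancelled as soon as honest holders out-stake it. The third run makes the caveat explicit: a delay is only a mitigation if the community actually reacts within the window, which is why the length of the delay, and not merely its existence, matters.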
Maker DAO: a known vulnerability?
Maker is in fact aware of the problem and has already started a vote to activate the governance delay. If it passes, the problem could soon disappear: with a delay in place, a takeover attempt would be visible before it took effect and could thus be averted.
Meanwhile, the gradual migration from the old SAI to the new DAI continues, and if the delay is reintroduced soon, this vulnerability will be resolved as well.