Vulnerabilities in Maker: Oracle-Governance Attacks, Attack DAOs, and (De)Centralization

Ariah Klages-Mundt
Coinmonks
12 min read · Nov 14, 2019

The security of the Maker stablecoin Dai relies on trusted oracles to provide pricing information. These are chosen through on-chain governance. Consequently, the oracle feed is manipulable by MKR token holders. In this article, I discuss attacks on Maker similar in style to 51% attacks, though not necessarily requiring 51% of MKR, in which a coalition can profitably manipulate governance to ‘steal’ system collateral. These attacks affect both the current single-collateral Dai (SCD or ‘Sai’) and the upcoming multi-collateral Dai (MCD) implementations, as well as similar systems with on-chain governance.

A consequence of these attacks is that, at current and historical market prices, ‘fully decentralized’ Dai is insecure from incentive misalignment. ‘Fully decentralized’ here requires that MKR is sufficiently distributed for the purpose of decentralization. The current Maker system is semi-centralized with most MKR reputedly held by a few Maker individuals and the Maker Foundation. This suggests that the market may discount MKR value because it is not sufficiently decentralized, and thus security of Dai relies on a trust link to the Maker Foundation and the possibility of legal recourse in the event of an attack. Either the market doesn’t realize that the potential for MKR governance attacks should lead to a lower bound on pricing, or the market is saying that MKR would be worth more if it were fully decentralized.

These attacks also suggest serious scaling issues with Dai: to maintain security, MKR value needs to grow substantially faster than Dai and collateral supplies. Dai and CDP holders need to bid up these prices for their security. Essentially, stable asset holders need to hold significant positions in a very risky asset in order to secure their stable position, which may defeat the purpose of the stablecoin.

I. Maker governance: oracles and global settlement

The Maker system is governed by MKR token holders, who vote on-chain to decide system parameters and processes. They are entrusted with three important tasks that are related to oracle security.

First, MKR holders populate Maker’s list of trusted oracles. The Maker system relies on these trusted oracles to provide real world price data, which is used to determine the threshold for collateralized debt position (CDP) liquidations.

Second, MKR holders influence protections against oracle manipulation. The Maker system builds in a maximum oracle price change in a given amount of time (the ‘price feed sensitivity parameter’) and an hourly delay on new oracle prices taking effect. MKR holders directly determine the price feed sensitivity parameter.

Third, MKR holders determine the set of ‘global settlers’ who can trigger global settlement, thus they can effectively control global settlement. In global settlement, the Maker system is frozen and participants (Dai and CDP holders) are able to recover their portion of the collateral as determined by the last oracle price.

Assuming honest MKR governance, oracle manipulation may be reasonably controlled. Hourly price delay provides emergency oracles (pre-determined by MKR holders) time to react to an attack. The Maker price feed takes the median of oracle prices, so a majority of oracles (including emergency oracles) would have to collude. Maximum oracle price change limits the immediate severity of an attack. And, if all else fails, the price delay provides time for global settlers (pre-determined by MKR holders) to trigger global settlement.

II. Oracle-governance attacks in Maker

With dishonest MKR holders, two important attacks become possible:

  • MKR→CDP Exit Attack: MKR holders could hold large amounts of CDPs, collude to choose oracles that will deliver ETH price ∞, and then trigger global settlement.
  • MKR→Dai Exit Attack: MKR holders could hold large amounts of Dai, collude to choose oracles that will deliver ETH price 0, and then trigger global settlement.

Both of these scenarios sweep the collateral value to the dishonest MKR holders, via their holdings of (respectively) CDPs or Dai. A profitable amount of CDPs or Dai will depend on the value in MKR required to facilitate the attack (more on this below).

Note that the oracle protections built into Maker don’t prevent these attacks. Dishonest MKR holders can collude to set a higher max hourly price change just before the attack. Via the oracles, they can then compound the max price change over multiple hours. This time gives other actors (e.g., Dai and CDP holders) time to react. Let’s explore what happens then in the Dai market:

In the MKR→CDP Exit Attack, when Dai holders realize the manipulation attack, their expectation of the long-term Dai price goes to zero. The Dai market becomes a fire sale as all Dai holders try to trade for other assets. This pushes the Dai price down, but doesn’t prevent the dishonest MKR holders from continuing the oracle manipulation and later triggering global settlement, realizing their gains.

In the MKR→Dai Exit Attack, when CDP holders realize the manipulation attack, their expectation of their share of the collateral value in a global settlement goes to zero. They rush to unlock their collateral. This can be partly blocked by MKR holders setting a higher over-collateralization threshold. To unlock collateral, CDP holders rush to buy back Dai. However, Dai holders now expect their Dai to be worth much more. The Dai market price increases to account for the extra collateral value, at which point CDP holders have already lost. The dishonest MKR holders can again continue the oracle manipulation and later trigger global settlement, realizing their gains.

To assure success of the attack, colluding MKR holders would need to control >50% of MKR tokens. The attack could potentially succeed with much less, however. For instance, voter participation is typically very low, the network can be clogged so that honest participants have little chance to react, and dishonest MKR holders could collude with miners to censor voting and CDP collateral transactions. A further complication is that MKR is burned when closing a CDP. Thus an attacker in the MKR→Dai Exit Attack could begin attacking the oracle with <50% of MKR and, once CDP holders start closing their CDPs (burning MKR and shrinking the supply), end up with a full 50%.
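To make the compounding point concrete, the following is an added example (not code from the article or from the Maker contracts). It models the price feed sensitivity parameter as a simplified per-update fraction `cap`, sizes the reaction window that emergency oracles and global settlers have before a feed reaches an extreme, and flags runs of cap-hitting moves in a constructed sample feed; `cap`, the function names and the sample prices are all assumptions.

```python
"""Reaction-window sizing and alerting for an hourly oracle price-change cap.

Added illustration, not Maker's code. Assumed model: each hourly oracle update
may move the price by at most `cap` (a fraction, e.g. 0.05 for 5%), and
successive updates compound. The sample feed below is constructed.
"""
from math import ceil, log


def hours_to_move(factor: float, cap: float) -> int:
    """Hourly updates needed to move the feed by `factor` (>1 up, <1 down) if
    every update hits the cap: the window in which settlers must react."""
    if factor <= 0 or not 0 < cap < 1:
        raise ValueError("factor must be > 0 and 0 < cap < 1")
    if factor == 1.0:
        return 0
    step = 1.0 + cap if factor > 1 else 1.0 - cap
    return ceil(log(factor) / log(step) - 1e-12)  # tolerance for exact hits


def flag_capped_runs(prices, cap, min_run=3, tol=0.01):
    """Return (index, length) for every run of >= min_run consecutive updates
    that each move by (about) the full cap in the same direction. A feed being
    walked to an extreme looks exactly like this, so each run is an alert."""
    runs, start, length, direction = [], None, 0, 0
    for i in range(1, len(prices)):
        move = prices[i] / prices[i - 1] - 1.0
        d = 1 if move > 0 else -1
        capped = abs(move) >= cap * (1.0 - tol)
        if capped and d == direction:
            length += 1
        elif capped:  # cap hit, but direction changed: new run
            if length >= min_run:
                runs.append((start, length))
            start, length, direction = i, 1, d
        else:  # ordinary move ends any run
            if length >= min_run:
                runs.append((start, length))
            start, length, direction = None, 0, 0
    if length >= min_run:
        runs.append((start, length))
    return runs


if __name__ == "__main__":
    CAP = 0.05  # assumed cap, not Maker's actual parameter
    print("hours to 10x:", hours_to_move(10, CAP), "| to 0.1x:", hours_to_move(0.1, CAP))
    feed = [180.0, 181.0, 179.5, 188.475, 197.89875, 207.7936875, 206.0]  # constructed
    print("capped runs (index, length):", flag_capped_runs(feed, CAP))
```

Raising the cap just before an attack, as the text describes, shortens the window `hours_to_move` reports, which is why the parameter change itself is worth alerting on.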

III. At current prices, Maker governance is vulnerable

The potential reward of these attacks is the total value of collateral locked in Maker. The cost of these attacks could be the cost of 50% of the MKR supply. If this reward is > the cost, there is a perverse incentive for profit-seeking MKR holders and a possible equilibrium in which a majority of MKR holders collude to perform this attack.

As of 5 Nov 2019, these values were collateral value C = $336m, MKR market cap M = $555m, and Dai market cap D = $96m. This yields the potential attack profit of

Under the MKR→CDP Exit Attack, this represents a joint coalition return of

Under the MKR→Dai Exit Attack, this represents a joint coalition return of

Following a swell in MKR price in the last few days, this measure of attack profitability has decreased to $19m. This remains substantial, especially considering that the profitability is only coming from the current SCD system, which has a small cap size, whereas the MKR price prospects stem from the soon-to-be-launched MCD system, which is expected to attain a larger size. Figure 1 tracks the full history of these profitability measures. During many extended periods, the profitability of these attacks has been much higher.

Figure 1: Potential profitability of a MKR oracle attack historically.

Actual profitability may be significantly higher

Note that actual profitability may be significantly higher for a few reasons. First, the Maker Foundation, which reportedly holds ~30% of MKR, has committed to not taking part in governance voting (see here). If they stick to this, or at some point remove their voting rights in the smart contracts, then much less MKR gives a coalition a controlling share, drastically decreasing the cost to attack. Figure 2 illustrates the significantly increased profitability in this case. Second, a minority of MKR holders and key miners could collude to perform the attack. Third, the attack could be combined with exploitation of other systems that piggyback on Maker oracles.

Figure 2: Potential profitability of a MKR oracle attack historically with Maker Foundation shares restricted from voting.

Other complicating factors

There are a couple of complicating factors that can affect the analysis. If the attackers need to acquire MKR, they will need to buy or borrow it. While rates for borrowing MKR can be low (2.6% on Nuo for the very small pool of $300k in September), a large acquisition would have a market squeeze effect and may be difficult if many MKR holders are honest, long-term hodlers. Similarly, if the attackers need to acquire large amounts of Dai or CDPs, this may be difficult given market forces. Successful acquisitions would likely be spread over a long period of time. Similarly, the gas costs to execute the steps of the attack will weigh on the profitability.

Coordinating collusion with an ‘Attack DAO’

This said, realistically, we don’t know who owns combined holdings of MKR, Dai, and CDPs, and many agents could collude. We can’t rule out that some coalition controls a mix of assets that makes this attack profitable. If such a coalition exists, the perverse incentive exists for that coalition to collude in this attack. To assure that enough colluders coordinate well, an ‘Attack DAO’ could be created that pools together the required mix of assets and triggers the attack steps to profit.

IV. Consequences for MKR pricing

MKR value comes from two factors: (1) the (discounted) value of regular cashflows, and (2) the conditional cashflow value from governance manipulation. Regular cashflows come from Maker fees (the ‘stability fee’) that are used to burn MKR — this regularly reduces the supply similar to a corporate share buyback scheme. The MKR value linked to regular cashflows is linked to expectations around Dai growth as a larger Dai system leads to more fees. The governance manipulation conditional cashflow represents the potential profitability of a MKR-orchestrated attack, such as the 51% attack described above. This is an ‘alternative’ way that MKR holders could cash out.

To be secure against governance manipulation, the MKR market cap would have to be >2× total collateral value (and potentially much higher if we consider more complex attacks mentioned above and the non-voting commitment of the Maker Foundation). Arguably, the MKR price in a decentralized Dai should reach these levels through market forces as otherwise the attack represents an arbitrage-like opportunity for some coalition (although this is not completely clear, as discussed in the next section).
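The profitability measure of section III and the M > 2C security condition above are the same calculation viewed from two sides. The following added example (not code from the article or from Maker) carries it through with the article's 5 Nov 2019 figures under the text's cost model: the attacker must control half of the MKR that can vote, and the reward is the entire locked collateral; the ~30% Foundation non-voting share is taken from the text, the class and function names are assumptions, and amounts are USD millions.

```python
"""Attack-profitability and security-margin calculator for MKR governance.

Added illustration, not the article's or Maker's code. Cost model from the
text: reward = all locked collateral C, cost = a controlling share of the
MKR that actually votes. Amounts are in USD millions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MakerSnapshot:
    collateral: float            # C: value locked in CDPs
    mkr_cap: float               # M: MKR market capitalisation
    dai_cap: float               # D: Dai market capitalisation (context only)
    nonvoting_share: float = 0.0  # fraction of MKR committed not to vote
    control: float = 0.5         # governance share needed to push the attack through


def controlling_cost(s: MakerSnapshot) -> float:
    """USD cost of the MKR needed to control governance, counting only MKR that votes."""
    return s.control * s.mkr_cap * (1.0 - s.nonvoting_share)


def attack_profit(s: MakerSnapshot) -> float:
    """Reward (all collateral) minus the cost of the controlling stake."""
    return s.collateral - controlling_cost(s)


def is_secure(s: MakerSnapshot) -> bool:
    """True when the attack is unprofitable. With control=0.5 and no
    non-voting share this is exactly the article's condition M > 2C."""
    return attack_profit(s) < 0


def min_secure_mkr_cap(s: MakerSnapshot) -> float:
    """Smallest MKR cap at which the attack stops being profitable."""
    return s.collateral / (s.control * (1.0 - s.nonvoting_share))


def max_secure_collateral(s: MakerSnapshot) -> float:
    """Largest collateral the current MKR cap can secure (the scaling limit)."""
    return controlling_cost(s)


if __name__ == "__main__":
    nov5 = MakerSnapshot(collateral=336, mkr_cap=555, dai_cap=96)
    print(f"5 Nov 2019: profit ${attack_profit(nov5):.1f}m, secure={is_secure(nov5)}")
    print(f"MKR cap needed for security: ${min_secure_mkr_cap(nov5):.0f}m")
    restricted = MakerSnapshot(336, 555, 96, nonvoting_share=0.30)
    print(f"Foundation not voting: profit ${attack_profit(restricted):.1f}m")
```

Running `max_secure_collateral` against a growing collateral series is a direct way to watch the scaling limit the article describes.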

Effects of semi-centralization

As noted in the intro, the Maker system is currently semi-centralized: most MKR is reputedly held by the Maker Foundation and a few Maker individuals. In this case, a governance attack would really have to be performed by Maker itself. They would be identifiable in such an attack and therefore potentially legally liable. In this case, a lower MKR price may be reasonable as the potential legal liability counterbalances any incentive to perform the attack for a quick profit. But this places a trust link to the Maker Foundation.

Because the attacks outlined above are potentially profitable today, either the market doesn’t realize that the potential for MKR governance attacks should lead to a lower bound on secure pricing, or the market may be discounting MKR because it is not sufficiently decentralized. In other words, MKR could be worth more if its distribution were more decentralized.

Can cashflows secure the system?

For the above reason, we can consider that the price of MKR today represents the expectations of regular cashflows from purchase and burning of MKR through CDP operations (this is essentially like share buybacks). This provides valuable data toward designing secure systems like this. Importantly, this illustrates that, in most cases, these cashflows are not sufficient to secure Maker.

In fact, if Maker were sufficiently decentralized, regular cashflows from share buybacks may be less necessary for governance security as we may expect rational agents to bid MKR price up to the attack value. From a security perspective, share buybacks would just be needed to push the MKR price marginally above the attack value. Thus, because Maker is semi-centralized, there is an effective tax on users to support the MKR price, whereas the fee revenue could potentially be better ported to support long-term stability.

Scaling issues

These attacks suggest a serious scaling issue with Dai: to maintain security, MKR value has to grow substantially faster than Dai supply and locked collateral. To ensure the security of their funds, Dai and CDP holders may need to bid up the MKR price. Thus stable asset holders would need to hold significant positions in a very risky asset in order to secure their stable positions, which may defeat the purpose of the stablecoin.

V. Toward solving these issues

The attacks and issues described above occur in a wider setting: a game played between stablecoin, CDP, and MKR holders (and also potentially miners), who strategically decide the mix of assets that they hold. Modeling this game can help us understand the assets that the different players need to hold (e.g., how much MKR) in order to secure the system. In particular, the players can’t risk too much MKR being owned by someone who has a right mix of assets to perform a profitable attack.

Several points are worth exploring in this context. It can help us understand how tokens need to be distributed to secure the system. If holdings of a risky asset need to be high, participating in the game may not be worth it for many players (e.g., stablecoin holders if they must hold MKR to secure the system). In which settings is it worth it for players to bid up governance price to secure the system? Are there other equilibria than bidding assets to a secure pricing? And what are the consequences for volatility of all of the tokens involved?

Toward the last point, MKR price stems from ‘created’ value connected to the collateral and amounting to several times its value. MKR value is meant to reflect the very uncertain outlook of the Dai stablecoin. In a system collapse (e.g., from attack), the total value of the system collapses to the collateral value, leaving many people with nothing. MKR is intended to absorb this and become worthless in this event, with the collateral settling obligations to stablecoin and CDP holders. However, by extension through the attacks described above, stablecoin and CDP positions also take on this risk. If MKR price is below secure levels, then various MKR, stablecoin, and CDP positions can be gamed out of their value in the settlement. These risks should factor into the volatility of these assets.

Whether intentional or not, Maker’s solution to these issues has been to centralize governance ownership and place a trust link to Maker (though it may not necessarily be invoked unless presented with a serious threat). This isn’t necessarily a problem — many traditional systems operate in this way. However, we should openly understand that this trust link exists. Notably, attacks could still be performed with miner collusion.

Based on a conversation with the Maker team at Devcon, there has been discussion toward setting the right threshold to call global settlement — e.g., setting it to 10% of MKR. It’s unclear that this solves the incentive problems discussed here, however. One point is that it’s not clear that calling global settlement early in the attack is the best response for an honest 10% MKR coalition. This is because their value would still take a large hit (possibly to 0) in an attack-based settlement. There could also be other abuses of settlement by a dishonest 10% coalition. Understanding the incentives comes back to understanding the game played between MKR, CDP, and stablecoin holders. With this different setup, a potential outcome could be a bribe from the attacking parties to 10% MKR coalitions, or between other parties.

Solving these problems in a decentralized way is still an open question, hence the importance of rigorous mechanism design work along the lines of the discussion in this section.

PhD student @ Cornell University, Twitter: @aklamun