Last week, an unknown market manipulator launched a sophisticated arbitrage attack against the bZx decentralized finance lending protocol, netting the bad actor some $350,000 USD worth of ether.
Days later, heads turned again when bZx suffered a separate oracle-based attack. This time, the culprit — whose style suggested it was the same agent or group behind the first incident — made off with roughly $650,000 in ETH.
Notably, both episodes involved flash loans, a new type of DeFi primitive that allows users to conduct complex sequences of financial activities within a single transaction. More simply put, a flash loan lets you borrow funds with no collateral, on the condition that the loan is paid back before the same transaction ends; if it isn’t, the whole transaction reverts as though the loan never happened.
It’s a powerful tool, and one the cryptoeconomy has now seen can be used for both good and bad ends. Regarding the latter, the bZx team has taken emergency measures to defend against new assaults, but DeFi stakeholders are now on high alert for further nefarious attempts against even bigger projects.
The Governance Vector
MakerDAO, which is easily the largest DeFi project right now, has a big target on its back.
The good news is that a major defensive mechanism is on the slate and could be activated in short order.
For context, MakerDAO is a decentralized lending platform. Its system lets users draw out automated loans denominated in the dollar-pegged Dai stablecoin against locked-up collateral like ETH.
MakerDAO’s governance token, MKR, is a key aspect of this system, insofar as MKR holders can participate in routine votes to steward the trajectories of the Maker and Dai projects. But what if a bad actor had a massive amount of MKR and voted with those tokens to essentially loot the Maker protocol’s collateral trove?
That’s the hypothetical catastrophe that no DeFi stakeholder wants to see. Fortunately, several large Maker “whales” are public-facing venture capital firms that have more to gain by helping the dApp succeed than by looting it, and there presently isn’t enough MKR liquidity around the cryptoeconomy for an attacker to source the necessary funds for a governance assault.
Still, the recent flash loan exploits against bZx have led to growing awareness that, if the conditions were right, a malicious agent could borrow a massive sum of MKR and attempt to attack Maker in rapid fashion. That’s where the aforementioned defensive mechanism, the so-called Governance Security Module (GSM), comes in.
Why the GSM Is a Big Deal
“The GSM is designed to give the MKR token holders a chance to review any changes that will go into the system and act accordingly if those changes are deemed to be malicious,” the Maker team explained last year.
With that said, an attacker could still try to mount a governance blitz against the Maker project, but the GSM would allow good-faith stakeholders to block nefarious voting results from ever being finalized.
The problem? The GSM is currently set at 0 hours, which means a DeFi predator could theoretically attempt to ambush Maker as things stand. This “0 hour” status would allow MKR voters to act decisively and immediately in the event of an early crisis, but it could also be abused quickly if governance were to be compromised.
That’s why an executive proposal to raise the GSM to a 24-hour delay is set to be decided by MKR voters on Friday, February 21st. If the proposal passes, Maker’s defenders would have a full day to respond to nefarious governance results.
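As an added illustration (not MakerDAO’s or bZx’s code), the following Python model of a GSM-style delay shows why the 0-hour setting matters: with no delay, a borrow-vote-execute sequence can finish inside a single block, while a 24-hour delay leaves a review window in which token holders can block the proposal before it finalizes. The class and function names (`GovernanceModule`, `pass_vote`, `block`, `single_block_attempt`, `defended_attempt`) and the proposal name are assumptions of the model, not Maker identifiers.

```python
from dataclasses import dataclass, field

DAY = 24 * 3600  # the proposed 24-hour GSM delay, in seconds

class GovernanceDelayError(Exception): pass  # executed too early, or after a block

@dataclass
class GovernanceModule:
    """Simplified model (not Maker's code) of a delay between a vote and execution."""
    delay: int                                 # seconds a passed proposal must wait
    now: int = 0                               # simulated block timestamp
    queue: dict = field(default_factory=dict)  # proposal -> earliest execution time

    def pass_vote(self, proposal: str) -> None:
        """A vote passes; the proposal becomes executable only after the delay."""
        self.queue[proposal] = self.now + self.delay

    def block(self, proposal: str) -> None:  # good-faith holders veto during the window
        self.queue.pop(proposal, None)

    def execute(self, proposal: str) -> bool:
        eta = self.queue.get(proposal)
        if eta is None:
            raise GovernanceDelayError(f"{proposal} is not queued (never passed or blocked)")
        if self.now < eta:
            raise GovernanceDelayError(f"{proposal} locked until t={eta}, now t={self.now}")
        del self.queue[proposal]
        return True

def single_block_attempt(delay: int) -> bool:
    """Borrowed MKR passes a proposal and executes it in the same block; True on success."""
    gov = GovernanceModule(delay=delay)
    gov.pass_vote("malicious-proposal")  # constructed proposal name
    try:
        return gov.execute("malicious-proposal")
    except GovernanceDelayError:
        return False  # the loan would have to be repaid before execution is possible

def defended_attempt(delay: int = DAY, reaction_time: int = 6 * 3600) -> str:
    """Defenders react after reaction_time seconds; returns the proposal's fate."""
    gov = GovernanceModule(delay=delay)
    gov.pass_vote("malicious-proposal")
    gov.now += reaction_time
    if reaction_time < delay:  # still inside the review window: the block lands in time
        gov.block("malicious-proposal")
    gov.now = max(gov.now, delay)  # advance to when the proposal would become executable
    try:
        return "executed" if gov.execute("malicious-proposal") else "blocked"
    except GovernanceDelayError:
        return "blocked"
```

With `delay=0` the defenders’ reaction time is irrelevant: the proposal is executable the moment it passes, which is the exposure the 24-hour proposal is meant to close.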
Notably, in recent weeks raising the GSM has been voted down by MKR voters, perhaps over a lack of awareness. Fresh community campaigning in support of a higher GSM means there will undoubtedly be more “yay” votes this go around, whatever happens.