Critical ItchyDAO Bug in the Voting Contract of MakerDAO

Details

In the MakerDAO system, users could lock up their MKR to vote and participate the governance, you can refer to FAQ for more details.

function lock(uint wad)
public
note
{
GOV.pull(msg.sender, wad);
IOU.mint(msg.sender, wad);
deposits[msg.sender] = add(deposits[msg.sender], wad);
addWeight(wad, votes[msg.sender]);
}
function free(uint wad)
public
note
{
deposits[msg.sender] = sub(deposits[msg.sender], wad);
subWeight(wad, votes[msg.sender]);
IOU.burn(msg.sender, wad);
GOV.push(msg.sender, wad);
}
mapping(bytes32=>address[]) public slates;
mapping(address=>bytes32) public votes;
mapping(address=>uint256) public deposits;
function etch(address[] yays)
public
note
returns (bytes32 slate)
{
require( yays.length <= MAX_YAYS );
requireByteOrderedSet(yays);
bytes32 hash = keccak256(yays);
slates[hash] = yays;
Etch(hash);
return hash;
}
function vote(address[] yays) public returns (bytes32)
// note both sub-calls note
{
var slate = etch(yays);
vote(slate);
return slate;
}
function vote(bytes32 slate)
public
note
{
uint weight = deposits[msg.sender];
subWeight(weight, votes[msg.sender]);
votes[msg.sender] = slate;
addWeight(weight, votes[msg.sender]);
}
Figure 1: The flow of vote(address[] yays)
mapping(bytes32=>address[]) public slates;
mapping(address=>uint256) public approvals;
function addWeight(uint weight, bytes32 slate)
internal
{
var yays = slates[slate];
for( uint i = 0; i < yays.length; i++) {
approvals[yays[i]] = add(approvals[yays[i]], weight);
}
}
function subWeight(uint weight, bytes32 slate)
internal
{
var yays = slates[slate];
for( uint i = 0; i < yays.length; i++) {
approvals[yays[i]] = sub(approvals[yays[i]], weight);
}
}
Figure 2: Precalculate the sha3 hash (slate)
Figure 3: Call etch() to assign sha3 hash (slate)

Timeline

About Us

PeckShield Inc. is a leading blockchain security company with the goal of elevating the security, privacy, and usability of current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us at telegram, twitter, or email.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store