Report: Hackers Took Advantage of ETH Mempool Congestion to Steal $8.3M from MakerDAO
During the market crash in March, bad actors stole $8.3 million from the DeFi protocol MakerDAO. The latest research from analytics company Blocknative suggests that this was made possible by manipulation of the Ethereum (ETH) mempool.
Just published: “Evidence of Mempool Manipulation on Black Thursday: Hammerbots, Mempool Compression, and Spontaneous Stuck Transactions” https://t.co/koXjcbSaDK
— Blocknative (@blocknative) July 22, 2020
According to the report, the hackers deployed bots to overload the ETH mempool with unusually low-fee transactions. This slowed transaction confirmation and in some cases even caused transactions to fail.
Ethereum unconfirmed transaction volume chart
Attackers took advantage of DAI features
The attackers took advantage of how DAI works: to borrow DAI, a user has to deposit ETH as collateral in the system, and to reclaim that collateral, the user has to pay back the same amount in DAI.
To maintain the market value of DAI, a system was put in place for liquidation of collateral through an auction if the price of the asset falls below a specified level. On Black Thursday ETH’s price nearly halved, triggering the liquidation mechanism. The report further explains:
“When the price of ETH collapsed on March 12, a large number of CDPs [collateralized debt positions] immediately became undercollateralized and eligible for forcible liquidation. MakerDAO and the Ethereum ecosystem are incentivized to operate various Keeper bots in order to ensure a competitive marketplace for liquidated CDP positions. Such liquidations occur in auctions.”
Due to the clogged mempool, owners of collateral could not get their auction bids through.
“One negative consequence of this congestion were ‘zero bid auctions’ on liquidated MakerDAO CDPs. Of the 3,994 liquidation auctions associated with Black Thursday, 1,462 or 36.6% were won by zero bids. Over a roughly 12 hour period, $8.32 million in aggregated locked CDP value was lost to these zero bid auctions.”
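The liquidation rule and the zero-bid outcome described above can be modelled as a small audit script. This is an added example, not code from Blocknative or MakerDAO; the 150% ratio, the 1 DAI = 1 USD simplification, the prices, the vaults and the auction records are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumption: 150% minimum collateralization; the article only says "a specified level".
LIQUIDATION_RATIO = Decimal("1.5")

@dataclass
class Vault:
    vault_id: str
    eth_locked: Decimal
    dai_debt: Decimal  # treated as USD (assumes 1 DAI = 1 USD)

@dataclass
class Auction:
    vault_id: str
    winning_bid_dai: Decimal  # DAI the winner paid for the collateral lot
    collateral_usd: Decimal   # market value of the ETH lot when it was sold

def eligible_for_liquidation(vaults, eth_price_usd):
    """Ids of vaults whose collateral value per DAI of debt is below the ratio."""
    return [v.vault_id for v in vaults
            if v.dai_debt > 0
            and v.eth_locked * eth_price_usd / v.dai_debt < LIQUIDATION_RATIO]

def zero_bid_report(auctions):
    """Count auctions won with a 0 DAI bid and total the collateral they gave away."""
    zero = [a for a in auctions if a.winning_bid_dai == 0]
    share = Decimal(len(zero)) / len(auctions) if auctions else Decimal(0)
    return {"zero_bid_wins": len(zero), "share": share,
            "collateral_lost_usd": sum((a.collateral_usd for a in zero), Decimal(0))}

# Constructed sample data (not figures from the report).
VAULTS = [Vault("v1", Decimal(10), Decimal(1000)),
          Vault("v2", Decimal(10), Decimal(500)),
          Vault("v3", Decimal(5), Decimal(600))]
AUCTIONS = [Auction("v1", Decimal(0), Decimal(1100)),
            Auction("v3", Decimal(540), Decimal(550)),
            Auction("v4", Decimal(0), Decimal(330)),
            Auction("v5", Decimal(700), Decimal(720))]

if __name__ == "__main__":
    # ETH price before and after a constructed near-halving.
    for price in (Decimal(200), Decimal(110)):
        print(price, eligible_for_liquidation(VAULTS, price))
    print(zero_bid_report(AUCTIONS))
```

A keeper operator or protocol monitor could run the same audit over real auction results and alert when the zero-bid share rises above zero.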
Analysts noted that the cybercriminals conducted a test attack on the network on March 8, four days before Black Thursday. However, they were unable to find any evidence that the hackers were involved in the market crash.
Following the hack, the platform users filed a class action lawsuit for $28 million against the Maker Foundation and several affiliated organizations.