DeFi has grown exponentially since June 2020. According to DeFi Pulse, the total locked-in value grew from $1 billion to $15 billion from June to the end of November 2020. An increase of 15 times in 6 months. The rapid growth of DeFi, a license-free financial ecosystem, has led the transformation of finance, but it is not without risks.
Stablecoins, decentralized exchanges, derivatives, lending, and insurance platforms all share one main risk: the oracle. Decentralized stablecoins and lending utilize overcollateralization to mint stablecoins or lend out digital currency assets. Accurate and timely oracle prices ensure the safety of the network, determining when and how much of the asset should enter the liquidation process. Decentralized exchanges and derivatives rely on the oracle to anchor prices or introduce active market maker algorithms. In the same way that the oracle is the basis of its existence for liquidity providers and traders, exchanges form or refine their price mechanisms with the aid of the oracle, and thus decentralized exchanges become part of the oracle.
It could be said that the oracle is the foundation of the entire DeFi building. As DeFi continues to grow rapidly from its $15 billion base, it’s vital that its foundations achieve the level of safety and stability necessary for assets of this size. Without it the skyscraper built on the beach is bound to come crashing down.
Security Events Caused by Oracles
The oracle problem is essentially a very basic one. The blockchain cannot access off-chain data by itself, nor can it transmit data to off-chain systems. The vast majority of DeFi relies on price information alone. It’s useful to analyze how access to prices and how they are obtained can create a financial security risk. Here are some examples:
Harvest - Price Manipulation by Curve
Harvest is an aggregated mining protocol that automatically finds the highest returns from DeFi protocols. fUSDT and fUSDC, are single-coin, aggregated revenue assets of Harvest which were attacked on October 26. On Harvest, users deposit stablecoins such as USDT, USDC, and DAI into the Curve pool to earn mining revenue.
In the attack, the hackers borrowed a large amount of USDT/USDC through flash loans and used it to manipulate the price. Here’s how it worked.
To start with they converted nearly 20 million USDT to USDC in Curve to increase the value of USDC in the Y pool. As Harvest uses Curve as their only price source, the value of the USDC in the Harvest pool rose. At this point the hacker deposited 50 million USDC and exploited the higher price to exchange for a larger amount of fUSDC. The hacker then continued to exchange USDC back to USDT through the Curve Y pool, thus reducing the value of USDC in the Y pool.
Next the hacker exchanged USDC back to USDT through the Curve Y pool, reducing the value of USDC in the Y pool, and then the 50+ million fUSDC back to USDT through Harvest. This arbitrage earned roughly 620,000 USDT. The hacker repeated this process over and over, earning in total over 30 million USD at the expense of fUSDT and fUSDC holders.
Because Harvest relied only on the Curve Liquidity Pool for pricing, the hackers were able to create an arbitrage opportunity for themselves by manipulating the exchange rate.
Compound - Centralized Exchange Prices Under Attack
Compound is currently the dominant lending platform in the DeFi market. According to Debank, as of November 30th, 2020, the platform had a total $1.6 billion of locked-in crypto assets. Minimum collateral requirements vary by cryptocurrency. Compound delegates the oracle function to a committee that aggregates prices from the top 10 exchanges. In reality, the DAI price data used by Compound relies solely on Coinbase, a centralized exchange. On November 26th, hackers manipulated Coinbase's DAI prices causing them to fluctuate dramatically. At one point the price rocketed to $1.34. This in turn triggered an increase in debt for users who pledged other assets to lend DAI on Compound. As a result some highly leveraged users became under collate ralized, triggering the liquidation threshold and were liquidated by Compound. The hackers acting as the liquidators obtained the 5% liquidation bonus given by the system and eventually made a profit of about $3.55 million.
It is easy to see that the attacked project is essentially a manipulation of the oracle price,and it is difficult to say that the oracle provided the wrong price,because the oracle truthfully obtained the price at that time. The current mainstream oracle is an indirect oracle, which relies on multiple nodes to obtain data from different data sources and integrate it as final data. Ensuring the resistance of the oracle to attacks is an urgent problem for DeFi.