What is the underlying problem behind DeFi’s frequent “Flashloan attacks”?
Behind the flashloan attacks was actually the manipulation of the oracle to create an internal and external price differential and arbitrage from it.
Recently, the DeFi market has been going through a severe test with a number of attacks that have resulted in huge asset losses. In most of the security incidents, the “naming” of a flash loan attack seems to have become the norm. However, the truth behind it, which cannot be ignored, is that the oracle is actually manipulated to create a price differential between inside and outside and arbitrage from it.
The so-called Flashloan is actually an innovative financial tool that enables unsecured lending but requires repayment within the same block or the transaction will rollback. The beauty of Flashloan is that it allows borrowers to become “wealthy” in seconds without any effort or cost. Of course, the large amount of money also indicates a strong potential for market manipulation.
In such security incidents, the attacker usually gets something for nothing. Firstly, they use flash loans to obtain a large number of funds, and after having the “weight” to start the attack, they then enter and exit all kinds of mortgages, loans, transactions and other protocols through a series of means, after manipulating and distorting asset price data, they will implement arbitrage, and finally return the “principal”.
Data shows that the number of hacker attacks based on re-entry vulnerabilities has declined since 2020, while the percentage of attacks based on price manipulation vulnerabilities is on the rise and has resulted in cumulative losses in excess of tens of millions of dollars.
So, what exactly is the oracle?
The “bridge” of external communication of blockchain
Oracle is not a fantasy, it is actually a “bridge” to maintain data and information communication between the blockchain network and the Internet and other blockchain networks. In particular, in a decentralized application (Dapp) such as DeFi smart contracts, oracle allows developers to call on various external data resources including market prices, connecting the Dapp to the external real-world data environment.
There is no doubt that the oracle that can provide unalterable and reliable data will be an important cornerstone of DeFi development. In DeFi applications, whether configured on its own or relying on third-party supply, the oracle can be used to obtain important information such as prices, exchange rates, etc. in various markets. For a decentralized exchange (Dex), it is even more important to have accurate and reliable price data.
Unlike a centralized exchange, the Dex tends to be more “islanding” in its market data, and the automated market maker (AMM) pool in the Dex is likely to lose spreads due to dramatic changes in trading volume, liquidity, etc. if it is not connected to the outside world in real-time.
As the DeFi market has grown in popularity, the industry has been thinking more about the number of projects, scale, and model. On the contrary, the attention to the security of oracles is in a lukewarm state. Recently, the frequent security incidents may have sounded the alarm that the oracle security is crucial to the orderly development of DeFi ecosystem.
Typical oracle security events
1. Regarding the first oracle security incident, the date has to back on June 25, 2019, when an anomaly on the DeFi derivatives platform Synthetix oracle caused the platform’s sKRW/sETH exchange rate to erroneously report that more than 37 million sETHs were being traded at a low price, with a value of nearly $1 billion.
Causes: The feed source information was out of order, then the oracle malfunctioned and posted the wrong price on the chain, which the trading robot discovered and quickly arbitrated. In the end, Synthetix recouped the huge loss by reaching a repayment agreement with the owner of the trading robot. It is important to note that anomalies in upstream price sources can be devastating to smart contracts and that an oracle without validation is a security risk in terms of data accuracy and stability.
2. Among the events that followed was the impressive “bZx serial attack”. bZx, the DeFi loan protocol, was attacked twice in a week in February 2020, causing losses of approximately $1 million.
Causes: Hackers took advantage of a price flaw in the Uniswap algorithm to manipulate underlying asset price data and navigate multiple DeFi protocols for arbitrage. Seven months later, bZx was attacked again, this time causing approximately $8 million in losses. bZx co-founder Kyle Kistner mentioned after the incident that it appeared to be an oracle manipulation attack. However, ultimately, the cause of the incident was attributed to a code vulnerability.
3. On October 26, the DeFi project Harvest Finance was hacked, resulting in losses of approximately $24 million.
Causes: The attacker manipulated price data and controlled the number of minted tokens through a huge exchange in order to make multiple arbitrages. Officials revealed that the hackers attacked through the curve y pool, causing the price of the stable coin in Curve to abnormally exceed 387.9%, and made multiple arbitrages within 7 minutes. As a result, the price of the Harvest token FARM plummeted by 65% in a short period of time.
4. On November 14, the Value DeFi protocol was hacked, again through a series of inter-protocol operations, ultimately resulting in over $7 million in losses.
Causes: The attackers exploited the Oracle vulnerability to manipulate the price of the Curve pool assets to steal excess 3CRVs to exchange for DAIs and then arbitrage. Sadly, the hacker ended up returning 2 million DAIs and left a sarcastic message: “Do you really know flashloans?” which is in response to the team’s previous tweets claiming to be protected against flashloan attacks.
In recent times, the cumulative loss of assets due to oracle attacks alone has exceeded $30 million. In such incidents, hackers have manipulated the oracle to create exchange rates that allow for arbitrage and, ultimately steal the protocol assets.
Thus, the most systemically risky element of the DeFi ecosystem is the oracle, which is susceptible to price manipulation, rather than a financial instrument such as falshloan.
The oracle has a wide range of application scenarios where Dapps that need to interact with off-chain data can use it to realize functionality and value. Typical application scenarios include Dex, derivatives, stable coins, lending platforms, games, insurance, prediction markets, and so on. Faced with this “data fortress”, the oracle is expected to provide better services through iterative upgrades and security testing.
Since the blockchain itself has no function to verify whether the data is fair and reasonable, the wrong external data will be returned indiscriminately by the oracle under the decentralized mechanism, and this kind of “making the best of a mistake” can easily lead to various kinds of losses.
The iterative upgrade of the oracle should realize the connection of trusted data on and off the chain to ensure a normal, stable, and orderly data environment. In terms of quotation, the oracle should aggregate data from multiple nodes as far as possible, reserve a processing mechanism for price deviations, and synchronize updates according to time to ensure that the data provided to the smart contract is reliable, trustworthy, and anti-interference.
In Dex, the oracle should maintain and adjust the weights of AMMs while providing price updates, ensure that the internal exchange rate matches the external market price, and effectively intercept the attacker’s manipulation of prices and exchange rates through validation mechanisms and abnormal alarm mechanisms to prevent arbitrage.
On the other hand, DeFi developers should strengthen the targeted testing of the oracle, especially before the project goes live. For example, simulate the various scenarios of price manipulation attacks as much as possible, find out the problem and find a solution in time, and improve the project’s resistance to oracle attacks.
After the project goes live, developers should also choose to access third-party oracle services, security testing services, etc., and hold relevant bounty activities for vulnerabilities, so as to timely investigate and remedy shortcomings, optimize the overall structure, and minimize the possibility of the same type of incident happening again.
A coin always has two sides. In the case of flashloan, it was an innovative financial tool that could have efficiently provided large amounts of funds and facilitated the value cycle. However, it has been exploited by attackers and turned into a weapon for asset theft.
Whether it is the development of DeFi or the expansion of new areas of blockchain, on-chain and off-chain data exchange is inevitable, and the role of the oracle should not be underestimated. In fact, the attacker’s manipulation methods are not profound, but at this stage, the oracle is not intelligent enough to respond and defend in time.
Likewise, the path of things is always winding. After suffering many painful costs, the “shortboard” of the oracle is exposed. In order to ensure blockchain ecological security, before the birth of the perfect oracle, which is completely resistant to manipulation attacks, it becomes imperative to strengthen the verification and detection of multi-party technology to prevent attacks before they occur.
Article form Beosin
Translated by Yang(Mengyan Finance)