It is unwise to use any single centralized data source as a price oracle.
Recommended reading: "Well-known white hat Sam Sun wrote an article detailing why DeFi suffers price oracle manipulation attacks so often"
Written by: rekt (anonymous author). Compiled and translated by: Perry Wang
We can never see past the choices we don't understand.
A line from The Matrix
In many recent attacks, hackers returned millions of dollars to their victims; others simply left money on the table when they could have taken more.
Attacks are rampant and the methods used to steal funds vary, but from beginning to end they have all revolved around one word…
Recall the plot of The Matrix: Morpheus, who leads the protagonist Neo into the Matrix, says that the Oracle has served the resistance "since the very beginning". The Oracle is an intuitive program that helps the human resistance break free of the machines' oppression.
Recently, the oracle has been under continuous attack by anonymous agents whose aim is to manipulate her view of reality to maximize their own profits.
NEO: I think the most obvious question is, how can I trust you?
ORACLE: It's a pickle, no doubt about it.
The problem of trust in price oracles is pervasive, both on-chain and off-chain.
The famous white hat samczsun wrote:
One approach is simply to collect existing off-chain price data from price APIs or exchanges and bring it on-chain. The other is to calculate live prices by consulting on-chain decentralized exchanges.
Both options have their pros and cons.
On-chain price oracles such as Uniswap, Kyber, or Balancer do not require privileged access and are always up to date, but this also means they are easily manipulated by attackers.
Off-chain oracles such as Coinbase are usually slow to react to volatility, and they need:
"a few privileged users to push the data on-chain, so you have to trust that they will not turn evil and cannot be forced into pushing bad updates."
Today's large-scale liquidations on Compound came from an error in, or manipulation of, the Coinbase oracle.
Because Compound Finance relies on Coinbase as its sole oracle, we saw more than $110 million of loans on the protocol liquidated.
As the price of DAI spiked to $1.3, the hugely popular DAI/USDC yield-farming position collapsed, triggering mass liquidations, while the anonymous agents waiting to liquidate those positions made enormous profits.
Sam Priestley explains how the liquidations happened and how people profited from them:
"Today someone was liquidated for US$49 million of assets on the Compound protocol. The liquidator earned US$3.7 million in a single operation.
The victim was a leveraged yield farmer. They supplied DAI and USDC and borrowed DAI and USDC. When the price of DAI moved, their account went into liquidation. If they had kept DAI and USDC in separate wallets, this loss would not have happened.
When your account is being liquidated, the liquidator can choose to take any of your collateral in exchange for repaying your debt. So the liquidator took DAI: borrow DAI from Uniswap, repay the DAI debt, receive more DAI from the liquidation, repay Uniswap, pocket the profit.
Giant whales may think their assets are safe because they never called the USDC enterMarkets function. But by borrowing USDC, they activated USDC as collateral for their DAI debt."
Thanks to @arbingsam for this analysis.
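To make the mechanics in the quote concrete, here is an added example (not code from rekt, Sam Priestley, or Compound) of a Compound-style account liquidity check. It models a cross-collateralised account that supplies and borrows both DAI and USDC beside a DAI-only account, evaluates both at the $1.00 peg and at the $1.30 print, and then runs one DAI-for-DAI liquidation. The collateral factor, close factor and liquidation incentive are assumed values, and the balances are constructed for illustration, not the real whale's position.

```python
# Added example (not code from rekt or from Compound): a constructed model of a
# Compound-style account liquidity check, showing why a combined DAI+USDC
# position became liquidatable when DAI printed $1.30 while a DAI-only
# position would not, and what the liquidator earned from one liquidation.
from dataclasses import dataclass

# Assumed parameters; the real values are set per market by Compound governance.
COLLATERAL_FACTOR = 0.75       # each $1 supplied backs $0.75 of borrows
CLOSE_FACTOR = 0.5             # at most half of one borrow is repaid per liquidation
LIQUIDATION_INCENTIVE = 1.08   # liquidator seizes collateral worth 108% of what it repays


@dataclass
class Account:
    supplied: dict   # asset -> amount of underlying supplied as collateral
    borrowed: dict   # asset -> amount of underlying borrowed


def account_liquidity(acct, prices, cf=COLLATERAL_FACTOR):
    """Mimic getAccountLiquidity: return (liquidity, shortfall) in USD.
    Collateral is discounted by the collateral factor; borrows count in full,
    both at the oracle price. A positive shortfall makes the account liquidatable."""
    collateral = sum(amt * prices[a] * cf for a, amt in acct.supplied.items())
    debt = sum(amt * prices[a] for a, amt in acct.borrowed.items())
    if collateral >= debt:
        return collateral - debt, 0.0
    return 0.0, debt - collateral


def is_liquidatable(acct, prices):
    return account_liquidity(acct, prices)[1] > 0


def liquidate(acct, prices, repay_asset, seize_asset):
    """One liquidation: repay CLOSE_FACTOR of the chosen borrow and seize collateral
    worth that repayment times LIQUIDATION_INCENTIVE, both at oracle prices.
    Returns the liquidator's USD profit, or 0.0 if the account is healthy."""
    if not is_liquidatable(acct, prices):
        return 0.0
    repay = acct.borrowed[repay_asset] * CLOSE_FACTOR
    repay_value = repay * prices[repay_asset]
    seize = repay_value * LIQUIDATION_INCENTIVE / prices[seize_asset]
    if seize > acct.supplied[seize_asset]:
        raise ValueError("not enough collateral to seize")  # Compound reverts here
    acct.borrowed[repay_asset] -= repay
    acct.supplied[seize_asset] -= seize
    return seize * prices[seize_asset] - repay_value


# Constructed positions (illustrative numbers, not the real whale's balances).
def whale_account():
    # Supplies both stablecoins and borrows both: cross-collateralised.
    return Account(supplied={"DAI": 30_000_000, "USDC": 70_000_000},
                   borrowed={"DAI": 49_000_000, "USDC": 20_000_000})


def dai_only_account():
    # Supplies DAI and borrows DAI: both sides scale with the DAI price.
    return Account(supplied={"DAI": 20_000_000}, borrowed={"DAI": 14_000_000})


PEG = {"DAI": 1.00, "USDC": 1.00}
SPIKE = {"DAI": 1.30, "USDC": 1.00}   # what the oracle reported during the spike


if __name__ == "__main__":
    for name, make in (("combined", whale_account), ("DAI-only", dai_only_account)):
        for label, prices in (("peg", PEG), ("spike", SPIKE)):
            liq, short = account_liquidity(make(), prices)
            print(f"{name:9s} @ {label:5s}: liquidity={liq:>14,.0f} shortfall={short:>14,.0f}")
    profit = liquidate(whale_account(), SPIKE, repay_asset="DAI", seize_asset="DAI")
    print(f"liquidator profit from one DAI-for-DAI liquidation: ${profit:,.0f}")
```

The combined account is healthy at the peg but 1.95 million short at $1.30, because its DAI debt (49M) is larger than the borrowing power of its DAI collateral (30M times 0.75), so a rise in DAI raises the debt faster than the collateral. The DAI-only account never goes short at any DAI price, which is the "separate wallets" point in the quote. The liquidator's profit is simply the 8% incentive on the value repaid.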
The following chart shows the spike in the price of DAI: a big move for a so-called stablecoin.
When Coinbase launched its oracle, it noted that relying on off-chain data could lead to exactly this problem:
"Using data from off-chain sources requires trusting the publisher to publish correct prices and to keep the signing key safe."
Their response, however, was not to try to reduce the need for trust, but to assure readers that they deserve it.
Coinbase is one of the most trusted companies in crypto, and our mission is, above all, to develop the crypto economy. Anchoring highly reliable price feeds in Coinbase's secure infrastructure can help the decentralized finance (DeFi) ecosystem become safer, reduce systemic risk, and kick off the next wave of growth and adoption.
Compound founder and CEO Robert Leshner seemed to believe Coinbase's claim at the time. He said:
The Coinbase price oracle will improve the security and decentralization of Compound's price feeds, which are essential to the applications, protocols and ecosystem built on Compound. And not only for us: other players in DeFi will also enjoy faster development, consistent data and shared standards.
— Robert Leshner, Compound CEO
So what went wrong?
If "the oracle uses data from off-chain sources and requires a privileged publisher to push it on-chain", how exactly is that done?
The Coinbase status page currently reads as follows:
The Coinbase oracle has had "problems" before, and somehow certain participants always come out with big profits.
Whether the incident above was manipulation or a technical problem is not clear, but we do know that no flash loan was used.
Manipulating the Coinbase order book into such a state costs only 100,000 DAI, because the order book is only 300,000 DAI deep, and that was enough to push the price of DAI off its $1 peg to $1.3.
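Why a thin order book is cheap to move, as an added example (not code from rekt or Coinbase): the function below walks a constructed ask book, buying through every level priced below a target until a trade prints at the target, and reports how much DAI that takes and what it costs. The book itself is made up (decent size around the peg, almost nothing above it) and does not reproduce Coinbase's real depth; prices are in cents and sizes in whole DAI so the arithmetic is exact.

```python
# Added example (not code from rekt or Coinbase): walking a constructed ask book to
# see how much it costs to make a thin venue print a target price, which is all a
# last-trade price oracle needs to see. Prices are in cents, sizes in whole DAI.

def sample_asks():
    """Constructed DAI/USD ask book (not real data): 74,000 DAI offered within
    five cents of the peg, then 24 thin levels of 500 DAI each up to $1.29, and a
    10,000 DAI wall at $1.30. Returns (price_cents, size_dai) pairs."""
    book = [(100, 30_000), (101, 20_000), (102, 10_000), (103, 8_000),
            (104, 6_000), (105, 5_000)]
    book += [(p, 500) for p in range(106, 130)]
    book.append((130, 10_000))
    return book


def depth_below(asks, max_cents):
    """Total DAI offered strictly below max_cents."""
    return sum(size for price, size in asks if price < max_cents)


def cost_to_print(asks, target_cents):
    """Sweep every ask below target_cents, then take a single DAI from the first
    level at or above it so that a trade actually prints there.
    Returns (dai_bought, usdc_spent_cents, printed_price_cents).
    Raises ValueError if nothing is offered at or above the target."""
    dai = spent = 0
    for price, size in sorted(asks):
        if price >= target_cents:
            return dai + 1, spent + price, price
        dai += size
        spent += size * price
    raise ValueError("book is empty at and above target; nothing can print there")


def marginal_cost_cents(asks, from_cents, to_cents):
    """Extra USDC (cents) needed to move the print from from_cents to to_cents."""
    return cost_to_print(asks, to_cents)[1] - cost_to_print(asks, from_cents)[1]


if __name__ == "__main__":
    asks = sample_asks()
    for target in (105, 120, 130):
        dai, spent, printed = cost_to_print(asks, target)
        print(f"print ${printed/100:.2f}: buy {dai:>7,} DAI for ${spent/100:>10,.2f}")
    print(f"depth below $1.30: {depth_below(asks, 130):,} DAI")
    extra = marginal_cost_cents(asks, 105, 130)
    print(f"moving from $1.05 to $1.30 costs only ${extra/100:,.2f} more")
```

On the constructed book, printing $1.05 costs about $74.9k, but the remaining 25 cents up to $1.30 cost only about $19.4k more, because the levels above the peg are so thin. That is the asymmetry an attacker exploits: the cost of the manipulation is set by the thin tail of one venue's book, while the payoff is set by the size of the positions an oracle reading that venue will liquidate.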
Was the incident above malicious, accidental, or a technical failure? Either way, the liquidation bots profited from it.
It is unwise to use any single centralized data source as a price oracle, and Coinbase is a particularly bad choice, especially when $100,000 is enough to clear out its order book.
"There are programs running everywhere. Those doing their job, doing what they were meant to do, are invisible. You would never know they were here. But the others, well, we hear their stories all the time."
Source link: rekt.ghost.io