Manipulating DeFi data is too easy, and current oracle solutions do not help much


The vulnerability is so common that DeFi cannot be adopted on a large scale. But there is still a solution to the oracle problem.

It seems that every week we hear news that a DeFi project has been hacked or exploited. The latest batch of victims includes Harvest Finance, Akropolis, Value DeFi, Origin and, of course, Compound.

When vulnerabilities are actually exploited, the exploit usually involves manipulating reference prices on data sources, such as ETH/DAI on Curve, Kyber or Coinbase Pro. Sometimes the cause is plain negligence, as in the SNX case, where the decimal point of the Korean won was incorrectly positioned.

As decentralized finance develops, the likelihood of prices being exploited will certainly increase. In addition, as more and more assets are used as collateral, the DeFi field will become more complex.

As indexes become more common, options settled at fair market value will also reach their potential, but the complexity will also increase. Of course, success in these areas depends on accurate, safe, and unmanipulated data.

So, if trading pairs such as ETH/DAI are so easily manipulated, what chance do illiquid reference prices have of resisting attacks? Some of these assets rarely trade on multiple venues and trade almost entirely on decentralized exchanges. Others rely on third-party calculations.

Reduce the risk of DeFi being hacked and exploited

Multiple oracles. Oracles differ in their preferred data sources, in how they reach consensus on data, and in how they calculate prices. When dealing with less liquid trading pairs, one potential option is to use multiple oracles. Although this brings additional costs, new oracles have made great progress in reducing costs compared with traditional oracles.

Set boundaries. Boundaries around the price serve as a sanity check. For stablecoins, we can set minimum and maximum values to reduce the potential harm from a vulnerability. For example, we can bound the price of Dai between US$0.97 and US$1.03.

Circuit breaker. In addition to range-restricted stablecoins, we can set a trading range for other cryptocurrency pairs. Once the range is broken, a cooling-off period begins. This is roughly the same as the circuit breaker mechanism used by Nasdaq and other traditional financial markets. Trading can restart only after the cooling-off period has elapsed.
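
The three controls above (several oracles, hard bounds, a breaker with a cooling-off period) can sit in one guard in front of the price consumer. The sketch below is an added example, not code from any project named in this article; the class name, the three-source minimum, the 10% move limit, the 600-second cooldown and the sample reports are all assumptions, and only the Dai band of 0.97 to 1.03 comes from the text.

```python
from statistics import median

class PriceGuard:
    """Median of several oracle reports, then hard bounds and a circuit breaker."""

    def __init__(self, low=None, high=None, max_move=0.10, cooldown=600):
        self.low, self.high = low, high   # hard bounds, e.g. 0.97..1.03 for Dai
        self.max_move = max_move          # largest accepted move vs. last good price
        self.cooldown = cooldown          # cooling-off period in seconds
        self.last_price = None
        self.halted_until = 0

    def submit(self, reports, now):
        """reports: prices from independent oracles. Returns (status, usable_price)."""
        if now < self.halted_until:
            return ("halted", self.last_price)
        if len(reports) < 3:
            return ("rejected:too_few_sources", self.last_price)
        price = median(reports)           # a single bad source cannot move the median
        if self.low is not None and not (self.low <= price <= self.high):
            return ("rejected:out_of_bounds", self.last_price)
        if self.last_price is not None:
            move = abs(price - self.last_price) / self.last_price
            if move > self.max_move:
                self.halted_until = now + self.cooldown
                return ("tripped", self.last_price)
        self.last_price = price
        return ("ok", price)

def demo():
    """Constructed sample reports; returns the result of each submission."""
    dai = PriceGuard(low=0.97, high=1.03)
    eth = PriceGuard(max_move=0.10, cooldown=600)
    return [
        dai.submit([1.001, 0.999, 1.300], now=0),    # one outlier, median holds
        dai.submit([1.300, 1.280, 1.000], now=60),   # majority outside the band
        eth.submit([600.0, 601.0, 599.0], now=0),
        eth.submit([720.0, 725.0, 600.0], now=60),   # +20% move trips the breaker
        eth.submit([601.0, 600.0, 602.0], now=120),  # still cooling off
        eth.submit([603.0, 602.0, 604.0], now=700),  # cooldown over, small move
    ]

if __name__ == "__main__":
    for status, price in demo():
        print(status, price)
```

After a trip the guard keeps comparing against the last accepted price, so a genuine repricing beyond the limit needs an explicit reset; that policy is a design choice of this sketch.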

Average. Depending on how a DeFi project uses prices, time-weighted average prices and/or volume-weighted average prices over different periods can also mitigate attacks on prices with poor liquidity. By averaging over time and volume, sudden and temporary price shocks have less impact on the reference price. Andre Cronje took this to the extreme in his Keep3r oracle. It is understood that the oracle uses daily average prices.
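
How much an average dampens a shock depends on how long the shock lasts relative to the window. The following added example (not code from Keep3r or any other project; function names, the one-hour window and all sample values are constructed assumptions) computes a time-weighted and a volume-weighted average and shows that a 15-second spike of +50% barely moves the hourly figure, while one sustained for half the window still does.

```python
def twap(samples, start, end):
    """Time-weighted average over [start, end] of (timestamp, price) samples,
    sorted by time; each price is held until the next sample."""
    if not samples or samples[0][0] > start:
        raise ValueError("need a sample at or before the window start")
    total = 0.0
    following = [t for t, _ in samples[1:]] + [end]
    for (t0, price), t1 in zip(samples, following):
        lo, hi = max(t0, start), min(t1, end)
        if hi > lo:
            total += price * (hi - lo)
    return total / (end - start)

def vwap(trades):
    """Volume-weighted average of (price, quantity) trades."""
    volume = sum(qty for _, qty in trades)
    if volume <= 0:
        raise ValueError("no traded volume in window")
    return sum(price * qty for price, qty in trades) / volume

def twap_with_spike(spike_seconds, base=100.0, spike=150.0, window=3600):
    """Constructed scenario: price sits at base, jumps to spike for
    spike_seconds in the middle of a one-hour window, then returns."""
    mid = window // 2
    samples = [(0, base), (mid, spike), (mid + spike_seconds, base)]
    return twap(samples, 0, window)

# Constructed trades: one tiny print far from the market among normal fills.
SAMPLE_TRADES = [(100.0, 50.0), (100.0, 40.0), (150.0, 1.0), (101.0, 60.0)]

if __name__ == "__main__":
    print("15 s spike  ->", round(twap_with_spike(15), 4))
    print("30 min spike ->", round(twap_with_spike(1800), 4))
    print("VWAP         ->", round(vwap(SAMPLE_TRADES), 4))
```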

Inside market. When attacks do occur, they often use only one side of the market, such as the bid. Sudden, large swings in the bid/ask spread are also a sign of trouble. As members of the industry, we should always watch for these events and issue alerts when they occur.

Volatility index. Implied volatility, or IV, plays an important role in the financial sector. It is the basis for option pricing. However, even in mature and liquid markets, such as the CBOE Volatility Index (the volatility index of the S&P 500 index covering 30 trillion US dollars), there is still the possibility of manipulation. The current implied volatility of DeFi is calculated based on the IV in the price of Deribit European options. Using different methods, the implied volatility is backed out from the option price, time to expiry, strike price, spot price and current interest rate. We should check for anomalies in implied volatility, such as a sudden rise or fall in the IV of the underlying product or of the market as a whole. Although IV is an indication of future volatility expectations, it is usually correlated with the volatility of the underlying asset and/or the overall market. In addition, for cash-settled options, especially near the expiry date, time-weighted or volume-weighted volatility should also be considered.
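
One common way to back IV out of those five inputs is to invert the Black-Scholes formula numerically and then compare successive values. The code below is an added example, not taken from any oracle or exchange; Black-Scholes with bisection is an assumed method, and the 25% jump threshold, the contract terms and the quotes are constructed.

```python
import math

def bs_call(spot, strike, t, rate, sigma):
    """Black-Scholes price of a European call; t is time to expiry in years."""
    cdf = lambda x: 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))
    d1 = (math.log(spot / strike) + (rate + 0.5 * sigma ** 2) * t) / (sigma * math.sqrt(t))
    d2 = d1 - sigma * math.sqrt(t)
    return spot * cdf(d1) - strike * math.exp(-rate * t) * cdf(d2)

def implied_vol(price, spot, strike, t, rate, lo=1e-4, hi=5.0, tol=1e-8):
    """Back out sigma by bisection; the call price rises monotonically with sigma."""
    if not bs_call(spot, strike, t, rate, lo) < price < bs_call(spot, strike, t, rate, hi):
        raise ValueError("quote outside the range any volatility in [lo, hi] can produce")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if bs_call(spot, strike, t, rate, mid) < price:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def iv_jumps(quotes, spot, strike, t, rate, max_change=0.25):
    """Return (ivs, flags); a flag marks an IV that moved more than max_change
    (relative) against the previous quote's IV."""
    ivs = [implied_vol(q, spot, strike, t, rate) for q in quotes]
    flags = [False] + [abs(b - a) / a > max_change for a, b in zip(ivs, ivs[1:])]
    return ivs, flags

# Constructed inputs: a 30-day 650-strike call with spot at 600 and a 1% rate.
SPOT, STRIKE, T, RATE = 600.0, 650.0, 30 / 365, 0.01
# Constructed quotes, generated from known volatilities so the result can be checked.
TRUE_VOLS = (0.80, 0.82, 1.40, 0.81)
SAMPLE_QUOTES = [bs_call(SPOT, STRIKE, T, RATE, v) for v in TRUE_VOLS]

if __name__ == "__main__":
    for iv, flag in zip(*iv_jumps(SAMPLE_QUOTES, SPOT, STRIKE, T, RATE)):
        print(f"IV={iv:.4f} anomalous={flag}")
```

A quote that violates the pricing bounds raises instead of returning a number, since such a quote is itself a sign of bad data.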

A better oracle will create a better DeFi ecosystem

Ideally, we can collect data from multiple sources, which are difficult and costly to operate.

First of all, the existing oracles only support the largest cryptocurrency pairs, and often cannot refresh prices frequently. For example, Compound chose to use Coinbase Pro instead of Chainlink. To many people this may seem a puzzling choice.

However, even Chainlink only updates the Dai contract every 24 hours, or when the price changes by 2%. Compound is therefore forced to choose between timely/active data and unmanipulated data. If it chose Chainlink instead of Coinbase Pro, it could still suffer losses when the price of Dai is manipulated to fluctuate within the 2% range. And such a loss is often a slow death rather than a direct fatal blow.
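
To size the margin a protocol needs against such a feed, it helps to measure how far the published value can sit from the market between updates. This added example is a simplified model of an update rule with a 2% deviation trigger and a 24-hour heartbeat (the two figures from the text); it is not Chainlink's code, and the function names and hourly prices are constructed.

```python
def simulate_feed(market, deviation=0.02, heartbeat=86_400):
    """market: list of (timestamp, price), sorted by time.
    Returns rows of (timestamp, market_price, feed_price, updated)."""
    rows = []
    feed_price = feed_time = None
    for ts, price in market:
        # Update when there is no value yet or the heartbeat has elapsed ...
        stale = feed_price is None or ts - feed_time >= heartbeat
        # ... or when the market has moved by at least the deviation threshold.
        moved = feed_price is not None and abs(price - feed_price) / feed_price >= deviation
        updated = stale or moved
        if updated:
            feed_price, feed_time = price, ts
        rows.append((ts, price, feed_price, updated))
    return rows

def worst_tracking_error(rows):
    """Largest relative gap between market price and published feed price."""
    return max(abs(market - feed) / feed for _, market, feed, _ in rows)

# Constructed hourly prices for a stablecoin drifting inside the 2% band.
HOURLY = [1.000, 1.005, 1.012, 1.019, 1.019, 1.015, 1.021, 1.005, 1.002, 1.000]
SAMPLE_MARKET = [(hour * 3600, price) for hour, price in enumerate(HOURLY)]

if __name__ == "__main__":
    rows = simulate_feed(SAMPLE_MARKET)
    for ts, market, feed, updated in rows:
        print(f"t={ts:>6} market={market:.3f} feed={feed:.3f} updated={updated}")
    print("worst tracking error:", round(worst_tracking_error(rows), 4))
```

On this sample the feed republishes only three times in ten hours and trails the market by up to 1.9%, which is the gap a consumer's collateral parameters have to absorb.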

Many cryptocurrencies are only traded on one or two exchanges, sometimes only on decentralized exchanges, and have extremely low liquidity and high volatility. In these situations, it is crucial that DeFi projects work with oracles that can provide the breadth and timeliness of data they need.

Every DeFi project faces a unique and different set of variables. Therefore, not all suggested solutions are suitable for every project. Each project should consider its unique data requirements and choose the compromise that suits them.