Read everything about price oracles and learn how to use them safely.
Written by: Sam Sun, well-known white hat, research partner of Paradigm, a crypto venture capital firm. Compiler: Perry Wang
Paradigm authorized Chain News to translate and publish the Chinese version of the article.
At the end of 2019, I published a post titled “Taking undercollateralized loans for fun and for profit”. In it, I described an economic attack on Ethereum decentralized applications (DApps) that rely on accurate price data for one or more tokens. It is now the end of 2020, and unfortunately many projects have since made very similar mistakes. The most recent example is the Harvest Finance hack, which caused a collective loss of USD 33 million for the protocol's users.
Although developers are familiar with vulnerabilities such as reentrancy, they evidently do not often consider price oracle manipulation. Over the years, exploits based on reentrancy have declined, while exploits based on price oracle manipulation are now on the rise. I therefore decided it was time for someone to publish a clear resource on this class of manipulation to raise security awareness.
This article is divided into three parts. For readers unfamiliar with the topic, there is an introductory primer on oracles and oracle manipulation. Readers who want to test their knowledge can jump straight to the case studies, where we look back at past oracle-related vulnerabilities and attacks. Finally, we summarize some techniques developers can use to protect their projects against price oracle manipulation.
What is oracle manipulation? A real-world example
Wednesday, December 1, 2015. Your name is David Spargo, and you are at a concert by Peking Duk, the Australian “Dark Horse”, in Sydney, Australia. You want to meet the band in person, but two security guards are blocking your way backstage. There is no way they will let an ordinary passerby walk in.
You wonder how the security guards would react if you acted as if you belonged backstage. Family members would certainly be allowed to visit the band backstage, so all you need to do is convince the guards that you are a relative of one of the band members. You think it over and come up with a plan that is either genius or extremely clumsy.
When you are ready, you walk up to the security guards confidently. You introduce yourself as David Spargo, a member of Peking Duk’s family. When security asks for evidence, you show them irrefutable proof: Wikipedia.
David Spargo edited Peking Duk’s Wikipedia entry, adding his own name to “family members”
The security guard waved you through and told you to wait. One minute, two minutes. Five minutes later, you wonder whether you should run before the police show up. Just as you are about to leave, one of the band members, Reuben Styles, comes over and introduces himself. You hang out with him in the backstage lounge, the band is impressed with your ingenuity, and you end up sharing a few beers. Later they shared what happened on their Facebook page.
What is a price oracle?
A price oracle is, generally speaking, anything you consult for price information. Take a scene from the American TV series “The Office”: when Pam asks Dwight about the cash value of a Schrute Buck, Dwight is acting as a price oracle.
On the Ethereum blockchain, everything is a smart contract, and a price oracle is no exception. It is therefore more useful to distinguish price oracles by how they obtain their price information. One approach is simply to take existing off-chain price data from price APIs or exchanges and bring it on-chain. Another is to calculate the instantaneous price by consulting on-chain decentralized exchanges.
Both options have advantages and disadvantages. Off-chain data is usually slower to react to volatility, which may be good or bad depending on what you use it for. It also usually requires a small number of privileged users to push data on-chain, so you have to trust that they will not turn evil and cannot be coerced into pushing bad updates. On-chain data requires no privileged access and is always up to date, but this means an attacker can easily manipulate it, which can lead to catastrophic failure.
What could go wrong?
Take a brief look at some cases where poorly integrated price oracles caused serious financial damage to DeFi projects.
Synthetix sKRW oracle false alarm
Synthetix is a derivatives platform that gives users exposure to assets such as other currencies. To facilitate this, Synthetix (at that time) relied on a custom off-chain price feed implementation, in which an aggregate price computed from a set of secret price feeds was published on-chain at a fixed interval. Users could then take long or short positions on the supported assets at these prices.
On June 25, 2019, one of the price feeds Synthetix relied on misreported the price of KRW as 1,000 times higher than the real exchange rate. Due to other errors elsewhere in the price oracle system, this price was accepted by the system and published on-chain, and a trading bot quickly traded in and out of the sKRW market.
The bot eventually made more than $1 billion in profit, although the Synthetix team was able to negotiate with the trader to return the funds in exchange for a bug bounty.
Synthetix implemented the oracle contract correctly and pulled quotes from multiple sources to prevent traders from predicting price changes before they were published on-chain. However, an isolated failure of one upstream price feed led to a devastating attack. This illustrates the risk of using a price oracle built on off-chain data: you do not know how the price is calculated, so your system must be carefully designed to handle all potential failure modes correctly.
As mentioned earlier, I published a post in September 2019 outlining the risks associated with price oracles that use on-chain data. Although I strongly recommend reading the original post, it contains quite a few complicated technical details that may make it hard to digest. So I offer a simplified explanation here.
Suppose you want to bring decentralized lending to the blockchain. Users can deposit assets as collateral and borrow other assets up to a certain amount determined by the value of the deposited assets. Suppose a user wants to borrow USD using ETH as collateral. The current price of ETH is 400 USD and the collateralization ratio is 150%.
If the user deposits 375 ETH, it is equivalent to depositing $150,000 in collateral. They can borrow $1 for every $1.50 of collateral, so they can borrow no more than $100,000 from the system.
Of course, on the blockchain it is not as simple as declaring that 1 ETH is worth $400, because a malicious user could simply declare that 1 ETH is worth $1000 and then steal all the money from the system. Developers are therefore tempted to reach for the nearest price oracle at hand, such as the current spot price on Uniswap, Kyber, or another decentralized exchange.
At first glance, this seems to be the correct approach. After all, whenever you want to buy or sell ETH, the price on Uniswap is always roughly correct, because any deviation is quickly corrected by arbitrageurs. But it turns out that the spot price on a decentralized exchange may be very wrong in the middle of a transaction, as the following example shows.
Consider how a Uniswap reserve works. Its internal quote is calculated from the amount of assets held in reserve, but the reserves change as users trade between ETH and USD. What if a malicious user performs a trade before and after taking out a loan from your platform?
Before taking out a loan on your platform, the user buys 5000 ETH for 2 million USD. The Uniswap exchange now calculates the price as 1 ETH = 1733.33 USD. Their 375 ETH can now serve as collateral for up to $433,333 in assets, which they borrow. Finally, they trade the 5000 ETH back for their original 2 million USD, which resets the price on Uniswap. The net result is that your loan platform has let the user borrow an additional $333,333 without any collateral.
This case study illustrates the most common mistake when using a decentralized exchange as a price oracle: an attacker has almost complete control over the price during a transaction, and trying to read that price accurately is like reading the weight on a scale before it has settled. You will probably get the wrong number and, depending on the circumstances, it may cost you dearly.
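The same sequence as a small simulation, added here as an illustration and not code from the original post. It assumes a fee-less constant-product pool with constructed reserves (10,000 ETH and 4,000,000 USD), so the skewed price differs from the 1733.33 USD quoted above; `Pool`, `borrow_limit` and `simulate` are hypothetical names.

```python
from fractions import Fraction

COLLATERAL_RATIO = Fraction(3, 2)  # 150%, as in the text

class Pool:
    """Fee-less constant-product (eth * usd = k) pool; a simplified model."""
    def __init__(self, eth, usd):
        self.eth, self.usd = Fraction(eth), Fraction(usd)

    def spot_price(self):
        return self.usd / self.eth  # USD per ETH implied by the reserves right now

    def buy_eth(self, eth_out):
        usd_in = self.eth * self.usd / (self.eth - eth_out) - self.usd
        self.eth, self.usd = self.eth - eth_out, self.usd + usd_in
        return usd_in

    def sell_eth(self, eth_in):
        usd_out = self.usd - self.eth * self.usd / (self.eth + eth_in)
        self.eth, self.usd = self.eth + eth_in, self.usd - usd_out
        return usd_out

def borrow_limit(collateral_eth, price):
    return collateral_eth * price / COLLATERAL_RATIO

def simulate(collateral_eth=375, traded_eth=5000):
    pool = Pool(eth=10_000, usd=4_000_000)   # constructed reserves: 1 ETH = 400 USD
    fair_price = pool.spot_price()
    usd_paid = pool.buy_eth(traded_eth)      # trade placed before the loan
    skewed_price = pool.spot_price()         # what a spot-price oracle reads mid-transaction
    debt = borrow_limit(collateral_eth, skewed_price)
    usd_back = pool.sell_eth(traded_eth)     # trade reversed after the loan
    return {
        "fair_price": fair_price,
        "skewed_price": skewed_price,
        "fair_limit": borrow_limit(collateral_eth, fair_price),
        "debt": debt,
        "round_trip_cost": usd_paid - usd_back,
        "price_after": pool.spot_price(),
        "collateral_value_after": collateral_eth * pool.spot_price(),
    }

if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>24}: {float(value):,.2f}")
```

Once the pool returns to its original price, the debt issued against the skewed reading exceeds the full value of the collateral, which is the condition a lending platform needs to rule out.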
Synthetix MKR manipulation
In December 2019, Synthetix suffered another price oracle manipulation attack. It is worth noting that this attack broke down the barrier between on-chain and off-chain price data.
Reddit user u/MusatheRedGuard observed an attacker making some very suspicious trades against sMKR and iMKR (inverse MKR). The attacker first took a long MKR position indirectly by buying sMKR, and then bought a large amount of MKR from the Uniswap ETH/MKR trading pair. After waiting for a period of time, the attacker swapped their sMKR for iMKR, and then sold the MKR back to Uniswap. Then they repeated the process.
Behind the scenes, the attacker's trades on Uniswap allowed them to move the price of MKR in the Synthetix protocol. This was probably because the off-chain price feed that Synthetix relied on was itself relying on the on-chain price of Maker (MKR), and there was not enough liquidity for arbitrageurs to push the market back to the optimal price.
The incident illustrates that even when you think you are using off-chain price data, you may in fact still be using on-chain price data, and may still be exposed to the complications that come with it.
bZx hacking incident
In February 2020, the bZx protocol was hacked twice within a few days, and the attackers made off with about $1 million. Excellent technical analyses of both hacks are available, but this article discusses only the second one.
In the second hack, the attacker first used ETH to purchase almost all of the sUSD on Kyber. The attacker then purchased a second batch of sUSD from Synthetix itself and deposited it on bZx. Using the sUSD as collateral, the attacker borrowed the maximum amount of ETH allowed. Then they sold the sUSD back to Kyber.
If you have been paying attention, you will recognize this as essentially the same undercollateralized loan attack, just with different collateral and a different decentralized exchange.
On July 25, 2020, I reported to yEarn a vulnerability in their newly launched yVault contract. You can read the official write-up of this bug, but I will briefly summarize it below.
The yVault system allows users to deposit tokens and earn yield without having to manage the tokens themselves. Internally, the vault tracks the total amount of yVault tokens minted and the total amount of underlying tokens deposited. The value of a single yVault token depends on the ratio of minted tokens to deposited tokens. All profits earned by the vault are shared equally across all minted yVault tokens (and therefore across all yVault token holders).
The first yVault allowed users to earn yield on USDC by providing liquidity to the MUSD/USDC liquidity pool on Balancer. When users provide liquidity to a Balancer pool, they receive BPT in return, which can be redeemed for a portion of the assets in the pool. The yVault therefore calculated the value of its holdings based on the amount of MUSD/USDC that could be redeemed with its BPT.
This implementation seems correct, but unfortunately the same principle mentioned earlier applies: the state of a Balancer liquidity pool is unstable during a transaction, and its price cannot be trusted. In this case, because of the bonding curve Balancer chose, users do not get a 1:1 exchange rate from USDC to MUSD, and actually leave some MUSD behind in the pool. This means the value of BPT can be temporarily inflated, which lets an attacker manipulate the price at will and then drain the vault.
This incident shows that price oracles are not always conveniently labeled as such. Developers need to be alert to the kind of data they are ingesting and consider whether it can easily be manipulated by unprivileged users.
Harvest Finance hacking incident
On October 26, 2020, an unknown user attacked Harvest Finance’s liquidity pool using a technique you may have guessed by now: the attacker executed a trade to push down the price of USDC in the Curve liquidity pool, entered the Harvest pool at the reduced price, reversed the earlier trade to restore the price, and then exited the Harvest pool at the higher price. This caused more than $33 million in losses to the Harvest pool.
Harvest Finance official post-mortem report
How can I protect myself?
By now, I hope you have learned to recognize the common thread: it is not always obvious that you are using a price oracle, and if you do not take proper precautions, an attacker can trick your protocol into handing over a lot of money. There is no cure-all, but the following are some solutions that have worked for other projects in the past. Maybe one of them will suit you too.
Don’t dive into shallow markets
Just like diving into the shallow end of a swimming pool, diving into a shallow market is painful, can be very expensive, and may change your life forever. Before you even consider the intricacies of a specific price oracle, consider whether the token is liquid enough to warrant integration with your platform.
A bird in the hand is worth two in the bush
The potential exchange rate on Uniswap may look dazzling, but until the assets are safely in your hands it is only a mirage. Likewise, the best way to determine the exchange rate between two assets is simply to swap them directly. This approach is great because there are no take-backs and no what-ifs. However, it may not work for platforms such as lending protocols that need to hold on to the original asset.
Almost decentralized oracle
The problem with oracles that rely on on-chain data is that they are a little too up to date. If so, why not introduce some artificial delay? Write a smart contract that updates itself with the latest price from a decentralized exchange such as Uniswap, but only when requested by a small group of privileged users. Now even if an attacker can manipulate the price, they cannot get your protocol to actually use it.
This approach is simple to implement and a quick win, but it has some drawbacks: when the blockchain is congested, you may not be able to update the price as quickly as you would like, and you are still vulnerable to sandwich attacks. In addition, your users need to trust that you will actually keep the price updated.
Manipulating a price oracle is an extremely time-sensitive operation, because arbitrageurs are always watching and hoping for the chance to correct any sub-optimal market. An attacker who wants to minimize risk needs to execute the two trades required to manipulate the price oracle within a single transaction, so that arbitrageurs cannot jump in between. As a protocol developer, if your system can support it, simply placing a short delay, measured in blocks, between a user entering and exiting your system may be enough.
Of course, this may hurt the composability of your protocol, and collusion between miners and traders is on the rise. In the future, bad actors may be able to carry out price oracle manipulation across multiple transactions, knowing that the miner they work with will guarantee that no one can jump in between and take a share of their profit.
Time-weighted average price TWAP
Uniswap V2 introduced a TWAP oracle for on-chain developers. Its documentation details the exact security guarantees this oracle provides. Generally speaking, for large liquidity pools over a long period without chain congestion, the TWAP oracle is highly resistant to oracle manipulation attacks. However, because of the way it is implemented, it may not react quickly enough to sharp market volatility, and it only works for assets that already have a liquid token on-chain.
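A sketch of how a time-weighted average behaves under the conditions described above, added here as an illustration and not Uniswap's code. It models the cumulative-price idea in simplified form; the one-hour window, the 13-second block, the prices and the names `CumulativePriceOracle`, `twap` and `twap_after` are all assumptions.

```python
from fractions import Fraction

class CumulativePriceOracle:
    """Running sum of price * seconds, modelled on Uniswap V2's cumulative price."""
    def __init__(self, start_time, price):
        self.last_time = start_time
        self.price = Fraction(price)
        self.cumulative = Fraction(0)

    def observe(self, now, new_price):
        # Credit the price that was in force since the last update, then switch.
        if now < self.last_time:
            raise ValueError("time went backwards")
        self.cumulative += self.price * (now - self.last_time)
        self.last_time, self.price = now, Fraction(new_price)

    def snapshot(self, now):
        # (time, cumulative value) pair a consumer stores at each end of its window
        return now, self.cumulative + self.price * (now - self.last_time)

def twap(start, end):
    (t0, c0), (t1, c1) = start, end
    if t1 <= t0:
        raise ValueError("window must have positive length")
    return (c1 - c0) / (t1 - t0)

def twap_after(events, window=3600, start_price=400):
    """TWAP over [0, window] after replaying constructed (time, price) events."""
    oracle = CumulativePriceOracle(0, start_price)
    start = oracle.snapshot(0)
    for when, price in events:
        oracle.observe(when, price)
    return twap(start, oracle.snapshot(window))

# Constructed scenarios, all starting from 1 ETH = 400 USD.
SAME_TX = [(1800, 1600), (1800, 400)]   # moved and restored at one timestamp
ONE_BLOCK = [(3587, 1600)]              # held at 1600 for the last 13 seconds
REAL_DROP = [(1800, 200)]               # genuine move halfway through the window

if __name__ == "__main__":
    for name, events in [("same tx", SAME_TX), ("one block", ONE_BLOCK), ("real drop", REAL_DROP)]:
        print(f"{name:>10}: TWAP = {float(twap_after(events)):.2f}")
```

A price that is moved and restored within one timestamp carries zero weight, and a fourfold spike held for one block shifts the hourly average by about 1%. The last scenario shows the cost: after a genuine drop to 200, the oracle still reports 300.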
It is sometimes said that if you want something done right, you had better do it yourself. What if you gather N trusted friends, ask them to submit on-chain the price they think is correct, and take the best M answers as the current price?
This approach is used by many large projects today: Maker runs a set of price feeds operated by trusted entities, Compound created the Open Oracle with reporters such as Coinbase, and Chainlink aggregates price data from Chainlink operators and publishes it on-chain. Keep in mind that if you choose one of these solutions, you have delegated trust to a third party, and your users must do the same. Requiring reporters to post updates on-chain manually also means that during periods of high market volatility and blockchain congestion, price updates may not arrive on time.
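One way such an aggregator can be structured, added here as an illustration and not the code of Maker, Compound, Chainlink or Synthetix. It takes the median of fresh reports, requires a quorum, and refuses to publish a price that jumps too far from the last accepted one; the reporter names, thresholds and KRW figures are constructed, echoing the 1,000x feed error in the sKRW case above.

```python
from statistics import median

class OracleError(Exception):
    pass

def aggregate(reports, now, quorum, max_age=600, last_price=None, max_jump=0.5):
    """Median of fresh reports; refuses to answer rather than publish a doubtful price.

    reports maps reporter name -> (price, unix_time). All thresholds are illustrative.
    """
    fresh = [p for p, ts in reports.values() if p > 0 and 0 <= now - ts <= max_age]
    if len(fresh) < quorum:
        raise OracleError(f"only {len(fresh)} fresh reports, need {quorum}")
    price = median(fresh)
    if last_price and abs(price - last_price) > max_jump * last_price:
        raise OracleError(f"median {price} jumps too far from {last_price}")
    return price

def mean_price(reports):
    # Naive alternative: a single bad feed drags the result with it.
    return sum(p for p, _ in reports.values()) / len(reports)

def rejects(reports, **kwargs):
    """True if aggregate() refuses to produce a price for these reports."""
    try:
        aggregate(reports, **kwargs)
        return False
    except OracleError:
        return True

# Constructed sample: USD per 1,000,000 KRW from five hypothetical reporters, now = 1000.
HEALTHY = {"a": (829, 990), "b": (830, 995), "c": (831, 1000), "d": (832, 998), "e": (830, 999)}
ONE_BAD = {**HEALTHY, "e": (830_000, 999)}            # one feed 1,000x too high
MAJORITY_BAD = {**ONE_BAD, "c": (831_000, 1000), "d": (832_000, 998)}
STALE = {name: (p, ts - 5000) for name, (p, ts) in HEALTHY.items()}

if __name__ == "__main__":
    print("median, one bad feed:", aggregate(ONE_BAD, now=1000, quorum=3))
    print("mean, one bad feed:  ", mean_price(ONE_BAD))
    print("majority bad rejected:", rejects(MAJORITY_BAD, now=1000, quorum=3, last_price=830))
    print("stale feeds rejected: ", rejects(STALE, now=1000, quorum=3))
```

The median absorbs one faulty reporter, but when a majority is wrong it follows them; only the jump limit against the last accepted price stops that case, which is the trust delegation described above.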
To sum up
Price oracles are a safety-critical but often overlooked component of DeFi. Using them safely is a hard problem, and there are many ways to trip up both yourself and your users. In this article, we covered past cases of price oracle manipulation and established that reading price information in the middle of a transaction may be unsafe and may lead to catastrophic financial losses. We also discussed some of the techniques other projects have used to combat price oracle manipulation. In the final analysis, every situation is unique, and you may find yourself unsure whether your current use of price oracles is correct. If this is the case, please feel free to contact us for advice.
Special thanks to Dan Robinson and Georgios Konstantopoulos for reviewing this article.