This article is from Cointelegram, written by Samuel Kim, compiled by Odaily intern Vane.
Samuel Kim is the founding partner of Umbrella Network, a Layer 2 oracle powering the next generation of DeFi applications. Previously, he was the founder and CEO of Lucidity, a blockchain-based digital advertising transparency solution, and co-founder of the mobile advertising platform Gimbal. Samuel is a graduate of Columbia University and has an MBA from Chicago Booth School of Business, where he focused on Analytical Finance.
It seems like every week we hear about another DeFi project being hacked or exploited. The latest victims include projects such as Harvest Finance, Akropolis, Value DeFi, Origin, and of course Compound.
When exploits do occur, they usually involve manipulating reference prices such as ETH/DAI on data sources such as Curve, Kyber or Coinbase Pro. Sometimes, this is a mistake, such as in the SNX case where the won was quoted with the wrong decimal place.
As decentralized finance grows, the potential for exploitation will certainly increase. DeFi will become more complex as more assets are accepted as collateral. As indices become more common, and options at arms length settle to their potential, so too does the complexity. The success of these results depends on accurate, secure data that has not been manipulated.
first level title
first level title
Multiple oracles.The preferred data source structure is different for each oracle. how they agree on data; and how they calculate those prices. One potential option when dealing with less liquid trading pairs is to utilizemultiple oracles. Although this will increase costs, newer oracles have made long-term progress in reducing costs compared to traditional oracles.
Set boundaries around priceWill serve as a sanity check. For stablecoins, we can set minimum and maximum values to mitigate potential exploitation. For example, the price of Dai can be set between $0.97 and $1.03.
Fuse mechanism.For cryptocurrency pairs other than range-bound stablecoins, we can set trading ranges. If these limits are exceeded, we may implement a cooling-off period. It functions in much the same way as circuit breakers used by Nasdaq and other traditional financial markets. Can only be restarted after the cooldown period.
average value.Depending on the usage of the DeFi project, time-weighted average price and/or volume-weighted average price over different time periods can also mitigate illiquid attacks. By using time and volume averaging, sudden and temporary price shocks have less impact on the reference price. Andre Cronje takes this to the extreme in his Keep3r oracle, where he uses daily average prices.
market internal forces.When attacks do occur, they typically exploit only one side of the market inside, such as bidding only. Large and sudden swings in the bid/ask spread should indicate that something might not be right. As an industry, we should be aware of these incidents and have procedural alerts when they occur.
volatility index.first level title
first level title
In an ideal world, we would collect data from multiple sources that would be difficult or expensive to manipulate.
For one thing, existing oracles only support the largest cryptocurrency trading pairs and dont refresh prices often enough. For example, Compound opted to use Coinbase Pro over Chainlink, which may seem like a confusing choice to many.
However, even if Chainlink only updates the Dai contract every 24 hours, or a 2% price increase. Compound is thus forced to choose between data that is up-to-date or highly variable, or data that is free from manipulation. If they had chosen Chainlink over Coinbase Pro, they could still have lost money when the price of Dai was manipulated in the 2% range. But that would be the end of thousands of sustained deaths, not catastrophic casualties.
Many cryptocurrencies are only traded on one or two exchanges, and sometimes only on decentralized exchanges. Liquidity is extremely low and volatility is high. In these and other cases, DeFi projects must partner with oracles that can provide the breadth of data needed and the real-time nature of data that is essential.
Every DeFi project faces a unique and unique set of variables. Therefore, not all suggested solutions are suitable for every project. Projects should consider their unique data requirements and the compromises that fit their needs.
