From popular stars to the high-risk zone of DeFi, how should we prevent oracle security issues?
This article was published on December 14, 2020, by WebX Lab, authored by WebX Lab
One after another, multi-million-dollar asset liquidation events involving Compound have turned the once highly regarded oracle into a target of criticism. Moreover, the series of flash loan attacks has set an increasingly harmful precedent. Taken together, these events suggest that exploitation of reentrancy vulnerabilities has decreased in recent years, while exploitation based on oracle price manipulation is on the rise, making oracles a high-risk area.
Why are Oracles an Important Role in DeFi?
Oracles are primarily concerned with how blockchain protocols collect data from third-party sources in a reliable and trustworthy manner and feed it to highly networked, automated decentralized applications (DApps) and smart contracts. They bring information and data sources from the off-chain world on-chain, thereby establishing authoritative facts on-chain.
The introduction of this external data serves as a crucial basis for triggering on-chain smart contracts. Taking Compound as an example, they need oracle prices to determine borrowing capacity and collateral requirements, as well as for all functions that require calculating account values to decide whether to liquidate the assets of an account to meet collateral needs. For some DEXs that use AMM solutions, due to small trade sizes and insufficient depth, their market prices can be easily influenced by large trades, leading to significant volatility, which also requires oracles to provide data from mainstream exchanges to avoid such volatility.
At this point, you might think that oracles are merely a single auxiliary component, only serving the purpose of introducing external data. In fact, the opposite is true. The pricing function of oracles or the reliable support of data sources is just an early form; in the long run, oracles will serve as a comprehensive aggregator of various elements from the real world, including data, information, credit, and assets. The accuracy of the data or information provided, the degree of decentralization in technical implementation, and the level of intelligence in modular scripts will all significantly impact the future connection between the blockchain world and the real world.
From Rising Star to High-Risk Point: The Oracle
Oracles gained significant fame during this year's DeFi summer boom, with projects like Chainlink and NEST Protocol becoming market darlings. However, the earlier hype contrasts sharply with the past month's shift in public opinion, which has placed oracles under a very different kind of scrutiny.
The reason is that oracles have increasingly become the entry point for flash loan attacks, Compound liquidations, and other incidents. Compound CEO Robert Leshner responded, "The Compound protocol itself does not appear to have suffered losses; it is unclear whether the oracle attack was intentional or accidental, or a combination of both."
Looking back at the earlier Synthetix attack, the core logic was that on Synthetix, users could synthesize other currency assets. Synthetix (at the time) relied on a custom off-chain pricing mechanism to calculate a total price from a set of secret price feeds and publish it on-chain at fixed intervals. Then, based on the calculated price, users were allowed to trade long or short on the assets.
Synthetix MKR Manipulation Demonstration
Then, at the end of June 2019, one of the price feeds relied upon by Synthetix incorrectly reported the price of the Korean won, quoting it at 1000 times the real exchange rate, which was accepted by the system and published on-chain. A trading bot quickly executed buy and sell orders in the sKRW market, profiting from the interest rate differential. Although Synthetix extracted prices from multiple sources, a single erroneous quote led to a catastrophic blow to the entire platform.
The principle of earlier flash loan attacks was quite simple: the perpetrator borrowed a massive amount of funds from a flash loan to trade in exchanges or pools with low depth or volume, which could manipulate asset prices in a short period. This artificially manipulated data fluctuation would provide oracles with incorrect inputs and outputs, allowing the perpetrator to profit easily from these errors. More straightforwardly, the attacker had almost complete control over the price during the transaction, while the victims could only passively accept losses. Similarly, in the Compound liquidation event, the price of the stablecoin DAI on the Coinbase Pro platform was temporarily driven up to $1.30, leading to large-scale liquidations in the DeFi protocol Compound that relied on oracle price feed information from that platform.
The "culprit" behind the DAI price surge was that Coinbase Pro uses an order book model, which makes it easy to manipulate prices when liquidity is insufficient. The attacker had calculated the amount needed to manipulate the DAI price on the Coinbase Pro platform and the profits that could be gained by liquidating Compound whales, completing the attack in a short time.
It appears that oracles, which serve as crucial references, largely cannot guarantee the authenticity or validity of data sources. The oracle price data source on the Compound platform is centralized and singular, and centralized sources can easily be forged, tampered with, modified, or hidden. Using any single centralized data source as a price oracle is unwise and extremely dangerous; the ingestion of corrupted or invalid data by oracles could lead to significant disasters for downstream users.
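The manipulation pattern described above (a single large trade against a shallow pool, read by a consumer contract as the "price") can be made concrete with a small simulation. The following is an added example written for this article, not code from Compound, Synthetix, or any real DEX: it models a toy constant-product pool, shows how far one block's trade moves the instantaneous spot price, and contrasts that with a time-weighted average (TWAP) plus a deviation guard that a consuming contract could apply before acting. The pool sizes, block counts, and the 10% deviation threshold are all constructed assumptions.

```python
"""Constructed example (not from any real DEX or lending protocol): why a
pool's instantaneous spot price is a poor oracle, and how a time-weighted
average plus a deviation guard limits what a single-block trade can do."""
from dataclasses import dataclass, field


@dataclass
class ConstantProductPool:
    """Toy x*y=k pool with no fee; reserves are constructed sample values."""
    base: float    # e.g. ETH reserve
    quote: float   # e.g. DAI reserve

    def spot_price(self) -> float:
        """Quote units per base unit, as a naive on-chain reader would see it."""
        return self.quote / self.base

    def buy_base(self, quote_in: float) -> float:
        """Swap quote_in for base while keeping base * quote constant."""
        k = self.base * self.quote
        new_quote = self.quote + quote_in
        new_base = k / new_quote
        base_out = self.base - new_base
        self.base, self.quote = new_base, new_quote
        return base_out


@dataclass
class TwapOracle:
    """Averages one price sample per block over a fixed block window."""
    window_blocks: int
    samples: list = field(default_factory=list)   # (block_number, price)

    def record(self, block: int, price: float) -> None:
        self.samples.append((block, price))

    def price(self, current_block: int) -> float:
        recent = [p for b, p in self.samples
                  if b > current_block - self.window_blocks]
        return sum(recent) / len(recent)


def price_is_plausible(spot: float, reference: float,
                       max_deviation: float = 0.10) -> bool:
    """Guard a consumer contract applies before liquidating or lending:
    refuse a spot reading that strays too far from the smoothed reference."""
    return abs(spot - reference) / reference <= max_deviation


def simulate_single_block_manipulation() -> dict:
    """Nine quiet blocks, then one block with a very large trade."""
    pool = ConstantProductPool(base=1_000.0, quote=500_000.0)   # spot = 500
    twap = TwapOracle(window_blocks=10)
    for block in range(1, 10):                 # blocks 1..9: no trades
        twap.record(block, pool.spot_price())
    spot_before = pool.spot_price()
    pool.buy_base(500_000.0)                   # block 10: reserves shift hard
    spot_after = pool.spot_price()
    twap.record(10, spot_after)
    twap_after = twap.price(10)
    return {
        "spot_before": spot_before,                    # 500.0
        "spot_after": spot_after,                      # 2000.0 (4x in one block)
        "twap_after": twap_after,                      # 650.0 (+30% over window)
        "spot_accepted": price_is_plausible(spot_after, twap_after),  # False
        "twap_move_pct": (twap_after - spot_before) / spot_before * 100,
    }


if __name__ == "__main__":
    for key, value in simulate_single_block_manipulation().items():
        print(f"{key}: {value}")
```

The point of the comparison is not that the TWAP is immune (it still moves 30% here), but that a manipulator must now hold the distorted reserves across many blocks, exposing the position to arbitrage for the whole window, and that the deviation guard turns a silently wrong price into a refused update that operators can investigate.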
On the other hand, off-chain data generally reacts slowly to price fluctuations and lacks intelligence. The underlying reason is the need to trust that the privileged users who push data on-chain will not turn malicious or be coerced into pushing harmful updates. Under this trust model, no other party can step in when those privileged pushers fail, so even while an attack is under way, users can only sit and wait, and asset losses repeat. Essentially, the attackers' manipulation methods are not sophisticated; they simply exploit the current lack of intelligence in oracles, which makes timely response and defense difficult. A relatively mature oracle in the future should be an authoritative source of truth for protocols regarding asset prices, market conditions, and crisis event handling.
To Save DeFi Security, We Must First Save Oracles
The vulnerabilities discussed above, and the many painful losses that exposed them, have laid the shortcomings of oracles bare. Therefore, to enhance the security of DeFi, the first step should be the selection of data source suppliers; oracles themselves must ensure that price data is generated on-chain in a decentralized manner that complies with blockchain consensus mechanisms. This is the only feasible correct logic, rather than simply taking the median of a few nodes fed by a centralized data source and pushing that price on-chain.
In addition, oracles should seek more protective measures, which can rely on more secure third-party institutions to further reduce the likelihood of crisis vulnerabilities occurring. In terms of pricing, oracles should aggregate data from multiple nodes, reserve processing mechanisms for price deviations, and update synchronously over time to ensure that the data provided to smart contracts is reliable, trustworthy, and resistant to interference. Mechanisms for data verification and anomaly alerts should also be implemented in oracles.
Most importantly, in handling abnormal data, how to provide timely feedback and prevent incidents is crucial. We can appropriately increase some human intervention, such as setting up dedicated reporters to manually publish updates on-chain during significant market fluctuations, abnormal on-chain performance, or slow price updates. A more intelligent way to prevent abnormal data occurrences can be referenced from the Nest oracle project, which has established a game-theoretic mechanism between decentralized validators and pricing miners, forming a method for generating bilateral quotes on-chain through pledged pricing, directly preventing erroneous data from being adopted.
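The aggregation, deviation-handling and anomaly-alert measures listed above, and the single-bad-feed failure from the Synthetix KRW incident, can be shown in one small aggregator. The code below is an added example written for this article, not the code of NEST, Chainlink, Compound, or any other oracle project. It takes a batch of quotes from several sources, drops stale ones, rejects outliers around the preliminary median, requires a quorum, and refuses to publish (raising an alert for a human reporter instead) when the new median steps too far from the last published price. All quotes, timestamps, and thresholds are constructed sample values.

```python
"""Constructed example: a multi-source price aggregator with staleness,
outlier, quorum and step-deviation checks. Not the code of any real oracle."""
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional, Tuple


@dataclass
class Quote:
    source: str
    price: float
    timestamp: int   # unix seconds


@dataclass
class AggregationResult:
    status: str                    # "published", "anomaly", "insufficient_quorum"
    price: Optional[float]
    rejected: List[Tuple[str, str]] = field(default_factory=list)  # (source, reason)
    alerts: List[str] = field(default_factory=list)


def aggregate(quotes: List[Quote], last_published: Optional[float], now: int, *,
              max_age: int = 300, min_quorum: int = 3,
              outlier_tolerance: float = 0.05,
              max_step: float = 0.10) -> AggregationResult:
    result = AggregationResult(status="", price=None)

    # 1. Staleness: a feed that has stopped updating must not anchor the price.
    fresh = []
    for q in quotes:
        if now - q.timestamp > max_age:
            result.rejected.append((q.source, "stale"))
        else:
            fresh.append(q)
    if len(fresh) < min_quorum:
        result.status = "insufficient_quorum"
        result.alerts.append(f"only {len(fresh)} fresh quotes, need {min_quorum}")
        return result

    # 2. Outlier rejection: one feed off by 1000x must not survive into the median.
    prelim = median([q.price for q in fresh])
    kept = []
    for q in fresh:
        if abs(q.price - prelim) / prelim > outlier_tolerance:
            result.rejected.append((q.source, "outlier"))
            result.alerts.append(f"{q.source} quoted {q.price}, median {prelim}")
        else:
            kept.append(q)
    if len(kept) < min_quorum:
        result.status = "insufficient_quorum"
        result.alerts.append(f"only {len(kept)} quotes left after outlier filter")
        return result

    # 3. Step check: a sudden jump is held for review instead of being pushed.
    candidate = median([q.price for q in kept])
    if last_published is not None:
        step = abs(candidate - last_published) / last_published
        if step > max_step:
            result.status = "anomaly"
            result.alerts.append(
                f"candidate {candidate} moves {step:.0%} from {last_published}; "
                "holding update for manual review")
            return result

    result.status = "published"
    result.price = candidate
    return result


# Constructed sample batches (not real market data).
NOW = 1_700_000_000
BAD_FEED_BATCH = [                      # one source off by 1000x, as in the KRW case
    Quote("A", 1.00, NOW), Quote("B", 1.01, NOW), Quote("C", 1.00, NOW),
    Quote("D", 0.99, NOW), Quote("E", 1000.0, NOW),
]
VENUE_SPIKE_BATCH = [                   # fresh feeds agree on a 30% jump; one is stale
    Quote("A", 1.30, NOW), Quote("B", 1.29, NOW), Quote("C", 1.31, NOW),
    Quote("D", 1.00, NOW - 600),
]
THIN_BATCH = [Quote("A", 1.00, NOW), Quote("B", 1.00, NOW)]

if __name__ == "__main__":
    for name, batch in [("bad feed", BAD_FEED_BATCH),
                        ("venue spike", VENUE_SPIKE_BATCH),
                        ("thin", THIN_BATCH)]:
        print(name, aggregate(batch, last_published=1.00, now=NOW))
```

The three stages map onto the measures above: staleness and quorum cover "update synchronously over time" and "aggregate data from multiple nodes", the outlier filter is the "processing mechanism for price deviations", and the step check is the anomaly alert that hands a suspicious move to a human reporter rather than letting a single venue's spike drive liquidations.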
Whether in the development of DeFi or the expansion of new blockchain fields, the exchange of on-chain and off-chain data is imperative, and the role of oracles cannot be underestimated. As the types of data handled by oracles continue to grow, their influence and critical role will become increasingly important. Oracles will evolve from price oracles to event oracles, with industries such as gambling, government affairs, and gaming already adopting and promoting event oracles. It is believed that after enduring many trials, oracles will continue to serve as a powerful weapon for bridging the on-chain and off-chain worlds, though it will require time to mature.