What is the problem behind the frequent “flash loan attacks” in DeFi?

Recently, the DeFi market has experienced a severe test, with multiple attacks occurring one after another, causing huge asset losses. In most security incidents, the "naming" of flash loan attacks seems to have become standard. However, the truth behind it that cannot be ignored is actually the manipulation of the oracle, causing the price difference between the inside and the outside and arbitrage from it.

The so-called flash loan is actually an innovative financial tool that enables unsecured loans, but requires repayment within the same block, otherwise the transaction will be rolled back. The charm of flash loans is that they can make borrowers "rich" in seconds without any effort or cost. Of course, the huge amount of funds also indicates a strong potential for market manipulation.

In such security incidents, attackers usually "get something for nothing". They first use flash loans to obtain a large amount of funds. After having the "weight" to start the attack, they use a series of means to enter and exit various mortgage, loan, transaction and other agreements. After manipulating and distorting asset price data, they implement arbitrage and finally return the "principal".

Data shows that since 2020, the number of attacks by hackers based on reentry vulnerabilities has declined, while the proportion of attacks based on price manipulation vulnerabilities is increasing, and has caused cumulative losses of more than tens of millions of dollars.

So, what exactly is this oracle?

The "bridge" for blockchain external communication

Oracle is not a fantasy thing. It is actually a "bridge" for blockchain networks to communicate data and information with the Internet and other blockchain networks. In particular, in decentralized applications (Dapps) such as DeFi smart contracts, through Oracles, developers can call various external data resources including market prices, allowing Dapps to connect to the data environment of the external real world.

There is no doubt that oracles that can provide tamper-proof and reliable data will become an important cornerstone of DeFi development. In DeFi applications, whether they are self-configured or rely on third-party supply, oracles can obtain important information such as prices and exchange rates in various markets. For decentralized exchanges (Dex), obtaining accurate and reliable price data is even more important.

Unlike centralized exchanges, Dex market data has a more obvious tendency to be "isolated". If it does not maintain real-time linkage with external market conditions, the automated market maker (AMM) asset pool in Dex is likely to suffer price difference losses due to drastic changes in trading volume, liquidity, etc.

As the DeFi market heats up, the industry tends to think more about the number of projects, scale, and model. However, the attention paid to oracle security issues is in a tepid state. In recent times, the frequent oracle security incidents may have sounded the alarm for this. Oracle security is crucial to the orderly development of the DeFi ecosystem.

Typical Oracle Security Incidents

Event 1

The first oracle security incident happened on June 25, 2019. The oracle of DeFi derivatives platform Synthetix was abnormal, causing the platform's sKRW/sETH exchange rate to be incorrect, and more than 37 million sETH were traded at a low price, involving nearly $1 billion.

Cause of the incident

The price feed information is abnormal, the oracle fails and publishes the wrong price to the chain, and the trading robot quickly arbitrages after discovering it.

Finally, Synthetix reached a fund return agreement with the owner of the trading robot, and the huge losses were recovered. However, it is worth noting that abnormal upstream price sources may bring devastating blows to smart contracts, and the lack of validity verification of oracles has great security risks in terms of data correctness and stability.

Event 2

Among the subsequent events, the most impressive one is the "bZx continuous attack incident". In February 2020, the DeFi loan protocol bZx was attacked twice in a week, causing a loss of about $1 million.

Cause of the incident

Hackers took advantage of the price flaws in the Uniswap algorithm to manipulate related asset price data and roam across multiple DeFi protocols to conduct arbitrage.

Seven months later, bZx was attacked again, and this time it caused a loss of about $8 million. Kyle Kistner, co-founder of bZx, mentioned after the incident that it seemed to be an oracle manipulation attack. In the end, the cause of the incident was attributed to a code vulnerability.

Event 3

Recently, incidents involving oracle attacks have become more frequent, and the security situation is severe. On October 26, the DeFi project Harvest Finance was hacked, causing a loss of approximately $24 million.

Cause of the incident

The protocol fToken uses the Curve y pool as the price feed source when minting coins. The attacker manipulates price data and controls the number of coins minted through large-scale exchanges, thereby making multiple arbitrage profits.

Officials revealed that hackers attacked through the Curve Y pool, causing the price of stablecoins in Curve to exceed 387.9% abnormally, and arbitrage multiple times within 7 minutes. Affected by this, the price of Harvest token FARM plummeted by 65% ​​in a short period of time.

Event 4

On November 14, the Value DeFi protocol was hacked, also through a series of inter-protocol operations, ultimately resulting in a loss of more than $7 million.

Cause of the incident

The attacker exploited a price oracle vulnerability to manipulate the price of the Curve asset pool, stealing excess 3CRV and exchanging it for DAI for arbitrage.

Sadly, the hacker finally returned 2 million DAI and left a sarcastic message: "Do you really understand flash loans?" This was in response to the team's previous tweet claiming that it could prevent flash loan attacks.

In recent times, the total loss of assets caused by oracle attacks alone has exceeded 30 million US dollars. In such incidents, hackers manipulated the oracle to create an arbitrageable exchange rate, and finally used the price difference to steal the protocol assets.

Therefore, the most systemic risk factor in the DeFi ecosystem is the oracle that is susceptible to price manipulation, rather than financial instruments such as flash loans.

Exploration of solutions

Oracles have a wide range of application scenarios. Dapps that need to interact with off-chain data can use oracles to realize their functions and values. Typical application scenarios include Dex, derivatives, stablecoins, lending platforms, games, insurance, prediction markets, etc. Facing this "data fortress", oracles are expected to provide better services through iterative upgrades, security testing, etc.

Since the blockchain itself does not have the function of verifying whether the data is fair and reasonable, those erroneous external data will be returned indiscriminately by the oracle under the decentralized mechanism, and this "making the best of a bad situation" can easily cause various losses.

The iterative upgrade of the oracle should realize the connection between the on-chain and off-chain trusted data to ensure that the data environment is normal, stable and orderly. In terms of quotation, the oracle should try to aggregate data from multiple nodes, reserve a processing mechanism for price deviations, and update synchronously according to time to ensure that the data provided to the smart contract is reliable, trustworthy and anti-interference.

In Dex, the oracle should maintain and adjust the weight of the AMM while providing quote updates to ensure that the internal exchange rate matches the external market price, and effectively intercept attackers' manipulation of prices and exchange rates through verification mechanisms and abnormal alarm mechanisms to prevent the creation of arbitrage space.

On the other hand, DeFi developers should strengthen targeted testing of oracles, especially before the project goes online, simulate various scenarios of price manipulation attacks as much as possible, discover problems and find solutions in a timely manner, and effectively improve the project's ability to resist oracle attacks.

After the project is launched, developers should choose to connect to third-party oracle services, security testing services, etc. according to the situation; organize relevant vulnerability bounty activities to promptly check for deficiencies and fill them in, optimize the overall structure, and minimize the possibility of similar incidents occurring again.

Conclusion

The two sides of a coin can always be reflected in all aspects. Flash loans are an innovative financial tool that can efficiently provide large amounts of funds and promote value circulation. However, they have been used by attackers and turned into a powerful weapon for stealing assets.

Whether it is the development of DeFi or the expansion of new areas of blockchain, data exchange on and off the chain is imperative, and the role of oracles cannot be underestimated. In fact, the attacker's manipulation methods are not sophisticated, but at this stage, oracles are not smart enough and it is difficult to respond and resist in time.

Similarly, the road of development is always tortuous. After suffering many painful costs, the "shortcomings" of the oracle are exposed. For the sake of blockchain ecological security, before the birth of a completely resistant oracle to manipulation attacks, it is imperative to strengthen the verification and detection of multiple technologies and prevent attacks before they happen.