Compound Oracle Attack Raises Concerns over Blockchain Betting
Market manipulation and insider trading have always been major threats in traditional markets. Over the past few years, the problem has spilled over into crypto markets, becoming increasingly commonplace.
On November 26, an illiquid market for DAI-USDC on Coinbase experienced heavy price slippage. Due to a malicious attack or an error, “stablecoin” DAI moved from $1 to $1.30, 30% away from peg.
Compound, the third-largest DeFi platform, was among the most adversely affected networks, as it uses the Coinbase DAI-USDC market for its price feed.
As a result, some users of Compound who had borrowed DAI suddenly found that their debt had shot up 30%. Typically, when a user borrows funds within the network, they need to provide collateral exceeding the amount borrowed. Therefore, all loans are usually over-collateralized.
However, when the oracle exploit led to a spike in DAI’s price, the loans were suddenly under-collateralized. When this happened, built-in protocol rules on Compound forced liquidations on all affected borrowers’ positions.
In total, over $100 million was liquidated on Compound following the exploit according to DeFi tracker LoanScan. This went on record as its biggest liquidation yet. Back in July, Compound saw liquidations worth $6.4 million in a span of 24 hours.
2020 Oracle Attacks in Review
Known as “Oracle attacks,” these exploits are not new. Essentially, an oracle allows a smart contract to communicate with sources that are not blockchain-based. They often provide price feeds for DeFi platforms. Exploits based on the manipulation of oracles have been on the rise during the past few months.
In February 2020, there were multiple attacks on the Ethereum-based lending project bZx. During its first flash loan-based attack, malicious actors made off with $350,000-worth of ETH. The second attack took place less than a week after, leading to the loss of ETH worth $633,000.
In October 2020, there was a similar attack on the Harvest Finance token, resulting in a collective loss of $33 million for users of the protocol. Most recently on November 14, 2020, attackers exploited an oracle vulnerability on Value DeFi, siphoning off tokens worth over $7 million.
In most of these incidents, malicious actors manipulate price oracles, creating exchange rates that allow for arbitrage. Once this happens, they get an opportunity to make off with protocol assets. In other cases, the cause could be a malfunction in the feed's source data.
Manipulation Concerns in the Blockchain Betting Industry
No matter the underlying cause, these attacks raise concerns both within the crypto ecosystem and beyond. Concerns extend to spheres like the gambling market where the use of blockchain technology is fast gaining popularity.
Notably, this is not an issue for traditional casinos, as these usually run everything through private databases. For blockchain-based services, however, system security is in trouble the moment external data is involved.
Many of the games on these sites make use of off-chain market data to determine outcomes. That is necessary because there is no feasible solution for smart contracts to look up external data on their own.
While oracles are indispensable in this implementation of blockchain technology, the security risk that they pose is considerable too. The security of a blockchain lies in the fact that there is no single point of failure. But the oracle becomes one.
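The following added example (not from the original article or from Compound's code) models the liquidation mechanics described earlier and the single-point-of-failure problem noted above: a loan that is healthy at the $1.00 peg becomes liquidatable when one venue quotes $1.30, but stays healthy when the price is taken as the median of several independent venues. The collateral factor, venue names, prices other than $1.00 and $1.30, and position sizes are constructed assumptions, and the median is one common mitigation, not one the article prescribes.

```python
from statistics import median

COLLATERAL_FACTOR = 0.75  # assumed: share of collateral value that may be borrowed


def is_liquidatable(collateral_usd, debt_dai, dai_price_usd):
    """True when the USD value of the DAI debt exceeds the borrow limit."""
    borrow_limit_usd = collateral_usd * COLLATERAL_FACTOR
    return debt_dai * dai_price_usd > borrow_limit_usd


def single_source_price(feeds, source):
    """Price taken from one venue only: the oracle as single point of failure."""
    return feeds[source]


def median_price(feeds, min_sources=3):
    """Median across independent venues; refuses to answer on too few sources."""
    if len(feeds) < min_sources:
        raise ValueError("not enough independent price sources")
    return median(feeds.values())


def outliers(feeds, max_deviation=0.05):
    """Venues quoting more than max_deviation away from the median (for alerting)."""
    mid = median(feeds.values())
    return sorted(n for n, p in feeds.items() if abs(p - mid) / mid > max_deviation)


# Constructed sample data: one illiquid venue prints $1.30, the others hold the peg.
FEEDS = {"venue_a": 1.30, "venue_b": 1.002, "venue_c": 0.999}
COLLATERAL_USD, DEBT_DAI = 1200.0, 850.0  # constructed borrower position

if __name__ == "__main__":
    at_peg = is_liquidatable(COLLATERAL_USD, DEBT_DAI, 1.00)
    one_feed = is_liquidatable(
        COLLATERAL_USD, DEBT_DAI, single_source_price(FEEDS, "venue_a"))
    robust = is_liquidatable(COLLATERAL_USD, DEBT_DAI, median_price(FEEDS))
    print("liquidatable at peg:           ", at_peg)
    print("liquidatable, single venue:    ", one_feed)
    print("liquidatable, median of venues:", robust)
    print("venues to investigate:         ", outliers(FEEDS))
```

A median only helps when the venues are genuinely independent; if a majority of sources derive their quote from the same illiquid market, the median moves with it.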
Unfortunately, there is no universally accepted oracle in blockchain betting. Nick from TheBitcoinStrip said, “If blockchain gambling is to succeed, smart contract developers need to think carefully about the oracle problem.
Public blockchain gambling apps, particularly on Ethereum, need to think hard about how they generate winning numbers. They have to ensure that the event results that they feed into smart contracts are trustworthy and reliable to avoid exploits.”
For the most part, smart contract casino games are not at risk. However, for those using foreign exchange prices or increasingly popular prediction markets, such as Polymarket, this issue could lead to large losses if not properly mitigated.
An evaluation of feasible remediation strategies and their implementation is of utmost importance. Resolving this problem could end up being one of the most worthwhile contributions that the online betting industry makes to the blockchain.
Once the solution is found, it will find widespread application beyond gambling and possibly trigger a true blockchain overhaul.