Manipulating DeFi data is too easy, and current oracle solutions don’t help much

It seems like we hear news every week of a different DeFi project that has been hacked or exploited. The most recent casualties include projects such as Harvest Finance, Akropolis, Value DeFi, Origin and, of course, Compound.

When exploits occur, they usually involve manipulating a reference price, such as ETH/DAI, at a data source such as Curve, Kyber or Coinbase Pro. Sometimes the cause is an error, as in the case of SNX, where the Korean won price was reported with the wrong decimal place.

As the DeFi ecosystem grows, the potential for security breaches will undoubtedly increase. DeFi becomes more complex as more assets are accepted as collateral. Complexity will also increase as indices become more common and fair value options reach their potential. The success of these developments depends on the data being accurate, secure and tamper-free.

So how likely is it that these less liquid benchmarks will withstand attacks when even something like the ETH/DAI pair can be manipulated this way? Some of them are only traded in a few places and almost exclusively on decentralized exchanges. Others are calculated values that depend on third parties.

Mitigating the risk of hacking and DeFi compromises

Multiple oracles. Each oracle differs in its preferred data sources, in how it reaches consensus on the data and in how it calculates prices. One option for less liquid pairs is to use multiple oracles. While this incurs additional costs, emerging oracles have made great strides in reducing costs compared with earlier oracles.

Price limits would serve as a sanity check. In the case of stablecoins, we can set minimum and maximum values to limit the damage an exploit can do. For example, the price of Dai could be allowed to range anywhere from $0.97 to $1.03.

Circuit breakers. For cryptocurrency pairs other than range-bound stablecoins, we can set trading ranges, and when those ranges are broken, we can implement a cool-down. This would work in a similar way to the circuit breakers used by the Nasdaq and other traditional financial markets. Trading should only restart after the cool-down period.

Averages. The time-weighted average price and/or the volume-weighted average price over different periods of time can, depending on the DeFi project's use case, also blunt attacks on less liquid prices. By averaging over time and volume, a sudden and temporary price shock has less of an impact on the reference price. André Cronje takes this to the extreme in his Keep3r oracle, where he uses the daily average price.

Inside market. When attacks occur, they often take advantage of only one side of the inside market, e.g., only the buy side. Sudden, sharp swings in buy/sell spreads should be a sign that something is wrong. As an industry, we need to be vigilant about these events and plan alerts for when they occur.

Volatility index. Implied volatility, IV for short, plays a crucial role in finance. It is the basis on which options are valued. Even in mature and liquid markets such as the CBOE Volatility Index, a volatility index that covers the $30 trillion S&P 500, there are still attempts at manipulation. The current volatility calculations in DeFi are based on the IV in Deribit's European option prices. Various methods are used to derive implied volatility from the option price, the time to expiration, the exercise price, the spot price and the applicable interest rates. The implied volatility should be checked for abnormal shocks, e.g., a sudden increase or decrease in IV values relative to the underlying asset or the market in general. While the IV is an indication of future volatility expectations, it is usually correlated with the volatility of the underlying asset and/or the market in general. In addition, time-weighted or volume-weighted IVs should be taken into account, especially for cash-settled options that are about to expire.
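Four of the mitigations above (multiple oracles, price limits, a circuit breaker with a cool-down, and a time-weighted average) can be layered in one feed guard. The following is an added example, not code from the article or from any oracle project; the class name, thresholds and quotes are constructed assumptions.

```python
import statistics
from collections import deque

class GuardedFeed:
    """Median of several oracles -> price limits -> circuit breaker -> TWAP."""

    def __init__(self, lo, hi, max_move, cooldown, window):
        self.lo, self.hi = lo, hi      # price limits, e.g. 0.97..1.03 for Dai
        self.max_move = max_move       # breaker: max relative move vs. the TWAP
        self.cooldown = cooldown       # seconds the feed stays halted after a trip
        self.window = window           # TWAP window in seconds
        self.obs = deque()             # accepted (timestamp, price) observations
        self.halted_until = 0

    def twap(self, now):
        """Time-weighted average of accepted prices inside the window."""
        pts = [(t, p) for t, p in self.obs if t >= now - self.window]
        if not pts:
            return None
        if len(pts) == 1:
            return pts[0][1]
        # each price is weighted by how long it was the latest observation
        spans = [(t2 - t1, p1) for (t1, p1), (t2, _) in zip(pts, pts[1:])]
        spans.append((now - pts[-1][0], pts[-1][1]))
        total = sum(dt for dt, _ in spans)
        return sum(dt * p for dt, p in spans) / total if total else pts[-1][1]

    def update(self, now, quotes):
        """quotes: prices from independent oracles. Returns (status, price)."""
        ref = self.twap(now)
        if now < self.halted_until:
            return ("halted", ref)     # cool-down: keep serving the last TWAP
        # with three or more quotes, a single outlier cannot set the median
        mid = statistics.median(quotes)
        if not self.lo <= mid <= self.hi:
            return ("rejected_out_of_bounds", ref)
        if ref is not None and abs(mid - ref) / ref > self.max_move:
            self.halted_until = now + self.cooldown
            return ("breaker_tripped", ref)
        self.obs.append((now, mid))
        while self.obs and self.obs[0][0] < now - self.window:
            self.obs.popleft()
        return ("ok", self.twap(now))
```

A newly accepted price carries zero weight in the returned TWAP until time passes, so a single in-bounds spike cannot move the reference price in the same update.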

Better oracles for a better DeFi ecosystem

In an ideal world, we can collect data from multiple sources that are difficult and / or expensive to manipulate.

For one, existing oracles only support the largest cryptocurrency pairs and often don’t update prices often enough. For example, Compound chose Coinbase Pro instead of Chainlink, which seemed a puzzling choice to many.

Even Chainlink only updates the Dai contract once every 24 hours or when the price moves 2%. Therefore, Compound had to choose between fresh, live data and manipulation-free data. If they had chosen Chainlink instead of Coinbase Pro, they could still have suffered losses had Dai’s price been manipulated to fluctuate within the 2% range. But it would have been death by a thousand cuts instead of the catastrophic loss they suffered.

Many cryptocurrencies are only listed on one or two exchanges, sometimes only on decentralized exchanges, and they have very little liquidity and suffer from high volatility. In these and other situations, DeFi projects need to work with oracles that provide both the breadth of data they need and the data liveness that is essential to them.
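To quantify the freshness trade-off described above, this added example (not the article's or Chainlink's code) simulates a feed that writes a new value only on a 2% move or a 24-hour heartbeat, as the article describes, and reports the largest gap a consumer would see. The function name and the price series are constructed assumptions.

```python
def simulate_push_feed(ticks, deviation=0.02, heartbeat=86_400):
    """ticks: list of (timestamp_seconds, market_price), oldest first.

    Returns (updates, worst_gap): the on-chain writes that were triggered and
    the largest relative gap |market - on_chain| / on_chain left unreported.
    """
    updates = []
    on_chain = last_write = None
    worst_gap = 0.0
    for t, price in ticks:
        due = (
            on_chain is None                                    # first value
            or abs(price - on_chain) / on_chain >= deviation    # 2% move
            or t - last_write >= heartbeat                      # 24 h elapsed
        )
        if due:
            on_chain, last_write = price, t
            updates.append((t, price))
        else:
            worst_gap = max(worst_gap, abs(price - on_chain) / on_chain)
    return updates, worst_gap


# Constructed series: the market swings +/-1.9% every hour for 12 hours,
# always staying just inside the 2% deviation band.
HOUR = 3600
SWINGING = [(0, 1.000)] + [
    (h * HOUR, 1.019 if h % 2 else 0.981) for h in range(1, 13)
]
```

On the constructed series the feed writes once and then carries a gap of up to 1.9% for the rest of the period, which is why a consumer should treat both the deviation threshold and the age of the last write as part of its risk budget.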

Every DeFi project is faced with a unique and different set of variables. Therefore, not all proposed solutions are suitable for every project. A project must consider its unique data requirements and determine which tradeoffs are appropriate for its requirements.

The views, thoughts, and opinions expressed herein are solely those of the author and do not necessarily reflect or represent the views and opinions of Cointelegraph.

