Decentralized Finance Has A $1.4Bn Problem

By Joshua Tobkin, CEO and co-founder of SupraOracles

Decentralized Finance is the fastest growing sector of the crypto market. With promises of a consumer-centric, open source, and permissionless financial system that is transparent to all, DeFi stands to change the trajectory of consumer and institutional finance. Borrowing, lending, insurance, and direct peer-to-peer exchange are just a few of the use cases that are being disrupted by this new financial paradigm, taking out costly intermediaries and delivering more value to end consumers.

Don’t just take our word for it. In one year alone, DeFi has gone from ~$25B in total value locked (TVL) to nearly $100B Total Value Locked.

DeFi, laden with consumer success, has its next target in sight — institutional adoption. Institutions are circling. Seeing first-hand the success individuals have had they are eager to deploy colossal sums of capital into these new financial applications. Before DeFi can secure these huge pools of capital, however, it has to face its primary challenge: smart contract exploits and Oracle vulnerabilities, a problem that has cost the decentralized finance movement over $1.4B in stolen capital

The Oracle Dilemma (and its cost)

For all their power, blockchain networks today operate largely as closed loop systems. Data flows within blockchains seamlessly, but bridging to the outside world of today’s digital data proves a challenge (and immense opportunity).

Oracles are the solution to this challenge. Stated briefly, oracles connect blockchain networks to ‘real world’ data, so that applications within blockchains can respond to that information. Some examples include: cryptocurrency prices, fiat currency prices, traditional financial data, sports and weather data, et al.

Oracles stand on the precipice of unlocking the floodgates for immensely powerful decentralized financial applications and services that leverage real-world data. Oracles are not, however, without their faults. Collusion can allow a few actors to change incoming data, network latency can cause delays in data availability, a lack of consensus on inputted data can cause smart contracts, which are deterministic and composable, to experience cascading failures since the faulty data entered the system.

In June 2019, an oracle for the Synthetix protocol mis-reported prices of the Korean Won as 1000x higher than its true rate to price their sKRW token (synthetic Korean Won). The result was $1B in lost funds (they were eventually returned). The attacker used a sophisticated trading bot to profit from the arbitrage created by the misprice in sKRW. This enabled the ability to create a few thousand trades, each having a profit for a few thousand dollars — equaling close to $1 billion in siphoned funds in close to an hour’s time. 

In November 2020, Cheese Bank, an Ethereum-based decentralized digital bank, lost $3.3m to an oracle attack. The attacker was able to instantaneously borrow, swap, deposit and again borrow a large number of tokens. This allowed the attacker to heavily manipulate the price of a specific token on a single exchange. As a result, it created an arbitrage opportunity between the amount borrowed at the previous price, and a new manipulated oracle price to repay, allowing this particular hack to drain the DeFi project of $3.3 million in “borrowed” funds. 

In the very same month, nearly $90m was liquidated on the lending protocol Compound. A malicious actor appears to have manipulated the price of a token on Coinbase Pro, which the Compound protocol used to set its own prices. This token was used as collateral for a loan, and the oracle manipulation caused Compound smart contracts to believe that many loans using this token as collateral had exceeded the collateralization-ratio thresholds. In turn, this caused the protocol to mistakenly liquidate over $89 million in loans by users of the service. The third largest user of the protocol was one of the victims, and was liquidated for $46 million. Just because Coinbase Pro was cryptographically signing their reported data, technically only means that someone had access to their private key – not that the data delivered was actually correct! This goes to show the importance of removing any single points of failure in oracle designs. 

As the DeFi ecosystem grows more complex and more composable, oracle risks will only escalate. That is, without a viable alternative solution.

The existing oracle landscape is dominated by solutions that struggle to balance decentralization, speed, and security — with some market incumbents erroneously focusing too much on speed, while they sacrifice both decentralization and security in the process. The result of those frankly wreckless designs are going to pave the way for additional performance failures, security breaches, and exploits that cannot chauffeur in the mass institutional adoption of decentralized technologies on open networks. 

Looming just beyond the immediate needs of decentralization, security, and speed is interoperability. Across the Web3 landscape, people are collectively calling for a multi-chain future, in which a constellation of decentralized networks integrate together to create a seamless technical mesh for all users and institutions. Any oracle solution that seriously hopes to take its place beside (or take the place of) traditional tech stacks must prepare for this interoperable future.

Each of these issues present a major opportunity in solving the Oracle Dilemma. By solving these issues, we can bolster the security of DeFi. This will enable this burgeoning industry to be opened to new large pools of traditional financial capital to help continue the exponential growth of this new permissionless, open financial paradigm. Collectively, if we don’t secure the Oracle Layer, we don’t deserve to be the stewards of the future of finance. We must do better.

Joshua Tobkin is the CEO and co-founder of SupraOracles, a blockchain organization striving to bridge the gap between traditional capital markets and the Web3.0 ecosystem. He is the architect of the Supra BFT Consensus Algorithm, a blockchain designer & developer, and a lateral thinker. Previously to SupraOracles, Josh was building SaaS companies for over 10 years and now looks to use his experience to empower the developer community with a novel oracle toolset so that they may conveniently create, deploy, and manage data applications with superior performance, robustness, and agility.

Join the SupraOracles’ community and receive the latest updates:

Website | Twitter | Announcements

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.

Other Topics