It seems like every week we hear news of a different DeFi project being hacked or exploited. The latest crop of victims includes projects such as Harvest Finance, Akropolis, Value DeFi, Origin and, of course, Compound.
When exploits occur, they usually involve manipulating a reference price, such as ETH/DAI, on a data source such as Curve, Kyber or Coinbase Pro. Sometimes it is a mistake, as in the SNX case, where the Korean won was quoted with the wrong decimal.
As decentralized finance grows, the potential for exploits will certainly increase. DeFi becomes more complex as more assets are accepted as collateral. Complexity will also increase as indexes become more common and options settled at fair market value reach their potential. Their success depends on accurate, secure data that is free from manipulation.
So, what chance do these less liquid benchmarks have of fending off attacks when something like ETH/DAI is so subject to manipulation? Some of them are traded on only a few venues, almost entirely decentralized exchanges. Others are calculated values that depend on third parties.
Reduce the risk of hacks and exploits for DeFi
Multiple oracles. Oracles differ in their preferred data sources, in how they reach consensus about the data and in how they calculate prices. One option when dealing with less liquid pairs is to use multiple oracles. While this entails additional costs, newer oracles have made great strides in lowering costs compared to older ones.
Price bounds. Defining bounds around prices would act as a health check. For stablecoins, we can set minimum and maximum values to limit the potential exploit. For example, one could bound the price of Dai between $0.97 and $1.03.
Circuit breakers. For cryptocurrency pairs other than range-bound stablecoins, we can set trading ranges. If the range is exceeded, we can impose a cooling-off period. This would work in much the same way as the circuit breakers used by Nasdaq and other traditional financial markets. Only after the cooling-off period can activity restart.
Averages. A time-weighted average price and/or volume-weighted average price over different time periods, depending on the use case of the DeFi project, can also mitigate attacks on less liquid prices. By averaging over time and volume, a sudden and temporary price shock has less impact on the reference price. Andre Cronje goes to extremes in his Keep3r oracle, where he uses the daily average price.
Market internals. When attacks do occur, they often use only one side of the market, such as only the bid. Large and sudden swings in bid/ask spreads should be a sign that something could be wrong. As an industry, we need to watch for these events and program alerts that fire as they occur.
Volatility index. Implied volatility, or IV, plays a critical role in the financial world. It is the basis on which options are priced. Even in mature and liquid markets like the CBOE Volatility Index, a volatility index covering the $30 trillion S&P 500, manipulation attempts still take place. The current DeFi implied volatility calculations are based on the IV in Deribit's European option prices. Using different methods, implied volatility is derived from the option price, the term, the strike price, the spot price and the prevailing interest rates. Implied volatility should be monitored for abnormal shocks, such as a sudden rise or fall in IV values relative to the underlying asset or relative to the market in general. While IV is an indication of future volatility expectations, it is usually correlated with the volatility of the underlying and/or the market in general. In addition, time- or volume-weighted IV should also be considered, especially close to expiry for cash-settled options.
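The first four mitigations above can be combined in one reference-price filter. The following Python sketch is an added example, not code from the article or from any oracle project; the class name PriceGuard, its parameters and all thresholds other than the $0.97 to $1.03 Dai band are assumptions chosen for illustration.

```python
from collections import deque
from statistics import median

class PriceGuard:
    """Reference-price filter (illustrative): median of several oracles,
    hard bounds, a circuit breaker with cooling-off, and a TWAP."""

    def __init__(self, lo, hi, max_move, cooloff, window):
        self.lo, self.hi = lo, hi      # hard bounds, e.g. 0.97..1.03 for Dai
        self.max_move = max_move       # fractional move that trips the breaker
        self.cooloff = cooloff         # seconds to stay halted after a trip
        self.window = window           # TWAP look-back in seconds
        self.samples = deque()         # accepted (timestamp, price) pairs
        self.halted_until = 0

    def twap(self, now):
        """Time-weighted average of accepted samples inside the window."""
        start = now - self.window
        # Drop samples fully before the window, keeping the one that spans its start.
        while len(self.samples) > 1 and self.samples[1][0] <= start:
            self.samples.popleft()
        if not self.samples:
            return None
        total = span = 0.0
        pts = list(self.samples) + [(now, None)]
        for (t0, price), (t1, _) in zip(pts, pts[1:]):
            dt = t1 - max(t0, start)   # each price holds until the next sample
            total, span = total + price * dt, span + dt
        return total / span if span else self.samples[-1][1]

    def update(self, now, quotes):
        """quotes: prices from independent oracles. Returns (status, reference)."""
        ref = self.twap(now)
        if now < self.halted_until:
            return "halted", ref       # still cooling off, ignore new quotes
        mid = median(quotes)           # one bad feed cannot drag the median away
        if not self.lo <= mid <= self.hi:
            return "out_of_bounds", ref  # reject and keep the old reference
        if ref is not None and abs(mid - ref) / ref > self.max_move:
            self.halted_until = now + self.cooloff
            return "tripped", ref
        self.samples.append((now, mid))
        return "ok", self.twap(now)
```

Rejected and tripped quotes are never added to the sample window, so a manipulated print does not feed into the average it is later compared against.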
Better oracles for a better DeFi ecosystem
In an ideal world, we can collect data from multiple sources that are difficult and/or expensive to manipulate.
For starters, existing oracles only support the largest cryptocurrency pairs and frequently don't refresh the price often enough. For example, Compound chose to use Coinbase Pro instead of Chainlink, which may have seemed like a mind-boggling choice to many.
But even Chainlink only updates the Dai contract once every 24 hours or if the price moves by 2%. Compound was therefore forced to choose between fresh data and data free from manipulation. Had they chosen Chainlink over Coinbase Pro, it is still possible they would have suffered losses while Dai's price was manipulated to swing within the 2% range. But it would have been death by a thousand cuts instead of the catastrophic cut they ended up suffering.
Many cryptocurrencies are only traded on one or two exchanges, sometimes only on decentralized exchanges, and have very little liquidity and high volatility. In situations like this and others, DeFi projects need to work with oracles that can provide both the breadth of data they need and the freshness of data that is essential.
Every DeFi project deals with a unique and different set of variables. Therefore, not all proposed solutions are suitable for every project. A project must consider its unique data requirements and what trade-offs are appropriate for its needs.
The views, thoughts and opinions expressed here are the author's alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Samuel Kim is one of the founders of Umbrella Network, a layer two oracle that enables the next generation of DeFi applications. Previously, he was the founder and CEO of Lucidity, a blockchain-based transparency solution for digital ads, and co-founder of Gimbal, a mobile advertising platform. He is a graduate of Columbia University and received his MBA from Chicago Booth School of Business where he focused on analytical finance.