Flash loan attacks on DeFi will worsen, warns Chainlink co-founder
- In the latest episode of the Decrypt Daily podcast, Chainlink co-founder Sergey Nazarov discussed how flash loan attacks work in DeFi.
- Many projects overlook the extent of their price data coverage to save development time, he noted.
- This leads to serious vulnerabilities and opens up DeFi platforms to attacks.
In recent months, several Ethereum decentralized finance (Challenge) platforms became victims of so-called “flash loan attacks, allowing malicious actors to siphon off tens of millions of dollars in crypto. However, what we’ve seen so far was just the simplest version of such forays, explained Sergey Nazarov, co-founder of the Oracle Chainlink network, in the last episode of the Decrypt daily Podcast.
According to Nazarov, the biggest bottleneck in many DeFi projects is their price discovery mechanisms. Namely, their price oracles – apps that allow smart contracts to interact with external data – often use one or a few decentralized on-chain exchanges (DEXs) as their source.
“The real nature of the attack is that there is only one provider of price data, that there is only one exchange. In the cases that we are currently seeing in DeFi, essentially for the sake of ease and speed of development, there have been cases where people have used decentralized on-chain exchanges and on-chain exchange infrastructure to grab the price that triggers their DeFi application, ”explained Nazarov.
Yet an attacker must have significant capital to manipulate prices, even on a single exchange, and this is where DeFi flash loans come in. These mechanisms allow anyone with even minimal assets to capitalize well over a short period.
In this way, attackers can manipulate the prices of tokens in a project’s vault by distorting the data provided by the platform’s oracle and on the DEX from which that data is extracted. Then attackers can quickly buy the heavily cheap tokens and pay off the flash loan soon after. What makes these attacks easier and more dangerous is that they don’t even require as much technical knowledge.
“All someone has to do is fiddle with this exchange’s order book, which means they don’t even have to know how to code. These attacks right now don’t even really require people to be very good at software development or hacks or anything. They just demand that people have enough money to manipulate a price on a single exchange that people thought was safe, ”Nazarov continued.
The worst part is that provisioning their data, even from two or five on-chain exchanges, for example, will not protect DeFi platforms from flash loan attacks. This would only make such feats more complex and expensive to perform, but still perfectly viable, warned Nazarov.
“Because the next more sophisticated version of this attack isn’t” I manipulate a single oracle price “, it’s” all I have to do is manipulate two or three exchanges, and I manipulate the price. ” , he noted. “And instead of manipulating an exchange, which is obviously easier, the more advanced version of that attack is the manipulation of two, three, or four exchanges that a DeFi protocol relies on. to get their price data. And we absolutely know it’s possible because we look at the price data on a daily basis. “
To counter such attacks, DeFi platforms must dramatically expand the range of price data they collect, Nazarov explained. That way, someone could only manipulate the price of an asset by actually skewing its overall price – which is the “real” price at this point – and DeFi protocols will at least reflect reality in this case.
” And once again, [more complex attacks] is something that unfortunately is coming, and our system was designed to be completely resilient from the start looking for data from hundreds of exchanges, thus creating market coverage, ”Nazarov noted.
He added that flash loan attacks were something Chainlink had been concerned about in 2018 and are currently going “pretty much exactly step by step as we expected.” To avoid these exploits, DeFi platforms “don’t want to use a single exchange for a price oracle, period.”
As Decrypt reported, hackers are draining $ 10 million per month DeFi’s on average these days, so perhaps now is the time to take a long and careful look at the security of Ethereum’s “killer apps”.