FTX CEO Sam Bankman-Fried took to Twitter on Wednesday to unpack the lessons from Tuesday’s Mango Markets hack. And he had DeFi oracles in his crosshairs.
"When it comes to oracles, you just have to make up your own damn mind," he said.
Oracles take off-chain, real-world data and make it usable on a blockchain. Oracles open smart contracts—programs that trigger when a criterion is met—and have various applications, including investing and trading digital assets, prediction markets, and even carbon taxes.
On Tuesday, an attacker stole $100 million worth of funds from the Mango Markets Solana DeFi trading platform. The attacker used a flaw in Mango Markets' design to show they had more collateral than they actually did, drove up the price of the MNGO token, and was then able to take out a $100 million loan based on the data provided by the platform's oracle.
1) When it comes to oracles, you just have to make up your own damn mind pic.twitter.com/7kZATSLpQM
— SBF (@SBF_FTX) October 12, 2022
"So, what went wrong?" he asked. "Did the oracle fuck up?"
Not really, he explained, saying that it depends on what the oracle's specifications were.
"The oracle accurately reported the current price of MNGO," he said. "It's just that the 'current price' wasn't really anything close to the 'fair price.'"
The reason for this, he explained, is that significant positions—especially in illiquid tokens—can have a massive impact. Some positions, like with MNGO, are large and illiquid enough that the risk engine—software that provides measurements for market risks and analysis of investments—forces the position to be fully collateralized.
Fully collateralized means that throughout the loan, the borrower provides collateral. In this case, the collateral was cryptocurrency. Mango Markets required an initial collateral ratio of 120% and a maintenance collateral ratio of 110%. The account would be liquidated if the user's collateral ratio dropped below 110%.
"So even before hitting position limits, the risk engine ensures that the collateral backing a position is sufficient," he said. The Mango Markets attacker used an exploit to mimic having enough collateral.
"If an oracle reports ‘MNGO: $0.40,’ is it wrong?" he asked. "It depends on what it's promising."
"If it's just promising to tell you what MNGO is currently trading at," he said. "And, for a brief period, on some exchanges, MNGO was in fact trading at $0.40." The problem, he added, was using the raw oracle price.
"The oracle tells you everything and nothing—the history and current state of markets," he said. "It's the risk engine's job to consume that information, and decide what positions are safe."
Sometimes the risk engine can't just regurgitate what the oracle is saying, he said. "Sometimes it has to make up its mind."
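The difference between regurgitating the oracle and making up its own mind can be shown with a small risk-engine model. This is an added example, not code from Mango Markets or FTX: it applies the 120% and 110% ratios above to a collateral position valued either at the raw oracle tick or at a tick capped near the recent median. The median cap, the function names, the $0.04 baseline and the position size are assumptions made for illustration.

```python
from statistics import median

INITIAL_RATIO = 1.20      # initial collateral ratio quoted in the article
MAINTENANCE_RATIO = 1.10  # maintenance collateral ratio quoted in the article

def raw_price(ticks):
    """Policy A: take the latest oracle tick at face value."""
    return ticks[-1]

def guarded_price(ticks, window=10, max_premium=0.05):
    """Policy B (assumed): cap the latest tick at a small premium over the
    median of recent ticks, so a brief spike cannot inflate collateral."""
    reference = median(ticks[-window:])
    return min(ticks[-1], reference * (1 + max_premium))

def max_borrow(units, price):
    """Largest loan allowed against `units` of collateral at `price`."""
    return units * price / INITIAL_RATIO

def assess(units, debt, price):
    """Collateral ratio, liquidation flag and shortfall at a given price."""
    value = units * price
    return {
        "ratio": value / debt,
        "liquidatable": value / debt < MAINTENANCE_RATIO,
        "shortfall": max(0.0, debt - value),
    }

def simulate(policy, ticks, units, settle_price):
    """Borrow the maximum under `policy`, then revalue once the spike fades."""
    debt = max_borrow(units, policy(ticks))
    return {"debt": debt, **assess(units, debt, settle_price)}

# Constructed sample data: nine quiet ticks, then a one-tick spike to the
# $0.40 figure from the article. The $0.04 baseline and position size are made up.
SPIKE = [0.04] * 9 + [0.40]
UNITS = 1_000_000

if __name__ == "__main__":
    for policy in (raw_price, guarded_price):
        print(policy.__name__, simulate(policy, SPIKE, UNITS, settle_price=0.04))
```

With the raw tick, the loan sized during the spike is left backed by a fraction of its value once the price reverts; with the capped price, the same position stays above the maintenance ratio, and a move that persists across the window is still followed.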