In brief
- Value DeFi has integrated Chainlink.
- That's after a $6 million flash loan exploit.
- Several other platforms have fallen prey to similar hacks.
Value DeFi, the yield farming decentralized finance protocol that last Saturday lost $6 million after someone exploited a vulnerability in its unaudited, centralized price oracle, today integrated Chainlink, a decentralized oracle network.
Value DeFi’s exploit took place the day after the launch of its MultiStables Vault, a new financial project designed to shift investors’ money around different DeFi protocols to maximize profits.
Someone managed to manipulate the price of tokens in one of its vaults through a flash-loan—an instant loan issued from Aave, a DeFi loans protocol—and then buy those tokens at a discounted rate.
The vault relied on a centralized price feed to confirm prices, which made it vulnerable to manipulation. So the team decided to decentralize its price oracle to stop this from happening again. It chose Chainlink.
Value DeFi and @chainlink form strategic collaboration https://t.co/p9jU3ZmSVw #VALUE #ChainLink #StrategicCollaboration
— Value DeFi Protocol (@value_defi) November 19, 2020
“After many focused discussions and weighing the different options, we found Chainlink to be the best oracle solution that provides a sufficiently robust and tamper-resistant price oracle solution capable of mitigating flash loan attacks,” said Value DeFi in its blog post.
The idea is that Chainlink’s feeds are decentralized—information’s verified by disparate teams of crypto security firms—so it’s difficult for people to conspire to fake information.
Sergey Nazarov, Chainlink’s founder, told Decrypt that the issue is not with flash loans, which are often the villains in flash loan exploits. Flash loans let users borrow lots of cryptocurrency, so long as the borrower can pay all the money back in a single transaction.
“The core of the issue is price oracle security. Any well-capitalized actor is capable of committing these price oracle exploits. All a flash loan does is make it possible for anyone to become a well-capitalized actor,” he said.
In the past month, several other DeFi protocols have been the victims of flash loan-based oracle attacks: Harvest Finance lost $34 million, Cheese Bank lost $3.3 million and Akropolis suffered a $2 million loss.
“The teams making various DeFi financial products need to start viewing oracle security as seriously as they view getting their smart contracts audited,” said Nazarov. (In DeFi, smart contracts are the pieces of code that let different protocols speak to one another in a trustless manner. Bad things can happen if they go unaudited.)
Nazarov said that oracle attacks will “only increase as the value in DeFi continues to rise.”
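To make the oracle-security argument above concrete, the following Python example (added here, not code from Value DeFi or Chainlink) models a single price source as a constant-product pool and compares its price with a median over several independent reports, then applies a deviation check before the price is trusted. The pool model, reserve sizes, report values, the 2% limit and all function names are assumptions constructed for illustration.

```python
from statistics import median


class Pool:
    """Constant-product (x * y = k) pool: an assumed model of one price source."""

    def __init__(self, token_reserve, stable_reserve):
        self.token = token_reserve
        self.stable = stable_reserve

    def spot_price(self):
        return self.stable / self.token  # stablecoins per token

    def buy_tokens(self, stable_in):
        """Swap stablecoins for tokens (fees ignored); returns tokens received."""
        k = self.token * self.stable
        self.stable += stable_in
        tokens_out = self.token - k / self.stable
        self.token -= tokens_out
        return tokens_out


def aggregated_price(reports):
    """Median of independent reports; moves only if most sources move."""
    return median(reports)


def checked_price(spot, reference, max_deviation=0.02):
    """Return spot only when it is within max_deviation of the reference."""
    deviation = abs(spot - reference) / reference
    if deviation > max_deviation:
        raise ValueError(f"spot {spot:.3f} deviates {deviation:.0%} from {reference:.3f}")
    return spot


def demo():
    pool = Pool(1_000_000, 1_000_000)             # constructed reserves, price 1.00
    other_reports = [0.999, 1.000, 1.001, 1.002]  # constructed independent sources
    pool.buy_tokens(500_000)                      # one large trade with borrowed capital
    spot = pool.spot_price()                      # single-source price after the trade
    reference = aggregated_price(other_reports + [spot])
    try:
        checked_price(spot, reference)
        accepted = True
    except ValueError:
        accepted = False
    return spot, reference, accepted


if __name__ == "__main__":
    print(demo())
```

A single trade moves the lone pool's price from 1.00 to 2.25, while the median of five sources stays at 1.001, so the deviation check refuses the single-source value.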