In brief
- In the latest episode of the Decrypt Daily podcast, Chainlink co-founder Sergey Nazarov explained how flash loan attacks work in DeFi.
- Many projects neglect the scope of their price data coverage to save development time, he noted.
- This results in serious vulnerabilities and opens DeFi platforms to attacks.
Over the past months, several of Ethereum’s decentralized finance (DeFi) platforms fell victim to so-called “flash loan attacks,” which allowed malicious actors to siphon tens of millions of dollars in crypto. However, what we have seen so far is just the simplest version of such incursions, Sergey Nazarov, co-founder of oracle network Chainlink, explained during the latest episode of the Decrypt Daily podcast.
According to Nazarov, the biggest bottleneck of many DeFi projects is their price discovery mechanisms. Namely, their price oracles—apps that allow smart contracts to interact with external data—are often using one or just a couple of on-chain decentralized exchanges (DEXs) as their source.
“The true nature of the attack is that there's a single price data provider, there's a single exchange. In the cases we're seeing right now in DeFi, basically, for the sake of ease and speed of development, there have been some cases where people have used on-chain decentralized exchanges and on-chain exchange infrastructure to retrieve the price that triggers their DeFi application,” Nazarov explained.
Still, an attacker must have sizable capital to manipulate prices even on one exchange, and this is where DeFi flash loans come into play. These mechanisms allow anyone who has even a small amount of assets to become well capitalized for a short period of time.
This way, attackers can manipulate the prices of tokens in a project’s vault by skewing the price on the DEX that the platform’s oracle sources its data from, and with it the data the oracle provides. Then, attackers can quickly buy the sharply cheapened tokens and repay the flash loan shortly after. What makes these attacks easier and more dangerous is that they don’t even require much technical knowledge.
“All someone has to do is manipulate that one exchange’s order book, which means they don't even need to know how to code. These attacks right now don't even really require people to be very good at software development or hacks or anything. They just require people to have enough money to manipulate a price on a single exchange that people thought would be secure,” Nazarov continued.
What’s worse, sourcing data from even two or five on-chain exchanges, for example, won’t protect DeFi platforms against flash loan attacks. It would only make such exploits more complex and expensive to execute, but still perfectly viable, Nazarov warned.
“Because the next, more sophisticated version of this attack is not ‘I manipulate a single price oracle,’ it's, ‘All I need to do is manipulate two or three exchanges, and I manipulate the price,’” he noted. “And instead of manipulating one exchange, which is obviously easier, the more advanced version of this attack is the manipulation of two, three or four exchanges that a DeFi protocol relies on to source their price data. And we absolutely know that's possible because we look at price data on a daily basis.”
To counter such attacks, DeFi platforms must significantly expand the range of price data they are collecting, Nazarov explained. This way, someone would be able to manipulate the price of an asset only by actually skewing its global price—which is the “real” price at that point—and DeFi protocols will at least reflect the reality in this case.
“And once again, [more complex attacks] is something that, unfortunately, is coming, and our system was architected to be completely resistant to from the beginning by sourcing data from hundreds of exchanges, effectively creating market coverage,” Nazarov noted.
He added that flash loan attacks are something that Chainlink was concerned with back in 2018 and that they are currently happening “pretty much exactly step by step the way we predicted.” To avoid these exploits, DeFi platforms “don't want to use a single exchange for a price oracle, period.”
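The broad-coverage idea described above, as an added example (not code from the article, the podcast or Chainlink): a median over many venues with a minimum-source quorum and outlier flagging, set beside a three-venue feed where the median follows the skewed majority. The venue names, prices, quorum of 5 and 2% spread threshold are constructed assumptions.

```python
from statistics import median

MIN_SOURCES = 5    # assumed quorum; the article gives no number
MAX_SPREAD = 0.02  # assumed: flag venues quoting more than 2% from the median


def aggregate_price(quotes, min_sources=MIN_SOURCES, max_spread=MAX_SPREAD):
    """Return (median_price, flagged_venues) for a {venue: price} mapping.

    Refuses to answer when too few venues report, so the consumer can
    pause instead of acting on a thin, easily skewed sample.
    """
    valid = {v: p for v, p in quotes.items() if p is not None and p > 0}
    if len(valid) < min_sources:
        raise ValueError(f"only {len(valid)} usable sources, need {min_sources}")
    mid = median(valid.values())
    flagged = sorted(v for v, p in valid.items() if abs(p - mid) / mid > max_spread)
    return mid, flagged


# Constructed sample quotes (hypothetical venue names, not real market data).
HONEST = {"dex_a": 100.2, "dex_b": 99.9, "cex_c": 100.0, "cex_d": 100.1,
          "cex_e": 99.8, "cex_f": 100.3, "dex_g": 100.0}

# One thin venue pushed far off-market; the other six are unchanged.
ONE_SKEWED = dict(HONEST, dex_a=40.0)

# A three-venue feed with two skewed venues: the median follows them and
# the one honest venue is the quote that gets flagged as the outlier.
THREE_VENUES_TWO_SKEWED = {"dex_a": 40.0, "dex_b": 40.5, "cex_c": 100.0}

if __name__ == "__main__":
    print("single-source read:", ONE_SKEWED["dex_a"])
    print("7-venue median:", aggregate_price(ONE_SKEWED))
    print("3-venue median:",
          aggregate_price(THREE_VENUES_TWO_SKEWED, min_sources=3))
    try:
        aggregate_price({"dex_a": 40.0})
    except ValueError as err:
        print("rejected:", err)
```

The flagged list is a monitoring signal: a venue that suddenly diverges from the rest is worth an alert even when the median itself has not moved.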
As Decrypt reported, hackers are draining $10 million per month from DeFi on average these days, so perhaps the time has come indeed to take a long, hard look at the security of Ethereum’s “killer apps.”