After DeFi Lost $100 Million to Flash Loan Attacks, Curve Pushes Chainlink

Attackers took out flash loans to manipulate prices in Curve Finance liquidity pools. Curve wants to stop that.

By Robert Stevens

3 min read

Editor's note: This article has been updated with comments from Chainlink's co-founder, Sergey Nazarov. It clarifies that Curve was not at fault.

After DeFi protocols lost $100 million in damages in a string of flash loan attacks, due in part to the misappropriation of technology from decentralized exchange Curve Finance, Curve today recommended that the decentralized finance protocols that rely on its services integrate Chainlink, a decentralized oracle network, instead.

The recommendation comes after several attacks, whereby hackers took out flash loans (instant crypto loans) from DeFi lending protocols to briefly manipulate Curve Liquidity Pools that several DeFi projects had used as price oracles.

Attackers were able to do this because certain DeFi protocols relied on Curve’s own calculations about the price of crypto held in its liquidity pools. 

Among recent attacks that used flash loans to manipulate the price of stablecoins held within DeFi protocols are yesterday’s attack on DeFi lending protocol Compound, which resulted in a $89 million loss; an attack on Harvest Finance that drained $34 million; one on Cheese Bank that caused $3.3 million in damages; a $2 million attack on Akropolis and a $6 million attack on Value DeFi

Sergey Nazarov, the co-founder of Chainlink, told Decrypt that the problem doesn't lie with Curve, but with the misappropriation of Curve's technology by DeFi projects rushing to get their products online.

Those projects "misused" liquidity pools as price oracles, said Nazarov—something that "shouldn't be used as a price oracle." Nazarov compared it to trying to use "a hammer as a screwdriver."

Nazarov said that these projects used Curve's liquidity pools as price oracles in part due to the rapid pace at which they built these protocols. "It was a quicker solution to their need for a price oracle," he said, "and maybe they didn't expect that they would acquire so much value so quickly."

Curve is the sixth-largest DeFi protocol; investors have locked up $882 million worth of cryptocurrencies in its vaults, according to DeFi Pulse

In a blog post, Curve recommended that DeFi protocols “avoid using Curve as a price oracle”—the term for its system that determines the price of stablecoins, and instead rely on “a reliable price oracle that provides an accurate picture of the global market price of the asset in a Liquidity Pool.”

Specifically, Curve recommends that DeFi protocols use Chainlink Price Feeds to “eliminate their exposure to flash loan attacks.” 

Chainlink is a decentralized oracle that distributes the work of calculating prices of stablecoins across a network of nodes. This means that price feeds aren’t easily manipulated by flash loans attacks.

“This validates what we’ve been saying all along: using a DEX as a centralized price oracle is not a sufficient way to protect against oracle exploits and attacks,” Johann Eid, Product Manager at Chainlink Labs, told Decrypt

“Oracles need exposure to full market coverage and decentralization at both the oracle node layer and the data source layer,” he added.

Several DeFi protocols already use Chainlink. DeFi lending protocol Aave uses it, and yearn.finance, a kind of DeFi robo-advisor, uses its oracles to rebalance vaults.

Chainlink’s price is currently $12.22. It has fallen by 4% in the past 24 hours, in tune with the decline of the entire crypto economy. 

Get crypto news straight to your inbox--

sign up for the Decrypt Daily below. (It’s free).

Recommended News