An "Oracle Attack" Hits Compound: What Happened?

An "Oracle Attack" Hits Compound: What Happened?

On November 26th, the cryptocurrency market suffered a sharp collapse that caused the prices of Bitcoin and much of the market to plummet.
In these cases when traders rush to "get out", the value of the stablecoins increases as demand increases.
Obviously we are talking about increases of 1% therefore very slight.
In yesterday's crash, however, the effect became particularly pronounced on Dai (DAI), which traded briefly for $ 1.34 between 7 and 8 AM UTC.
In particular, DAI has assumed this value only on Coinbase and Uniswap, while on other exchanges (including Kraken and Bitfinex) there seems to have been no problems.
Coinbase and Uniswap are the two exchanges used by Compound's "Open Price Feed" oracle. The former acts as a baseline, while the latter is used as an integrity check and anchor. However, Uniswap appears to have failed in its function and recorded a much higher value than normal.
The serious damage caused by this situation occurred on Compound where $ 89 million was paid, of which approximately $ 52 million came from DAI (DuneAnalytics) and on dYdX ($ 8 million).
According to researcher Sam Priestley, this liquidation was performed on a leveraged COMP farmer using USDC and DAI (as collateral) resulting in leverage power of the same currencies. The apparent increase in the price of the DAI has brought everything below the liquidation threshold.
2.4 billion cDAI were liquidated, worth approximately $ 50 million.
The transaction in question involved the use of a flash swap from Uniswap and the request to update the Compound Oracle. Four more transactions issued by the same liquidator removed an additional $ 6 million in debt.


But what happened? Compound allows users to borrow funds, including DAI. In all cases, an amount borrowed should always be less than the collateral provided (loans should always be over-secured). If I block Ethereum to take $ 1000 of DAI, I must block $ 1300 of Ethereum.
In today's case, the liquidations took place because the price of DAI momentarily increased by 30% on Coinbase (source of the Compound pricing oracle), which led to collateralized loans on the protocol. In other words, the increase in the price of the DAI also increased the value of the DAI borrowed on Compound, compared to the collateral provided.
In fact if I borrowed 1,000 DAI to $ 1 DAI, which is a total of $ 1,000 but the price of the DAI increased to $ 1.30 during a loan period, the amount borrowed by the user increased to $ 1,300. At this point, Compound would consider this loan as under-secured and liquidation takes place.
One farmer lost $ 46 million. Obviously, this system aims to "protect" liquidity providers.

The event highlighted the dangers of relying on little data for oracles, Chainlink (LINK) founder Sergey Nazarov told Cointelegraph:

"DeFi protocols which rely on centralized oracles extracting data from single exchanges, DEX or otherwise, are putting user funds at risk. The Chainlink network was not affected by this exploit because we receive data from multiple leading data providers. and hundreds of exchanges, making sure we get the real price of a cryptocurrency through adequate market coverage"

Although there is no evidence to suggest active manipulation, the fact that the DAI price jumped specifically on the trades used by the Compound oracles could raise suspicion.


More likely it was an "oracle attack" that manipulated the price of DAI on the Coinbase Pro exchange, in order to fool the blockchain, through its oracles, into believing that the current price of DAI had really increased. The Compound Ecosystem believing that Dai had reached $ 1.30 cleared all the loans.
Aave and Maker took no damage because their system uses multiple oracles.


I love Deep Web & Crypto ⠀⠀⠀⠀⠀⠀⠀⠀


The main topics will be: 🄳🄴🄴🄿 🅆🄴🄱 and 🅒🅡🅨🅟🅣🅞⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.