- In the latest episode of the Decrypt Daily podcast, Chainlink CEO Sergey Nazarov explained how flash credit attacks work in DeFi.
- Many projects neglect the extent of their pricing data coverage in order to save development time.
- This leads to serious security holes and opens DeFi platforms for attacks.
In the last few months, several decentralized financings from Ethereum (DeFi) Platforms became a victim of so-called “Flash credit attacks, “So that malicious actors can suck up Tens of millions of dollars in crypto. However, what we have seen so far has only been the simplest version of such raids, explained Sergey Nazarov, CEO of the oracle network Chainlink, in the last episode of Decrypt daily Podcast.
According to Nazarov, the biggest bottleneck for many DeFi projects is their pricing mechanisms. Their pricing oracles – apps that allow smart contracts to interact with external data – often use one or just a few decentralized on-chain exchanges (DEXs) as a source.
“The real nature of the attack is that there is a single pricing data provider and exchange. In the cases we are currently seeing in DeFi, for the sake of simplicity and speed of development, there have been some cases where people have used decentralized on-chain exchanges and on-chain exchange infrastructures to get the price that is triggered their DeFi application, ”explained Nazarov.
Nevertheless, an attacker must have considerable capital in order to manipulate prices on an exchange – and this is where DeFi Flash loans come into play. These mechanisms allow anyone with limited wealth to maintain good capitalization for a short period of time.
In this way, attackers can manipulate the prices of tokens in a project’s vault by distorting the data provided by the platform’s oracle – and obtaining this data on the DEX. Then attackers can quickly buy the heavily discounted tokens and repay the flash loan shortly afterwards. What makes these attacks easier and more dangerous is that they don’t even require that much technical knowledge.
“All someone has to do is manipulate this exchange’s order book, which means they don’t even have to know how to code. These attacks don’t even really require people to be very good at software development or hacks or anything right now. They just ask that people have enough money to manipulate a price on a single exchange that people thought was safe, ”continued Nazarov.
What’s worse is that sourcing their data through, say, two or five on-chain exchanges doesn’t protect the DeFi platforms from flash credit attacks. It would only make such exploits more complex and expensive – but still quite feasible, warned Nazarov.
“Since the next, more complex version of this attack is not,” I’m manipulating a single price oracle, “but” I just have to manipulate two or three exchanges and manipulate the price, “he remarked.” And instead of manipulating one exchange, which is obviously easier , the more advanced version of this attack is the manipulation of two, three or four exchanges that a DeFi protocol relies on to get their price data, and we absolutely know it is possible because we look at the price data on a daily basis. “
To counter such attacks, DeFi platforms need to significantly expand the range of price data they collect, Nazarov explained. That way, someone could only manipulate the price of an asset by actually skewing its global price – which is the “real” price at that point in time. The DeFi protocols at least reflect the reality in this case.
“And again, [more complex attacks] is something that is unfortunately to come, and our system was designed to be completely resilient from the start, pulling data from hundreds of exchanges, effectively providing market coverage, ”noted Nazarov.
He added that flash credit attacks are something that Chainlink dealt with back in 2018 and that currently “pretty much exactly, step-by-step, as we predicted.” To avoid these exploits, DeFi platforms “don’t want to use a single exchange for a prize oracle”.
As Decrypt reported hackers are Drain $ 10 million a month from DeFi on average these days, so it may actually be time to take a long, hard look at the security of Ethereum’s “killer apps”.