$90 million liquidated: what should we watch out for when borrowing on a DeFi platform?
Zhikuang University
2020-11-30 05:03
This article is about 2,988 characters; reading the whole piece takes about 12 minutes.
The neglected oracle, and security.

Editor's Note: This article comes from Zhikuang University (ID: gh_37c9e0eaf00a), reprinted by Odaily with authorization.


On the afternoon of November 26, the decentralized lending platform Compound was attacked through its price oracle, and the protocol force-liquidated crypto assets worth about $90 million. Not only users who had borrowed DAI against volatile collateral such as ETH were hit; users who had posted other stablecoins as collateral to borrow DAI were affected as well.

Compound pioneered DeFi liquidity mining this year. The total value of crypto assets locked on the platform currently stands at about $1.47 billion, slightly above Aave but below Maker, placing it second among DeFi lending platforms.

Figure: DeFi lending platform TVL ranking; source: https://defipulse.com

This article answers three questions:

1. What is an oracle?

2. How did the attacker manipulate the oracle's data source and trigger massive liquidations on Compound?

3. How can ordinary users protect themselves?


What is an oracle?

When you hear the word oracle you may immediately think of predictions. In fact, an oracle predicts nothing at all; it is simply a bridge that delivers data and information to the chain.

Take an everyday example. You have just woken up and wonder whether it is raining outside, so you say, "Hey Siri, what's the weather today, will it rain?" and Siri replies, "It's raining right now, remember to take an umbrella when you go out."

In blockchain, the most common kind is the price oracle, which supplies crypto-asset prices to on-chain applications.

Note that the oracle does not own any data itself. It collects data through different channels, processes it, and other applications then read the processed result. In the example above, Siri does not know the weather; it fetches real-time data from a weather service, and we consume the data that Siri obtained.

Price oracles can be divided into two types by how they obtain prices: one fetches the real-time price of a crypto asset from a centralized exchange's API and carries that off-chain price onto the blockchain; the other reads real-time data directly from a decentralized exchange (DEX). Each approach has its own weaknesses: a feed that relies on a single centralized venue inherits that venue's thin order books and outages, while a feed that reads a DEX spot price can be moved within a single transaction by a large enough trade.

This time Compound triggered massive liquidations because of a sharp swing in the price of DAI, and the oracle it used collected the DAI price from a centralized exchange.

How did the attacker manipulate the oracle's data source and trigger massive liquidations on Compound?

Before looking at how the attacker manipulated the oracle's data source to trigger massive liquidations on Compound, let's first go over the lending rules of a DeFi lending platform.


Whether it is Compound, Maker, or Aave, the main business is collateralized lending: you must deposit crypto assets as collateral before you can borrow. This is easy to understand. When you take a loan from a bank, you also need collateral (a house, a car, and so on). If you fail to repay, the bank auctions off the collateral and uses the proceeds to settle your debt. A DeFi lending platform works the same way: if you cannot repay, the platform sells your collateral to cover the debt.

DeFi lending platforms are decentralized applications executed automatically by smart contracts. To control risk, they set two parameters:

Collateral factor (maximum loan-to-value ratio)

Liquidation threshold

The collateral factor is the percentage of your collateral's value that you can borrow in other assets. Different assets have different maximum collateral factors because of their volatility and market acceptance. For example, on Compound and Aave the maximum collateral factor for ETH is 75%: if you deposit $100 worth of ETH, you can borrow at most $75 worth of other crypto assets. UNI (the Uniswap governance token) has a maximum collateral factor of 60% on Compound but 40% on Aave, so $100 worth of UNI lets you borrow up to $60 of other assets on Compound and only $40 on Aave.

The liquidation threshold is the ratio of debt to collateral value at which the platform will forcibly sell your collateral to repay the debt. Again, different assets carry different thresholds because of their volatility and market acceptance. For example, the liquidation threshold for ETH on Aave is 80%: once your debt (principal plus interest) reaches 80% of the value of your collateral, the system sells your collateral to pay it off. Note that Compound does not keep a separate threshold: the collateral factor serves both purposes, so an account becomes liquidatable as soon as its debt exceeds the collateral-factor-weighted value of its collateral.

Now to the huge liquidation on Compound that happened yesterday.

The DAI price on Compound comes from an oracle, and that oracle collected the DAI price from a single exchange, Coinbase Pro. According to the analysis so far, the attacker manipulated the DAI price on Coinbase Pro. As the chart below shows, the DAI price was pushed up to 1.34 USD within a short period.

The rise in the DAI price on Coinbase Pro increased the dollar value of the debt of every user who had borrowed DAI against other collateral on Compound. Highly leveraged users (including one very large account) crossed the liquidation threshold and were liquidated by Compound. The attacker then stepped in as liquidator to collect the 5% liquidation bonus the protocol pays, for a final profit of about $3.55 million.

Sam Priestley analyzed it in a tweet: when your account is being liquidated, the liquidator can choose to receive any of your collateral in exchange for repaying your debt. So the liquidator (the attacker in this case) took the DAI: borrow DAI from Uniswap, repay the DAI debt, receive more DAI from the liquidation, repay Uniswap, and keep the profit.
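As an added example (not code from Compound or from the article), the following Python model puts the lending rules above and the liquidator flow just described into numbers. It assumes the Compound convention that the collateral factor doubles as the liquidation threshold, uses the 75% collateral factor and 5% liquidation bonus quoted in the article, and treats the 50% close factor, the asset prices and the account balances as constructed assumptions.

```python
"""Added example, not code from Compound or from the article: a minimal model of
collateralised borrowing and liquidation using the numbers the article quotes
(ETH collateral factor 75%, 5% liquidation bonus).  The Compound convention is
assumed: the collateral factor also acts as the liquidation threshold.
Prices, balances and the 50% close factor are constructed for illustration."""

from dataclasses import dataclass

COLLATERAL_FACTOR = {"ETH": 0.75, "USDC": 0.75, "DAI": 0.75}  # assumed values
LIQUIDATION_BONUS = 0.05  # liquidator receives 5% more collateral than debt repaid
CLOSE_FACTOR = 0.5        # at most half of a borrow may be repaid per liquidation (assumed)


@dataclass
class Position:
    collateral: dict  # symbol -> amount supplied
    debt: dict        # symbol -> amount borrowed


def borrow_limit(pos, prices):
    """Collateral value weighted by collateral factor: the most a position may owe."""
    return sum(amt * prices[s] * COLLATERAL_FACTOR[s] for s, amt in pos.collateral.items())


def debt_value(pos, prices):
    return sum(amt * prices[s] for s, amt in pos.debt.items())


def is_liquidatable(pos, prices):
    # On Compound a position is liquidatable as soon as debt exceeds the limit.
    return debt_value(pos, prices) > borrow_limit(pos, prices)


def liquidate(pos, prices, repay_sym, repay_amt, seize_sym):
    """Repay part of the debt and seize collateral worth (1 + bonus) times the
    repaid value.  Returns the amount of `seize_sym` handed to the liquidator."""
    if not is_liquidatable(pos, prices):
        raise ValueError("position is healthy; nothing to liquidate")
    if repay_amt > pos.debt[repay_sym] * CLOSE_FACTOR:
        raise ValueError("repayment exceeds close factor")
    seize_amt = repay_amt * prices[repay_sym] * (1 + LIQUIDATION_BONUS) / prices[seize_sym]
    if seize_amt > pos.collateral[seize_sym]:
        raise ValueError("not enough of that collateral to seize")
    pos.debt[repay_sym] -= repay_amt
    pos.collateral[seize_sym] -= seize_amt
    return seize_amt


def eth_borrowers_at_dai_spike(dai_price=1.34, eth_price=500.0):
    """Two ETH-backed DAI borrowers, one near the 75% limit and one at 50% of it.
    Returns (aggressive_liquidatable, conservative_liquidatable)."""
    aggressive = Position({"ETH": 100.0}, {"DAI": 37_000.0})    # 74% of limit at DAI = $1
    conservative = Position({"ETH": 100.0}, {"DAI": 25_000.0})  # 50% of limit at DAI = $1
    prices = {"ETH": eth_price, "DAI": dai_price}
    return is_liquidatable(aggressive, prices), is_liquidatable(conservative, prices)


def flash_liquidation_profit(dai_price=1.34):
    """The liquidator flow the article describes: borrow DAI, repay the victim's
    DAI debt, seize DAI collateral, repay the loan.  Returns DAI kept."""
    victim = Position({"USDC": 100_000.0, "DAI": 50_000.0}, {"DAI": 105_000.0})
    prices = {"USDC": 1.0, "DAI": dai_price}
    borrowed = 40_000.0                                # flash-borrowed DAI (constructed)
    seized = liquidate(victim, prices, "DAI", borrowed, "DAI")
    return seized - borrowed                           # loan repaid in kind


if __name__ == "__main__":
    print(eth_borrowers_at_dai_spike())     # (True, False)
    print(flash_liquidation_profit())       # about 2000.0 DAI
```

At DAI = $1.00 both ETH borrowers are healthy; at $1.34 the borrower near the limit owes $49,580 against a $37,500 limit and is liquidatable, while the one at 50% still has room. The victim in the second scenario is healthy at $1.00 and liquidatable at $1.34, and because the liquidator repays DAI and seizes DAI, the 5% bonus is realised in kind: 2,000 DAI on a 40,000 DAI flash loan, whatever DAI really trades at, which is why the loan can be closed in the same transaction with no price exposure.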


How should ordinary users protect themselves?

For ordinary users, the first step before using a lending platform is to understand where its oracle gets its data. The more independent data sources a feed aggregates, the harder it is for an attacker to control the oracle, and the safer the platform is, relatively speaking. It is also worth checking how those sources are combined (a median is harder to move than a single quote) and whether the feed rejects updates that deviate too far from a reference price, because a feed that trusts one venue's spot price is only as robust as that venue's order book.
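As an added example (not code from Compound or from the article), the following Python sketch contrasts the single-venue feed the article describes with a feed that aggregates several sources, which is the check recommended above and the trade-off noted earlier in the section on oracle types. The venue names, the quotes and the 5% deviation cap are constructed assumptions.

```python
"""Added example, not code from Compound or from the article: a constructed
comparison of a price feed that trusts one venue with a feed that takes the
median of several venues and rejects any update that deviates too far from the
last accepted price.  Venue names and quotes are made up; one venue's DAI
quote is pushed to 1.34 the way the article describes."""

from statistics import median


class SingleSourceFeed:
    """Publishes whatever one venue reports: moved by that venue's order book alone."""

    def __init__(self, venue):
        self.venue = venue

    def price(self, quotes):
        return quotes[self.venue]


class MedianFeed:
    """Median across venues plus a per-update deviation cap against the last
    accepted price.  One venue cannot move the median while the others agree;
    the cap is what remains when an attacker moves a majority of venues."""

    def __init__(self, venues, max_deviation=0.05, initial=1.0):
        self.venues = venues
        self.max_deviation = max_deviation  # assumed 5% cap
        self.last = initial

    def price(self, quotes):
        candidate = median(quotes[v] for v in self.venues)
        if abs(candidate - self.last) / self.last > self.max_deviation:
            return self.last  # reject the outlier update and keep the last good price
        self.last = candidate
        return candidate


# Constructed quotes (hypothetical venues): only venue_a is manipulated.
QUOTES_NORMAL = {"venue_a": 1.000, "venue_b": 1.001, "venue_c": 0.999, "venue_d": 1.002}
QUOTES_ATTACK = {"venue_a": 1.340, "venue_b": 1.003, "venue_c": 1.001, "venue_d": 1.002}
# Attacker controls three of the four venues.
QUOTES_MAJORITY = {"venue_a": 1.340, "venue_b": 1.340, "venue_c": 1.340, "venue_d": 1.002}


def compare_feeds():
    """Returns (single-venue price, median-feed price) during the one-venue attack."""
    single = SingleSourceFeed("venue_a")
    aggregated = MedianFeed(list(QUOTES_NORMAL))
    aggregated.price(QUOTES_NORMAL)  # warm up with a normal round
    return single.price(QUOTES_ATTACK), aggregated.price(QUOTES_ATTACK)


def median_feed_under_majority_control():
    """With most venues compromised the median itself moves; only the cap is left."""
    aggregated = MedianFeed(list(QUOTES_NORMAL))
    aggregated.price(QUOTES_NORMAL)
    return aggregated.price(QUOTES_MAJORITY)


if __name__ == "__main__":
    print(compare_feeds())                      # (1.34, 1.0025)
    print(median_feed_under_majority_control())  # 1.0005
```

The single-venue feed passes the 1.34 spike straight through to every borrower's debt calculation; the median feed keeps reporting parity because three venues still agree. When the attacker controls a majority, the median moves and only the deviation cap holds the price. That cap is a second line of defence, but it also means a genuine 30% move would be reported late, so its width is a trade-off between manipulation resistance and responsiveness, and the lending platform's liquidation logic has to be designed with that lag in mind.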


Also, when borrowing against collateral, keep your borrow ratio well below the maximum. Crypto prices swing violently, and a manipulation or a dump can play out within minutes. If your ratio is near the limit, there is no time to add collateral, and the only possible outcome is liquidation.

Finally, the most important piece of advice: if you can borrow off-platform, don't borrow on-platform. There are countless cases of on-platform borrowing and on-platform leverage ending in malicious manipulation and malicious liquidation.

Risk warning: this article represents only the author's personal views, not the views or position of Zhikuang University, and does not constitute any investment advice.

