After $6 Million Hack, Value DeFi Turns to Chainlink for Help
Value DeFi, the yield farming decentralized finance protocol that last Saturday lost $6 million after someone exploited a vulnerability in its unaudited, centralized price oracle, today integrated Chainlink, a decentralized oracle network.
Value DeFi’s exploit took place the day after the launch of its MultiStables Vault, a new financial project designed to shift investors’ money around different DeFi protocols to maximize profits.
Someone managed to manipulate the price of tokens in one of its vaults through a flash loan (an instant loan issued from Aave, a DeFi loans protocol) and then buy those tokens at a discounted rate.
The hack exploited the vault's reliance on a centralized price feed to confirm prices, which made it vulnerable to manipulation. So the team decided to decentralize its price oracle to stop this from happening again. It chose Chainlink.
Value DeFi and @chainlink form strategic collaboration https://t.co/p9jU3ZmSVw #VALUE #ChainLink #StrategicCollaboration
— Value DeFi Protocol (@value_defi) November 19, 2020
“After many focused discussions and weighing the different options, we found Chainlink to be the best oracle solution that provides a sufficiently robust and tamper-resistant price oracle solution capable of mitigating flash loan attacks,” said Value DeFi in its blog post.
The idea is that Chainlink’s feeds are decentralized (information is verified by disparate teams of crypto security firms), so it’s difficult for people to conspire to fake information.
Sergey Nazarov, Chainlink’s founder, told Decrypt that the issue is not with flash loans, which are often cast as the villains in these exploits. Flash loans let users borrow lots of cryptocurrency, so long as the borrower can pay all the money back in a single transaction.
“The core of the issue is price oracle security. Any well-capitalized actor is capable of committing these price oracle exploits. All a flash loan does is make it possible for anyone to become a well-capitalized actor,” he said.
In the past month, several other DeFi protocols have been the victims of flash loan-based oracle attacks: Harvest Finance lost $34 million, Cheese Bank lost $3.3 million and Akropolis suffered a $2 million loss.
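Nazarov's point can be shown with a small model, added here as an illustration and not taken from Value DeFi, Chainlink or this article: a price read from one liquidity pool moves as far as a trader's capital allows, while a median over independent reports barely moves. The constant-product pool, the reserve sizes, the reporter values and every function name are assumptions constructed for the example, and the median is a simplified stand-in for a decentralized oracle network rather than Chainlink's actual aggregation.

```python
from statistics import median

def swap_x_for_y(x_reserve, y_reserve, dx):
    """Sell dx of token X into a constant-product pool (x * y = k, fees ignored)."""
    k = x_reserve * y_reserve
    new_x = x_reserve + dx
    return new_x, k / new_x

def spot_price(x_reserve, y_reserve):
    """Price of Y in units of X, read directly from the pool's reserves."""
    return x_reserve / y_reserve

def median_oracle(reports, min_reports=3):
    """Aggregate independent price reports; refuse to answer on too few."""
    if len(reports) < min_reports:
        raise ValueError("not enough independent reports")
    return median(reports)

def deviation(reference, observed):
    """Relative distance of an observed price from the reference price."""
    return abs(observed - reference) / reference

def simulate(trade_size):
    """Return (single-source deviation, median deviation) after one large trade."""
    pool = (1_000_000.0, 1_000_000.0)        # constructed reserves, fair price 1.0
    fair = spot_price(*pool)
    reporters = [1.000, 0.999, 1.001, 1.002]  # constructed independent reports
    moved_pool = swap_x_for_y(*pool, trade_size)
    single_source = spot_price(*moved_pool)   # what a one-pool oracle would read
    # The moved pool is only one voice among five, so it cannot set the median.
    aggregated = median_oracle(reporters + [single_source])
    return deviation(fair, single_source), deviation(fair, aggregated)

if __name__ == "__main__":
    # Capital is the only variable: the larger the trade, the further the
    # single-source price drifts, while the aggregated price stays put.
    for size in (1_000, 100_000, 1_000_000, 10_000_000):
        single, agg = simulate(size)
        print(f"trade={size:>10,}  single-source off by {single:8.2%}  median off by {agg:.2%}")
```
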
“The teams making various DeFi financial products need to start viewing oracle security as seriously as they view getting their smart contracts audited,” said Nazarov. (In DeFi, smart contracts are the pieces of code that let different protocols speak to one another in a trustless manner. Bad things can happen if they go unaudited.)
Nazarov said that oracle attacks will “only increase as the value in DeFi continues to rise.”