After $100 Million Lost to Flash Loan Attacks, Curve Pushes Chainlink
2 min read
After racking up over $100 million in damages in a string of flash loan attacks, decentralized exchange Curve Finance today recommended that the decentralized finance protocols that rely on its services integrate Chainlink, a decentralized oracle network.
The recommendation comes after several attacks whereby hackers took out flash loans (instant crypto loans) from DeFi lending protocols, then used the money to temporarily crash the price of stablecoins (cryptocurrencies pegged to a real-world asset, such as the US dollar) that other DeFi protocols had invested within Curve Finance vaults.
A brief write-up on how to safely use @chainlink oracles with Curve Financehttps://t.co/U2cN9BsrrW
— Curve Finance (@CurveFinance) November 27, 2020
Attackers were able to do this because certain DeFi protocols relied on Curve’s own calculations about the price of stablecoins held within Curve.
Among recent attacks that used flash loans to manipulate the price of stablecoins held within DeFi protocols are yesterday’s attack on DeFi lending protocol Compound, which resulted in a $89 million loss; an attack on Harvest Finance that drained $34 million; one on Cheese Bank that caused $3.3 million in damages; a $2 million attack on Akropolis and a $6 million attack on Value DeFi.
Curve is the sixth largest DeFi protocol; investors have locked up $882 million worth of cryptocurrencies in its vaults, according to DeFi Pulse.
In a blog post, Curve recommended that DeFi protocols “avoid using Curve as a price oracle”—the term for its system that determines the price of stablecoins, and instead rely on “a reliable price oracle that provides an accurate picture of the global market price of the asset in a Liquidity Pool.”
Specifically, Curve recommends that DeFi protocols use Chainlink Price Feeds to “eliminate their exposure to flash loan attacks.”
Chainlink is a decentralized oracle that distributes the work of calculating prices of stablecoins across a network of nodes. This means that price feeds aren’t easily manipulated by flash loans attacks.
“This validates what we’ve been saying all along: using a DEX as a centralized price oracle is not a sufficient way to protect against oracle exploits and attacks,” Johann Eid, Product Manager at Chainlink Labs, told Decrypt.
“Oracles need exposure to full market coverage and decentralization at both the oracle node layer and the data source layer,” he added.
Several DeFi protocols already use Chainlink. DeFi lending protocol Aave uses it, and yearn.finance, a kind of DeFi robo-advisor, uses its oracles to rebalance vaults.
Chainlink’s price is currently $12.22. It has fallen by 4% in the past 24 hours, in tune with the decline of the entire crypto economy.
