DeFi auditing needs finance guys & security guys in the same room
The recent story around the bZx incident has pushed the whole DeFi ecosystem into a completely new dimension. People are more concerned now than before while putting money on a decentralized platform.
It’s an irony. The bZx incident happened on a decentralized platform that is connected to a decentralized platform for liquidity, leverage, lending. Still, price feed was entirely from a single source: Kyber (very much likely as the centralized endpoint). Incident was the exploitation of price data provider dependency on a decentralized exchange (DEX) in terms of price feed. It not only resulted in losing Eth but also created a trust issue in the trustless ecosystem.
A smart contract is smart and dumb both at the same time. It will only do the things which it’s allowed to do. If it’s coded to feed to data from a single source, then it will feed the data from a single source. No matter what’s the ultimate results.
How to de-risk these kinds of the issue?
Instead of feeding data from a single source of truth, one can feed the data from multiple sources of truth or references. It’s always difficult to code a whole system standalone when it comes to taking data from outside and architecture in the system in the right way. Oracle helps in solving these issues.
The source of the data provider is one of the major components along with security audits when it comes the de-risk the chances of losing assets.
What are the possible solutions around it?
There are a few projects like Razor Network, ChainLink, Band Protocol, and UMA, which are working on solving the oracle in multiple ways when it comes to the attack vectors attacks or data feed in the smart contract.
Razor is a fully decentralized oracle which mode of operation is both automated & manual. One has the flexibility to choose how fast they want to solve resolution. Some use cases like recursive prediction market around sports, which needs faster resolution suits best to Razor. It use’sSchellingcoin mechanism, which is robust against various game-theoretical attacks and has a quick response time, making it suitable for DeFi applications. Ethereum blog has a beautiful piece of article on it.
It’s also advisable to use Neo oracle as a plugin. Its basically a median oracle value from other oracle providers (Razor Network, Chainlink, Band, UMA, others). This is considered a better solution. But again, there is a trade-off in terms of the timing of making a decision. When we are feeding them the data from multiple sources of truth, It’s usually slow because of various dependencies. It needed to be fast, automated, and intelligent enough to make decisions. The best use case would binary trading where buy/sell happens on the spot price, and that price also needs to be decentralized and intelligent enough.
Disclaimer: All contents presented here are research-based and for educational purposes only. Please, don’t take this article as formal investment advice.
Follow me on 👇