November 16, 2021 - 12 min read
Trustless, decentralized, and immutable are terms which have become ubiquitously associated with blockchain technology and subsequently, decentralized finance, or DeFi. These fundamentals are indeed what make the technology revolutionary and attractive in comparison with legacy systems.
However, the aforementioned principles may be undermined by major roadblocks and vulnerable attack points: DeFi oracles. One of the biggest issues in DeFi is commonly known as the oracle problem: the need to trust a third-party service in order to bring off-chain data onto blockchains.
Ignorance about the oracle problem could potentially lead to the gross misallocation of risk by those with assets locked in DeFi, particularly in the case of dApps and assets composed on top of other collateralized assets. Serious issues have already arisen in notable protocols such as MakerDAO and Synthetix, among others. In such cases, malicious attacks on oracle data caused widespread liquidations, which will be discussed in more depth below.
Unfortunately, misconceptions have formed around the decentralization and security of DeFi protocols, likely due to the biases of financial stakeholders and marketing teams wishing to present their projects in the best light. Moreover, discussion of the oracle problem is often framed in such a way that developers can be ‘working towards’ decentralization rather than currently having made it manifest in their oracles.
While DeFi protocols are often thought of as securely and trustlessly managing their asset reserve levels and keeping spot prices updated, it is likely that these same protocols share unknown counterparty risks through weaknesses in their oracles as well as their use of volatile reserve assets as collateral for loans. The risk becomes more intense with the use of algorithmic stablecoins and other composable assets, which will be detailed more completely in subsequent sections.
In addition to being flashpoints for malicious behavior, the most common criticisms levied against DeFi oracles come from one of two angles: consensus issues within the oracle protocols, and issues with deviating spot prices and slippage. These two criticisms are important to comprehend as DeFi oracle developers set goals which are universally preferable for all stakeholders involved in perpetuity, including retail end-users. An emphasis here is placed on the word ‘perpetuity’ as certain consensus models lend themselves to the formation of validator node oligarchies over time while others provide more even playing fields.
However, oracles pose a third and more profound risk to the entire DeFi space in that an exploit might trigger devastating cascade effects which could ripple across financial markets more broadly. While financial contagions have been witnessed in traditional banking and financial markets, we have yet to truly see a DeFi collapse outside of a few isolated instances. Nevertheless, even temporary failures in DeFi protocols to properly collateralize debts, handle liquidity crises, or manage counterparty risks could result in a cascading crypto collapse that spreads across dApps or perhaps worse, across chains.
Decentralization and determinism are commonly thought of as fundamentals of blockchain and cryptology. While that may be true in some cases, i.e. Bitcoin, the same cannot be said for the status quo DeFi oracles of 2021. For instance, oracle providers like Chainlink centrally curate node validators in order to allow smart contract requests to choose from ‘whitelisted’ API feeds. In other words, Chainlink centralizes and takes on the responsibility of vetting node validators and determining which ones are trustworthy with proprietary methods.
This vetting and whitelisting of validators has drawn the ire of Chainlink critics, though decentralization is not universally a top priority for oracle users. After all, simply adding cryptography and algorithmic management of data to highly centralized oracle providers is a concept which is more novel than new, meaning it may be simpler to grasp and thus quicker to be adopted compared with more decentralized oracles. Consequently, centralized oracle providers may populate the space for an extended stay until more innovative competitors have demonstrated their services to be superior.
Unfortunately, while Chainlink claims to have a decentralized whitelisting process and that API data is aggregated to protect against excessive price deviations, users must nevertheless trust Chainlink’s whitelisting process as well as the benevolent actions of a significant percentage of node validators which are run by Chainlink Labs themselves.
That is, since node validators are rewarded with LINK tokens for accurate price feeds, it does not follow that any centralization bottlenecks present in Chainlink’s protocol will inevitably be exploited if malicious actors do in fact exist and enough time passes.
Economic incentives and trust are the best that humans have to operate on in the world of physical finance. Despite this, it is inevitable that such trust-based DeFi oracles will be rejected by many in the DeFi community until more deterministic, open, and trustless protocols become manifest. To decentralization advocates, an ideal solution might be one which removes the requirement for users to ‘trust’ oracle protocols and their use of API nodes, while also removing doubts surrounding either the block production speed or consensus models governing their base layers. On the other hand, projects which do not consider oracles acting as middleware to be a dealbreaker have been using these protocols nonetheless, at least until better alternatives become available.
At the end of 2021, major protocols still must arbitrarily choose tradeoffs in one domain or another in order to provide enough security for users to attract capital while handling enough transactions per second and keeping adequately up to date with relevant spot price changes. As previously mentioned, Chainlink is often criticized for its centrality due to its using trusted nodes and even proposing using off-chain identities to boost on-chain reputation as validators, in addition to the amount of LINK staked on their protocol.
This could incentivize centrality, and privileged access to smart contract requests might put specific nodes at risk for DDoS or other malicious attacks. These coordinated attacks are often meant to cause flash crashes, or temporary deviations between off-chain price and the data being fed on-chain from the corrupted node. Another example of centrality risks comes from the proof-of-stake (PoS) models utilized by other oracle providers which, by their very nature, promote and sustain the formation of oligarchical structures if careful measures are not taken.
For example, protocols which use token-weighted on-chain governance risk the formation of a few plutocratic nodes absorbing too much capital, disproportionately gaining the ability to align protocol incentives to favor themselves. This of course disincentivizes smaller nodes from participating through ceaselessly diminishing returns, and raises eyebrows when governance token distribution remains heavily under the control of only a few pools of validators.
A key and often overlooked facet of oracle technology is time to finality, that is, the time for a block to be produced after the oracle node tells the smart contract what the spot price is at that time. For instance, let us assume that crude oil (WTI) is going through a massive wall of selling volume and the price falls dramatically. At some point during the fall, WTI’s price will meet a key resistance level where buyers aggressively begin overwhelming the selling pressure, causing a dramatic rebound in the price, this time to the upside.
If the oracle nodes which track the spot price of crude use an inefficient consensus model or congested blockchain layer, then the time it takes to produce enough blocks for a price confirmation is too slow to track the spot price without causing losses for their users. This is called slippage, and can be frustrating in even mundane circumstances, though the consequences of slippage may also be catastrophic.
Just to illustrate a mildly consequential incident of slippage, consider the following:
If an investor had placed a limit buy order on an exchange to purchase WTI futures at a given price discount and then the price fell to the desired price, one would expect the order to be filled, and the investor happy with glee. However, if the price oracles which feed the spot price of WTI futures were too slow, the order would not be filled, and the investor would miss taking advantage of the dramatic price rebound, thwarting intentions.
At present, spot price deviations ranging from 1-5% are common, with various oracle providers claiming to minimize spot price deviations using various workarounds. For example, staggering the refresh times of many oracle nodes and using the aggregate means of their price feeds better represents the actual off-chain value of the assets the nodes track. This reduces the risk of a single point or several isolated points of node failure, while still keeping spot prices refreshed and deviations kept under control. However, the stakes may be too high for many to risk their capital until oracle and blockchain technology matures.
As previously illustrated, if spot prices deviate too far from reality due to exploits, congested networks, or black swan events, the volatile nature of crypto could leave DeFi users missing out on gains. That was the more benign example; more serious threats cast shadows over DeFi lending platforms without robust oracle infrastructure. For example, oracle attacks or throughput limitations causing excessive price deviations could spark forced liquidations if the price of collateral assets were to fall sharply.
More specifically, collateral asset price volatility or deviations caused by malicious attacks can create problems with crypto-collateralized or algorithmic stablecoins. These coins either are burned or minted as a direct result of collateralization levels backed by crypto, which of course rely on price oracles and the constant integrity of their data.
For example, the amount of stablecoins one can mint on a platform may be directly related to the amount of ETH one has deposited as collateral. If the price of ETH rises, more stablecoins may be minted for use, while as the price falls, they must be burned in order to re-adjust the LTV ratio using the new value of the deposited ETH collateral.
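An added example (not from the original article) that models the aggregation and liquidation mechanics described above: one bad node report drags a plain mean outside the 1-5% band and pushes a vault under its minimum ratio, while a median or a deviation filter with a quorum does not. The node prices, the vault, the 150% minimum ratio and the helper names `aggregate` and `liquidatable` are all constructed assumptions.

```python
from statistics import mean, median

MIN_RATIO = 1.50  # assumed minimum collateralization ratio (150%)

def aggregate(reports, method="mean", max_dev=None, quorum=1):
    """Combine per-node price reports into a single on-chain price.

    max_dev: if set, discard reports further than this fraction from the
             median before aggregating (a simple outlier filter).
    quorum:  refuse to publish a price if fewer reports than this survive.
    """
    mid = median(reports)
    kept = [p for p in reports
            if max_dev is None or abs(p - mid) / mid <= max_dev]
    if len(kept) < quorum:
        raise ValueError("not enough agreeing reports to publish a price")
    return mean(kept) if method == "mean" else median(kept)

def collateral_ratio(eth_amount, eth_price, debt):
    """Value of the ETH collateral divided by the stablecoin debt."""
    return eth_amount * eth_price / debt

def liquidatable(eth_amount, eth_price, debt):
    """True when the vault has fallen below the minimum ratio."""
    return collateral_ratio(eth_amount, eth_price, debt) < MIN_RATIO

# Constructed sample data: six honest nodes near 3000 USD/ETH and one
# node reporting a bad value (compromised, stale, or DDoSed feed).
HONEST = [2998.0, 3001.0, 3000.0, 2999.0, 3002.0, 3000.0]
REPORTS = HONEST + [1500.0]
VAULT = {"eth_amount": 5.0, "debt": 9500.0}  # about 158% at 3000 USD/ETH

def compare():
    """Return {strategy: (price, liquidatable)} for the constructed vault."""
    prices = {
        "plain mean": aggregate(REPORTS, "mean"),
        "median": aggregate(REPORTS, "median"),
        "mean, 5% filter": aggregate(REPORTS, "mean", max_dev=0.05, quorum=5),
    }
    return {name: (price, liquidatable(VAULT["eth_amount"], price, VAULT["debt"]))
            for name, price in prices.items()}

if __name__ == "__main__":
    for name, (price, liq) in compare().items():
        print(f"{name:16s} price={price:8.2f} liquidatable={liq}")
```

The quorum check matters as much as the filter: when too few reports agree, publishing no price is safer for a lending protocol than publishing a wrong one.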
Another issue with spot price deviations is that it makes smart-contract auditing impossible in the way that blockchain purists have come to appreciate. By aggregating price data from multiple nodes and tolerating a 1-5% range of spot price deviations, it is difficult to objectively determine and evaluate the quality of an oracle service as a whole or definitively determine liability in a black swan liquidation event.
Such flash liquidations have already become manifest with familiar DeFi heavy-hitters like Compound, Aave, and MakerDAO, among others. In June of 2021, researchers at University College London used Compound’s protocol to model massive liquidation events using stress-tests of just 3% deviations in the price of DAI.
Unfortunately, oracle and blockchain technology still has several stages of evolution to go through before price deviations and slippage can be reduced to near-zero. Perhaps the most fundamental development has to do with the consensus mechanism used at the base layer, and the speed at which an acceptable finality threshold has been met. Nevertheless, the risks current oracles pose to DeFi lending platforms will be discussed in the following section in more depth, as they could be catastrophic.
The final and most paramount issue DeFi oracles face is the financial contagion risk that they pose if any one of several black swan events were to occur. The term financial contagion is used in this sense to describe a phenomenon in which DeFi protocols share unknown liquidity and counterparty risks outside of their own protocols, and are thus vulnerable to liquidity shocks that cannot be properly managed by collateralized assets held by their users. In particular, overcollateralized stablecoins like Maker’s DAI or Synthetix’s sUSD could become illiquid and unable to sustain losses if the reserve asset were to experience a sharp and sustained drop in price, causing a massive liquidation by the lender.
As mentioned, lending protocols are particularly vulnerable to illiquidity and under-collateralization events, a vulnerability which is exacerbated by the layering of assets collateralized by often volatile crypto assets. For instance, a user might deposit $15,000 worth of ETH and then be able to borrow up to $6,000 worth of DAI using that collateral, assuming a 150% collateralization rate.
This overcollateralization is to compensate for the risk of a volatile and sustained drop in the price of the collateral deposits, in this case ETH. Collateralization of sUSD is at a staggering 600% to compensate for its price fluctuations as well.
Nevertheless, the composability of crypto assets makes it more likely that crises may spread across platforms if the assets are traded across protocols and share unknown, latent counterparty risks. That is to say, the composability of DeFi applications and governance tokens, which is often sold as a feature, may be a source of great peril. This risk is exacerbated by the vulnerability of oracles, as compromised oracle nodes could be the genesis of such an event if an attacker tricked the oracle into ‘lying’ to the DeFi protocol, thus manipulating the price and causing liquidation.
To demonstrate, in 2020 researchers in the Department of Computing at Imperial College London published the outcomes of various DeFi stress tests outlining several weaknesses in the protocols, including potential vectors of attacks on MakerDAO’s oracles. Among many shocking realizations, they found that given substantial but feasible illiquidity conditions, a DeFi lending protocol with a debt of over $400 million USD could become undercollateralized in as little as nineteen days.
In other words, blue chip names in DeFi are still quite liable to a variety of attack vectors which might wreak havoc on overextended speculators using these lending protocols. On the bright side, such crashes would present buying opportunities for watchful value investors.
Given the aforementioned deficiencies in the DeFi oracle space, it appears that the field is wide open for new developments to emerge and unknown players to enter the fray. Crypto investors are fleeing centralized monetary systems which hyperinflate their fiat currencies, and funnel capital into their ‘trusted’ financial centers.
On Wall Street, institutional whales whitelist and trade favors amongst themselves while retail investors are left to funnel their capital and place orders with gatekeepers with financial conflicts of interest. In other words, the status quo simply will not do, and decentralization cannot be a value that DeFi users are willing to compromise on or sacrifice entirely. The aim of developers must be to make the games as fair and democratic as possible.
Furthermore, the base layers on which current oracles are built are still themselves works in progress. As previously mentioned, Ethereum and Cosmos have their own strengths and limitations, but neither is wholly satisfactory in its present manifestation.
Ethereum provides not only security, but leverages the network’s ubiquitousness, facilitating liquidity and compatibility; nevertheless, its scaling problems will plague any projects built on top of it. Cosmos reaches consensus more quickly, but could be more vulnerable to attacks and has a destabilizing rewards system which poses a centrality threat to its governance.
On a more optimistic note, markets tend to respond when niches need filling, and it should be expected that innovative oracle and blockchain providers will enter the space specifically for these reasons, and deliver the supply that this market demands.