Compound Oracle Vulnerability Leads To $88m of Liquidations - Decentralise #37

What happened and why aren't protocols using Chainlink?

Here we go again. Another day, another faulty oracle.

This time it was Compound.

Compound now joins the oracle exploit hall of fame, along with Value and Origin this month.

The protocol had received criticism for using just one DAI price feed, Coinbase.

Today the limitation lead to users losing almost a hundred million dollars as the price of DAI spiked to $1.30 on this one exchange.

ChainLinkGod.eth @ChainLinkGod

@rleshner These false liquidation simply wouldn't have happened if Compound was using price feeds with proper market coverage like @chainlink I hope it's clear by now that building a secure oracle solution is much harder than it seems Please fix your oracle

ChainLinkGod.eth @ChainLinkGod

Update on @CompoundFinance's new Open Oracle System The decentralization theater is gone, it will now essentially be completely centralized using a single trusted reporter (Coinbase) with Uniswap v2 TWAP as an anchor 🤦‍♂️ $COMP #DeFi? https://t.co/Qu61XQPgpS

2:11 AM ∙ Nov 27, 2020

---

Members of the community found Compound founder Robert Leshner’s response lacking, which shifted the focus to users who “didn’t understand the risks” of their system’s design.

Perhaps it would have been better to not have had such a vulnerable design in the first place with $1.5b of assets on the platform.

🤖 Leshner @rleshner

This morning, $DAI prices on Coinbase Pro escalated rapidly, leading to the liquidation (repayment) of 85.2M DAI borrowed from Compound. 124 of 225,793 users were impacted; there are no under-collateralized accounts, and all markets are healthy.

comp.xyzDAI Liquidation EventDAI Liquidation Event The Compound protocol uses Coinbase Oracle for account liquidity calculations, anchored to within 20% of the Uniswap time-weighted average price. Any Ethereum address can post the signed/reported price on-chain, which allows for a permissionless and autonomous price feed that …

1:47 AM ∙ Nov 27, 2020

---

Of the affected users $46m belonged to one individual, the third largest account on the platform.

Read Decrypt’s full analysis for a breakdown of what exactly happened.

Although DAI was temporarily $1.30 on Coinbase this price did not reflect the true price of the asset across the market.

Liquidated users have every right to be angry here, especially when an existing solution is easily available.

Chainlink protects from this sort of event by aggregating price feeds.

ChainLinkGod.eth @ChainLinkGod

@rleshner @chainlink This is why Chainlink performs three levels of aggregation At the data provider level: aggregating from all exchanges At the node operator level: aggregating from multiple data providers At the network level: aggregating from multiple nodes

blog.chain.linkData Quality for DeFi Smart ContractsWe examine how Chainlink Price Reference Data provides the highest level of data quality to smart contracts & how to avoid large risks when building oracles.

2:14 AM ∙ Nov 27, 2020

---

While Compound users were burned, Aave has been praised for protecting borrowers with Chainlink.

DeFiGod @DeFiGod1

11/ I don't know who needs to hear this but if you don't use $LINK to secure your lending platform you're not gonna make it. $AAVE does use $LINK and was largely unaffected by this issue. $AAVE will continue to be the market leader in lending and expand its dominance, as they use

7:51 PM ∙ Nov 26, 2020

---

No Chainlink?

So why didn’t Compound use Chainlink despite members of the community having pointed out this exact vulnerability as far back as four months ago?

This has been an accident waiting to happen, especially inexcusable as Coinbase experienced a similar spike in the March Black Thursday calamity.

I’ve seen a few theories brought up, with speculation that some community members are too stubborn to admit their oversight, are bitter at missing LINK’s meteoric rise from $0.20 to $20.00 during a bear market, and are unwilling to be reliant on an external provider.

ChainLinkGod.eth @ChainLinkGod

Oh how the mighty have fallen It's a shame really, I personally warned the @compoundfinance team and @rleshner himself countless times about the risks they were taking on by rolling their own oracle Shame it had to happen this way, but let this be an expensive lesson

ChainLinkGod.eth @ChainLinkGod

.@CompoundFinance is putting #DeFi as a whole into systemic risk by rolling their own oracle system ZERO incentives for honest data/oracles and ZERO penalties for malicious data/oracles $150M of user funds at risk due to Sybil attacks on their oracle network if this went live https://t.co/g28SGQ4Ix6

4:08 PM ∙ Nov 26, 2020

---

Conclusion

Whatever the reason, the reality is that building in-house decentralised, robust oracle systems is hard work.

This is Chainlink’s entire world, and they’re doing it well.

I really hope I don’t have to cover another oracle incident any time soon.

Watch this space.