How Konomi prevents and eliminates Oracle attacks
We believe that many users have heard that the Konomi Oracle will be launching soon through our various social media channels. Inferring from different community conversations, we have found that there are a lot of concerns regarding the security measure of the Konomi Oracle. Hence, this article will provide answers to these questions.
It is widely known that the Price Oracle has always been an essential part of DeFi, and a Price Oracle that can provide price feeding securely, accurately and quickly is an important prerequisite for a well-functioning DeFi ecosystem. As seen from the past, many attackers have exploited the Oracles’ vulnerabilities in various DeFi projects, resulting in significant losses of user assets.
In simple terms, a Price Oracle is a tool that asks different sources for prices and aggregates them to arrive at the most appropriate price for the item. For example, Sam wants to purchase a laptop now and decides to ask the salesman for the cash equivalent of the laptop, at which point the salesman acts as a Price Oracle. In the blockchain space, Price Oracles are based on smart contracts, and the Konomi Price Oracle mainly obtains information in two ways, either by taking existing off-chain price data from a price API or exchange and bringing it to the chain, or by consulting the on-chain DEX to calculate the real-time price.
The first incident related to Oracle security issues occurred in June 2019, when a failure in the derivatives platform Synthetix Oracle caused errors in the platform’s sKRW/Seth exchange rate, resulting in over 37 million sETH being traded at low prices and users losing approximately $1 billion. Since then, contracts including bZx, Harvest Finance and Value DeFi have all suffered from Oracle attacks.
Through analysing these historical attacks, the Konomi technical team found that in such security incidents, attackers usually use “Flash Loans” to carry out non-existent trading operations. First, they use Flash Loans to obtain a large amount of funds to commence the starting point of the attack. After obtaining a large amount of capital to start the attack, the attackers then artificially distort the asset price data by means including, but not limited to, pledging, borrowing, and trading in large quantities, causing the Oracle to misquote the asset prices, thus allowing them to arbitrage.
In order for users to better understand how the Konomi Oracle prevents and eliminates attacks, we will articulate using a mock example simulated during our development process. Suppose user Jack uses Konomi Lend to use BTC as collateral to borrow USDT, the current price of BTC is $40,000 per piece and the LTV of BTC is 66%. This means that if Jack now deposits 1 BTC, his deposited collateral is worth $40,000 and he can borrow $26,400 USDT, at which point Jack has 5 bitcoins. If Jack, as a malicious user, chooses to exchange against the BTC/USDT Pair (BTC: 100 USDT: 4,000,000) on Uniswap to purchase Bitcoin for $2,000,000, at which point the price of Bitcoin in this pair goes up to $120,000. Now, Jack’s 5 bitcoins would be able to borrow $450,000 worth of assets from the platform. Eventually, Jack only needs to return $2 million worth of bitcoins to the trading pool to reset the price, but the platform users will lose $450,000 worth of assets.
From the above case study, if the decentralized exchange is simply used as the only source of obtaining price feeds, it is easy for an attacker to take complete control of the price in a transaction. Hence, attempting to read the exact price before the attacker’s trade settles is almost impossible.
In order to protect the users’ assets from unpredictable losses, the Konomi Oracle will implement the following measures.
(1) Increase the minimum latency
Arbitrageurs often choose to complete price distortions in a single transaction to reduce their risks when attacking, so if a minimum latency is added whenever a price is obtained from a data source, the attacker’s cost of attack will be significantly increased, thus avoiding effectively preventing malicious attacks.
(2) Semi-centralized operations
The Konomi Oracle will analyze each currency based on its historical trading volume and deviation values. If there is an abnormal price fluctuation in a data source, the price of the abnormal data source will be compared with the arithmetic mean of the prices of other data sources. Should the difference exceed 5%, a “circuit breaker mechanism” will be carried out on the price of the data source. Manual confirmation would have to be implemented before it can be brought back online.
(3) Time-weighted average
Uniswap V2 has demonstrated that time weighted averaging will be very defensible for large asset pools but is not able to react to prices in a timely manner in the event of strong market fluctuations. Therefore, for larger pools, the Konomi Oracle will use time-weighted average price.
(4) Adding trusted whitelist data sources
For some currencies that launch on the top centralized exchanges like Binance and Coinbase, it will be significantly more difficult to manipulate the prices of these currencies than on decentralized exchanges. Hence, Konomi Oracle will include Binance and Coinbase as trustworthy whitelists in the early stages of its launch. If the prices from other data sources deviates by more than 5% from the prices on the trusted whitelist, then the price of this data source will be ignored for a short period of time.
(5) Additional security measures for “shallow markets”
The Konomi Oracle will add additional security measures for tokens with a market capitalization of less than 10M USD, including: (1) Adding additional validation measures by including a short price feed delay for data feeds that deviate momentarily from the three-month average, and waiting for manual confirmation on the relevant information before the price feed proceeds. (2) Provide security warnings to users for tokens with low data feeds, alerting them of the potential risks of an Oracle attack. (3) Changing the time-weighted average algorithm for such tokens will significantly reduce the short-term price weighting and increase the long-term price weighting.
The Konomi Oracle has now completed the code audit process and is expected to launch in September. The launch of the Konomi Oracle heralds a more complete Konomi lending ecosystem, while third-party users will be able to use our Oracle by paying a certain amount of Kono as transaction fee, which will then give Kono more applicational uses.
About Konomi Network
Konomi is a decentralized money market protocol built using Polkadot’s Substrate. Konomi is working to provide active money markets across the entirety of the Polkadot ecosystem, as well as expand and integrate into cross-chain networks. By introducing a fluid market for cross-chain crypto assets, Konomi hopes to provide an overall better user experience that is accessible regardless of the native network the end user prefers.
Stay in touch with us through:
Telegram Announcements: https://t.me/konominetworkchannel
Telegram (Vietnam): https://t.me/konominetwork_vn