This post is response to the recent DAI Liquidation Event and was originally intended to be a response to that thread, but is still awaiting moderator approval so I am posting my comment here on the proposal board.
Compound needs to integrate Chainlink Price Feeds. I am writing this as a daily DeFi user and as someone who only wants the best for the DeFi ecosystem as a whole, especially as the value secured rises. The false liquidation of ~$90M in user funds recently was a serious issue that was directly caused by Compound’s centralized oracle solution which pulls market data from only a single exchange, Coinbase, with Uniswap TWAP used as a backstop. Compound’s price feeds provide data that only reflects a small subset of the total crypto trading market and fundamentally cannot provide sufficient market coverage. This in turn lowers the cost of market manipulation and exposes the protocol to inaccurate pricing from large trades.
Specifically, Coinbase has an extensive history of downtime and flash crashes, so I am surprised this was not immediately seen during development as being a huge single point of failure. Using Uniswap TWAP as a backstop is better than no backstop in this situation, but it introduces a false sense of security as it too can trivially be manipulated (as we saw during this event). This lack of market coverage allowed a malicious actor to manipulate just two exchanges to skew the price data delivered to the Compound protocol and falsely liquidate users and yield farmers using DAI as debt or collateral. The core issues of price feeds without market coverage are covered extensively in this blog post here which provides context about the importance of data quality for oracles.
Coinbase was the only major exchange that experienced such a drastic price deviation, other major exchanges were unaffected.
However, none of this information I mention above is new, as I have previously pointed out the numerous and specific vulnerabilities in the design of Compound’s oracle that were not and still have yet to be fixed. Here is a tweet thread I wrote on July 21st 2020 on my concerns regarding the Compound oracle and the likelihood of Coinbase experiencing market manipulation/flash crashes, the ability to manipulate Uniswap TWAP, and why taking a simple median across pre-selected exchanges does not solve the issue adequately either. Compound’s price oracles are still highly vulnerable to these issues as we speak, leaving over $3B in user deposited funds at risk of further catastrophic losses, and needs to be fixed immediately. Compound’s price oracle simply does not provide adequate market coverage as it exists today. Moreover, because it requires exchanges to change their API infrastructure to provide signed data that is compatible with Ethereum, the Compound oracle will continue to be inherently limited in the amount of market coverage it can ever achieve.
Chainlink Price Feeds provide an immediate solution to this problem, allowing the Compound protocol to fully mitigate these oracle related issues going forward. Aave, another decentralized money market on Ethereum experienced no price oracle issues during this event or any false liquidations. There is a very simple reason for this; instead of rolling their own oracle, exposing them to wide range of nuanced attack vectors, they simply integrated Chainlink oracles, which has successfully provided Aave users with the true market wide price of both DAI and every other asset on the platform since launch, as well as during this Coinbase/Uniswap outlier flash crash. I implore you to consider the following sections as I describe how Chainlink is resilient to these attack vectors.
Chainlink’s Decentralized Price Feeds are highly accurate and resistant to exchange distortions because they provide full market coverage by using multiple layers of aggregation that smooth outliers and prevent manipulated data from being delivered to smart contracts. This ensures market manipulation on a select few exchanges have no effect on the final data point generated and delivered to contracts. Specifically, Chainlink has three levels of aggregation to prevent the exact issues Compound’s price oracles experienced today.
- Firstly, Chainlink uses professional data providers (CoinGecko, BraveNewCoin, Amberdata, Kaiko, CryptoCompare, Alpha Vantage, CoinApi, CoinPaprika, CryptoAPIs, and more) who whose entire business model revolves around generating high quality data using refined aggregation methodologies. These data providers produce reference prices for cryptocurrencies that reflect the market-wide price by tracking hundreds of exchanges (both on-chain DEXs and off-chain CEXs), taking into account volume, liquidity, time, and other shifting differences across exchanges, preventing any single source of truth.
- Secondly, there are the security reviewed Chainlink node operators (T-Systems, LinkPool, Certus.One, Stake.fish, Chainlayer, Chorus,one, SNZ, Huobi, and dozens more) operated by professional DevOps and blockchain infrastructure teams who aggregate price data from multiple data aggregators and take the median off-chain before delivering the data point on-chain, preventing any single source of truth. These Chainlink nodes are paid for their services in LINK, not only covering their gas costs, ensuring timely and incentivized updates, but providing a source of profit. This creates crypto-economic security by creating a large opportunity cost for malicious activity. Additionally, multiple data providers already operate their own Chainlink oracle node and provide cryptographically signed data.
- Thirdly, there are the Chainlink oracle networks (feeds.chain.link) which are on-chain reference contracts that aggregate data from multiple node operators, again preventing any single source of truth. Each Price Feed is updated based on a threshold deviation and a heartbeat frequency, ensuring fresh data that follows market volatility is always available to contracts. These Price Feeds are a shared public good funded by many DeFi projects and already secure over $4B in user funds.
What I am proposing here is quite simple. By integrating Chainlink Price Feeds as the primary oracle solution for the Compound protocol, these market coverage issues simply disappear and users can be assured they will not be falsely liquidated (just as Aave can today). Chainlink already supports all of the price feeds the Compound protocol needs on mainnet and integration would be straight-forward, only requiring a few lines of code (docs.chain.link). Additionally, Chainlink Price Feeds can also be used in replacement of Uniswap as the backstop, providing a much more tamper-resistant solution, though being the primary oracle is ideal as it would completely stop these exploits from occurring and ensure there is no period without accurate data. I am writing this as a concerned DeFi user who does not want to see more user funds falsely liquidated due to entirely preventable oracle issues. We are all in this together and I believe that the DeFi community can come together to ensure all protocols are using oracle solutions that are sufficiently secure for the value they secure.
Please take what I say with consideration as the value locked in DeFi continues to grow in orders of magnitude. By fixing the issue at its source now, Compound development and governance can focus on and innovate around what assets should be listed and the risk parameters, rather than worrying about how to refund users in the wake of another price oracle exploit.