Proposal to Integrate Chainlink Price Feeds

This post is response to the recent DAI Liquidation Event and was originally intended to be a response to that thread, but is still awaiting moderator approval so I am posting my comment here on the proposal board.

Compound needs to integrate Chainlink Price Feeds. I am writing this as a daily DeFi user and as someone who only wants the best for the DeFi ecosystem as a whole, especially as the value secured rises. The false liquidation of ~$90M in user funds recently was a serious issue that was directly caused by Compound’s centralized oracle solution which pulls market data from only a single exchange, Coinbase, with Uniswap TWAP used as a backstop. Compound’s price feeds provide data that only reflects a small subset of the total crypto trading market and fundamentally cannot provide sufficient market coverage. This in turn lowers the cost of market manipulation and exposes the protocol to inaccurate pricing from large trades.

Specifically, Coinbase has an extensive history of downtime and flash crashes, so I am surprised this was not immediately seen during development as being a huge single point of failure. Using Uniswap TWAP as a backstop is better than no backstop in this situation, but it introduces a false sense of security as it too can trivially be manipulated (as we saw during this event). This lack of market coverage allowed a malicious actor to manipulate just two exchanges to skew the price data delivered to the Compound protocol and falsely liquidate users and yield farmers using DAI as debt or collateral. The core issues of price feeds without market coverage are covered extensively in this blog post here which provides context about the importance of data quality for oracles.

1533×900 108 KB

However, none of this information I mention above is new, as I have previously pointed out the numerous and specific vulnerabilities in the design of Compound’s oracle that were not and still have yet to be fixed. Here is a tweet thread I wrote on July 21st 2020 on my concerns regarding the Compound oracle and the likelihood of Coinbase experiencing market manipulation/flash crashes, the ability to manipulate Uniswap TWAP, and why taking a simple median across pre-selected exchanges does not solve the issue adequately either. Compound’s price oracles are still highly vulnerable to these issues as we speak, leaving over $3B in user deposited funds at risk of further catastrophic losses, and needs to be fixed immediately. Compound’s price oracle simply does not provide adequate market coverage as it exists today. Moreover, because it requires exchanges to change their API infrastructure to provide signed data that is compatible with Ethereum, the Compound oracle will continue to be inherently limited in the amount of market coverage it can ever achieve.

Chainlink Price Feeds provide an immediate solution to this problem, allowing the Compound protocol to fully mitigate these oracle related issues going forward. Aave, another decentralized money market on Ethereum experienced no price oracle issues during this event or any false liquidations. There is a very simple reason for this; instead of rolling their own oracle, exposing them to wide range of nuanced attack vectors, they simply integrated Chainlink oracles, which has successfully provided Aave users with the true market wide price of both DAI and every other asset on the platform since launch, as well as during this Coinbase/Uniswap outlier flash crash. I implore you to consider the following sections as I describe how Chainlink is resilient to these attack vectors.

Chainlink’s Decentralized Price Feeds are highly accurate and resistant to exchange distortions because they provide full market coverage by using multiple layers of aggregation that smooth outliers and prevent manipulated data from being delivered to smart contracts. This ensures market manipulation on a select few exchanges have no effect on the final data point generated and delivered to contracts. Specifically, Chainlink has three levels of aggregation to prevent the exact issues Compound’s price oracles experienced today.

image1600×457 148 KB

• Firstly, Chainlink uses professional data providers (CoinGecko, BraveNewCoin, Amberdata, Kaiko, CryptoCompare, Alpha Vantage, CoinApi, CoinPaprika, CryptoAPIs, and more) who whose entire business model revolves around generating high quality data using refined aggregation methodologies. These data providers produce reference prices for cryptocurrencies that reflect the market-wide price by tracking hundreds of exchanges (both on-chain DEXs and off-chain CEXs), taking into account volume, liquidity, time, and other shifting differences across exchanges, preventing any single source of truth.
• Secondly, there are the security reviewed Chainlink node operators (T-Systems, LinkPool, Certus.One, Stake.fish, Chainlayer, Chorus,one, SNZ, Huobi, and dozens more) operated by professional DevOps and blockchain infrastructure teams who aggregate price data from multiple data aggregators and take the median off-chain before delivering the data point on-chain, preventing any single source of truth. These Chainlink nodes are paid for their services in LINK, not only covering their gas costs, ensuring timely and incentivized updates, but providing a source of profit. This creates crypto-economic security by creating a large opportunity cost for malicious activity. Additionally, multiple data providers already operate their own Chainlink oracle node and provide cryptographically signed data.
• Thirdly, there are the Chainlink oracle networks (feeds.chain.link) which are on-chain reference contracts that aggregate data from multiple node operators, again preventing any single source of truth. Each Price Feed is updated based on a threshold deviation and a heartbeat frequency, ensuring fresh data that follows market volatility is always available to contracts. These Price Feeds are a shared public good funded by many DeFi projects and already secure over $4B in user funds.

What I am proposing here is quite simple. By integrating Chainlink Price Feeds as the primary oracle solution for the Compound protocol, these market coverage issues simply disappear and users can be assured they will not be falsely liquidated (just as Aave can today). Chainlink already supports all of the price feeds the Compound protocol needs on mainnet and integration would be straight-forward, only requiring a few lines of code (docs.chain.link). Additionally, Chainlink Price Feeds can also be used in replacement of Uniswap as the backstop, providing a much more tamper-resistant solution, though being the primary oracle is ideal as it would completely stop these exploits from occurring and ensure there is no period without accurate data. I am writing this as a concerned DeFi user who does not want to see more user funds falsely liquidated due to entirely preventable oracle issues. We are all in this together and I believe that the DeFi community can come together to ensure all protocols are using oracle solutions that are sufficiently secure for the value they secure.

Please take what I say with consideration as the value locked in DeFi continues to grow in orders of magnitude. By fixing the issue at its source now, Compound development and governance can focus on and innovate around what assets should be listed and the risk parameters, rather than worrying about how to refund users in the wake of another price oracle exploit.

I think using Chainlink for price feeds is a very good idea. I would also like to add two additional benefits, which would come with the integration:

1. When adding new coins to Compound you are not limited to the coins which are offered by the Coinbase API. Chainlink offers prices for a much large range of coins.
2. You are no longer dependent on volunteers to post the current prices to the blockchain, which leads to outdated prices. With Chainlink prices are updated regularly automatically.

I think using Chainlink price feeds can not only help us fix the immediate problems with Compound’s oracle mechanism, but I think it will help us scale Compound. We need Compound to be more nimble, and the current oracle mechanism is not developed enough to support an acceleration in asset listings across different cryptos and asset types. I’m not sure we should keep kicking this can down the road.

I whole heartedly agree that the liquidation event was caused by a fundamental lack of market coverage from the Compound oracle. Full market coverage can be achieved by using Chainlink oracles because they pull from a range of data sources both CEX/DEX.

This is simply the highest quality solution for the long-term. I wonder why it has not already been taken into consideration? Are there any negative implications for Chainlink integration?

As already stated by ChainlinkGod above, Chainlink’s multiple forms of data aggregation at the data source, individual node response, and oracle network level will provide Compound with the strong levels of market coverage needed to mitigate price oracle attacks as experienced by the DAI liquidation event. Outside of the technical considerations around better market coverage, I think there are a few other benefits from integrating Chainlink that the Compound community should consider, which can help Compound scale to support larger lending markets across a wider array of assets, both at a cheaper price and with broader community support.

• Chainlink provides an oracle solution that is already live on mainnet and proven to secure major protocols like Aave and Synthetix over an extensive period of time. As such, Chainlink can be quickly integrated across all of Compound’s existing markets to swiftly fix this price oracle vulnerability, saving the community considerable time, money, and mental energy that would otherwise be spent thinking about, debating, building, and testing an in-house solution that isn’t guaranteed to be successful.

• Compound will undoubtedly look to scale to support more assets in the future and potentially even go beyond traditional cryptocurrencies/tokens, such as digital commodities, NFTs, and more. Being able to quickly innovate and launch new markets will be important to all DeFi protocols as a means of retaining and growing market share in an increasingly competitive environment for yield. By offloading oracles to Chainlink, which specializes solely on oracles and has both a strong academic research team to continually innovate better oracle solutions and a full-time engineering team to ensure all projects have round the clock internal and external monitoring, Compound can focus on its core business model of lending/borrowing and launch more markets across a variety of different asset classes at an accelerated rate. This will help Compound retain its position as the leading lending protocol in an increasingly competitive DeFi market, which is only going to continue as traditional players enter and vie for market share.

• With Chainlink Price Feeds already being widely used by the DeFi ecosystem, they offer a shared cost model where a variety of independent protocols/projects collectively support and fund commonly used price feeds. For example, the Chainlink ETH/USD Price Feed already has 26 projects collectively using and supporting it. This financing model lowers the per-user costs as more users join the network, which is likely to rapidly increase as Chainlink continues to be adopted across a variety of use case verticals and blockchain networks. This extends the shared cost model beyond just Ethereum projects, but to projects operating across all blockchains. Also, the Chainlink team has expressed their intention of employing a decentralized governance model in the future, in which Compound could and should clearly have a voice in should they integrate Chainlink.

• Integrating Chainlink doesn’t mean that Compound has to remove its circuit breaker mechanism either. Compound can integrate Chainlink as its primary oracle solution, with its own oracle mechanism and/or the Uniswap oracle serving as its circuit breaker protection against the outside chance that Chainlink experiences any issues. This way Compound benefits from the market coverage that Chainlink provides, while still retaining the circuit breaker safety net should the community feel it’s important to keep in place. As such, Compound gets all the benefits of Chainlink, with the added guarantee that at the very least it won’t be any less reliable than your circuit breaker.

• While I know there has been some competitive energy between the Chainlink and Compound communities that may at times rub some people the wrong way on both sides, I think ultimately we are all in this together and have a lot of shared interests in seeing DeFi succeed as a whole as well as the success of each other’s protocols. Having been a part of the LINK community for a while, one thing I do know is that they are quick to put the past behind and support teams entering the Chainlink ecosystem, even if there was bad blood or mixed feelings beforehand. While the LINK Marines may be a little eccentric at times, I think the Compound protocol could benefit from the LINK community’s passionate energy as a means of furthering Compound’s brand and awareness as a leading on-chain money market. This clearly benefited Aave, as upon its Chainlink integration they were able to innovate quickly and grow in market share/awareness, with LINK becoming the largest market by value locked. Not only do I believe that Compound could benefit from this Link Marine effect, but I think it’s a perfect way to launch a LINK market on Compound that has a chance of being immediately adopted by a community with deep knowledge in the DeFi space and the funds to engage in these protocols. LINK is increasingly being seen as a reliable form of collateral, but the LINK community tends to only trust protocols that use Chainlink to secure their oracles.

In short, I think such a collaboration between the two would benefit both ecosystems. Compound could innovate / launch new markets faster, obtain more price oracle security, and utilize social support from the LINK marine community to help it reach wider audiences. At the same time, Chainlink could clearly benefit from supporting Compound, as Compound is undoubtedly an OG in DeFi, secures a large amount of value, and has a community of many smart and innovative thinkers that could contribute to the continued development of Chainlink to the benefit of both projects. While competition may be intense at times, it’s drawn from the passion and drive both communities have around winning, and I think combining those two forces would lead to an accelerated amount of winning for both ecosystems than what would otherwise occur as separate entities.

If anyone is willing to start an Autonomous proposal, I’d be willing to delegate my comp (although I do not have alot, some other’s might also join) in line with this initiative.

Agreed, I think creating an autonomous proposal for replacing the Open Oracle System with Chainlink Price Feeds would be a good idea, especially given the Compound protocol as it exists today is still entirely exposed to these price oracle vulnerabilities and it only a matter of time before another market coverage related oracle issue occurs again. This is something I am seriously worried about, because as Compound grows in TVL alongside the rapid growth of DeFi, the incentives to manipulate the oracle mechanism grows as well.

Chainlink provides an immediate solution today and there is really no downside because the Compound community can always revert back if it doesn’t end up working for whatever reason, but the status quo of doing nothing does not fix the issue at hand. Even if every exchange begins cryptographically signing their APIs (an idealistic but monumental and time consuming task), it still wouldn’t provide proper market coverage because taking a simple median across exchanges doesn’t take into account volume and liquidity differences like the data aggregators Chainlink uses do, which is required for actual market coverage.

The autonomous proposal can even keep Uniswap as the circuit breaker to protect against black swan events as it does today, providing the best of both worlds (Chainlink for full market coverage and Uniswap as an always-on circuit breaker).

What would be the next steps to creating an autonomous proposal for a Chainlink Price Feed integration?

That’s interesting to know. I always had the impression, the decision not to use Chainlink was not driven by technical aspects but by feelings and ego.

In general it would be a good idea to create an autonomous proposal. But I think the chances, that it will go through, are very low. So I don’t think it’s worth the efforts.

If you want to understand the reason why, check here. Compound is not governed by a democracy, but is in the hands of a few. The top 6 together have more than 50% voting power. These are Compound investors, are affiliated with the Compound founders or are the Compound founders. It seems, that the Compound founders are not willing to switch to Chainlink and I’m pretty sure, that the other 4 won’t vote against them.

I would disagree, as your post seems to be merely a conjecture?
An autonomous proposal has already passed before, namely this

If the top holders reject a proposal to use a better oracle without submitting an alternative solution, I would probably be weary of leaving and keeping holdings in the platform.

So certainly after this DAI debacle, a solution needs to be put forward.

I don’t say, that autonomous proposals haven’t a chance to pass in general. I meant this specific proposal. Perhaps you are right, that it’s worth trying it and make it transparent that way, what the different parties think about it.

And yes, the oracle needs to be fixed asap.

In the first step at least 100,000 delegated votes are needed, so the autonomous proposal can be converted into a governance proposal. Not sure, if it is already necessary to have the needed code changes available. Would be great, if someone who knows this exactly, would give some hints.

This has already been discussed and explained at length here.

Chainlink is not a good oracle design, as the company is incentivezed to obfuscates a clear problem, by adding unnecessary layers (aggregators, nodes) that increase the attack surface of any system that integrates with them. With regards to improving the Open Oracle, the path forward is to add more high-liquidity exchange reporters to the current oracle view. This should not be the highest priority action, as it does not address the security issue at hand which can only be resolved by reducing the amount DAI outstanding debt in the system.

As I already explained to you here, none of these claims about Chainlink is true. I will repost my comment here to provide context to everyone.

This is simply not true and a bit disingenuous. Chainlink simply wants to provide the DeFi ecosystem with the most secure price oracle solution with the highest quality data and this involves pulling from data aggregators who have full time monitoring teams to ensure manipulation is prevented 24/7. Taking a simple median from a select few exchanges is simply not an adequate oracle solution as it will always be vulnerable to market coverage issues and manipulation attacks around volume shifts and consolidations. As I described in the post linked above, the three layers of aggregation (data level, node level, network level) prevents any single source of truth. Relying on a single source of true is what played a significant factor in the $100M false liquidations of Compound users, and at the very least made the attack much easier and cheaper to pull off.

These are not “unnecessary layers” but layers of redundancy to ensure smart contracts always receive price data that reflects the true market wide price and not that of a single or a few exchanges. As I described in my proposal, Chainlink is directly secured by cryptoeconomics through an opportunity cost of losing future income if a node is malicious, as well as losing their reputation as an DevOps infrastructure provider. This is why we have never seen a successful attack against the Chainlink network, because the incentives work and ensure correct data is always posted on-chain.

As I also described, taking a simple median across a select few exchanges who change their infrastructure to support signed data compatible with Ethereum still does not provide adequate market coverage because it doesn’t take into account volume and liquidity differences across exchanges like data aggregators do. Here is a repost of my comment for more context.

I think you’re missing the key point of market coverage. The issue with Compound’s oracle during this DAI manipulation attack was that it did not report the true market wide price. If an attacker manipulates the entire market (across every single exchange), then yes all oracles would be affected at that point, but that’s only because the true market wide price was changed, but that’s not what happened during this event, only a single exchange (Coinbase) was manipulated. That’s the nuance here, market coverage raises the cost of attack to highest degree possible, and while it doesn’t prevent market manipulation altogether, but does make it as expensive as possible and ensures protocols always receive the true market wide price.

Like we discussed at length in the governance discord channel, the DAI liquidation event was a mixture of two factors. Too much DAI debt taken out AND a lack of price oracle market coverage. Coinbase is not the only liquid market for DAI and the DAI/USD Coinbase trading pair only tracks 4.75% of DAI’s daily volume according to CoinGecko. The vast majority of the volume is from Uniswap, which Chainlink adequately tracks today through its usage of data aggregators. Both of these factors (debt and market coverage) need to be solved, but we shouldn’t be ignoring the latter whatsoever. We can solve both issues at the same time, because market coverage played a significant factor in the false liquidation of $100M in user funds. The longer the Compound protocol goes without ensuring market coverage, the more exposed user funds are to further oracle manipulation.

If only alot more high-liquidity exchanges had/adopted the open oracle reporting api. Seems your solutions is to make this high liquidity exchanges provide tooling for us, what incentive is there for them to spend resources for this?? I know coinbase has, because they’re an early investor to compound.

How do you intend to do that? By artificially limiting market size?

How do you intend to do that? By artificially limiting market size?

This is being discussed in this thread DAI Market Risk - #21 by wario

This is all incorrect and outright false advertising from a company with obvious interests. Adding layers of obfuscation to what should be a simple and transparent oracle design is detrimental to security. I’ll restate what I’ve said numerous times before “Full market coverage” is a silly idea, in reality most markets are low volume/liquidity and a lot of CEXs have fake volume and liquidity. You want to be very careful in selecting what markets to include in a price feed, and medianizing the set of carefully selected high-liquidity exchanges is the best possible way to do this.

A bit off-topic, but It’s qiute lamentable, and time-consuming, that this industry has to deal now with a clear and obvious campaign of aggressive astroturfing by a company to promote a subpar technical solution constantly and everywhere. The arguments on this topic have become repetitive and tiresome, so I’ll just leave it at that.

I don’t the gaslighting here is necessary, this is simply a conversation where we can discuss market coverage and why Compound’s current oracle is not sufficient for the value it secures today. The Chainlink network doesn’t obfuscate anything, but is incredibly transparent into its operation (feeds.chain.link, market.link, reputation.link). The usage of data aggregators ensures price data tracks all trading environments, preventing market coverage issues and this includes tracking fake volume and market manipulation. You want multiple layers of redundancy to ensure there is no single point of failure.

I’m not going to repeat myself on the importance of market coverage because Chainlink has already proven its ability to properly secure a wide range of dApps like Aave and Synthetix for long periods of time, which have never experienced market coverage or data quality issues like Compound did. This isn’t a Chainlink shill, this is “please fix your oracle before it breaks again and users lose more money” plea that’s coming from someone who has seen these oracle manipulation issues time and time again. Taking a median across exchanges where volume can shift overnight to exchanges not being tracked doesn’t solve the problem.

My biggest concern is that an event involving the current oracle system will happen again. If Chainlink provides a solution that prevents this from occurring in the future, we should take a hard look at it. As a user, I want to make sure that I’m protected from this from happening in the future and that my positions aren’t liquidated when they should not have been.

Chainlink had better market coverage, which is obvious because it did not report this crazy DAI price. The bottom line is Compound’s current infrastructure got us here, and something needs to change.

I don’t know of any successful protocol that recognizes a problem and does not seek to address it.

I don’t understand your concerns about obfuscation. All nodes are run by known, established entities and you can see each price update they post on-chain. It’s not like they can post prices then hide from everyone, as they would be immediately identifiable. Full market coverage also doesn’t mean you are just taking an average of all exchanges. It means you are taking in data from all exchanges and then weighting it by volume, while also removing outliers, fake exchange volume, etc. By having such a setup, you can account for volume shifts between exchanges or if it starts flowing to a new exchange. This is much more scalable and doesn’t require constant shifts in the underlying price calculation to account for changes in the trading market.

Also, Compound can still keep a circuit breaker in place should they want a fallback mechanism, similar to what they have today in Uniswap.