The Decrypt Daily: Bitcoin & Cryptocurrency News Podcast - Nov 23: Sergey Nazarov, Co-founder of Chainlink on Flash Loan Attacks

Follow The Decrypt Daily Twitter: @decryptmedia Website: Decrypt.co Follow me on : Twitter: @MatthewADiemer IG: @MatthewADiemer FB Page: https://www.facebook.com/thedecryptdaily FB Group: https://www.facebook.com/groups/thedecryptdaily Email: MatthewAaron@Decrypt.co —————————————————————— Links: Link to the blog post to the section Sergey flagged: https://blog.chain.link/the-importance-of-data-quality-for-defi/#the-major-risks-of-improperly-leveraging-oracle-flexibility-when-sourcing-data

  • Play Speed:
Content Keywords: Oracle arrow Bitcoin
00:00:00
From the Crypt media, this is Richard Daley in my name is Matthew Aaron today on the show. We welcome CEO of chain link Sergey nazarov to talk about Flash loan attacks, very important conversation from deep space coming up under the crib daily.

00:00:18
Welcome back. Everyone. Today is Monday November 23rd 2020 before we get started. I want to say thank you to everyone who writes comments and leave this ratings on Apple podcast. I make a request at the end of the most shows to say Please Subscribe like share and leave a comment it helps if they visible and sometimes I see those come up it takes a while for them to process to the Apple sphere the ecosystem a but I do notice and I do read every comment and I want to say thank you very much for taking time out of your day to do that for all the people who love comments it is so appreciate it. And if you haven't done it and you do like the show, please take a couple minutes go to Apple podcast subscribe get some five stars and leave us a comment. It helps people find the news coming into the bull you want people to get the news about what's happening in the space. And what is happening is prices and those prices are booming. Let's take a look.

00:01:15
here Wego Money Talks I'm recording this at 3:10 Eastern Standard Time Bitcoin to send that 8000 know it's not in that $18,401 that's up 1.7% from my report yesterday morning ethereum is boom boom up 13.1% from yesterday sitting at $598 across the Cinemark today hip hop back down it pops back up it popped back down again but we are hovering right around that 600 Mark Litecoin with a $6 game from yesterday Center at 8718 6.5% yet he dropped a couple rankings on total market cap it's now sitting at number seven for total market cap behind chain-link and Bitcoin cash Bitcoin cash is actually kind of Boom today up 8.6% at 3:14 chain link is at 1497 up 4.2% and xrp the

00:02:15
Leader again. I mean at this point we might see $587 xrp we have no clue. This is insane up 24% from yesterday morning sitting at 53.9 cents total market cap of cryptocurrency. We are at 548.1 billion dollars with a BTC dominance of 62.2%

00:02:42
in the first and only conversation today. We have CEO of chain link Sergey nazarov talking about Flash loan attacks and why it's so important not to have a d v SWAT project or defy or decentralized exchange uses one price point for an oracle that uses only one or two price points to make their prices. This gets deep. I just start understanding this today. So bear with it Sergei the brain not as rough. How you doing. Welcome back to the show. I'm doing well. Thank you for having a conversation that's been going around on the internet on Twitter at crypto Twitter about the faulty Oracle that might be behind the next crypto hats. Look FIFA has been suffering a lot of facts and oracle's could be part of that. Can you please tell me about how the industry has been recently hit with several attacks using flash loans and can you please tell me about what a flash on his first and how that Timmy can prevent those attacks sure so that the nature of the issue here is really people's exposure.

00:03:42
Data sources and price Oracle mechanisms that can be manipulated so that the flash loan is really the tool that makes a certain tax after possible. It allows anybody with relatively little funds to become well-capitalized and these types of attacks these types of Oracle manipulation attacks require Capital. So it would have last known what he does is it makes any one participant or anyone adversary a really well capitalised adversary for for a small amount of transactions for small amount of blocks and that's that's really not the problem because the attack could be carried out by any well-capitalized adversary or anybody who could become all capitalized or whatever other means whether it's a flash going or something else the true nature of the attack is that there's a single-price data provider. There's a single Exchange in this Caton in the cases were sitting right now in define basically for the sake of ease and speed of development.

00:04:39
There has been some cases where people have used on chain dex's. So I'm chained decentralized exchanges and a non-chain basically exchange exchange infrastructure to retrieve the price that triggers their defy application. There's two very large problems here that the first very large problem is that you're using a single exchange to derive your prices that in and of itself is a very large problem is it actually doesn't matter that much if it's a single exchange on as an Unchained X or a single exchange as a very well-known auction centralized exchange because there was consistently have all kinds of price issues flash crashes market manipulations for their to delete rated Market. The problem here is one that we've been talking about since 2008. We put out a lot of information about it in mm start in 2018. You put out a lot of information about it in 2019. It's it's now coming to pass pretty much exactly step-by-step The Way We Were

00:05:39
so the real nature of the problem is not even Unchained X has its using a single exchange you don't want to use a single exchange for a price Oracle. And the reason is that that's single exchange wallet might have high amounts of volume trading volume on one day the next day or the week after that volume could shift to a different exchange and now all someone has to do is manipulate that one exchanges order book which means they don't even need to know how to code these attacks right now don't even really require people to be very good at software development or hacks or or anything they just require people to have enough money to manipulate a price on a single exchange that people thought would be secure with which is which is the whole point of Highly reliable Oracle mechanisms is that a single exchange won't be secure weather decentralized as a DEX or whether it's centralized as a single exchange that's the First Fundamental problem that is it goes beyond X's & Beyond flash on the version that we're seeing is the simplest version of

00:06:39
Of this attack where some people have chosen to use on chained x's and Unchained exes are exposed and Unchained kind of price Discovery mechanisms of all kind are exposed to Flashlight because last ones are on chain and the price Discovery mechanism is on chain. Not only is there a mistake a fundamental mistake and hey, I was just use one exchange and it'll be fine, but then there's a second mistake and hey, I'm out using on chain price Discovery mechanism. How could that go wrong? Well, it turns out that the permission list nature of those mechanisms means that that that people can go get flash loans and manipulate the price but a damn today with what four of the five kind of flash gold-related attacks that recently happened. We're about they were about using the flash loan as a mechanism to manipulate a simile treated and easy to manipulate on chain price Discovery Source conversely at in chain links case, we Source data from hundreds of exchanges. So we provide something called Market coverage and I and I spoke about this in-depth

00:07:39
At the Ethereal presentation editorial conference earlier this year and we've released Also earlier this year a very long block post called the importance of data quality in defy. I suggest that people interested in these in these topics and problems watch that presentation. I begin teaching more into these problems somewhere in the middle of it if you want to skip skip the first part and then also the importance of data quality in Define towards the middle of the end of the presentation. We actually have caution messages that expressly tell people not to use a single exchange has their price or right now if there's a Define protocol that's using one or two or three exchanges. They are taking serious risk with with user funds because the more sophisticated version of this attack is to look at the protocols that use one or two or three exchanges and instead of manipulating One exchange, which is obviously easier, right the more advanced version of this attack is is the manipulation of the two three or four

00:08:39
Or exchanges that a defy protocol relies on to Source their price data and we we absolutely no that's possible because we look at Price data on a daily basis from the cryptomarkets to provide inside and assurances that the date of that we're sourcing from over 10 different data providers that cover hundreds of different cryptocurrency exchanges is representing the world inaccurate Market coverage based way the people right now that have a single Oracle whether it's a centralized exchange or a Unchained X. If it's an Unchained X that they should immediately called an internal meeting and discuss, you know the risks and their level of comfort with those risks if it's a centralized exchange it it has larger volume. They should seriously consider what the manipulable nature of that volume is has that ever volume ever dropped and become able to get manipulated and you know, if it hasn't how how how did the other attacks actors fit in there? Cuz they definitely fit in there such as flash crashes and various other things that happened on the bed.

00:09:39
And then the third category of people that I think should think very deeply are the people that say I have I have 225 exchanges that I'm connected to directly and that means I've successfully created Market coverage over all of the crypto landscape where price Discovery can happen that is a serious miscalculation that I think the people relying on anywhere from their 225 single oracle's going to their 225 exchanges. Did they happen to like the day when they made the Oracle and dad are not monitoring for manipulation or volume shift to exchanges that aren't covered is something that people should very seriously review because the next more sophisticated version of this attack is not I can manipulate a single-price Oracle is I manipulate single exchange and therefore the price I die. Now. All I need to do is manipulate two or three exchanges and I manipulate the price. And once again, this is something that unfortunately is coming and that our system was architected to be complete.

00:10:39
Resisting to from the beginning by sourcing data from hundreds of exchanges effectively creating Market coverage effectively making sure that the only way that someone can and when he played the price is my actually changing the global price, which is the actual price and therefore the view by protocol is still reflect the reality real quick question before we get off today. I want to know how much of Defy is exposed to these attacks. Unfortunately, it's it's a substantial. It's a substantial portion of defy. Unfortunately. I see two Dynamics one Dynamic is Dad. There are people that for the sake of speed, you know, they spend time on security audit smart contract. It's which is very good. But then the Oracle side of it they kind of say, oh, you know, I can get a price here and it's fine and it's an Unchained price Discovery mechanism like a pool or Dexter or whatever it is and they kind of Say it'll be fine. You know, they have their well-known. They they function well just because a deck store on chain price Discovery mechanism functions for its purposes.

00:11:39
Doesn't mean it's a manipulation resistance price Discovery mechanism for you to put the value of your defy protocol against and this is the thing that people need to really really understand because for the sake of speed, you know, if you have anywhere over $1000000 or over $500,000 in your defy protocol and you're using a non chain price Discovery mechanism. I think that people should should should seriously look at look at look at the risks and and seriously, look at how the tweets that the second category that's actually more concerning for me are the people who have tried have have consistent to try to bake their own oracles and they have one or two developers working on it. Those developers don't have a background in Secure systems design or distributed systems are cryptography, you know, they've never built a data product and what they basically have is it was one developer trying to build a data provider that prays Market coverage which they usually do do the saying all I'm just going to have one two three exchanges as my data source.

00:12:39
And then also build an oral mechanism at the same time both of which are immensely difficult problems that we have, you know, well over seventy people working on with oversight from people like Ari juels who used to be the chief scientist of RSA. So these are these are not trivial problems. These are these are very serious problems. Both of them. How do I properly stores data to accurately represent market prices in the crypto landscape? And then how do I securely deliver that data both really big problems and the people that continue to bake their own oracle's with an understaffed under resource kind of system that continues to rely on one or two or three single exchanges that they happen to like because they think those exchanges are our great exchanges. They might be great exchanges that they might be great places for people to exchange cryptocurrency. It doesn't mean that they're immune to manipulation. It it it doesn't mean that somebody with enough resources can't go there and manipulate the price.

00:13:39
Does one or two exchanges and therefore manipulate the price controlling the defy protocol in which use our funds are are held and so I think that what we all want to avoid as an industry is any kind of larger failure and and what we want to do is make sure that people designing these in the early stages in the middle stages and in the late stages all consider the data quality the collection of data sources feeding their price and the Oracle mechanism generating that kind of input into the into a chain and both of those are very big problem that need to be seriously thought through if they want to discuss it with us at chain link. We're glad to Simply give them an overview of what the risks are and what are the key considerations day should be making up a security perspective and then they can make their own informed decision about you know, how they want to approach those risks. But at this point using a single on chain price Discovery mechanism, especially in Unchained X that can get manipulated by flash loans or even an off chain centralized exchange or even two or three of them, I think

00:14:39
Is it serious risk that people should seriously reconsider and that we're glad to discuss with them and glad to Think Through in more detail went whenever they liked what I want to say. Thank you very much for taking the time to explain to a flagstone attacks. And if anybody who is listening right now wants to know more about it. I will link the Ethereal conference talk that you gave in our Sonos whoever's listening can go right to our Sonos and watch their gay talk more about this issue Sergey nazarov CEO of dealing. Thank you very much for coming out of the crypt daily, and I hope to talk to you again soon and don't work too hard, sir. Thank you.

00:15:14
And in other news net $53,000 in just 30 minutes when you're in finance Creator and recalling a tweet about his new credit lending and Loan product Dura swap today a bunch of scammers jumped into the ride out this immediate popularity today after his wife was released the first such scam pool. So an attacker issue fake guap token Supply that use my pool with 72.4. F conduct a few trays attract a little traitors and exit the entire pool with 162.3 f in about 20 minutes or so. This process netted scammer my BF worth over $53,000 at current prices, ethereum, 2.0 is tentatively slated to launch December 1st, according to the theory of Foundations previous approximation for this to happen to me to be 16384 validators on the network by November 24th, each of them mistake 32f for a total of 524000.

00:16:14
188f or around 3:10 billion dollars 50% there and if this doesn't happen that means the launch of f 2.0 might be pushed back and you know what we're counting on it.

00:16:27
Bitcoin prices going through the roof as companies continue to buy to asset in large amounts PayPal and cash app are already buying more than 100% of the newly issued big ones when other large financial institutions probably lead to supply scarcity will become even more imbalance Pantera Capital said there could be a Bitcoin shortage but experts say don't worry because the average person was still be able to buy in store $100,000 of Bitcoin value at whatever the prices look even if you are buying up all the Bitcoin right now at 18,000 or $19,000 if it goes up to $100,000 then if you don't have $18,000 in Bitcoin, and it goes up to a million dollars and you only have $18,000 to buy whatever that is 002 Bitcoin regardless, there is zero four days. I'm not worried about it.

00:17:15
And finally ciphertrace a blockchain forensic firm has filed patent applications and its bid to decipher Monero secretory cells bees and time and arrow Technologies to the US government which is kind of pissed off by the volume of Alyssa trays. I'm an arrow and wants to track them down mineral is the 15th largest cryptocurrency according to market cap for the total capitalization about 2.2 billion dollars crypto exchanges have not listed it that betrays by the way during our weekend update has evaluation out of 1 billion dollars which means governments and large companies organization or government agencies are finding that it's very very valuable to track cryptocurrencies.

00:18:01
Thank you for listening to this episode of the decrypt daily. My name is Matthew Aaron Diemer guys. Didn't know my last name. Did you know there? It is Matthew and Redeemer. I just said it by the way. We have a Facebook or I put videos of the conversations that we have, and I also sure my foot. So if you want we can go to my Twitter and add me at Matthew a beamer timer, or you can join our Facebook page after the Crypt. I'll see you tomorrow, Happy Hollow.
Translate the current page