Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Decentralized Finance (DeFi) is great eco-system for opening up everyone to many financial instruments. You know what's not great? DeFi hacks. A large percentage of these occur from manipulating the oracle or pricer of the assets in some way to purchase/sell assets at a bad price for the other party. This article talks about how to fix this problem.

First, the author mentions primitive protocols. This is contracts that have no governance, no upgradeability and no oracles. Why? If the main contract gets manipulated, then everything gets manipulated, since it's an underlying protocol for everything.

The argument is that if everything is self-contained, then oracle manipulation from other protocols subtleties is not possible. The only true example of this is Uniswap but it's now upgradable, which is a double-edged sword.

What about lending protocols? There are several cases of lending protocols being being oracle-free. Instead of the collateral factors being set by oracles like Chainlink, the lenders are responsible for evaluating the risks and deciding how much collateral they want from the borrower.

To me, this feels like a cop out though. The safety of the protocol goes onto the lender instead of the protocol. If a bad rate was set by a lender, it would immediately be swept up and stolen. The solution to this is having a good user interface that sets these automatically. How does it get these quotes though? A price oracle, but off-chain, which prevents serious manipulation.

The article is a tad odd to me but made some good points. Oracles cannot be manipulated if the values are set by the lenders. By having this off-chain, a subtle flaw in a contract doesn't destroy the whole eco-system. Thanks for writing up your thoughts friend!