Coinbase & The Oracle

We can never see past the choices we don't understand.

Recent attacks have seen hackers returning millions of dollars to their victims, or simply leaving money on the table when they could have taken more.

Various methods have been used to steal funds in the recent hack epidemic, but one character has played a role throughout...

According to Morpheus, The Oracle has been in the service of the resistance “since the beginning”. She is a sentient program that aids the human resistance in freeing humanity from the oppression of the Machines.

Recently, The Oracle has been under constant attack by anonymous agents who aim to manipulate her perception of reality in order to maximise their profits.

NEO: I suppose the most obvious question is, how can I trust you?

ORACLE: It’s a pickle, no doubt about it.

Trust issues are common with price oracles, which can either be on or off-chain.

As samczsun wrote:

In one approach, you can simply take the existing off-chain price data from price APIs or exchanges and bring it on-chain. In the other, you can calculate the instantaneous price by consulting on-chain decentralized exchanges.

Both options have their advantages and disadvantages.

On-chain price oracles such as Uniswap, Kyber, or Balancer don’t require any privileged access and are always up-to-date; however, this means they are easily manipulated by attackers.

Off-chain oracles such as Coinbase are usually slower to react to volatility, and they also require privileged users to push the data on-chain, so you have to trust that they won’t turn evil and can’t be coerced into pushing bad updates.

Today’s mass liquidation was due to an error, or manipulation, of the Coinbase oracle.

We saw over $110m of loan liquidations on Compound Finance due to their reliance on Coinbase as a single oracle.

The popular yield farming pair DAI/USDC came off peg as the DAI price spiked to $1.3, causing mass liquidations and huge profits for the anonymous agents who were waiting to liquidate these positions.

Sam Priestley explains how liquidation can occur and how people can profit from it.

Someone got liquidated for $49m on compound today. Liquidator got $3.7m just for calling a method.

The victim was a leveraged comp farmer. They were lending DAI and USDC and borrowing DAI and USDC. When the price of DAI changed it pushed their account into liquidation. If they had kept DAI and USDC in separate wallets this wouldn't have happened.

When your account is in liquidation the liquidator can choose to take any of your collateral in exchange for repaying your debt. So the liquidator took DAI. Borrow DAI from Uniswap. Repay DAI debt. Get more DAI from liquidation. Repay Uniswap. Profit.

The whale may have thought they were safe because they never called 'enter-markets' function on USDC. But by borrowing USDC they activated USDC as collateral for their DAI debt.

Thank you to @arbingsam for the analysis.
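
The solvency arithmetic behind that analysis, as an added example that is not part of the original article or of Compound's code. It assumes a single collateral factor of 0.75, treats every supplied token as collateral, and uses constructed position sizes; only the $1.30 DAI price comes from the article.

```python
from dataclasses import dataclass, field

# Assumption: one collateral factor for both stablecoin markets (illustrative value).
COLLATERAL_FACTOR = 0.75


@dataclass
class Account:
    supplied: dict = field(default_factory=dict)  # token -> units lent
    borrowed: dict = field(default_factory=dict)  # token -> units owed


def account_liquidity(acct, prices, cf=COLLATERAL_FACTOR):
    """Borrowing capacity minus debt, in USD. Negative means liquidatable."""
    capacity = sum(cf * amt * prices[tok] for tok, amt in acct.supplied.items())
    debt = sum(amt * prices[tok] for tok, amt in acct.borrowed.items())
    return capacity - debt


def liquidation_price(acct, token, prices, cf=COLLATERAL_FACTOR):
    """Oracle price of `token` at which a rising price makes liquidity hit zero.
    None: a rising price never causes a shortfall. 0.0: under water at any price."""
    # Liquidity is linear in the token price: liquidity = base + slope * price.
    slope = cf * acct.supplied.get(token, 0) - acct.borrowed.get(token, 0)
    if slope >= 0:
        return None
    base = account_liquidity(acct, {**prices, token: 0.0}, cf)
    return max(0.0, -base / slope)


# Constructed positions, in millions of tokens (not the real account's figures).
PEG = {"DAI": 1.00, "USDC": 1.00}
SPIKE = {"DAI": 1.30, "USDC": 1.00}  # DAI price reported in the article

# One wallet: USDC collateral ends up backing most of the DAI debt.
combined = Account({"DAI": 10, "USDC": 100}, {"DAI": 60, "USDC": 20})
# Separate wallets: each debt is backed only by the same token.
dai_only = Account({"DAI": 80}, {"DAI": 58})
usdc_only = Account({"USDC": 100}, {"USDC": 70})

if __name__ == "__main__":
    wallets = {"combined": combined, "dai_only": dai_only, "usdc_only": usdc_only}
    for name, acct in wallets.items():
        print(name,
              round(account_liquidity(acct, PEG), 2),
              round(account_liquidity(acct, SPIKE), 2),
              liquidation_price(acct, "DAI", PEG))
```

With these constructed numbers the combined wallet becomes liquidatable once the oracle reports DAI above roughly $1.05, while the same-token wallets stay solvent at any DAI price because collateral and debt move together.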

The below graph shows the DAI price spike - a massive fluctuation for a supposedly stable coin.

When Coinbase introduced their Oracle they were aware of the issues that come with reliance on off-chain oracles:

Using data from an off-chain source requires trusting the publisher to post correct prices and keep the signing key safe

However, rather than attempt to reduce the need for trust, they just reassured the reader that they were worthy of this trust.

Coinbase is one of the most trusted companies in the crypto space and a major part of our mission is growing the cryptoeconomy. A highly reliable price feed anchored into Coinbase’s secure infrastructure can help make the DeFi ecosystem safer, reduce systemic risks and unlock the next wave of growth and adoption.

It seems that Robert Leshner believed them, as he said at the time:

Coinbase price oracle will increase the security and decentralization of Compound’s price feed, which is mission-critical to the protocol and the ecosystem of applications built on top of Compound. We’re not alone — the rest of DeFi will benefit with faster development, consistent data, and shared standards.

— Robert Leshner, Compound CEO

So what went wrong?

If “off-chain oracles require privileged users to push the data on-chain”, how did this happen?

The Coinbase status page currently shows the following:

Coinbase Oracle has had “issues” in the past, which always seem to lead to highly profitable situations for certain actors.

Whether this was a manipulation or a technical issue isn’t yet clear, but we do know that no flash loans were used. To manipulate the Coinbase order book to such a state would have cost 100k DAI, as the order book had 300k of depth, and the off peg price reached $1.3.

Was this malicious, careless, or expired tech? Either way, those liquidation bots profited from this incident.

Using any singular centralised data source as a price oracle is unwise, and Coinbase is particularly bad, especially if you can wipe the order book with 100k.
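
One way to avoid depending on a single feed, as an added example that is not Compound's or Coinbase's code: take the median of several independent reports, ignore stale ones, require a quorum, and flag any source that strays from the median. The source names, timestamps, prices other than $1.30, and all three thresholds are assumptions made for illustration.

```python
import statistics

MAX_AGE_SECONDS = 300  # assumption: reports older than this are ignored
MIN_SOURCES = 3        # assumption: quorum needed before a price is usable
MAX_DEVIATION = 0.05   # assumption: 5% distance from the median flags a source


def aggregate_price(reports, now):
    """reports: iterable of (source, price, unix_timestamp).
    Returns (median_price, outlier_sources); raises ValueError without a quorum."""
    fresh = [(src, price) for src, price, ts in reports
             if price > 0 and 0 <= now - ts <= MAX_AGE_SECONDS]
    if len(fresh) < MIN_SOURCES:
        raise ValueError(f"only {len(fresh)} fresh sources, need {MIN_SOURCES}")
    median = statistics.median(price for _, price in fresh)
    # Sources far from the median are reported so operators can investigate.
    outliers = sorted(src for src, price in fresh
                      if abs(price - median) / median > MAX_DEVIATION)
    return median, outliers


# Constructed DAI/USD reports: one venue shows the spike, the others do not.
NOW = 1_606_400_000
REPORTS = [
    ("exchange_a", 1.30, NOW - 20),
    ("exchange_b", 1.02, NOW - 35),
    ("exchange_c", 1.01, NOW - 50),
    ("dex_twap", 1.03, NOW - 10),
]

if __name__ == "__main__":
    price, flagged = aggregate_price(REPORTS, NOW)
    print(f"median={price:.3f} flagged={flagged}")
```

A protocol that consumed only `exchange_a` would act on $1.30; the median of the four constructed reports stays near $1.025 and the divergent source is surfaced for review.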

There are programs running all over the place. The ones doing their job, doing what they were meant to do, are invisible. You’d never even know they were here. But the other ones, well, we hear about them all the time.

And don’t worry about the vase.

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
