The inclusion of Chainlink oracles reportedly serves as protection against similar exploits. Flash loan exploits use a feature that allows borrowing an unlimited amount of funds, as long as it is returned within the same Ethereum block.
According to the team, security experts determined that the root cause of the exploit was an exploitable price oracle.
The report said that the issue seems to have been compounded by Warp Finance’s use of liquidity provider tokens for collateral. This feature is one of the main selling points of the protocol, as it allows committing yield-bearing tokens as collateral, combining both the yield from trading fees and from borrowers using the protocol.
Defi protocol, Warp Finance, is relaunching using @Chainlink oracles. With a much-needed security upgrade, they hope to prevent any future flash loan attacks like the one that drained $8 million from their protocol earlier this year. https://t.co/ViUOgFCrzQ — Cointelegraph (@Cointelegraph) January 9, 2021
Emiliano Bonassi, the DeFi whitehat hacker, said that the exploit relied on the fact that Warp Finance oracles did not properly calculate the underlying value of the pool tokens. The new protocol will use Chainlink price feeds for all critical functions, notably the value of the LP tokens used for collateral.
Taking a look… https://t.co/UzyDETcmur This is the second attack which uses multiple flash liquidity, flash swaps via Uniswap and flash loans via dYdX We will see very complex things via @AaveAave V2 batch flash loans 🙂 https://t.co/jAjWa3WAi6 — Emiliano Bonassi | emiliano.eth (@emilianobonassi) December 17, 2020
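The LP-token valuation problem described above can be illustrated with a constant-product pool, comparing a valuation read from current reserves with one derived from the pool invariant and external prices. This is an added example, not Warp Finance's or Chainlink's code: the pool figures, prices and function names are constructed, the spot-reserve form is an assumed illustration of a fragile valuation, and the hardened form is the commonly used fair-reserve formula 2·sqrt(k·p0·p1)/supply.

```python
from math import isqrt

# Constructed sample pool (whole-token integer units, USD prices from an assumed external feed).
R0, R1 = 10_000, 4_000_000      # token0 and token1 reserves
P0, P1 = 400, 1                 # external USD price per token0 / token1
SUPPLY = 200_000                # LP tokens outstanding


def spot_reserve_lp_value(r0, r1, p0, p1, supply):
    """Fragile: values LP tokens from whatever the reserves are right now.
    By AM-GM, r0*p0 + r1*p1 grows whenever reserves are pushed off balance."""
    return (r0 * p0 + r1 * p1) // supply


def fair_lp_value(r0, r1, p0, p1, supply):
    """Hardened: depends only on the invariant k = r0*r1 and external prices,
    so a swap that skews the reserves (k unchanged) does not move the result."""
    return 2 * isqrt(r0 * r1 * p0 * p1) // supply


def swap_token0_in(r0, r1, amount_in):
    """Constant-product swap of token0 into the pool. Fees are ignored here;
    with fees k rises slightly, which the fair formula reflects as earned yield."""
    k = r0 * r1
    new_r0 = r0 + amount_in
    return new_r0, k // new_r0


def compare():
    """Return (spot, fair) LP values before and after the reserves are skewed."""
    before = (spot_reserve_lp_value(R0, R1, P0, P1, SUPPLY),
              fair_lp_value(R0, R1, P0, P1, SUPPLY))
    r0, r1 = swap_token0_in(R0, R1, 30_000)   # large same-transaction swap
    after = (spot_reserve_lp_value(r0, r1, P0, P1, SUPPLY),
             fair_lp_value(r0, r1, P0, P1, SUPPLY))
    return before, after


if __name__ == "__main__":
    before, after = compare()
    print("balanced pool  spot/fair USD per LP:", before)
    print("skewed pool    spot/fair USD per LP:", after)
```

A lending protocol that sizes loans from the spot-reserve figure would over-credit the collateral while the pool is skewed; the fair-reserve figure gives the same answer in both states.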
Likewise, Sergey Nazarov, the founder of Chainlink, has often been adamant about the fact that price oracles need to cover as much of the market as possible. Indeed, many flash loan exploits are closer to market manipulation than outright software bugs.
Even when no malice is present, incidents such as Compound’s excessive liquidation event in November could have been prevented with more market coverage. Compound relied only on prices from Coinbase and Uniswap, which temporarily posted a highly inflated price for Dai.
A spokesperson said:
“Uniswap oracles have been an option for many projects that seek price feeds for a variety of use cases. As such, we launched similarly to other lending platforms for the trial phase, with the ability to upgrade later.”
The spokesperson further noted that a significant portion of DeFi projects are not using Chainlink, and they believe that the relaunch “gives our users much greater peace of mind about the security of our protocol.”
Warp Finance has also drafted a compensation plan for affected users, having already recovered 73% of the stolen funds.