Warp Finance’s hack of $8 million could have been prevented with better oracles, the team says.
Warp Finance, a DeFi lending protocol that suffered an $8 million flash loan exploit shortly after release, is now gearing up for a relaunch that will include an integration with oracles by Chainlink.
The inclusion of Chainlink oracles reportedly serves as protection against similar exploits. Flash loan exploits use a feature that allows borrowing an unlimited amount of funds, as long as it is also returned within the same Ethereum block. According to the team, security experts determined that the root cause of the exploit was an exploitable price oracle.
The issue seems to have been compounded by Warp Finance’s use of liquidity provider tokens for collateral. This feature is one of the main selling points of the protocol, as it allows committing yield-bearing tokens as collateral, combining both the yield from trading fees and from borrowers using the protocol.
According to DeFi whitehat hacker Emiliano Bonassi, the exploit relied on the fact that Warp Finance oracles did not properly calculate the underlying value of the pool tokens. The new protocol will use Chainlink price feeds for all critical functions — notably the value of the LP tokens used for collateral.
Chainlink and its founder, Sergey Nazarov, have often been adamant about the fact that price oracles need to cover as much of the market as possible. Indeed, many flash loan exploits are closer to market manipulation than outright software bugs. Even when no malice is present, incidents such as Compound’s excessive liquidation event in November could have been prevented with more market coverage. Compound relied only on prices from Coinbase and Uniswap, which temporarily posted a highly inflated price for Dai.
When asked by Cointelegraph why Warp Finance did not initially use Chainlink oracles, a spokesperson replied:
“Uniswap oracles have been an option for many projects that seek price feeds for a variety of use cases. As such, we launched similarly to other lending platforms for the trial phase, with the ability to upgrade later.”
The spokesperson further noted that a significant portion of DeFi projects are not using Chainlink, and they believe that the relaunch “gives our users much greater peace of mind about the security of our protocol.”
Warp Finance also drafted a compensation plan for affected users, already having recovered 73% of the stolen funds.
Leave a Reply