Interesting timing for the xSNXa / xBNTa exploits which took advantage of Uniswap not having a sufficient oracle solution in place. Whatever happens ultimately I do hope UNI can find an oracle solution that makes sense so we don’t continue to see these kinds of attacks damage the reputation of the protocol. Utilizing Chainlink price feeds would be a very simple short term solution at least.
You want to use an oracle system where, in the case where an attacker buys up 51% of the oracle tokens and uses them to cause a single incorrect price to be reported, the oracle token blows up completely and goes to zero (the market value going into a fork that zeroes out the attacker).
Would this be true of UNI? If UNI accrues value by taking fees off of each trade, would one expect a bad oracle response to be that detrimental to its value? I would assume that its value would still mostly be based on the amount of volume on Uniswap, which would be pretty unrelated to its price responses.
I’m the co-founder of UMA. I think the ideas Vitalik presents here are very good.
Some context: UMA is based on Vitalik’s Schellingcoin idea from 2014. UMA implemented this idea because we think this is a critical piece of DeFi infrastructure, for many of the same reasons Vitalik already mentioned.
The UMA system has been in production for about a year now, and we’ve shown that this type of oracle design really does work in real life, for real world DeFi contracts.
A number of very smart folks (@g_dip, @Micah, adamscochran) have commented that the type of voting oracle Vitalik is suggesting doesn’t work well with current DeFi design patterns. The biggest concern is generally around how to liquidate contracts if you have to wait for a price to get verified. UMA has spent the last ~2 years figuring this out, but we haven’t done a good job communicating to the broader DeFi community how these “priceless” contract designs work.
What I would like to propose is that we (UMA) write a proposal for how a mature protocol like Maker or Compound could be written “optimistically” and be enforced with an UMA-like oracle system. This may be clarifying for this broader discussion, and help articulate the advantages of this approach.
Also @haydenadams I think it would be fun to do a “Should UNI fork UMA” panel moderated by V.
EDIT: To be clear, I think what UMA has built is quite unique and would be very difficult to fork. But I would love the opportunity to explain the virtues of the design with Hayden and V.
Looking forward to it!
Cool proposal, and I think it could get some traction/ some decent usage for the UNI token, but I think it fails for the same reason Augur sort of hasn’t taken off or Gnosis for that matter.
The way I envision it working from Vitalik’s post would be:
- simple uniswap oracle (twap)
- if someone thinks it’s corrupted, you can pay a fee to dispute the result
- goes to a 1 day vote
- if that vote is still wrong (or right), someone can pay more of a dispute fee to push it to the next vote (like a 2 day vote)
- the next vote costs more to initiate and is longer…and so on and so on
eventually you have everyone in the system “staking” which is the right value (which is why the cost to break is 51% of the mkt cap)
I run Tellor and we use roughly the same thing. I think you could make the argument (like Gnosis did)…why not just use a bigger mkt cap coin of ETH?
The reason is that you hope a community that votes and is active in what a “proper” value is will be a better oracle than just allowing ETH whales (exchanges) to control the vote.
Overall it never really comes down to these scenarios though. The real “oracle” problem is figuring out how to find the tradeoffs between speed, decentralization/liveness and slight manipulability (moving the price by 1%). The current Uniswap twap oracle really bangs on the first 2, but sort of falls short on the last one. LINK rocks on 1/3 and others like Tellor find different mixes. Handling for the long tail of preventing 51% attacks of oracle coins is a job that should be done at the user level as there are a range of appetites depending on use case for waiting weeks vs liquidating or adding penalties.
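The escalation game listed in the post above, modelled as an added example (not part of the original post and not code from Uniswap, Tellor or any other project). The doubling of fee and vote length, the alternating disputers, the non-refunded bonds and all names and numbers are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Round:
    index: int          # 1-based round number
    fee: float          # bond needed to open this round (token value)
    vote_days: float    # length of the vote this round triggers
    final: bool = False # True for the whole-token vote that ends the game

@dataclass(frozen=True)
class Outcome:
    winner: str         # "attacker" or "defender"
    rounds_run: int     # rounds that were actually opened and voted
    days: float         # total voting time before the result is final

def escalation_schedule(base_fee, market_cap, base_days=1.0, growth=2.0):
    """Dispute rounds up to the final whole-token vote.

    Assumption: fee and vote length both grow by `growth` per round; the
    post only says each round costs more and lasts longer.
    """
    if base_fee <= 0 or market_cap <= 0 or growth <= 1:
        raise ValueError("need base_fee > 0, market_cap > 0, growth > 1")
    rounds, fee, days = [], float(base_fee), float(base_days)
    while fee < market_cap / 2:
        rounds.append(Round(len(rounds) + 1, fee, days))
        fee, days = fee * growth, days * growth
    # Once the bond would reach half the market cap, everyone is staking.
    rounds.append(Round(len(rounds) + 1, market_cap / 2, days, final=True))
    return rounds

def resolve(rounds, attacker_budget, defender_budget):
    """Honest disputers open odd rounds, the attacker opens even ones.

    Assumptions: every vote is contested by the losing side, bonds are not
    refunded, and a side that cannot post the next bond concedes.
    """
    budget = {"defender": defender_budget, "attacker": attacker_budget}
    spent = {"defender": 0.0, "attacker": 0.0}
    days = 0.0
    for r in rounds:
        if r.final:
            # Whole-token vote: the attacker wins only with a majority left.
            left = budget["attacker"] - spent["attacker"]
            winner = "attacker" if left > r.fee else "defender"
            return Outcome(winner, r.index, days + r.vote_days)
        side = "defender" if r.index % 2 == 1 else "attacker"
        if spent[side] + r.fee > budget[side]:
            other = "attacker" if side == "defender" else "defender"
            return Outcome(other, r.index - 1, days)
        spent[side] += r.fee
        days += r.vote_days

if __name__ == "__main__":
    # Constructed numbers: 10k opening bond, 1M market cap.
    schedule = escalation_schedule(10_000, 1_000_000)
    for name, atk, dfn in [("small attacker", 50_000, 1_000_000),
                           ("nobody can afford to dispute", 50_000, 5_000),
                           ("large attacker", 600_000, 1_000_000),
                           ("majority attacker", 1_000_000, 1_000_000)]:
        print(name, resolve(schedule, atk, dfn))
```

With these constructed numbers a well-funded attacker is only stopped at the whole-token vote after 127 days of voting, and an opening bond that honest watchers cannot afford lets a bad value stand with no vote at all.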
The cost of such an attack is thus half the market cap of the token, minus some amount to account for very lazy holders who are not willing to participate in a vote even in an extreme emergency that could cost them their coins.
Can anyone help me understand why the cost is half market cap but not the amount of token of corrupted holders?
@phuqle Just a basic assumption in all of this crypto stuff. You assume there are no angels. Obviously if 51% of the supply is held by outstanding, incorruptible citizens of the world, you’ll be fine. But for the sake of doing complex and impressive looking security analyses/game theory, we like to model that everyone is a nihilistic degen that can be bought out at market price.
Thank you! I didn’t assume that btw. And I still don’t understand. If majority ~ >50% corrupted, then the minority forks the old chain to have the new chain and issue new tokens. I assume that the value of the new tokens = the value of the old tokens of the minority which is <50% of the old tokens market cap.
And how does it link to the cost of the fork is half of the old tokens market cap?
Forking doesn’t assume control, it creates an entirely new chain which Uniswap would not be using. Assuming that the devs then swapped to the new chain, you’ve still just suffered a massive attack that has debilitated the platform by draining its funds and leaving users having lost trust. You can’t just fork problems away.
And he wasn’t saying you assume no angels, he was saying when modeling out possibilities such as threats in crypto, the general assumption is that people have the worst intentions. If you are prepared for the worst, then you are prepared for the best as well. Given the stakes, that’s the safest way to do this. Of course, Uni’s TWAP oracle has clear vulnerabilities and is just one of many attempts at solving something but missing potential threats, so it’s easier said to assume these things than it is in practice. Hard to account for everything in design, which generally speaking is why most companies do NOT try to build their own version of a product where a suitable, affordable version of what they need already exists. It’s very high risk to spend that many resources just to fail. Even after all the time spent on oracles for the uni team they have to go back to the drawing board completely if they want to get it right on their own, and it’s another risk. When you’re talking about people’s money “most of the time it works” is not good enough. The TWAP oracles simply are not robust enough. Uni needs to make a choice to abandon their dex and try to compete as an oracle (idiotic) or adopt an existing, functional oracle solution which suits the needs of DeFi. And there is currently only one option, for better or for worse. I really don’t get the adversity some projects have to using Chainlink, they have proven time and time again to prevent losses in case of attacks and the network has only gotten better with time. Even Maker who refused to use Chainlink now indirectly uses Chainlink because all of their feed providers do. Compound is adopting Chainlink in conjunction with Uni’s oracle (Uni’s oracle not needed but another case of ego where Compound’s founder simply can’t admit that Chainlink got it right where they could not on their own). Uni is the last bastion of DeFi that is fighting Chainlink. For what? Going to kill the network.
I’m not saying that there shouldn’t be alternatives, I’m all for that. But developing a robust, useful oracle system is not an overnight task. It’s not a 1 month task. It’s not a 1 quarter or 1 year task. It will take all of Uni’s dev resources multiple years to do this properly. In what world would that be the right decision unless they wanted to fully pivot?
I have an FX multi-bank trading platform background and for me “Oracle problem” is very similar to a price-fixing problem on FX market. (ex. google: “Global banks admit guilt in forex probe, fined nearly $6 billion”)
The solution for FX was to move away from fixings as price Oracles, where there might be some particular interests that can be in billions of $$$, and focus more on the tradeable price. Even if $10 billion would be at stake to get 50%+1 on price Oracle, we are never sure, if the interest is not bigger than $10 billion (imagine Crypto Market Cap of $100 trillion).
This brings me to a basic question: how to create better link between the value of ERC-20 token and the value of USD/EUR/GBP/JPY/… to get more people using smart contracts in the real economy?
From my perspective, the real race to bring more trust to a stable coin market is not a race between price Oracles (we learned from FX that they are vulnerable by its nature), but how to make Tether-like projects (ERC-20 to FIAT “bridges”) big enough to compete with CLS settlement system. If we will get the settlement right (from ERC-20 to FIAT), the instrument price will always follow. Arbitrage will do the rest even if the price of all tokens would drop 99% in 1 minute. This would not be the case for price Oracles.
Currently, CLS is big enough to get the trust of $2 trillion per day (google: “CLS FX TRADING ACTIVITY march 2021”), if Tether-like solutions will get closer to CLS, the interbank market will follow and then a Crypto Market Cap of $100 trillion will become possible. CLS has achieved scale in fully CENTRALIZED way. Our job is to do it in a fully DECENTRALIZED way.
To fully integrate ERC-20 with FIAT we can copy one popular pattern from FIAT:
It is common to see wealthy people putting money in 50-100 banks to get credit risk distributed (done usually by family office). It is not possible to avoid counterparty risk in FIAT, but government deposits insurance of $100k-250k for each individual bank is at least addressing some part of the risk. Having it in different jurisdictions is reducing the risk even more.
Let’s try to replicate this on blockchain:
- Every regulated crypto broker/crypto bank that has access to FIAT system should issue its own stable coins in all supported currencies. The stable coin would represent a deposit with this particular broker/bank. Each broker/bank could have its own rules on how deposit works (ex. if this would be a bank, it would be probably willing to use this FIAT money for its own lending activity, the same way as in case of regular FIAT deposit)
- The only function of the broker/bank would be to redeem their stable coins for FIAT (they don’t need to make markets → this will be done by market participants)
- This would result in 200-300 stable coins in all possible currencies issued by different brokers/banks
- Stable Coin Baskets would be created via smart contracts (ETF like products with stable coin basket redemption to allow arbitrage via FIAT settlement)
- Stable Coin Baskets would compete with each other for the best basket of stable coins/best smart contract structure/best governance
- Even if one or the other stable coin issuer will stop redeeming its own stable coins for one or the other reason the whole system should survive.
- Each Stable Coin Basket/Basket of Baskets can have its own protocol fees and Treasury that would compensate when some coin in the basket would become “insolvent” (= not convertible to FIAT).
Our first task: make it very simple for regulated crypto brokers/crypto banks to issue their own stable coins
I’ve expanded upon my thoughts on this proposal in this Twitter thread here. In my opinion, this proposal would require a serious pivot from the Uniswap team from being a decentralized exchange to also creating a dedicated oracle protocol, a multi-year full-time task to accomplish. Projects specializing in building a specific piece of composable smart contract infrastructure is the beauty of the DeFi stack, it leads to efficient usage of limited developer resources.
To note, the Chainlink Network is already cryptoeconomically secured by the $46B FDV LINK token through implicit incentives (oracle nodes are paid in and hold native tokens whose value is derived from the health of the network as a whole). This form of cryptoeconomic security is already seen with the Bitcoin and Ethereum networks today (miners hold and are paid in native coins) and is why the honest majority assumption works, it’s backed by economic incentives and penalties. Additional cryptoeconomic security through explicit staking (the slashing of deposited stake from malicious nodes) is being worked on and will be implemented with Chainlink 2.0, discussed in the recent whitepaper.
These approaches raise the cost of attack, which is why I believe Chainlink Price Feeds are already well suited for securing high-value DeFi smart contracts like Aave, Synthetix, and algorithmic stablecoins like Reflexer, Ampleforth, etc.
Thanks for elaborating on forking and the risks Uni’s oracle might face. However I still don’t understand this, maybe I’m just too dumb
Any links/resources to read in order to understand it is very much appreciated
I guess the assumption is nobody will continue to trade on uniswap if UNI is used to break oracles. And then UNI price crashes to zero. Not sure how well it holds up because uniswap is trustless.
So how does chainlink implement this cryptoeconomic security? To my knowledge there is no penalty system in place. Remember this one time where a node operator by accident swapped the gold price feed with that of silver. Some users on synthetix profited hugely from this, while the nodes still had their LINK payouts (no penalties applied). Point is that a node can serve just about any data no matter the quality. There is no mechanism to judge on whether this data is correct and penalize accordingly. Probably this is what Vitalik meant with ‘incentives are not clear’.
I can expand upon Chainlink’s cryptoeconomic security for clarity. Chainlink oracle networks are cryptoeconomically secured today through implicit incentives. Each Chainlink node in the network holds and is paid in LINK tokens for their oracle services. The value of LINK itself is derived from the health, adoption, and reputation of the network as a whole, creating a strong economic incentive for each node to provide a secure and reliable source of external data (e.g. ETH/USD) in order to uphold the value of not only their current LINK holdings but also their future revenue (which is denominated in LINK).
We see implicit incentives in existing networks like Bitcoin and Ethereum. Because Ethereum miners hold and are paid in ETH, they operate the protocol faithfully because a corrupted network would result in the devaluation of ETH due to the destroyed trust of the network, creating financial harm to themselves. In the Chainlink Network, a successful collusion attack between the most reputable and profitable nodes that ends up resulting in a significant loss/exploits for DeFi protocols would likewise destroy trust in the network, resulting in a devaluation of the value of LINK.
In addition, each individual Chainlink node is a publicly identifiable entity with their individual future revenue, reputation, and off-chain business on the line. Chainlink nodes operated by enterprises like Deutsche Telekom and data providers like Kaiko have significant revenue both within and outside of the Chainlink network, which would be forfeited through malicious activity. Therefore, for economically rational nodes, it is more profitable to be honest, which is why the honest majority assumption works for networks like Bitcoin, Ethereum, Chainlink, etc.
What you noted about the gold price feed from a year ago wasn’t an attack on the network but a misconfiguration of a single feed that resulted in minimal issues. If tens of billions of dollars had been stolen as a result, the value of LINK would have certainly been significantly affected here, creating a financial penalty. The devaluation of the native token depends on the severity of the network issue/attack. The Chainlink network has been significantly hardened since then and uses an entirely different oracle network model, so such issues have not occurred since, but the security of the Chainlink network is not static and continues to evolve.
The Chainlink 2.0 whitepaper was recently published which modeled an explicit staking mechanism where nodes stake their LINK tokens in a service agreement and can be slashed for providing manipulated data. Here, a two-tier oracle network model is used, with a low-cost first-tier that continuously generates oracle reports and a higher-cost maximum-security second tier used for settling disputes, which creates a super-linear staking impact where the cost of attack is significantly greater (quadratic in the number of first-tier nodes) than the sum of all deposits within that network.
The first-tier consists of nodes explicitly staking LINK while the second-tier consists of the most reputable, reliable, and profitable nodes in the Chainlink network who have the greatest financial exposure to LINK and as rational economic actors resolve the rare disputes accurately in order to uphold the value of their LINK holdings, LINK staked in other first-tier networks, future LINK revenue, and individual reputation. The whitepaper goes much deeper into this mechanism than I can cover here, but this mechanism would provide slashing-based cryptoeconomic security in addition to the existing implicit incentives-based cryptoeconomic security.
Reposting this from another forum to add to the discussion (not my opinions)
This is a good thread so I will drop some alpha
Vitalik makes UNI oracle thread
intentionally designed as low-frequency/high-latency oracle
specifically mentions Optimism
mentions lots of weird quirky constraints that it will need to have which don’t make sense on
Here is the deal. Optimisms business model is to Auction off MEV. Every single block on
Optimism will need to have near optimal MEV extraction for this to be economical.
This presents a problem when we think about oracles. If you are the block sequencer on
Optimism, where will you put the oracle update transactions? Wherever they are most
profitable for you. And in extreme cases you can actually censor them. Yes I know some
Optimism fag will tell you how they added some feature to prevent censorship, but without
disclosing specifics I am categorically telling you they cannot promise true censorship resistance
on Optimism in its current design.
This is a huge problem for oracles obviously.
The reason for the high-latency nature of Vitalik’s oracle is to make the oracle update window
span far enough into the future that the MEV aspect happens less frequently. However,
whichever lucky sequencer manages to catch the occasional oracle update gets a nearly
guaranteed fat arbitrage, as it has been hours or potentially days since the last oracle update,
so the arbs will be fucking huge.
The fatass giga arb is what will incentivize the sequencers to actually include the oracle update
in the block. Otherwise they would just keep trading on grossly mispriced assets.
This setup provides nearly guaranteed MEV against protocols which use oracles. Optimism
needs MEV to fuel their revenue. If this kind of design was not used, the MEV could potentially
dry up as protocols get smarter at designing around MEV and actually giving a shit about their
This is a bit of a dirty secret, but idgaf. The truth will set us free.
There is currently no way for a consumer to steer a data curation process or incentivize the chainlink network to add more weight to a specific datasource. Having an honest majority is a fair starting point, but it’s not enough. There can be all sorts of other data quality issues down the line that you have to monitor constantly. Data usage is always context dependent and some consumers might prefer some feeds over others in their aggregation.
I think that CL ideally should hand over the curation to the protocol actors instead of managing it themselves. This feed misconfiguration is a good example that this is a pain point to be improved upon. This is needed to make it more decentralized and censorship resistant.
This is also the reason why the proposal for the UNI oracle makes sense to me. You want to have data quality control in the protocol user’s hands by adding a dispute governance process. I’m not sure how the disputes are resolved in chainlink 2.0 but it does sound like a good way forward.
Chainlink is a framework for building oracle networks, so anyone can create a network that uses and weights any selection of data sources desired for their use case, which we have seen in the creation of different oracle networks for different dApps. The management of the Price Feeds used by the larger DeFi projects like Aave and Synthetix has already been improved upon with the hiring of Ben Chan a year ago to lead engineering at Chainlink Labs (who was previously CTO of the multisig firm BitGo and co-architect of WBTC) to improve the processes around specific parameter changes, as well as an expansion of the multisig participants to include the larger ecosystem users as signers.
If maximizing market cap is the goal for security, why not use an oracle that fully operates on the blockchain’s native currency e.g. ETH?