As DeFi protocols secure a growing amount of on-chain value, malicious adversaries have a stronger financial incentive to exploit any potential attack vector. As we warned earlier this year in our blog post The Importance of Data Quality for DeFi Smart Contracts, the largest vulnerability in DeFi is protocols that rely on price oracles with poor data quality, such as on-chain price oracles generated by AMM-based DEXs. These single-source price oracles are increasingly being manipulated with flash loans because of their lower volume and/or lack of market coverage, and the DeFi protocols relying on them are getting their smart contracts exploited, ultimately resulting in a loss of user funds.
While AMM-based DEXs have brought great value to the space as trading environments with instant access to liquidity, they absolutely are not designed to be a reliable oracle mechanism responsible for securing millions to billions of dollars for users. The very nature of AMMs creates moments where there are strong distortions in the value of the asset reserves held in a pool, thus generating the arbitrage opportunities recently exploited by flash loan attacks.
While Curve is a valuable AMM-based DEX, a recent flash loan exploit has further demonstrated that it should not be used as a price oracle by other DeFi protocols, even to price Curve LP tokens against other on-chain assets when used as collateral. Instead, we encourage all DeFi protocols needing to price Curve LP tokens in stablecoins or cryptocurrencies to use Chainlink Price Feeds, which have been purpose built to avoid these attack vectors as proven by the many DeFi applications using Chainlink Price Feeds to secure billions of dollars and remaining unaffected.
We already have the following price feeds live on mainnet: USDC/ETH, TUSD/ETH, USDT/ETH, and DAI/ETH, which can be used to calculate the value of Curve LP tokens. These Price Feeds are consistently updated to follow price volatility, stored directly on-chain, and can be easily referenced in a single call to obtain a trusted price for Curve LP tokens.
To understand why Chainlink Price Feeds are an optimal solution for DeFi protocols using Curve LP tokens, let’s quickly examine the specific features we incorporated to prevent flash loan attacks and showcase how developers can quickly integrate these decentralized price oracles into their applications today.
Flash Loan Attack Vulnerabilities and How Chainlink Prevents Them
Curve Finance’s hybrid Automated Market Maker (AMM) is designed to offer low slippage swaps between like-kind assets like stablecoins using two-sided on-chain liquidity pools. While exchange rates between stablecoins are relatively stable, the price can be distorted temporarily in relation to the wider market price for those assets when a large trade is executed on Curve. This price distortion can then be used to exploit a DeFi protocol that offers Curve LP tokens as collateral and relies on Curve itself as the oracle to price those tokens.
Given the permissionless nature of DeFi and the rise of multiple flash loan providers, the barriers to accessing the capital needed to pull off such an attack are much lower. With Curve LP tokens increasingly being leveraged within DeFi protocols, it’s critical these projects use oracles like Chainlink with extensive market coverage in order to protect their users from temporary price distortions by way of flash loans and/or large trades made on the Curve protocol.
Each Chainlink Price Feed is secured by a decentralized network of Sybil-resistant oracle node operators run by leading security and blockchain DevOps teams. The oracle nodes source price data from multiple off-chain data aggregators, meaning each price point has strong volume-adjusted market coverage reflective of all trading environments. All nodes’ responses are then aggregated to form a single price update, further enhancing the data’s availability and resistance to manipulation from any one node or data source.
Importantly, Chainlink also maintains strong economic incentives, routinely keeping oracle networks live during network outages like Infura and posting fresh prices even during volatile market conditions with high gas prices. This is all verifiable by users via on-chain visualizations and node listing services, which allow users to monitor the real-time and historical performances of oracle networks and the individual node operators.
As Curve continues to be a widely used AMM for stablecoin liquidity, we encourage all DeFi protocols to use Chainlink Price Feed oracles as a mechanism to price the Curve LP tokens held by their users. A key component of scaling DeFi is scaling of the security underpinning it, especially the oracles that ultimately trigger the outcomes of smart contracts. We remain committed to providing the most secure and reliable price oracles in the market, and look forward to furthering the use of Curve LP tokens by giving DeFi protocols access to consistently accurate on-chain valuations that are resistant to data manipulation attacks.
How to Build Flash Loan-Resistant Valuation Mechanisms for LP Tokens
If you are a builder looking to price Curve LP tokens in your DeFi protocol, here is a short explanation on how to integrate Chainlink Price Feeds to ensure fair market valuations.
1. Find the correct Price Feeds for your LP token
First, you need to identify the appropriate Chainlink Price Feeds for each LP token. For example, if you want to price the 3pool in ETH, you should use the respective feeds for each token within the pool, which in this case would be DAI, USDT and USDC. As such, you would start using the DAI/ETH, USDT/ETH and USDC/ETH Price Feeds.
2. Get the Price Feed addresses for your contract
You can find each Price Feed and their respective addresses here. We also encourage developers to reach out to our integration team at [email protected] in order to get an in-depth introduction on the price feed mechanisms and the best ways to leverage them.
3. Query the latest price from each feed and take the minimum price
Once you have found the right addresses, you can get the prices from each feed as explained in this section of the Chainlink docs. After you have queried the prices, take the minimum value among them: min_value = min(price1, price2, …, priceN).
4. Get the virtual price for your LP token and multiply it with the minimum value obtained earlier
The virtual price in Curve is derived from the pool's invariant, which by default values every stablecoin at 1.00 USD. You can get the virtual price of each pool by calling its get_virtual_price function. Once you have this price, multiply it by the min_value obtained earlier: min_lp_price = min_value * virtual_price. Finally, add reentrancy checks when your contract calls get_virtual_price, as the Curve virtual price is susceptible to such an attack.
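Steps 3 and 4 as a contract sketch, added here as an example (it is not Chainlink's or Curve's own code). The contract name, the maxAge staleness window and the error strings are assumptions, and it assumes all feeds share one quote asset, for example ETH. The reentrancy check that step 4 calls for depends on the pool and is not shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example; contract name, maxAge and error strings are assumptions.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound);
}

interface ICurvePool {
    function get_virtual_price() external view returns (uint256); // 1e18-scaled
}

contract CurveLpLowerBound {
    ICurvePool public immutable pool;
    AggregatorV3Interface[] public feeds; // one feed per pool token, same quote asset
    uint256 public immutable maxAge;      // oldest acceptable feed update, in seconds

    constructor(ICurvePool pool_, AggregatorV3Interface[] memory feeds_, uint256 maxAge_) {
        require(feeds_.length > 0, "no feeds");
        pool = pool_;
        feeds = feeds_;
        maxAge = maxAge_;
    }

    // Step 3: min_value = min(price1, ..., priceN), each scaled to 18 decimals.
    function minFeedPrice() public view returns (uint256 minValue) {
        minValue = type(uint256).max;
        for (uint256 i = 0; i < feeds.length; i++) {
            (, int256 answer, , uint256 updatedAt, ) = feeds[i].latestRoundData();
            require(answer > 0, "non-positive price");
            // Reverts on a future timestamp (underflow) and on updatedAt == 0.
            require(block.timestamp - updatedAt <= maxAge, "stale price");
            uint256 price = uint256(answer) * 1e18 / 10 ** uint256(feeds[i].decimals());
            if (price < minValue) minValue = price;
        }
    }

    // Step 4: min_lp_price = min_value * virtual_price, in the feeds' quote asset.
    // The reentrancy check on get_virtual_price is pool-specific and not shown here.
    function minLpPrice() external view returns (uint256) {
        return minFeedPrice() * pool.get_virtual_price() / 1e18;
    }
}
```

The result is an 18-decimal value per LP token. Rejecting non-positive and stale answers keeps a broken feed from silently lowering or freezing the bound.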
You can now use the price we just calculated as a lower bound on the value of LP tokens in your applications, which is both reliable and resistant against any kind of flash loan attack. For any queries on this implementation, please contact us and we are happy to help you incorporate this reliable pricing mechanism into your application.