🧵 Sophisticated Cosmos DeFi attack hits @Levana_protocol built on Osmosis - let's break down what happened👇
There are two kinds of oracles:
1⃣ Enshrined oracles (built into block production)
2⃣ Smart contract oracles (on-chain tx updates state)
In the case of 2⃣ off-chain services submit a tx every X number of blocks to update the oracle price of an underlying asset. Once updated, pricing is no longer stale, reducing the delta (difference between actual prices & oracle prices).
Protocols have a problem when using 2⃣ - the higher the frequency of updates, the greater the gas cost that is incurred to maintain accurate pricing. In Levana's case, non-attacking txs actually trigger an oracle update: this adds in nice defensive entropy as normal users are helping update the pricing for everyone. However, the clever attacker found a way around this via a congestion attack...
------------------------------------------------------
The Attack
------------------------------------------------------
1⃣ Spam txs such that no oracle update txs can get through (from either users or Levana infra)
2⃣ DDoS backend infra tied to regularly scheduled oracle update txs
3⃣ Have an intelligent system tracking the delta🔺between the stale data and the actual market pricing that is ready to get pushed
4⃣ Use a multiexecute tx to go long or short + update the stale data to market pricing - guaranteeing profit for the attacker as they know exactly what the stale price of the oracle is about to get updated to within their multiexecute tx while also comboing it with a long or short guaranteed to be directionally correct.
5⃣ Because the attacker was the source of congestion, they knew precisely where to submit txs such that they would get accepted by the nodes
------------------------------------------------------
Saving Graces
------------------------------------------------------
✅ Delta neutrality limitations of Levana made it so that the size the attacker was able to leverage was limited (resulting in only ~10% drained)
✅ Appears the logic for positions already opened was decoupled from new positions (I'm still figuring out this one, was briefly mentioned in the blog)
------------------------------------------------------
This is BY FAR (in my opinion) the most complex attack on a DeFi protocol in Cosmos to date. The Levana team responded rapidly, and are updating the protocol to be safe from this attack by decoupling the placement of orders from the execution of orders using a queue that awaits the next oracle pricing update before executing txs. This unfortunately creates a worse UX, but guarantees better security.
Overall, I think advances in L1 enshrined oracle services that are not on the smart contract level (but rather a part of regular block production) are going to be key to the long term DeFi security success of Cosmos.
My heart goes out to the @Levana_protocol team - this was a complicated & targeted attack. Looking forward to the protocol continuing to become more resilient. Building DeFi is not easy folks.
Apologies in advance if I misstated or missed anything.
$LVN $OSMO #Cosmos
https://t.co/0c6xZ4Ep1v
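As an added illustration (not code from Levana or from the thread's author), here is a toy Python model of the fix described in the thread: order placement is decoupled from execution, and a crank only fills queued orders once a fresh oracle price has landed. The class and function names, the staleness threshold and the sample prices are all assumptions.

```python
"""Toy model: atomic open against a stale oracle vs. queued execution after a fresh push."""
from dataclasses import dataclass, field


@dataclass
class Market:
    oracle_price: float          # last price pushed on-chain
    oracle_height: int           # block height of that push
    height: int = 0              # current block height
    max_stale_blocks: int = 5    # assumed staleness tolerance
    queue: list = field(default_factory=list)   # pending (side, size) orders

    def push_price(self, price: float) -> None:
        self.oracle_price = price
        self.oracle_height = self.height

    def is_stale(self) -> bool:
        return self.height - self.oracle_height > self.max_stale_blocks

    def open_now(self, side: str, size: float) -> dict:
        """Pre-fix behaviour: the position opens atomically at whatever the oracle says."""
        return {"side": side, "size": size, "entry": self.oracle_price}

    def queue_open(self, side: str, size: float) -> None:
        """Post-fix behaviour: placement only records intent; nothing executes yet."""
        self.queue.append((side, size))

    def crank(self) -> list:
        """Execute queued orders only when the oracle is fresh, at the fresh price."""
        if self.is_stale():
            return []
        opened = [{"side": s, "size": z, "entry": self.oracle_price} for s, z in self.queue]
        self.queue.clear()
        return opened


def pnl(position: dict, mark: float) -> float:
    sign = 1 if position["side"] == "long" else -1
    return sign * position["size"] * (mark - position["entry"]) / position["entry"]


def scenario(queued: bool, stale_price=100.0, market_price=110.0, congested_blocks=8) -> float:
    """Constructed scenario: the oracle sat at 100 while the market moved to 110."""
    m = Market(oracle_price=stale_price, oracle_height=0, height=congested_blocks)
    if queued:
        m.queue_open("long", 1000.0)
        assert m.crank() == []        # oracle stale, so the order does not execute
        m.push_price(market_price)    # price update lands; entry will be 110
        pos = m.crank()[0]
    else:
        pos = m.open_now("long", 1000.0)   # entry at stale 100 in the same tx as the update
        m.push_price(market_price)
    return pnl(pos, m.oracle_price)   # atomic: 100.0 guaranteed; queued: 0.0
```

Running `scenario(False)` reproduces the riskless edge the thread describes, while `scenario(True)` shows the queue removing it at the cost of a delayed fill.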
Privacy is a human right so we are happy to announce that Guy Garcia (@atlabs_) from @Shade_Protocol will enlighten us at #IberoAm talking about "The future of Web3 and private DeFi with Shade Protocol" 🤫
https://t.co/l5tq8rh5j9
@igcscrtnetwork @SecretNetwork @Web3Familia
@SecretNetwork @LegendaoNFT What's stopping me from creating fake accounts for the airdrop? Seems like a way to avoid doing the effort to grow their socials.