The recent hack of the Mango Markets decentralised crypto exchange has again raised questions about the robustness of pricing mechanisms within the market. Issues like these are causing much of the institutional capital which the crypto market knows it needs, to sit on the sidelines waiting for things to get better.
The attack on Mango Markets occurred using two accounts that were funded with USCD, a stable coin. These accounts took long and short positions in Mango perps on the Mango DEX. The attacker manipulated the price of MNGO on spot markets, which are used by Pyth, an oracle network, to draw data which is then used to make the MNGO price.
The profits that were made from the price manipulation activity were not realised, but instead used as collateral for a loan of around $100m in several tokens. The entire scam took around half an hour to complete. Mango has investigated the case and on 15 October said some assets were being returned to the DAO.
“DeFi hacks and exploits are among the worst possible adverts for the digital asset industry, which, let’s face it, can struggle with its reputation at the best of times,” said Ken Odeluga, Head of Research at CF Benchmarks. “It’s way past time we talked about the use of blockchain oracles as price sources for certain crypto tokens.”
Why oracles are important for Web3
Oracles are important to Web3 as they help to create hybrid smart contracts, where on-chain code and off-chain infrastructure combine to support advanced decentralised applications (aka dApps). These can react to real world events, and importantly they are supposed to interoperate with traditional systems. For example, an oracle can be used to provide off-chain market data which in turn informs the price of a smart contract.
Odeluga says oracles use less than watertight pricing methodologies which can have disastrous consequences for investors. In this case a blockchain oracle was being used to value the MNGO token. Pyth Network, which was responsible for the aggregate prices, is not using real time prices, but instead prices calculated within a specific window. This left it vulnerable to the original price manipulation attack.
Sacrificing accuracy for availability
Decentralisation brings with the lack of oversight, and this is where some of the issues with the Mango hack lie. Market participants are also sacrificing accuracy for availability.
“By averaging out your data you are creating opportunities for hackers,” says Jason Shubrook, CEO at Crypto Data Live. “If you are using multiple data sources, you iron out that risk of redundancy, but there is no proper oversight. Manipulation like this could not be achieved on a centralised crypto exchange.”
Crypto Data Live provides real time data on dozens of coins but does not take third party pricing. “We work hard to make sure these prices are correct,” says Shubrook. “We do all the due diligence on the data ourselves; if we mixed that with other sources, we’d lose the accuracy, and the oversight. People like the idea of no oversight until something like this happens.”