AltcoinCryptocurrenciesEthereumHackersNewsSmart Contracts

Sophisticated Trading Bot Exploits Synthetix Oracle, Funds Recovered


When Ethereum-based synthetic asset issuance platform Synthetix, which allows users to mint and trade synthetic currencies in a peer-to-peer fashion, lost track of more than 37 million synthetic Ether (sETH) on June 24, the company stopped all trading on its platform. While users only lost trading access for 24 hours, the event led to trades with 1,000x profits equalling $1 billion in less than an hour. The Australian-based company’s synthetic currencies provide access to the value of certain currencies, including Bitcoin and Ether. The platform says it makes it easy for users to hold Bitcoin and Ether, without needing a crypto wallet. 

Synthetix crypto-backed synthetic asset tokens are priced against the euro, Japanese yen, Korean won, Australian dollar and gold. Launched in the summer of 2018, Synthetix also has a stablecoin that tracks the United States dollar. Since Synthetix users trade assets that are representations of their underlying assets and track the prices of those assets, if a user trades sUSD into sBTC at $10,000 per BTC and the price goes up to $12,000 per BTC, they can trade that back into $12,000 of sUSD, making a profit of $2,000 sUSD.

The idea of synthetic digital currencies is not exclusive to Synthetix. Abra offers a service whereby users can receive exposure to any fiat currency (e.g., USD, EUR, PHP) or cryptocurrencies other than Bitcoin (e.g., XRP, DGB) that Abra supports via smart contracts on the Bitcoin and Litecoin networks. If a users deposits 1 BTC into an Abra wallet and then decides to buy 10 XRP with it, Abra creates a smart contract guaranteeing the right to 10 XRP. The user can then exchange the 10 XRP back into BTC, and Abra calculates the amount of BTC the user gains.

An oracle is to blame

Essentially, oracles are used in blockchains to verify real word information and then report back the finding to the blockchain, triggering an implementation of smart contracts. In this case, a Synthetix oracle, responsible for providing external data to Synthetix’s smart contracts, transmitted false data on June 25, which a bot took advantage of. No funds were really “lost,” according to the company. One bot owner’s balance was inflated due to an incorrect sKRW price feed, which he then converted into an inflated amount of sETH. According to Kain Warwick, the founder of the platform, all the sETH were recovered, and the situation has since been resolved. The company contacted the owner of the arbitrage bot that unintentionally hacked the oracle and agreed on a bounty deal with him in order to return the funds. Warwick told Cointelegraph:

“It was a tense negotiation, but because the profit they had made in these trades is backed by SNX collateral there was insufficient collateral to cover the profits, so there would have been no way to cash out these gains. We paid them significantly more than our largest open bug bounty which is $2k, but significantly less than their nominal profit of several billion dollars.” 

The most surprising thing was the level of sophistication the bots employed to target the oracle. According to Warwick:

 “While there have been bots using the system for several months now, recently they have improved significantly. This particular bot was able to take advantage of the mispricing issue immediately, and exploit it repeatedly.”

The bot owner’s balance was inflated due to an incorrect sKRW price feed, which he then converted into an inflated amount of sETH, a synthetic asset that tracks the price of Ether by plugging into an oracle-backed price feed.

The error led to an API on the platform to report a price 1,000x higher for the rate of the Korean Won (KRW). Synthetix’s private price oracle misreported the price of KRW. The oracle had taken an average of just two remaining prices due to an earlier unrelated outage. According to the platform’s founder, there were a number of issues leading to the event. Warwick told Cointelegraph:

“Two API’s had different independent outages simultaneously, and our error handling and aggregation logic failed to handle this. The pricing error was intermittently setting the rate for KRW to 1000x more than it actually was. And this happened multiple times within a one hour window. Each price error increased the bot’s trading profit by 1000x, so after three cycles the bot had made over $1b.” 

Synthetix’s forex rate feeds have most major currencies, but they were only using three API’s for less utilized currencies like the Korean won. Warwick also believes the fact that a trader could generate so much profit so quickly speaks to both the strengths and weaknesses of the Synthetix platform: 

“Because there are no counterparties traders can make very large trades with low slippage, which means the system can handle large trading volume, potentially billions of dollars per day given the current throughput of Ethereum. But the profit potential is constrained by the SNX collateral in the system (currently around $30m USD) so profits are also effectively capped to the current total value of SNX.”

According to Synthetix, the platform has added additional redundancies to its price feeds and a more efficient exception tool to prevent errors of this type.

Source link

Show More

Related Articles

Leave a Reply