In May 2022, the value of Terraform Labs’ UST and LUNA tokens fell dramatically.  As a result of uncertainty about the current market value of these tokens, multiple DeFi projects were exploited by attackers, resulting in multi-million dollar losses.

Inside the Attack

DeFi smart contracts face significant challenges in properly pricing tokens to support trading.  Performing price calculations on-chain creates potential price manipulation vulnerabilities and leaves the contracts exposed to flash loan attacks.  As a result, it is considered best practice to use off-chain price oracles like Chainlink to accurately value tokens.

However, in exceptional situations like the LUNA price dip, reliance on price oracles can also create problems.  Due to the extreme volatility in the price of LUNA tokens, Chainlink froze pricing information for the token.  As a result, the price information provided to DeFi contracts for the LUNA token was significantly higher than the actual market value of the token.

Attackers took advantage of this discrepancy to exploit multiple DeFi projects, including Venus Protocol and Blizz Finance.  Venus Protocol lost an estimated $11.2 million in tokens, while Blizz Finance likely lost about $8.28 million.

Lessons Learned From the Attack

Venus Protocol and Blizz Finance followed best practice by using off-chain pricing oracles, protecting them against flash loan exploits.  However, reliance on a single, centralized source of price information can also cause problems.  In this case, once Chainlink stopped updating price data for the LUNA token, DeFi projects relying on the now-inaccurate pricing data were vulnerable to multi-million dollar exploits.
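
A consumer of the price feed can catch this failure by refusing to value collateral when the feed is stale or disagrees with a second source. The Python model below is an added example, not code from Venus Protocol, Blizz Finance or Chainlink; the thresholds, the second price source and all sample quotes are constructed assumptions.

```python
from dataclasses import dataclass

MAX_AGE_S = 3600         # assumed: oldest update we still trust
MAX_DEVIATION_BPS = 500  # assumed: max 5% gap between the two sources
BPS = 10_000

@dataclass(frozen=True)
class Quote:
    price: int       # micro-USD per token
    updated_at: int  # unix time of the source's last update

class OraclePaused(Exception):
    """Raised when no trustworthy price is available."""

def checked_price(primary: Quote, secondary: Quote, now: int) -> int:
    for name, q in (("primary", primary), ("secondary", secondary)):
        if q.price <= 0:
            raise OraclePaused(f"{name}: non-positive price")
        if now - q.updated_at > MAX_AGE_S:
            raise OraclePaused(f"{name}: stale, last update {q.updated_at}")
    lo, hi = sorted((primary.price, secondary.price))
    if (hi - lo) * BPS > MAX_DEVIATION_BPS * hi:
        raise OraclePaused("sources disagree beyond tolerance")
    return lo  # value collateral at the more conservative quote

def naive_borrow_limit(tokens: int, primary: Quote, factor_bps: int) -> int:
    # Trusts whatever the single feed last reported.
    return tokens * primary.price * factor_bps // BPS

def guarded_borrow_limit(tokens, primary, secondary, now, factor_bps) -> int:
    # Fail closed: no borrowing against collateral we cannot price.
    try:
        price = checked_price(primary, secondary, now)
    except OraclePaused:
        return 0
    return tokens * price * factor_bps // BPS

# Constructed scenario: feed frozen at $0.10 three hours ago, market at $0.01.
NOW = 1_700_000_000
FROZEN = Quote(price=100_000, updated_at=NOW - 3 * 3600)
MARKET = Quote(price=10_000, updated_at=NOW - 30)

if __name__ == "__main__":
    print(naive_borrow_limit(1_000_000, FROZEN, 5000))  # micro-USD
    print(guarded_borrow_limit(1_000_000, FROZEN, MARKET, NOW, 5000))
```

With the constructed quotes, the unguarded calculation still lends against the frozen price, while the guarded one returns a zero limit until both sources are fresh and in agreement.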

Rob Behnke
05.13.2022