Protecting Long-Tail Assets in Lending Protocols from TWAP Oracle Attacks
Most lending protocol hacks stem from smart contract vulnerabilities, with hundreds of millions of dollars stolen every year. Developers and auditors have become far more vigilant about the common attack classes, and protocols now go through multiple rounds of code review and run bug bounty programs. However, lending protocols also face economic attacks driven by market volatility and pricing failures such as depeg events and oracle manipulation.
To prevent these attacks, many protocols list only highly liquid assets and use highly trusted oracle providers, primarily Chainlink. Although most lending protocols do not use time-weighted average price (TWAP) oracles, they are one of the most accessible options. Many protocols, however, have not found a way to use these oracles safely, since they are generally riskier than the alternatives.
Uniswap V3 TWAP price oracles have been used by lending protocols such as Inverse Finance, Rari Capital and Euler Finance. Although Uniswap and its V3 oracles are referenced throughout this report, other TWAP oracles can behave the same way. These oracles have several advantages, such as being free to integrate and depending less on centralized parties, but their drawbacks have prevented widespread use.
There are many examples of oracles, TWAP oracles in particular, being manipulated, along with research explaining why these attacks succeed. The usual problem is insufficient liquidity at the oracle source, such as a Uniswap pool, which leaves any lending protocol that takes prices from that oracle open to attack.
The Euler Finance team has written reports on the subject, including Manipulating Uniswap v3 TWAP Oracles by Michael Bentley, and has released an oracle attack
Attackers will try to reduce the risk of failure by using a flash loan to complete the attack within a single block. Although a flash loan lets an attacker deploy far more capital than they hold, a flash-loan attack on a TWAP oracle is unlikely to succeed against a highly liquid asset within a single block: the TWAP averages the price over the whole window, so one block at a manipulated price moves the average only slightly, and the spot price would have to be pushed to absurd levels to compensate.
For example, Figure 1 below shows the cost ($598.85 billion) of a single-block attack with a 20% price impact on the USDC/WETH 0.3% fee pool. Because of borrowing limits such as borrow and collateral factors (the LTV ratio), attackers generally need to pump or dump the price by more than 20% for an attack to be profitable.
Minimizing the number of blocks the attack takes matters for two reasons. First, a flash loan must be repaid within the same block. Second, every additional block increases the chance that the attacker is arbitraged: traders notice the price discrepancy and trade the price back toward normal before the attack completes, cutting it short.
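To make the single-block versus multi-block trade-off concrete, the following Python is an added worked example (not code from the report or from Euler's tools). It reproduces the arithmetic behind a Uniswap V3 TWAP, which is the mean tick over the window and therefore the geometric mean of price, and from that derives how far spot must be pushed, and for how many blocks, to move the TWAP by a given amount. The 150-block window (30 minutes at 12-second blocks) and the 20% target are assumed values chosen for illustration.

```python
import math

# Added worked example, not code from the original report. Uniswap V3 stores
# cumulative ticks, and observe() turns them into the arithmetic mean tick over
# the window, which is the geometric mean of price because price = 1.0001**tick.
# Assumption: one observation per block, and every block in the window observed.

TICK_BASE = 1.0001


def price_from_tick(tick):
    return TICK_BASE ** tick


def tick_from_price(price):
    return math.log(price) / math.log(TICK_BASE)


def twap_from_ticks(block_ticks):
    """TWAP price as observe() computes it: mean tick over the window, then price."""
    mean_tick = sum(block_ticks) / len(block_ticks)
    return price_from_tick(mean_tick)


def twap_after_manipulation(spot, manipulated_spot, window_blocks, manipulated_blocks):
    """TWAP over window_blocks when manipulated_blocks of them traded at manipulated_spot."""
    honest = [tick_from_price(spot)] * (window_blocks - manipulated_blocks)
    forged = [tick_from_price(manipulated_spot)] * manipulated_blocks
    return twap_from_ticks(honest + forged)


def spot_multiplier_required(twap_multiplier, window_blocks, manipulated_blocks):
    """Spot move (as a multiplier) that must be sustained for k of n blocks so the
    TWAP moves by twap_multiplier. From the geometric mean: twap_multiplier ** (n / k)."""
    return twap_multiplier ** (window_blocks / manipulated_blocks)


def blocks_needed(twap_multiplier, window_blocks, max_spot_multiplier):
    """Fewest manipulated blocks when the attacker can afford to move spot by at
    most max_spot_multiplier and hold it there (k >= n * ln(twap) / ln(max_spot))."""
    return math.ceil(window_blocks * math.log(twap_multiplier) / math.log(max_spot_multiplier))


if __name__ == "__main__":
    window = 150  # assumed: a 30-minute TWAP window at 12-second blocks
    for k in (1, 10, 40, 75):
        mult = spot_multiplier_required(1.2, window, k)
        print(f"{k:3d} of {window} blocks: spot must move x{mult:,.2f} to lift the TWAP 20%")
    print("blocks needed if spot can at most be doubled:", blocks_needed(1.2, window, 2.0))
```

Holding the manipulated price for one block out of 150 requires a spot multiplier of 1.2 to the power 150, which is why Figure 1's single-block cost is astronomical; holding it for half the window only requires a 44% spot move, which is the multi-block attack the rest of the report analyses.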
Widely used assets such as USDC, USDT and WETH are generally liquid enough to make TWAP oracle manipulation impractical, especially with flash loans. This is most true on Ethereum mainnet, since most layer-2 and other chains have comparatively little liquidity. Lending protocols will generally use Chainlink price feeds for blue-chip assets in any case, because the cost of protecting these assets, which are usually the ones enabled as collateral, is well worth it.
Even when a large pool lacks sufficient liquidity, the many other pools on Uniswap and other DEXs create fast arbitrage opportunities. A price discrepancy between two highly liquid tokens across different pools will be corrected by traders taking the arbitrage, by bots, by aggregators, or most likely by the Uniswap Auto Router, which finds the best available price by splitting a trade across multiple pools. This means that if an attacker finds a lending pool with large deposits that uses a low-volume, low-liquidity Uniswap V3 pool as its oracle, the attack can still fail when other pools for that token have high volume and liquidity, because the next trade through the Auto Router will take the arbitrage. Success is harder still because the Auto Router can also split routes through other, unrelated tokens.
The same assumption can be made about low-liquidity, high-volume pools. Because of the low liquidity, the pool's oracle may look like a vulnerable target, but because of the notable volume, traders will keep correcting the price back to market value. An attack is therefore unlikely to succeed.
An attacker also needs to consider the liquidity distribution in Uniswap V3, where liquidity providers can supply full-range or concentrated liquidity. Full-range liquidity, which adds tokens on both sides across the entire price range from zero to infinity, increases the cost of an attack. Concentrated liquidity, a specific range that may be single-sided, can raise or lower the cost depending on the current price and how liquidity is distributed within the range. Wonderland CTO 0xGorilla goes into more detail on this in their article
A "safe" Uniswap pool does not need billions of dollars' worth of tokens spread across the full range for its price oracle to be safe. Consider Figure 1 above, where moving the price 20% costs $598.85 billion in a single block and still about $200 million across ten blocks. That pool has only about $70 million in total value locked. Its distribution is not purely full-range, however: much of the liquidity is concentrated, which can increase the risk.
The Euler oracle tool can also show that in this pool a $10 million trade would move the price down by roughly 14% at a cost of about $1 million, or up by roughly 56% at a cost of about $1.7 million. That may be concerning for use as an oracle, but this 0.3% pool would probably not be the main pool a lending protocol uses, since the 0.05% fee pool holds $129 million in TVL and $2.4 billion in 7-day volume, according to Uniswap data.
Users should be aware of the different liquidity distribution profiles to better understand the risk of depositing into lending protocols that use Uniswap V3 TWAP price oracles. The graphs in Figure 2 show the range of liquidity profiles a user may find in Uniswap pools.
The LP 1 graph below shows the liquidity profile usually assumed for Uniswap V3 pools. Liquidity (L) is concentrated around the current price (P) but tails off sharply on either side toward each of the two tokens, Token01 and Token02.
LP 2 shows a typical stablecoin profile, such as USDC/USDT, where liquidity is heavily concentrated within a few ticks of the current price.
LP 3 shows what a full-range pool looks like with no concentrated liquidity ticks.
The liquidity in LP 4 is concentrated on the Token01 side of the current price, which makes it expensive to dump but cheap to pump, while LP 5 shows the opposite.
If a lending protocol accepts both tokens as collateral, the attacker can choose to pump or dump in whichever direction is cheaper and more profitable. If one asset is isolated and cannot be used as collateral, the attacker can dump it for profit. There are other ways to profit by pumping an isolated asset, but they tend to be more complex, more expensive or riskier than simply dumping the isolated asset in an oracle attack, or they rely on other kinds of exploit.
LP 6 illustrates this: it would be cheaper to dump the token from the old price (P1) at Point A to the new price (P0) at Point B.
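The following Python is an added worked example, not code from the report or from the Euler oracle tool, covering both the liquidity-distribution point above and the pump-versus-dump choice. It walks a Uniswap V3 style pool from its current price to a target price across a list of positions given as (price_lower, price_upper, L), with price quoted as token1 per token0, and reports how many tokens the attacker must sell, how many come back, and the net cost of the manipulation valued at the pre-attack price. Ticks are skipped and ranges are given as prices directly; the sample positions (a thin full-range position plus a concentrated position just below the current price, in the style of LP 4) are constructed for illustration.

```python
import math

# Added example; not the Euler oracle tool or any protocol's code. Within one
# position of liquidity L, moving sqrt(price) from s_lo to s_hi needs
#   dx = L * (1/s_lo - 1/s_hi)   (token0)  and  dy = L * (s_hi - s_lo)   (token1),
# the standard Uniswap V3 identities. A range with no active liquidity is
# crossed for free, as an empty tick range is on Uniswap V3.

# Constructed sample: 1000 L across the full range, 9000 L concentrated in
# [0.8, 1.0), i.e. just below the current price of 1.0 (LP 4 shape).
SAMPLE_POSITIONS = [
    (0.0, math.inf, 1000.0),
    (0.8, 1.0, 9000.0),
]


def _active_liquidity(positions, sqrt_p):
    return sum(L for p_lo, p_hi, L in positions if math.sqrt(p_lo) <= sqrt_p < math.sqrt(p_hi))


def swap_to_price(positions, price_now, price_target):
    """Tokens the attacker trades to walk the pool from price_now to price_target.

    Returns (token_in, token_out, direction). 'dump' sells token0 so the price
    falls; 'pump' sells token1 so the price rises.
    """
    s_now, s_target = math.sqrt(price_now), math.sqrt(price_target)
    lo, hi = min(s_now, s_target), max(s_now, s_target)
    # Split the path at every position boundary it crosses.
    edges = {lo, hi}
    for p_lo, p_hi, _ in positions:
        for edge in (math.sqrt(p_lo), math.sqrt(p_hi)):
            if lo < edge < hi:
                edges.add(edge)
    edges = sorted(edges)
    dx = dy = 0.0
    for a, b in zip(edges, edges[1:]):
        L = _active_liquidity(positions, (a + b) / 2)
        dx += L * (1 / a - 1 / b)
        dy += L * (b - a)
    if s_target < s_now:
        return dx, dy, "dump"
    return dy, dx, "pump"


def manipulation_cost(positions, price_now, price_target):
    """Net loss in token1, valuing what was sold at the pre-attack price."""
    token_in, token_out, direction = swap_to_price(positions, price_now, price_target)
    if direction == "dump":
        return token_in * price_now - token_out
    return token_in - token_out * price_now


if __name__ == "__main__":
    for target in (0.8, 1.25):
        t_in, t_out, direction = swap_to_price(SAMPLE_POSITIONS, 1.0, target)
        print(f"{direction} to {target}: sell {t_in:.2f}, receive {t_out:.2f}, "
              f"cost {manipulation_cost(SAMPLE_POSITIONS, 1.0, target):.2f} token1")
```

With the LP 4 shaped sample, a 20% dump has to trade through the concentrated position and costs ten times as much token0 as a 25% pump costs token1, which is exactly the asymmetry the attacker exploits when choosing a direction.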
Users need to watch liquidity levels, liquidity distribution and trading volume whenever a lending protocol uses Uniswap V3 TWAP price oracles for its pools. The Uniswap pool most exposed to an attacker has low liquidity, low volume, liquidity concentrated away from both the current price and the attacker's target price, and no other pools for the token on Uniswap or other DEXs, or at least only pools built in the same thin way.
Long-tail asset pools generally have low liquidity and a low attack cost, but that does not mean low risk for the attacker. Low volume reduces the chance that arbitrage disrupts the attack, but liquidity may be highly concentrated and only a small number of tokens may circulate on the open market to carry out the attack with. That can make it impossible for the attacker to profit.
A multi-block attack is profitable only if the value of the tokens in the Uniswap pool is less than the value of the liquidity in the targeted lending protocol pool. Determining the Uniswap pool's value should also account for the cost of manipulating the oracle when the current token price is very high. The Uniswap pool may therefore be worth more than the lending pool, but if the cost of moving its price is lower than the value of the lending pool, the attack can still be profitable.
Once an attacker has determined that they can profit, they can work out whether it is more efficient to buy the tokens needed for the attack or to borrow them. First, they would subtract the cost of buying the tokens from the proceeds of selling them on Uniswap during the attack. This can be a loss due to slippage if they are simply trying to dump the price in a low-liquidity Uniswap pool. The problem may instead be that there are not enough tokens available to buy, or that the attacker lacks the capital to buy enough of them. The attacker must also weigh that the potential loss can be very large if buying enough tokens is expensive and the attack fails.
If buying tokens is too much of a problem, the attacker can borrow them from the targeted lending protocol or another one. Borrowing from the targeted lending protocol can reduce the attacker's costs, assuming nobody else starts attacking first. Because manipulating the oracle moves the price, borrowing tokens from the targeted lending protocol becomes progressively cheaper as the attack goes on.
Finally, the attacker will decide whether to minimize the number of blocks while putting more collateral at risk, or to run multiple rounds of borrowing and selling in order to use less collateral. The ideal case is to find the minimum collateral needed to steal the maximum amount of deposits. If the price reverts, or cannot keep falling toward its target, the attack can leave some or all of the attacker's collateral locked in the protocol.
We can calculate the potential profit assuming the attacker borrows tokens from the targeted lending protocol and sells them to manipulate the price oracle on Uniswap. To do this we need the lending protocol's constraints, such as borrow and collateral factors if it uses both, the amount of collateral that must be deposited, and the liquidity of the oracle pool.
Using the Multi-Block Attack
User Position 1 shows the maximum number of tokens the attacker can borrow against the collateral they have deposited. The attacker sells the maximum borrowed tokens into the targeted Uniswap pool and enters the proceeds and the new price in the Liquidate Round 1 section. User Position 2, and each further liquidation round, shows the new values after accounting for the collateral required against the value of the tokens borrowed so far.
The point of the additional rounds is to track how many tokens must be sold to achieve the desired price impact when the first round is not enough. Users can also determine how much collateral is needed to complete a profitable attack in as few sell rounds as possible. Further sections calculate the profit if the attacker abandons their collateral, or cuts the attack short in the final round and takes whatever profit or loss has accumulated.
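The round-by-round accounting described above, written as an added Python example rather than the spreadsheet itself (this is not the Multi-Block Attack Simulator's or any protocol's code). The attacker deposits USDC collateral, borrows the long-tail token T up to the LTV limit, dumps it into the oracle pool, and re-borrows at the lowered oracle price until deposits run out or the LTV limit binds; the walk-away profit is what was received minus the abandoned collateral. It also bisects for the minimum collateral that drains the pool, the "ideal scenario" of the previous section. Assumptions: the oracle pool is full-range Uniswap V3 liquidity, which behaves as constant product (x * y = L^2); the lending protocol prices T at the pool price after each dump, so blocks and arbitrage are ignored as the report's tool does; collateral is USDC at a fixed price; and the only borrowing constraint is LTV. The pool sizes, deposit book and LTV in the test are constructed numbers.

```python
# Added example; not the Multi-Block Attack Simulator or any protocol's code.
# Model: oracle pool = full-range Uniswap V3 liquidity (x * y = L**2) with
# token0 = long-tail token T and token1 = USDC; oracle price = pool price after
# each dump (TWAP assumed to have caught up); collateral = USDC at fixed price.


def simulate_multi_block_attack(pool_t, pool_usdc, deposits_t, collateral_usdc, ltv, max_rounds=50):
    """Borrow T against USDC collateral, dump it, re-borrow at the lower oracle
    price, repeat. Returns totals plus a per-round history."""
    k = pool_t * pool_usdc
    x, y = float(pool_t), float(pool_usdc)
    price = y / x                      # USDC per T, also what the oracle reports
    debt_t = 0.0
    received = 0.0
    history = []
    for _ in range(max_rounds):
        remaining = deposits_t - debt_t
        capacity_usdc = collateral_usdc * ltv - debt_t * price
        borrow_t = min(capacity_usdc / price, remaining)
        if borrow_t <= 1e-9:           # LTV exhausted or deposits drained
            break
        debt_t += borrow_t
        x += borrow_t                  # sell the borrowed T into the pool
        new_y = k / x
        received += y - new_y
        y = new_y
        price = y / x
        history.append({"borrowed_t": borrow_t, "cumulative_usdc": received, "price": price})
    return {
        "rounds": len(history),
        "tokens_borrowed": debt_t,
        "usdc_received": received,
        "final_price": price,
        "deposits_drained": debt_t >= deposits_t - 1e-6,
        # attacker abandons collateral and never repays the T debt
        "walk_away_profit": received - collateral_usdc,
        "history": history,
    }


def min_collateral_to_drain(pool_t, pool_usdc, deposits_t, ltv, max_rounds=50, iters=40):
    """Bisect for the smallest USDC collateral that drains every deposited T
    within max_rounds; None if even collateral worth the whole book cannot."""
    lo, hi = 0.0, deposits_t * pool_usdc / pool_t
    if not simulate_multi_block_attack(pool_t, pool_usdc, deposits_t, hi, ltv, max_rounds)["deposits_drained"]:
        return None
    for _ in range(iters):
        mid = (lo + hi) / 2
        if simulate_multi_block_attack(pool_t, pool_usdc, deposits_t, mid, ltv, max_rounds)["deposits_drained"]:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    # Constructed scenario: pool of 100k T / 100k USDC, lending book of 200k T.
    for ltv in (0.5, 0.8):
        r = simulate_multi_block_attack(100_000, 100_000, 200_000, 50_000, ltv)
        print(f"LTV {ltv}: {r['rounds']} rounds, borrowed {r['tokens_borrowed']:,.0f} T, "
              f"received {r['usdc_received']:,.0f} USDC, walk-away profit {r['walk_away_profit']:,.0f}")
    print("min collateral to drain at LTV 0.8:", round(min_collateral_to_drain(100_000, 100_000, 200_000, 0.8)))
```

With equal-sized pools the LTV decides the outcome: at 50% LTV the debt value tops out exactly at the borrow limit, the price never gets low enough to free more capacity, and the attacker only ever recovers their collateral; at 80% LTV the limit never binds, the whole 200k T book is drained in four rounds and sold for 66.7k USDC against 50k of abandoned collateral.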
Users can simulate different scenarios and build their own risk frameworks when working with lending protocols that use TWAP oracles. Combining the Euler oracle tool with the Multi-Block Attack Simulator gives a complete picture of the potential risk from both flash-loan and multi-block attacks. Users can also run many simulations to find the best risk parameters for a lending protocol, identify the token categories most exposed to oracle attacks, build early warning systems, and more.
Users can automate the spreadsheet with APIs or extensions, or build an application on the same calculations. The point of the spreadsheet is to provide a method anyone can keep using in the future, in case an API or application is removed, rate-limited or changed.
The focus of this tool is to improve risk awareness and give better protection to lending markets for long-tail assets, which most oracles do not cover. The tool also ignores arbitrage and the exact number of blocks an attack takes, and instead concentrates on calculating the potential cost and profit of a multi-block attack.
The Multi-Block Attack Simulator includes a user guide, the calculations and an example to help users. Please make a copy and edit the green cells on the Simulator tab.
Although there is great potential in creating lending markets for long-tail assets, it appears the risks of enabling safe borrowing may outweigh the benefits. Protocols should at the very least offer additional tools so users understand the level of risk involved. Long-tail assets such as memecoins, governance tokens and token launches confined to particular venues could benefit from lending and borrowing markets, but these tokens are also the most exposed to manipulation.
Efforts to unlock lending and borrowing for long-tail assets continue, including adding further oracles, borrow caps, isolated pools and withdrawal delays. Volatility controls are not certain to work on highly illiquid assets, because a controller likely cannot tell genuine price movements apart from moves intended to manipulate the oracle.
Several lending protocols have looked at fixed-term loans. The core problem of creating bad debt remains, however, and lenders must be willing to accept that risk. Although this research does not go deeply into that area, variable-rate lending protocols continue to dominate the market.
Potential solutions could look at Uniswap volume, liquidity distribution and token value to determine risk in lending and borrowing markets. Markets given a higher risk rating could be locked or closed until more liquidity is provided to the oracle source on Uniswap. Some of these factors were used in Euler V1's oracle rating system.
Other solutions are being developed, such as Uniswap V4 hooks, and updates and upgrades to existing protocols such as Euler V2 and Bunni. Price oracles may also work better with other kinds of extended exchange design, such as a Time-Weighted Automated Market Maker (TWAMM) or the order-book-based lending protocol described by Bedlam Research. Platforms such as Kamino Finance show a range of risk management measures including dynamic LTV, while other protocols including GammaSwap, Timeswap and Ammalgam offer oracle-less and other solutions.
Ultimately, if there is only one price source and it lacks the liquidity to support it, there is likely no amount of risk management that can make a lending protocol both safe and economically viable for its participants.