Securing DeFi: The Case for ZkOracles

I have always maintained that DeFi is in its experimental phase. Thus, when DeFi fanatics try to compare blockchain finance with TradFi, it translates as outright ignorance to me. Essentially, the purpose of my preamble is to highlight the inherent risks present in the ecosystem, pointing to the long and tortuous journey ahead of us if we must get things right, much less engage in comparisons.

Because two truths can co-exist, DeFi has come a long way. Since my arrival here, I have witnessed the highs and lows of the growing industry. While my participation was limited, my first watershed moment coincided with the 2021 bull run, when meme coins went crazy, led by the first dog-themed token, Dogecoin. And the heartbreaking moments reflected in periods I lost money trading futures and, particularly, losing four figures during the Nomad cross-chain bridge exploit. Every other exploit and hack the industry has witnessed, I either observed on the streets of Crypto Twitter (now Crypto X) or crypto media platforms like CoinTelegraph, but not as a victim.

Yet, it leaves me no choice (then and now) but to acknowledge that security is a missing catalyst to DeFi's 100x adoption. Hence, this piece focuses on the ZkOracle primitive and its key role in securing DeFi and restoring its declining goodwill.

What are ZkOracles?

TLDR: ZkOracles are blockchain oracles that leverage zkSNARKs and Zkproofs to trustlessly transmit data on-chain while ensuring privacy, security,, and cost-efficiency.

ZkOracles, known as zero-knowledge oracles, are an offshoot of blockchain oracles. Blockchain networks rely on oracles to access and import data from the real world. Such data could range from asset prices and weather information for insurance claims to IoT sensors for tracking goods in the supply chain and events in prediction markets.

In relation to DeFi, oracles have been most useful in the lending realm. Smart contracts play a key role in automating operations within lending protocols. However, smart contracts operate as a siloed and deterministic entity and are unable to integrate external or off-chain data by themselves, especially when this is important to executing instructions they are embedded with. For example, in prediction markets, smart contracts could not determine the winner of a prediction based on an event without leveraging an oracle that reports the outcome. But how do Zkoracles work?

Zkoracles improve on the inefficiencies of traditional blockchain oracles— some of which have affected DeFi in its entirety, contributing to an adoption blight. But one inefficiency that resonates more among these is security. According to Chainalysis, most exploits across the DeFi ecosystem have resulted from oracle manipulation risks, pointing to the vulnerabilities inherent in traditional oracles.

In 2022, oracle manipulation exploits accounted for over $400 million in stolen cryptocurrencies. The Mango Market exploit in late 2022 perfectly describes how traditional oracles could be manipulated by hackers for personal gain. Avraham Eisenberg, the black hat hacker, had manipulated the price of $MNGO, the native token of the Solana-based DEX and lending protocol, using his profit (from the short-lived inflated Mango price) as a collateral to obtain a loan valued at $116 million.

While the oracles Mango Market ($MNGO's price was transmitted to the protocol using the moving average of centralized exchange price feeds) functioned accurately, they were easily manipulable due to their centralized status. $MNGO's low liquidity equally contributed to enabling the manipulation as a relatively minimal amount was used to inflate its price. Although some lending protocols avoid listing assets with low liquidity, this is contrary to the essence of decentralized lending— part of which aims to enable the collateralization of long-tail assets.

How ZkOracles Work in DeFi Lending

Lending protocols rely on oracles to calculate collateral value, borrowing limits, interest rates, etc— all of which are important for the proper functioning of the lending process. As such, a miscalculation across any of these hallmarks could spell doom for a protocol, particularly lenders— a lender could be arbitrarily liquidated if an oracle misreports mjprice or his collateral value. Yet, while decentralized oracle networks like Chainlink attempt to circumvent this challenge through multiple data sources for accurate reportage, the cost of doing so is high, this means that the more nodes that query data sources and supply the prices to lending dApps, the more expensive the transaction to update the data on-chain becomes.

The reason for this is because each validator (node) has to sign a cryptographic message stating the price they queried, (i.e. ETH/ USD) for reporting into the Oracle to update on-chain. The more signed messages, the higher the cost of the Oracle transaction is because it contains more data (more signatures)

Usually, a few Oracle service providers try to avoid this by limiting the number of nodes (validators) on the Oracle network. But this also comes at a cost— security tradeoff, thus increasing the potential for manipulation.

Meanwhile, ZkOracles sidesteps all of these challenges without the need for tradeoffs— neither on security nor decentralization. ZkOracles prioritize data privacy, security, and cost-efficiency. For lending protocols, ZkOracles consult multiple off-chain data sources for asset prices or any other relevant data (wallet balances, transaction activity, collateral value, interest rates), performing as many off-chain queries as possible without incurring costs, unlike traditional oracles.

ZkOracles transmits the off-chain computation and ZkProof for it (which it generates with the help of zk-SNARKS) on-chain to the smart contracts on the protocol. The data is transmitted trustlessly and privately such that bad actors are unable to frontrun and manipulate. Despite the private transmission, a lending protocol's smart contracts can verify that the data is accurate using the Zkproof generated.

Securing DeFi with ZkOracles

ZkOracles belong to the category of decentralized fair oracles, which have been touted for their advantages, such as minimized manipulation risks as data obtained is tamper-proof. Moreover, they also create the window of opportunity for long-tail assets such as liquid staking derivatives (LSD) outside the dominating LSTs— Lido's stETH and Rocketpool's rETH to attain a collateralization status (users could deposit them as collateral to obtain loans). Examples of the less popular LSDs include ankrETH, frxETH, cbETH, swETH, and metaLSD, UnshETH.

Vitalik Buterin had expressed concerns regarding the threats stETH and rETH domination pose to Ethereum's decentralization, suggesting that stakers should begin staking ETH with other protocols. And regarding collateralization, most LSDFi (stemming from the concept that LSTs could attain other use cases such as lending and restaking) protocols (Lybra, Prisma, Gravita, etc.) prefer to onboard the dominant LSDs. In the same vein, major oracle providers require a $100 million and above TVL for any LSD to integrate their price oracle, shutting the door on the less-patronized LSTs.

However, the mechanism behind ZkOracles suggests that less dominant LSTs could aggregate prices in DeFi lending without depending on a centralized entity or meeting steep requirements such as having huge TVL or incentivizing liquidity. This precludes the possibility of manipulation, thereby reducing the likelihood of another high-impact exploit since Zkoracles cull data through different APIs with a Zkproof that shows that the prices fed to protocols are trustless and verifiable.

Final Thoughts

While oracles are one of DeFi's most important infra, they have also proven to be the industry's Achilles heel, given the number of exploits that have occurred from the attack vector in the past year. Although one may likely argue that the industry is still standing in spite of the exploits, I'm compelled to take a cue from Dan Elitzer's "Why DeFi is Broken" article, where he noted that "the frequency and severity of exploits are at least two orders of magnitude above what might be considered acceptable levels for mainstream adoption." Thus, that argument crumbles if we (DeFi folks) have our eyes set on mainstream adoption as a goal.

But mainstream adoption aside, ZkOracles preserve the ethos of decentralization that Lido's dominance appears to be threatening as regards Ethereum by enabling the less-dominant LSTs to gain market share and enjoy more utility on LSDfi protocols. Interestingly, as Dan Elitzer also suggested, I imagine that individuals and institutions could deploy ZkOracles for personal use on lending protocols, barring the need to depend on a general oracle and reducing the scope of damage in the event of an exploit (if the oracle of a user is compromised, any damage is limited to the user). I'd like to think of the integration of zkOracles into DeFi lending as killing three birds with a stone— privacy, decentralization, and security.

Abbreviations

ZKSNARKs - Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge

CDP - Collateralized Debt Positions.

LSDfi - LSD Finance

DeFi - Decentralized Finance

TradFi - Traditional Finance

LST - Liquid Staking Tokens

LSD- Liquid Staking Derivatives

Long-tail assets - Assets with low volume or liquidity

ankrETH - Ankr staked ETH

frxETH - Frax ETH

cbETH - Coinbase ETH

swETH - Swell ETH

stETH - Lido’s staked ETH