July 7, 2021

Flash Loan Attacks On The Blockchain



Utsav Jaiswal is joined by Sam Kim, Founding Partner at Umbrella Network, and Miguel Morales, Technical Advisor to Umbrella Network, to talk about flash loans on the blockchain. They discuss how flash loan attacks happen, the implications of flash loan attacks on the finance market, and the relationship with the blockchain. 🔦

On this episode of The HackerNoon Podcast, Utsav talks to Sam and Miguel about flash loans:

  • What is a flash loan attack? 💥 (02:37)
  • Is there a world where the communications can be streamlined that ensures pricing is always fair? 💰 (06:53)
  • Do I need to be a programmer to take out a flash loan? 🧑‍💻 (10:11)
  • What happens when people like Elon Musk tweet about certain coins? Also, what the hell is a Floki? 🐥 (18:24)
  • Can flash loan attacks be traced? 🕵️ (27:34)
  • Why would people use Oracles? (38:22) And is there a use case for Oracles and the Binances of the world? 👀 (43:50)


READ TECH STORIES AT HACKERNOON.COM 🦄

Transcript

Yeah, so hello everybody. This is the HackerNoon podcast. And today we will be discussing flash loans, flash loan attacks, how they happen, what are some of the implications that can lead to certain catastrophic results in the financial world, and who are some of the people who are fighting against flash loan attacks and preventing them?

So, without further ado, I'd like to introduce Sam Kim, who is the founding partner at Umbrella Network, which is a decentralized oracle. For those of you who don't know, oracles basically are the window through which blockchains communicate with the outside world. We also have Miguel Morales, who is the technical advisor to Umbrella Network, and together we'd be going into how these flash loan attacks happen.

Whether it be on Ethereum or on the Binance Smart Chain, as we spoke about, and what are the underlying mechanics, and what makes it possible. We would go deeper into all of that. But first let's pass the mic to Sam Kim and let him tell us what he has been doing for the past few months.

Hey Sam, welcome to the podcast. 

Hey, thanks for having me over on your podcast. Excited to be here. It's a great and topical topic that we're covering right now, and hugely important, given all the things that have been going on in the market with these flash loan attacks. I think this is a real issue that we've got to address and get out in front of, 'cause they're going to continue to happen going forward.

I think the past couple of months we've been focused primarily on getting our oracle out to market, because we think that a strong, thriving oracle that covers a broad number of assets is the best way to fight these oracle attacks, these flash loan attacks. So excited to talk about this.

Definitely. Definitely. And we'll be looking forward to that. Now let's go over to Miguel. So Miguel, does a flash loan attacker look like you, or does he look like something very different, like Sam?

Yeah, I don't know. They're probably not as good looking as me. I don't know. But I'm kidding. I'm kidding, obviously, but yeah.

Yeah. My name is Miguel Morales. I'm a technical advisor here at Umbrella, and yeah, our job is pretty exciting: to be able to architect and build products that solve these challenges, because, as we're going to discuss, they're largely an oracle problem that can be largely solved.

So it's just exciting to be here.

So let's start with the question. Let's ask Sam first: if you could explain what a flash loan attack is at its essence. Like, how do you explain a flash loan attack to your mom? That's something that I love to ask everybody. Like, how do we explain things to your mom?

And if you can do that, like you can explain it to the wider world very easily. 

Yeah. I think the way I've been explaining it in layman's, real-world applications: think about your mortgage, right? If you take out a home loan, one of the first things the bank does is appraise the value of your home, right?

And based on the amount that the house is appraised at, it determines how much you can borrow from the bank and how much money you can collect. And if you want to borrow more than you are qualified for, you can't. And if you can figure out a way to manipulate that appraised value, imagine that in a world where that's done through software, and if you

can get to that algorithm and manipulate it such that your home, which may be worth a hundred thousand dollars, all of a sudden gets appraised at a million dollars. You're going to be able to access far more cash from the bank, right? At the same time, imagine if you have an outstanding loan and somebody manipulates the value of your home to decrease, right, from, let's say, a hundred thousand to 25,000.

Now there's a potential that your mortgage will get called and you will have to pay back some of that money that you borrowed. That's not the case here in the US in general, but in other markets that is a real possibility. And so that's what people are doing. And that's the arbitrage they're trying to enact. The flash loan is the mechanism by which they are manipulating those prices, right?

The value of USDT, the value of USDC, or any other crypto asset they borrow through a flash loan, which I think maybe Miguel can talk to a bit, but basically through a flash loan they get access to a bunch of capital and manipulate the price of a crypto asset such as USDT, USDC, or an altcoin in order to take advantage of that altered value in another marketplace, in a secondary market from where they manipulate the price.

That answered a little bit more than what a flash loan is, but the two go hand in hand,

right? Exactly. So let's go over to Miguel. And Miguel, Sam brought up this point where it says that the price of USDT or the price of USDC can be manipulated. For the layman,

what this means is that people just manipulated the price of the US dollar. I guess only the Fed has the right to do that, or at least the Fed has the power to do that, or maybe the people who have their money printers. How does that translate into the blockchain side? Because when it comes to blockchain and cryptocurrencies, people tend to believe that once it's on the ledger, it's live. How are people manipulating the price of something like that? Break it down for the layman.

Yeah, absolutely. So at the end of the day, there's still smart contracts. You could argue that it's not really a hack per se. I mean that this is the way that the system and smart contracts are supposed to work, the way that they're coded and the way that it works. At least in some of the earlier flash loan attacks, it was: the attacker, right,

initiated a flash loan, and then they went and used that flash loan to do, let's say, a big trade between a crypto pair on Uniswap or Curve or whatever. And so because of that large transaction, the way that these decentralized exchanges work, it moves the price significantly.

Particularly if it's a small pool, small liquidity, it's going to shift the value significantly. And so for that point in time, even if the value quickly shifts back within the next few seconds, within that one transaction the value of the asset would change dramatically. And so within that transaction, then the value changes, the price changes, and then that's where you can manipulate and do other things.

But that's essentially how you do it: you just make a large trade on a pair that has a smaller pool, and that really changes the

price. Got it. Do you think that there is a role that the Uniswaps or the SushiSwaps or the Binances of the world can play to prevent that? Or is it just that it's two systems communicating and there needs to be a layer on top, like the oracles that you guys are building? Is there a world whereby the communications can be streamlined, maybe a secure pipe that makes sure that the pricing is always right

and fair?

Yeah. Go ahead. 

I was going to say that any single market can be manipulated. There's not a market out there big enough that it's not subject to a potential attack. Like we saw with Coinbase Pro, we saw with all the other exchanges that we've been talking about.

And if you look at even the larger centralized financial world, like if you look at the NASDAQ, when there was, I forgot the name of the hedge fund that was liquidating assets rather rapidly, they single-handedly depressed the price of the NASDAQ equity market. Which, if you think about the sheer size of the NASDAQ market, its capacity, that's remarkable.

Yeah. Any single market is vulnerable, and therefore, to your point, having that additional layer where an oracle comes in and looks across the entire market and judges the price not from a single exchange but from all of the exchanges, that is the most viable way to protect against these things. Because how does a flash loan work in such a way as to manipulate the price across all of those exchanges?

And so I do believe this layer of oracles that sit on top of these exchanges is critical.

So Miguel, before you guys bring the Umbrella Network onto mainnet, tell me, how do I take out a flash loan? I want to borrow a billion dollars. Like, how do I do that?

I don't know about a billion, but you can borrow a lot of money, and it's exciting.

I think it's really cool. It's one of the things that really makes blockchain different, right, from traditional finance. And so, for example, the most popular library out there is Aave. And so Aave, for example, has a smart contract library, and you can develop your own flash loan code.

So it's an API that they give you. So within your Solidity smart contract, you call it and you say, I want this amount of tokens, and a few extra parameters. And then that contract, the Aave contract, has some callbacks, and it calls back to your contract to make sure that everything happens within one transaction.

And so you just have to implement these callbacks in your contract and then use the Aave SDK to call Aave, and then you can have access to millions of dollars of any token without any collateral and only paying a small fee. Another thing you can do is through DEXes.

So Uniswap, I believe, has a way of doing a flash loan, and PancakeSwap does. And there's a few other ones, but Aave, I think, is the most popular one. And so you essentially have a library that you can use to write code that borrows millions of dollars, and you can use it within that transaction for eight seconds.

That's exciting. Yeah. 

Got it. So two questions there. Do I need to be a programmer to take out the flash loan?

I would say that if you want to be successful at it, 'cause you have to monitor, let's say you do an arbitrage, you have to monitor different pairs for this arbitrage opportunity and then act on it.

I think if you want to be good, yeah, you have to know how to program and how to make the smart contracts that use the flash loan. Now, I think Aave has a front end, so you can do these things on the front end, via a dashboard, a graphical interface. But I think that's so much less powerful than code.

So to answer your question, you don't have to, but to get the most power out of it, you have to be a developer. Yeah.

Got it. So all of those people who watched some YouTube video saying, "Learn how to take out a flash loan in five minutes": learn to code first. But coming back to my second question.

So how long do I have from when I take out the flash loan before it needs to be paid back? Like, how long is it?

It's hard to answer your question; it would be every time a new block is minted. So you have access to those funds for, what, 23 seconds or so. And so you essentially have that long, but from the point of view of a computer, it has to be done immediately.

So all the code gets executed sequentially, and it's similar to a database. So if you guys are familiar with a database, you can do what's called an atomic transaction. And atomic means that everything has to succeed or nothing succeeds. And so if there's a step that fails, the whole thing rolls back to the original state.

And so you have that amount of time. So let's say on line one you borrow. At the end, you have to give it back, and you can enforce this with code. And so you have that amount of time between when you borrow it and when you give it back to do whatever you need to do. So you can call other smart contracts.

You can do arbitrage, you can do swaps, you can create tokens, you can stake tokens, whatever you want to do within those lines of code.

Now let's go back to the entrepreneur. So Sam, what about the opportunities that you would like to leverage? If you get Miguel to take out a flash loan for you, you have eight minutes, eight seconds.

I think we would have to turn off the cameras and mute and discuss that. No, of course. I wanted to emphasize one of Miguel's points earlier, that I guess the word hack is not the word for us to use, right? Hack suggests that somebody broke into the system, right? This is all smart contracts, and in most cases they were audited.

They were just operating the way they were designed. It's more of an exploit.

In the earlier days of these flash loans, I was more careful to call it an exploit rather than a hack. But I've probably strayed from that just because they've become so commonplace. But yeah, look, there are more every day. I think we're seeing variations of the original flash loan hack or manipulation.

And we started to see them on non-Ethereum chains, and obviously Binance; we started to see them in Binance Smart Chain applications. We're also starting to see them in liquidity pool attacks: rather than attacking the price of a stablecoin, now they're going after the liquidity pool pricing.

And then who knows where this goes next. But what I do know is that Umbrella and oracles in general are well-positioned to safeguard against these attacks. And one of the things that we should always be looking at is: how are the projects that you're staking or farming with preventing these attacks? Where are they getting their price feeds? Are they looking to a single exchange? Are they looking to an oracle that's diversified? Those are the things that we should be looking at. And that's where my attention is, rather than how should I take advantage of these flash loans.

I know why you say that, right? Because you and I are millennials, right? So, at least as the scientists say, we are more prone to following the rules of the law, being more, how do I say, compliant. But then this newer generation that YOLOs on the GME stocks or those other stocks,

like they don't have those hangups like we do. So they would, possibly, and I use the word loosely, use it in a more creative fashion. But do you think that there is a shift in terms of what people think of capital these days? In our times, at least, it used to be capital means whatever you have saved up, and then you invest it, then you buy a house, then you invest in some stocks or whatnot.

And then you see all of these things like futures and so on. Or is there a world by which all of these tactics like flash loan attacks or whatnot could become more commonplace and become something that everybody accepts as a part of the system? As some would say, if you are smart enough to pull it off, why should you be penalized?

You did not break any laws. 

Yeah. I think your comment on capital and people's thoughts around capital, how it's different: I was taught to first save money, start with your retirement accounts, get a nice stock and equity portfolio going. And then when you have some money, do some higher-risk investing, whether it be a stock portfolio or crypto. And even within crypto, you start with Bitcoin and Ethereum, you've got a nice base there. Then you look at altcoins, right, that can give you higher returns. And then the big one after that. And then only then do you go for these really far-out ones. But it seems like it has flipped a little bit, where a lot of money is coming in and bypassing that; rather than starting with Bitcoin and Ethereum and keeping their assets there, they're jumping right into these meme coins and, yeah, the potential, in their opinion, for outsized returns.

And I'm not here to talk negatively about meme coins or any of these, but I'm just saying that the return profile and the risk-return profile, those are quite different. And it seems like that has become more commonplace, and yeah, to me, it's a little bit unusual to go with that and go there first.

The world is very different than when I was starting off my career. It's almost, in some ways, understandable. But having said that, should everybody as a result now be jumping into the flash loan business? No, because we have a social contract with one another, I believe, to look out for each other.

And it's not written in smart contract code, but it is a social contract that we all have with one another. And taking from somebody is not costless. It's meaningful for somebody else to have that loss. When you do these flash loan attacks, there are victims, right?

There are absolutely victims. And I think, being on the internet and being in crypto and everything being done on Telegram, I know sometimes we lose sight of the fact that there's a person on the other end. I think at the same time, as an industry, we have to recognize this problem and we have to take the steps to mitigate or prevent them.

In most cases we know how to do it. And the problem is just that oracles today aren't supporting every single crypto asset that needs to be supported, right? The top 50, top hundred crypto assets maybe are getting full support, but beyond that, there's a lack of oracle-level support.

And that's where Miguel and I are extremely excited, because that's where we're focused. We're focused on the rest of the crypto assets. While we do support BTC and all the other top 50, 100, it's also the middle of the market. Their tokens and their assets deserve to be protected just as much as everybody else's.

And so we're really excited about that, and we've been working really hard, in large part, to solve that.

Got it. So when you talk about oracle-level support for these cryptocurrencies, people get that for the first 10, 50 or a hundred. And then you say that you have it for a much larger number.

How do you guys factor in people such as Elon Musk, who today tweeted, "I'm going to name my Shiba Inu Floki," and people were looking for what the hell a Floki is; is that a coin? Even the price of Shiba Inu and Dogecoin, those guys, like they call him their father, so even that price rose.

So while the rest of the cryptocurrency market was falling, Dogecoin rose by something like seven to 8%, Shiba Inu by 12%. I did not look into whether Floki actually exists as a coin, but I don't know, there were people searching for it on Twitter. So how does Umbrella Network factor in these externalities, or these extraneous factors?

The purpose of an oracle isn't to tell you what the market value of a token should be; it's what it is. What is the value without the external manipulation? So what I mean by that: when Elon Musk makes a tweet that drives up the price of Doge or any other coin, right, those are real market moves.

You're seeing that move across all of the exchanges wherever it's traded with some real liquidity. And therefore that is the present value, the true economic value, of that token, as opposed to if the price of a token is manipulated through non-economic means on one exchange; that is an outlier.

And so what we're trying to do is protect against those outlier manipulations. And so if nine out of 10 exchanges show a similar price and this one is an outlier, we shouldn't let that one outlier that's trying to manipulate the market alter our view of what the price of that token is.

Right? And so drop that value and focus on the other nine that are more in line and more consistent with one another. But it isn't designed to, we didn't design this to Elon Musk-proof crypto pricing, right? It would take something far more innovative than that to do that one.

And that makes a really interesting discussion on what exactly constitutes manipulation, because when Elon Musk does it, it's in the open system, right? It's not in a closed system. But when these flash loan attacks happen, they happen within a closed system, within various smaller markets or very small areas where the price gets manipulated, which is not in agreement with what you would call the price of the larger market.

So having said that, let's go back to Miguel. Miguel, could you walk me through one of these examples of a flash loan attack? Explain maybe the Harvest Finance attack or the BurgerSwap attack, so that we could maybe understand what are those sequential transactions that happen?

Because from a layman's standpoint, if I am sending, let's say, one ETH, the second I hit the send button, I'm praying to God I did not, pardon my French, mess up the public key or my own private key or whatnot. I don't know. I'm just praying, and unless you give me the confirmation that it has been sent, I would not trust it easily.

But when you look at these flash loan attacks, it goes over a whole series of steps. Walk me through one such attack. Maybe that will help us all understand it better.

Yeah, absolutely. So I'll try to keep it high level. Some of these attacks are pretty complex. And it's really interesting, because they can do all these things within one single transaction.

So Harvest Finance, right? Like one of the classical flash loan attacks.

May I interrupt you over here? What do you mean when you say within a single transaction? Does it mean within the same block? Or how do you explain that to somebody who doesn't get it?

Yeah.

It's essentially within the same block. Yeah. But even then, you cannot send two transactions to the same block and have them relate to each other. You have to do it all within that one entry in the block. So it's every block, and then within an entry in the block. So you have to do it within that window.

Yeah. So that's essentially a transaction: it has to happen within the block, and it has to happen within an entry in that block. And every entry in a block is called a transaction. Yeah. Gotcha. Okay. Yeah. So essentially, let's say I initiate, let's say I write a smart contract that does all these different steps.

Like first it borrows the flash loan, then it creates a new liquidity pool, creates a new token, adds to the liquidity pool; all of that you write up first in a smart contract, and then you deploy that smart contract, and then you initiate a transaction on that smart contract.

It's not like your transaction has the code. You have already deployed the code, but you have a transaction that initiates the code and executes the code. So just getting a little bit more in depth there.

Please do, this sounds very interesting. Like, you can create your own token during a flash loan attack?

You can. And that's what the BurgerSwap one did. So yeah, you can create your own token, you create your own pair, which is interesting, and your own pool, and then add to that pool. So that's the BurgerSwap one so far, but let me take a step back into the Harvest one, 'cause that was really simple, really easy to understand.

So the Harvest Finance one, essentially, the attacker moved the price of the burger token by initiating a large trade on, it wasn't Uniswap, it was Curve, I believe, Curve or Uniswap. And so they execute a transaction and they moved the price, and Harvest Finance was using the price of the burger token

that was being defined in, I think it was Curve, let's say Curve. So they're using that price that's defined on Curve, which is wrong. And we've seen some of this drama, like we've seen Hayden from Uniswap, Chainlink, right? Like, why do you need Chainlink?

The problem with using just a DEX to get your oracle data is these problems, right? So that's why we need an oracle or something, not just a DEX. You need an outside source. That's the big problem of using DEXes as an oracle. So essentially Harvest Finance was using Curve as an oracle to get the price of the burger token.

So when the attacker manipulated the price, they were able to execute the exploit on the Harvest Finance side and then withdraw the tokens. At a high level, that's what happened. Yeah. Now the BurgerSwap one, that one's really complicated. So essentially, all within the same transaction, the user first borrowed the money, then created a new token, just a fake token out of thin air, created a new liquidity pool for that token in BurgerSwap,

and then added all that WBNB into that pool. Yeah. And so they're doing all this, and then that shifted the price of Burger. So they created the pool and, yeah, they used the fake token pair, but this was also an exploit, because they exploited some of the code: they were able to manipulate what the smart contract thought was the reserve, the total reserve.

And so this basically altered the price of the Burger token dramatically. And so from there, now they moved the price and now they're able to swap. So they swapped the fake tokens for the WBNB from their own pool that they created.

And then from that, yeah, that's crazy, from that they basically were able to swap the remaining for Burger through BurgerSwap. And then from that they received the WBNB. And then from that they swapped the remaining BNB to more Burger, and then finally, at the end, they repaid the flash loan.

So very complicated, and this is very high level. So all these different, like seven or eight, steps that I just described happen all within that one transaction. If you go to the transaction, you can see all these different token transfers that are happening. And it's really interesting how the tokens are moving; pretty complicated.

Yeah. 

Wow. It is complicated even when you try to break it down. Okay. Going back to Sam. So let's say that you have all of that money from the flash loan attack. But it's still on the blockchain. It can be traced where it went. You could use all of the mixers of the world, you could convert that to Monero or whatnot, but your money would still be tainted.

It can be tracked. It can be flagged. Is that the reason why some of these people choose to return the money, which has been reported way more than I would have expected? I heard about a flash loan attack, and a few days later they returned the money. I'm like, what were you doing it for? I don't know.

But what is your take on things? Can it become untraceable, in the way that the powers that be in this centralized world think of all cryptocurrencies as untraceable money that will be used for all sorts of things, that will finance terrorism or whatnot? Or is it something that can be tracked?

Yeah, look, I think the talk about crypto enabling all sorts of bad actors is so overblown, as if these things weren't happening before.

Exactly. They want their dollars to be used, 'cause their friends do.

And just like you said, great, go ahead, use these traceable tokens. Sure. Like for an FBI agent, that's the biggest favor you could do for them.

Just, oh, let me create this permanent paper trail of where I took the money and where it's sitting and all the hops in between. That's fantastic. But why do people give it back? One reason: we're seeing some of these negotiated settlements. And I think

they're almost in the category of the benevolent hackers. We do need to identify these potential exploits, but that's why we go through audits, which are very time-consuming, not to mention expensive, but they're worthwhile because we want to have the best code out there possible. And so is there a role for an ethical hacker?

I do think there is. And how do we facilitate that in a way that's not damaging to the project, especially to the people who have their tokens and their assets locked up with that project? Nobody wants them to be damaged. And so how do we create a way for that?

And I think we, as a community, that question is being asked more and more, and I've seen projects who are helping to facilitate the interaction between ethical hackers and the projects. I think the ones that return the funds, some of them do it purely because they want to show how smart they are and how they feel about their own skills.

And, hey, more power to them. Yeah, obviously if they return the money, everybody would appreciate that. And then there are the ones that find some way to negotiate it, where they take the offer of the project to return the funds for a certain amount. I think those are all fair compromises.

So we as a community grow and figure out a longer-term solution to this, 'cause we do have to have audited code, battle-tested design and architecture. At the same time, we need a way to identify these in a way that's not damaging or harmful to the broader community.

That is very sound. Let's get a technical perspective on this one from Miguel. About two to three years ago, when there were mostly centralized exchanges, there used to be a vetting process where you could pay a huge sum of money to get listed, or there was a vetting process where you paid a lot of money and got listed.

So in that world, there used to be at least a layer of security as to the exchange listing a token. It would make sure that the token was backed by the right people or not; they would make them jump through hoops and pay a lot of money. How does that compare with the current scenario, where pretty much anybody can list a token on the DEX, as the BurgerSwap guys did? Is it that we need a balance first, which can be said about pretty much anything in the world, or is it that the financial chaos of the DEXes should be allowed to continue unabated and, let's say, order appears out of chaos?

I am being poetic. Okay. 

Yeah. Yeah. Yeah. It sounds good. That's an interesting question. I personally got into Ethereum and blockchain not because I had heard about Bitcoin, but it was really Ethereum, like Solidity, like unstoppable code that really got to me.

So from a philosophical point of view I prefer DEXes, right? Anybody can just go and create a pair. Anybody can go and create a pool. Like the attacker did for BurgerSwap and listed it, and then, and I guess people put in the wrong addresses sometimes, and I'm terrified of that too.

I was like, please let me make sure that I put in the right address. But that's the consequence, right? You can make it akin to other things: it's a lot of power and a lot of things can go wrong. But I think it's just like any sort of progress.

I think we're progressing and we're figuring out these little kinks and how to fix them. And I think being an Oracle is a very important part of that, cause we're solving these issues, how to use them, yeah. I get it that the centralized exchanges are more secure, but then you got to think of other things like keys, and they hold your keys. That's not really, you're not holding that, they can get that. So there's all kinds of other problems. Yeah, I liked that because I think it revolutionized, particularly like Uniswap and the way that liquidity pools work, the sort of the order book, like it was just, it's amazing.

Yeah, I think Miguel is, I absolutely agree with Miguel. We all got into this because of our belief in decentralization and autonomy over your own assets. All these things. And then they'll be on the code and I think what people do is people lose sight of just how new all of this is exactly.

This is, it's at the stage where it's so early, yes, there are mistakes that can be made. There are things you have to be careful of. There are scammers out there pretending to be some other tokens at vulnerable times. Like what a project ideas like this. Yeah.

That happens. That is. And I'm not saying that those are all okay. Okay. And those are things that we should live with and back it up. I hope we address that in the future. Definitely. No, but it's so early. Like we're just, we're still crawling. It's just that we've gotten a lot of attention, but it's still a very early stage for DeFi, for DEXes.

And then relative to centralized exchanges, if you think about a centralized exchange, they've been around forever outside of the context of crypto, they've been around for an eternity. Yeah. I like where we're heading, I think we're going to solve a lot of these things over time. It doesn't mean that these aren't problems, but it's problems that I think as a community we're going to address. We're early, give us all a little bit of time to mature.

dad financially.

And I guess this is a larger question on how it affects you. Oh, it's made like, when, let's say that the first guy who got murdered, maybe enough people got together and said, okay, whatever is wrong, we're going to penalize that all Scott. It would be nice if there was a God. I hope that is, I don't know, but okay.

I don't hope that is, let me be honest. Let's say that if there was a God who gave out all of those commandments, God be like, okay, thou shalt not murder, but whoever, it would obviously be great if he could have that in blockchain, but we don't. And we are developing laws, ethics, and rules as we go forward.

It was very heartening to see you and the Ethereum and the Classic split happen, great VR there. And VR took that modern literature on that. We were take that back. So yes, we have models, ethics and them and so on and so forth. Let's move. Guess I'm sorry, go ahead.

Yeah, I would just, on your analogy, I think it's akin to having free will, we as humans have free will. So even if we had those commandments, we could have the same guidelines, right, in blockchain, but it doesn't mean that we have to follow them. So I think I prefer free. And I think it's the same in the code. Like you can have the freedom to use the best guidelines, using a proper Oracle or not, and get hacked.

Yeah. Got it. Speaking of Oracles, like how do you guys envision a goal of the future where Oracles can prevent these attacks from happening and then some? Like, break down Oracles for us. Like we understand them just from what we saw in that movie called 300, or maybe for those of us who read history. How do you explain Oracles?

I'll take the higher level and Miguel maybe can dig a little deeper, but at a high level, basically what an Oracle does is take data that's off chain and bring it and make it available for blockchain applications to use that data, which they can't access otherwise. But bring it on chain in a secure way to make sure that they're free of manipulation, that they're not manipulated in such a way that they can be used to create exploits and attacks.

So in the sense of crypto, what we're doing in crypto pricing, we're taking the price of, right now, 1200 different assets from multiple sources. We analyze that data to come out with the definition of the current market price and send that to the users of our data. Another example would be something like the score of a football match or a basketball game, right?

We want to take the data that's available in the API world or in the centralized world and make that data available for blockchain applications, for prediction markets as an example. How do we make sure that during that process that data is not manipulated? And we do that through our consensus system.

In addition to that, where Umbrella is a little bit different is that Miguel and I, as we mentioned, we got into this, obviously like everybody else, because we believe in decentralization, right? We believe the more people that are running our software, running the applications on multiple nodes, and the more they reflect the community and not insiders, the more secure it is.

And therefore we put the operations into the hands of our community validators so that they are running the code, and we provide an incentive mechanism for them to do that during our consensus process. And so that's how we ensure that security and, yeah, that's what we do as well.

Miguel, I'd like to switch questions a little bit for you. Let's take the case of Harvest Finance. Actually, explain to us, how does an Oracle prevent that attack from happening? Or maybe something like that?

Yeah. Yeah. So that one, it's pretty straightforward, as something that we support now.

And basically Harvest Finance shouldn't have been using a DEX, a single DEX, as their Oracle. And the solution there is just to swap out literally like one piece of code and to use a proper Oracle, right? So like in Umbrella, what we do is we provide the developer choices, so we can give you the spot price or time-weighted price, the mean, median, average, whatever you need.

And then we take those from multiple sources. We can use centralized exchanges like Coinbase, CryptoCompare, whatever. And then we take various sources to make sure that there's no manipulation. For, let's say, we're reading Uniswap, and somebody manipulated the price of an asset on Uniswap. Then we have other sources of information that we're going to use to detect the outlier, and essentially just ignore that outlier. And so as, let's say, Harvest Finance, all you have to do is use a good Oracle that uses multiple sources to reinforce their data.

Yeah. So in the example of Harvest, they attacked the price of USDT on Curve, right? Wow. And Harvest was referencing the price of USDT on Curve. That was the only source, so they were a hundred percent dependent on the price feed from Curve for the price of USDT. Whereas if they were to rely on Umbrella, Curve may have been one of the sources, but we have multiple other sources.

I look at the price of USDT. If we're looking at, let's say, five different sources for the price of USDT, and there's an outlier on Curve, we would ignore that price and then rely on the others that are more consistent. In some other cases, in the case of some other Oracles, they're taking the median or the mean, but either way, an Oracle is either diluting or eliminating the impact of the manipulation of a single source.

Perfect. 

So two questions here, Sam. One, how does that, the Oracle problem, I, why is not everybody using Oracles right now? What was the point of using it? It sounds funny now, maybe that's hard. Okay. It's decentralized. What can happen? We have a smart contract, audited, and I don't know.

I think there are two things. One is, first, these were early days of DeFi and I don't think everybody was aware of these vulnerabilities, but now we are. And so why isn't every project using an Oracle? And that's a really good and legitimate question. At first, for a lot of Oracles, getting data on chain is very expensive, by far, from the original existing Oracles. If you look at what they're basically doing, it's taking one piece of data and writing that on the blockchain as a single transaction. As gas and the price of crypto assets have gone up, that transaction became very expensive.

Three. Yeah. Not to go into specifics, but we've seen it go as high as $200, $300 for a single transaction to get, let's say, the price of ether/USD on chain. Wow. That's incredible. So what are you going to do? You're going to figure out ways to limit how often you update that price.

And then number two, you're not going to support as many assets as you should necessarily. Hence, you're going to support a hundred, maybe 200. Maybe you're going to update the price of stablecoins only once a day, or if there's some wild price fluctuations, maybe then, but you're not going to update it regularly.

And so for projects, one, the first thing I have to ask is, is the token price that I need supported by an Oracle? And many times they don't. And so they look for alternatives, which often tend to be a DEX or something like that, which leaves them vulnerable. Number two is, if it is supported, is the price updated frequently enough?

And so if I have a lending platform or some other form that needs to check the price of the asset regularly, it doesn't help me if the price is only updated once a day, even once every hour, right? Like, it may need it more frequently. And so that's why projects still today may not be using an Oracle.

And we hope to solve that, that is what we're solving. You need a price, tell us, we'll support it. There's no incremental cost for us to support additional crypto assets. Number two, we're updating at a very high level of frequency, one to three minutes, for all of the price feeds, right?

Not just the ones that we deem worthy of being updated frequently, but really all of them. And we're excited to put this into the hands of developers and really eliminate the excuse that anybody has for not using an Oracle, because we'll support it, we'll support any crypto asset that you want and need.

And number two, we'll update it frequently so that you have live data to run your project. Yeah, that's my take on it. 

Interesting. Interesting. Let's take a step back in time and let's think about the order books, right? Every large cryptocurrency exchange still mostly goes by the order book.

Is there a use case for Oracles with the order book? Or more aptly, or more bluntly, as I would ask, like, is there a world where the Binances of the world or the Coinbases of the world get Oracles, or is their order book good enough?

That's an interesting question. A centralized exchange that's using an order book, you could potentially see them using it in some of the pricing if they're pricing alternative assets. But I think in terms of spot trading of crypto assets, yeah, I don't know that an Oracle would play a role in there.

But we'd be happy to take their price feeds. That'd be a great source of data for us. But in terms of other areas that they do business in, things like options and futures, there could definitely be a role for an Oracle in there.

Because correct me if I'm wrong, Miguel, order books are also closed systems, right?

Whatever it is, the price of Bitcoin on Binance is different than knowing, like, what is the supply and demand of Bitcoin on their order book? And the same can be said about Coinbase. So are these not closed systems? Can they not have some sort of an attack that we don't have a name for, a flash attack, because of the, see, I don't know.

Yeah, but there's also the volume. Like if you put an order book, right, in a decentralized smart contract, volume becomes a problem, and liquidity and all of that, especially for smaller pairs. I don't know if the order book model would work.

I don't know if you can build an exchange on the order book model and then advertise it if you're a centralized exchange. Yeah. You're using an order book and I don't think it's not vulnerable, right, to a flash loan attack. A, because it's not decentralized, it's not connected to these smart contracts, and B, it's you set your ask price, yeah.

You're paying what the ask price is. So the quiet ask. This comes from this fact back. When you think about order books, you automatically think about two things when it comes to crypto: one, wash trading, and two, like liquidity management, or as they call it, market-making. Once you factor in all of those, like non, let's say I've put into a store ledger topic bark, like something that isn't exactly reflective of the demand of a particular crypto.

How does that work?

Yeah, it looks out. I, and this is what you're saying about the kind of the wash trading, and that is, let's face it, it's very common in our industry. I've looked at tokens with just unbelievable trading volumes on exchanges that you and I probably have never heard of.

And then nobody we know has that, okay. Is that a problem? Yeah. And there are probably lots of false orders in there. But if you look at the depth, I'm aware one of the more interesting things that could happen is looking at the depth of these markets and using that as a variable in the Oracle feed.

And so that may be. 

Cause when I'm going with the sisters, I believe that the centralized exchanges are registering to watercolors. I fear that somewhere down the line we'll see massive attacks on all of these centralized exchanges, like Binance. And we wouldn't be none the wiser and we would again be thinking, okay, should I have used?

I know at anyways, I guess I'm sorry to go ahead and again, no, 

I'm just thinking, I think it's going to be interesting in some of the future attacks that you could potentially do with a flash loan, right? Right now we'll just talk about arbitrage and other stuff, but I'm just going out there, but let's say you're a proof of stake system.

Maybe you're Ethereum, right? Let's say I can borrow a crap load of ether and stake it and then submit a bad block. Maybe there's other systems that have on chain purposes. You just pick out a bunch that takes the middle bad block and then remove it. I don't know.

So these are just things that are going to be interesting. I think flash loans are going to be

like, now you're talking my language. Yes. What's the next star died that you are going up for love Miguel. Let's hear about it.

No, I think that was it. Yeah. The others I'll just keep to myself for now.

Gotcha. Gotcha. So yeah, with that, let's call it a wrap. It was very wonderful having both of you with us. Thank you for joining the HackerNoon podcast, Sam and Miguel. And now we'd like to give each of you a few minutes to speak directly to the HackerNoon community.

Yeah, what's, start first off. Thanks for having both Miguel and myself here. It's been an exciting ride since we started Umbrella back in September of last year. And we have, obviously, since then conducted our IDO. We've pushed out, we've developed our product into Testnet on both Ethereum and Binance Smart Chain.

And I'm really excited to announce that we're going to be on mainnet next week. We'll be first starting with Binance chain. And to the community out there that's developing product, talk to us. Like, we love to help you guys secure your projects to make sure that you're not vulnerable or susceptible to these types of attacks and all the other ones out there, and work with us early, right?

Like, I think one of the things that we're seeing is that a lot of products are tackling their Oracle challenge at the end and are finding it very difficult. What they should be doing is designing with an Oracle like us in mind from the beginning to make it stronger, and come see what we can help you do.

Like all the things that we've learned with other projects that we work with, with the community at large, and we look forward to engaging with you guys. I think we have a great roadmap ahead, from expanding from Ethereum into other chains such as Polygon and Solana coming up.

And we're really excited for the future, not just for us, but for the crypto community at large. I think we really started the ball rolling, and this is going to be an unstoppable force and I can't wait to see what we do together. Give us a call, hit us up, and we'd love to work with you.

Natalie. Thank you, Miguel. Do you have any parting words for us? Oh yeah, for sure. Yeah. First of all, thanks Utsav for having me, and then Sam, I definitely agree. And it was a fun, so it was a fun chat. Yeah. I'm really excited about Umbrella. I really believe, as a technical advisor, that we're just better, we're ahead, and we're real, right?

Like you can see our product, you can go and use it. We're about to be on mainnet. And that's huge. Like we see some of these projects that just never even got to the real stage. We had that, we have other Oracles that have been around for a while. And you've heard of OCR, off-chain reporting.

I think that's cute. But we're like miles ahead of that. So I'm really excited about Umbrella and hopefully we can continue to execute and drive that community and become more decentralized. And I definitely want to encourage developers who are watching, we have our SDK that's open and live.

You can use the different types of data. You can see all the data points, you can request data from us directly so that we add the data point that you want into the system, especially now that it's a smaller community, you have a much higher likelihood of getting your data point in there quickly.

Yeah. I just want to encourage developers to check out the SDK, to start developing apps and just really test drive it.

Got it. Thank you very much. And we'll be leaving a lot of links, with the Umbrella likes taking portal time, the developer documents, in the link to this episode. And there's this developer challenge that is happening with the Umbrella network, right?

If you develop an app on their BSC mainnet or the Testnet, you could win a lot of money. We will leave links for all of that in the description below. And with that, let's call it a wrap. Thank you guys, everyone, for joining the HackerNoon podcast.