heidrian (@heidrian) • Hey
Publications
- Yesterday I finished the last of the 28 Ethernaut challenges from @openzeppelin.lens, which I started last week as a review to give the security module at the Web3 Bootcamp for Ewol Academy. Did it in Polygon Mumbai.
The challenges include console commands, building RPC calls, ethers.js scripts, and deploying custom contracts, to hack each of the 28 levels. In more than one case I had to fork on local hardhat or debug with Remix and Tenderly.
And the truth is that more than just a review, it was a learning experience, doing things that I knew in theory but had never done in practice, such as programming entire contracts in assembly (not just inline), writing direct bytecode, setting up multicalls or consuming data from storage.
Highly recommended for any Solidity dev:
https://ethernaut.openzeppelin.com
- I think the main lesson last week's events leave for DeFi is that an asset price oracle cannot be used so carelessly, if what is actually deposited is a bridged version, that is, a voucher for the real asset with counterparty risk.
Going forward, it will be required for oracles such as Chainlink or Pyth to quote WBTC_network/USD instead of BTC/USD, the same way in stablecoin markets they quote the stable itself and do not hardcode its 1 dollar value.
I think until that happens, DeFi teams should at least put together some fallback centralized oracle, to be ready for emergency switching if the bridged token is depegged.
An example of this problem can be seen today in Solend Protocol, which for BTC, for example, uses the Pyth oracle https://pyth.network/price-feeds/crypto-btc-usd, which continues to mark $16K instead of the $4K approx that the true deposited collateral (soBTC) is currently worth.
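
The valuation rule argued for in the post above, sketched as an added example that is not part of the original post and not Solend's, Pyth's or Chainlink's code: collateral is priced from a quote for the deposited token itself, with an emergency fallback quote and a halt when neither is available. The function names, quote shape, staleness limit and depeg threshold are all assumptions.

```javascript
// Added example. Names, thresholds and quote shape are assumptions, not any protocol's API.
const MAX_AGE_S = 60;      // assumed staleness limit for a quote, in seconds
const DEPEG_RATIO = 0.98;  // assumed: bridged/underlying below this is treated as a depeg

// A quote is { price: <USD>, publishedAt: <unix seconds> }.
function isFresh(quote, now) {
  return Boolean(quote) && quote.price > 0 && now - quote.publishedAt <= MAX_AGE_S;
}

// underlying: quote for the real asset (BTC/USD)
// bridged:    market quote for the deposited token (soBTC/USD), may be null
// fallback:   emergency quote for the deposited token set by the team, may be null
function valueCollateral(amount, { underlying, bridged, fallback }, now) {
  if (!isFresh(underlying, now)) {
    return { status: "halt", reason: "underlying feed stale", valueUsd: null };
  }
  // Price what is actually deposited: market feed first, emergency oracle second.
  let own = null;
  if (isFresh(bridged, now)) own = { price: bridged.price, source: "bridged-feed" };
  else if (isFresh(fallback, now)) own = { price: fallback.price, source: "fallback" };
  if (!own) {
    // Fail closed instead of silently reusing the underlying's price.
    return { status: "halt", reason: "no price for bridged token", valueUsd: null };
  }
  const ratio = own.price / underlying.price;
  // A voucher is never valued above the asset it is a claim on.
  const price = Math.min(own.price, underlying.price);
  return {
    status: ratio < DEPEG_RATIO ? "depegged" : "ok",
    source: own.source,
    ratio,
    valueUsd: amount * price,
  };
}

// Constructed sample using the figures from the post: BTC/USD at 16000, soBTC near 4000.
function demo() {
  const now = 1000;
  const underlying = { price: 16000, publishedAt: 990 };
  const bridged = { price: 4000, publishedAt: 995 };
  return valueCollateral(2, { underlying, bridged, fallback: null }, now);
}

console.log(demo());
```

A caller would block new borrowing against the token on `halt` or `depegged` and use `valueUsd` only for the `ok` case or for liquidation math.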