On February 16, 2020, at Ethereum block height 9484688, the DeFi protocol bZx was attacked. The attacker manipulated token prices across multiple DeFi projects to capture an arbitrage of $360,000 within 15 seconds. On February 18, 2020, bZx was attacked again at Ethereum block height 9504627: while bZx had shut down the Fulcrum platform for maintenance, the attacker traded through Synthetix and ultimately took $644,000 in revenue. These incidents shocked the entire DeFi industry, because none of the attacker's operations were technically difficult; they simply took advantage of the composability of DeFi products together with loopholes in bZx's own rules.
From the various technical analyses published afterwards, it is clear that one reason the attacks succeeded was bZx's own product vulnerabilities, while another vital reason was a weakness in the oracle, an important piece of DeFi infrastructure. bZx is a margin trading protocol: users pledge one currency as margin and borrow another under a certain leverage, with the exchange rate provided by an oracle. Before the incident, the oracle bZx used was provided by Kyber, a decentralized automated exchange. However, when liquidity is thin, the exchange price on an AMM-based decentralized exchange is easy to manipulate, and the attacker in this incident manipulated the relative price of WBTC to ETH through the Uniswap exchange pool integrated by Kyber.
From October to November 2018, after the EOS ecosystem took over from the Ethereum Fomo3D game, various Dice projects launched in the market. However, coin theft incidents also occurred frequently because of random number problems. Detailed analysis shows that, at present, neither Ethereum nor EOS officially provides a random number interface for developing lottery modules. Developers have to write their own random number generation functions, which typically take blockchain information as parameters and derive a random number after a series of calculations. However, because blockchain projects are basically open source and most random number functions take blockchain information as parameters, random functions using the same algorithm within the same block will always produce the same result. An attacker can therefore deploy an intermediate contract that keeps generating random numbers until it obtains a satisfactory one, and then collect the payout through that intermediate contract.
As an important piece of infrastructure connecting the real world and the encrypted world, Themis Oracle mainly targets scenarios such as random oracles, on-chain asset price oracles, and computational oracles for verifiable computing. Themis Protocol is a distributed oracle protocol that includes modules such as how to become a data provider, data identification and verification, an anti-attack algorithm, a verifiable random function (VRF), and an arbitration protocol.
For the random oracle, Themis mainly uses a VRF (verifiable random function) to produce its output:
The data provider uses the VRF to generate a random number and sends the result, together with pledged Themis native tokens, to the smart contract. Every submission has a limited verification period that starts when the data is submitted to the oracle. Data that has not been challenged by the end of the verification period is called effective data. Within the data's validity period it is dispensed on a schedule; once it is used up, subsequent requests are rejected. Validators can randomly verify the data supplied by the data provider and pass the result to the arbitration node, which arbitrates on the verification result. If it passes, it becomes the final oracle output. If it fails, the result is removed and the Themis native tokens pledged by the data provider are confiscated and used as a reward for the data validators and arbitration nodes. If the data supplied by a data provider becomes the Themis Oracle output after verification, the provider is awarded Themis native tokens.
The working principle of a VRF can be understood as a hash function combined with asymmetric key technology. A conventional hash function such as SHA256 maps its input to a 256-bit value, which can be used to check whether two pieces of data are equal. An ideal hash function has a discrete, uniformly distributed range: given different inputs, its outputs should look irregular and randomly distributed across the whole range.
There is also a simple variant of the hash function, namely a hash combined with a secret key, such as result = SHA256(secret, info). With this function, knowing info alone is not enough to obtain the result; you must also know the secret before the final result can be calculated.
A VRF (Verifiable Random Function) is a hash function combined with asymmetric key technology, such as result = VRF_Hash(SK, info), in which SK is a private key that is kept secret, while PK, the public key paired with SK, is disclosed to the validators.
The specific operation process is as follows:
1. The data provider generates a pair of keys, PK and SK;
2. The data provider calculates result = VRF_Hash (SK, info);
3. The data provider calculates proof = VRF_Proof (SK, info);
4. The data provider submits the result and proof to the data validator;
5. The data provider submits PK and info to the data validator;
6. The data validator checks that result = VRF_P2H(proof); if this holds, it continues with the following step, otherwise it stops;
7. The data validator calculates True/False = VRF_Verify(PK, info, proof), True means the verification passed, False means the verification failed.
Verification passing means that the proof was generated from info and that the result can be recomputed from the proof; from this the validator deduces whether info and result correspond to each other and whether there is a problem with the data supplied by the data provider. Throughout the process the provider never discloses the private key SK, yet the validator can still determine whether info and result match.
Given that effective random number generation cannot currently be performed on the blockchain, Themis Oracle, which focuses on random numbers, will provide external data support for the various DApps built on random numbers, securing the core algorithmic mechanism of such DApps.
For on-chain asset prices, Themis has designed a complete mechanism to ensure the authenticity of the final oracle price:
1. The data provider mechanism. Anyone in the Themis ecosystem can become a data provider, setting the price and the pledge size themselves, but the data provider must pledge Themis native tokens to the smart contract when submitting an asset price. Any validator who believes the price is problematic can raise a challenge and flag that price. The arbitration node then arbitrates: it determines the quotation time from the block in which the quote was made and queries the true price on the current leading exchange at that time. If the difference between the price supplied by the data provider and the true price exceeds the threshold, the data provider loses the pledged Themis (ERC-20) tokens, which are used as ecological rewards. A malicious data provider who wishes to influence the final oracle output by abusing this role would need to use many data provider identities and pledge a large number of native tokens to manipulate the price; thanks to the data validators and arbitration nodes, such a provider loses all the pledged native tokens and the submitted false price information is discarded.
2. The data validator mechanism. For the data supplied by any bidder, a validator can raise a challenge and submit it to arbitration. To improve Themis's pricing efficiency and punish malicious validators, Themis Protocol requires every validator to pledge native tokens and to supply a new price and asset when raising a challenge. To amplify the attacker's cost, the staking size of each round is the previous round's staking size multiplied by a factor. The factor is usually a fixed constant, but the Themis ecosystem can adjust it according to actual operation. Taking a factor of 2 as an example: if the initial data provider pledged assets of size n1, then a validator who challenges the price must pledge n2 = 2n1, and if the price is challenged again the next pledge becomes n3 = 2n2 = 4n1. This means the cost for a malicious validator to sustain a desired malicious price grows with every challenge round, until they lose all pledged assets. Under this mechanism a validator either contributes correct data or loses an increasing number of pledged native tokens after challenging, and other validators on the market will inevitably step in for arbitrage and data correction.
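The seven-step exchange above, written out as an added example (not Themis code): a toy RSA full-domain-hash VRF, the same structure RFC 9381 standardises, with VRF_Proof, VRF_P2H, VRF_Hash and VRF_Verify as separate functions so the validator's steps 6 and 7 can be run with only PK, info, result and proof. The primes, tag string and info value are constructed for illustration and give no real security.

```python
import hashlib

# Constructed toy RSA parameters: two Mersenne primes, far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537

def keygen():
    """Step 1: the data provider generates the key pair (PK, SK)."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))   # private exponent
    return (n, E), (n, d)               # PK, SK

def _hash_to_zn(n, info):
    """Full-domain hash of info into Z_n; the tag is a constructed domain separator."""
    digest = hashlib.sha256(b"THEMIS-VRF|" + info).digest()
    return int.from_bytes(digest, "big") % n

def vrf_proof(sk, info):
    """Step 3: proof = VRF_Proof(SK, info), an RSA signature over H(info)."""
    n, d = sk
    return pow(_hash_to_zn(n, info), d, n)

def vrf_p2h(proof):
    """Proof-to-hash: the random output is derived from the proof alone."""
    return hashlib.sha256(proof.to_bytes(32, "big")).hexdigest()

def vrf_hash(sk, info):
    """Step 2: result = VRF_Hash(SK, info); deterministic for a fixed key and info."""
    return vrf_p2h(vrf_proof(sk, info))

def vrf_verify(pk, info, proof):
    """Step 7: the validator checks the proof using only PK and info (never SK)."""
    n, e = pk
    return pow(proof, e, n) == _hash_to_zn(n, info)

def validator_check(pk, info, result, proof):
    """Steps 6 and 7 as the data validator runs them: stop early if result != P2H(proof)."""
    if vrf_p2h(proof) != result:
        return False
    return vrf_verify(pk, info, proof)
```

A provider cannot choose a "satisfactory" result by retrying: for a fixed key and info there is exactly one proof that verifies, so the output is fixed once info (for example a block identifier) is fixed.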
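The price challenge game from points 1 and 2, modelled as an added example (a hypothetical simulation, not Themis contract code): each challenger must pledge a multiple of the previous round's stake, and the arbitration node compares every quote with the reference price at quote time, confiscating the stakes of quotes outside the threshold. The factor of 2 is the page's example; the threshold, the reference price and the rule that the latest surviving quote becomes the oracle output are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Round:
    party: str      # data provider or the challenging validator
    price: float    # quoted price
    stake: float    # MIS pledged in this round

@dataclass
class PriceDispute:
    factor: float = 2.0        # escalation multiple (page example: 2)
    threshold: float = 0.02    # assumed: max relative deviation tolerated by arbitration
    rounds: list = field(default_factory=list)

    def submit(self, provider, price, stake):
        """Round 1: the data provider quotes a price and pledges n1 MIS."""
        self.rounds.append(Round(provider, price, stake))

    def required_stake(self):
        """n_k = factor * n_(k-1): the next challenger's minimum pledge."""
        return self.rounds[-1].stake * self.factor

    def challenge(self, validator, price, stake):
        """A validator questions the last quote with a new price and a larger pledge."""
        need = self.required_stake()
        if stake < need:
            raise ValueError(f"challenge needs at least {need} MIS, got {stake}")
        self.rounds.append(Round(validator, price, stake))

    def arbitrate(self, reference_price):
        """Arbitration node: forfeit stakes of quotes outside the threshold and
        share them among the honest parties in proportion to their pledges."""
        honest, forfeited = [], 0.0
        for r in self.rounds:
            if abs(r.price - reference_price) / reference_price > self.threshold:
                forfeited += r.stake
            else:
                honest.append(r)
        honest_total = sum(r.stake for r in honest)
        rewards = {r.party: forfeited * r.stake / honest_total for r in honest}
        final_price = honest[-1].price if honest else None   # assumed selection rule
        return {"final_price": final_price, "forfeited": forfeited, "rewards": rewards}
```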
Token Economy
Themis ensures that Themis Oracle data is authentic and reliable by establishing data providers, data validators and arbitration nodes, together with the corresponding token reward and punishment mechanism. MIS is the native token of Themis Protocol; it is mainly used as the pledged asset and incentive for data providers and validators to supply and verify data in the ecosystem. It is also the asset that external data callers pay to retrieve Themis Oracle data, and that revenue is distributed proportionally to data providers.
The total supply of MIS is 1 billion, of which 10% is reserved for initial project promotion. The remaining 90% is produced by mining; specifically, 75% is awarded directly to data providers, 10% to developers, and 5% as rewards for arbitration nodes and ecological incentives. Mining output decreases over time and is released per ETH block. Themis has also designed an accumulation reward mechanism: the arbitration node randomly designates some proposals as incorrect data from data providers. When a validator challenges such data, the system does not punish the data provider, and the accumulation award is triggered to reward the data validators.
Mining economy
90% of the total MIS is produced by mining: 75% goes to data providers and data validators, 10% is awarded to developers, and 5% is used as arbitration node rewards and ecological incentives. Mining officially opened with Ethereum block 1051499. The initial reward for developers, arbitration nodes and ecological incentives is 25 MIS/block, and the initial reward for data providers and data validators is 20 MIS/block.
Every 4 million blocks, the MIS awarded per block is reduced by 10%. The reward per block at present is 20 MIS.
Miners acquire MIS by providing verifiable random numbers or quoting the price of on-chain assets. Whenever miners call the mining contracts, the system charges no service fee (excluding the ETH transaction fee). Miners must pledge a certain amount of MIS, at least 100, whenever they call the contract.
The MIS mining reward for each of a miner's mining transactions is computed as follows:
First, the number N of MIS mining rewards included in the block that packages the mining transaction is worked out. If the height difference between that block and the last block containing a mining transaction is y, then: N = y × 20
This means that if no mining transaction occurs for a certain period, the first new block containing a mining transaction acquires all the MIS rewards accumulated since.
In this way miners are motivated to keep mining, which maintains the stability of the Themis ecosystem.
Here X is the rank of the MIS pledge quantity within that block; those pledging the same quantity of MIS share the same rank.
Assume that there are 12 mining transactions in a block; the ranking by the MIS pledged in each transaction is:
The coin-holding ranking uses a jumping-rank weighting algorithm rather than a weighted average of users' coin holdings, in order to prevent MIS from being controlled by a minority or monopolized, to break up large holders, and to realize a community win-win for Themis as far as possible.
Users in the best ranking band receive the most benefit, which is a sound mechanism for attracting more users to participate in mining. It also helps disperse data providers, ensuring the decentralization of the oracle system.