Review of Oracle Front-Run Attack on Qilin v1

On December 31, 2021, a user launched an oracle front-run arbitrage attack on Qilin’s v1 ETH-USDC trading pair. The attack started at 9:31 AM and ended at 7:12 AM in 2022. The attacker initiated 8 trades during this time period, with a total transaction value of $14 million with a 10x leverage. With an initial profit of $50,000, the trader paid a funding rate of $80,000 when the rebase funding rate was triggered.

The attack was carried out by front-running Chainlink’s oracle price feed. Qilin v1's perpetual contract trading is similar to PMM’s liquidity provision design, where an external oracle machine is used to feed the price, while LPs pool their liquidity to act as counterparties to traders. Qilin v1 uses the Chainlink free quote contract, and the details for quoting the contract are as follows.

1. Quotes every 2 hours.

2. Quote when the price movement exceeds 0.5%.

The logic of the arbitrageur’s attack this time was to open a position in advance with the Qilin v1 contract trade by front-running the Chainlink oracle quotes. Since the Qilin v1 contract has no slippage, the arbitrageur was able to earn an arbitrage profit with each front-run. By front-running the oracle with pre-opened positions, the arbitrageur earned a total of $50,000 from LP.

The Qilin v1 contract has a rebase funding rate mechanism that mitigates LP’s risk exposure by collecting funding rates from open positions to the liquidity pool. Since We use a liquidity providing provision design similar to the PMM model and base the risk measure on the size of unmatched positions between the long and short positions as LP’s counterparty exposure. The larger the ratio of unmatched positions to the liquidity pool, the greater the risk to the LP and the higher the funding rate.

In Qilin v1, the rebase funding rate mechanism is activated once every 8 hours. During the attack, the LP received a one-time funding rate fee of $60,000 from the arbitrageur when the mechanism was activated manually by the LP. This loss caused the arbitrageur to immediately stop the arbitrage and leave the market. The arbitrageur’s subsequent positions lost another $20,000 upon closing, ending with a net profit of $30,000 for the LP.

The core vulnerability lies in the latency of the oracle feeding delay and not the lack of slippage design. In V2, we have added a risk-adjusting slippage design.

In addition, although rebase funding rate mechanism recovered LP’s loss, it is triggered on an 8-hour basis. if the attacker closes their position before each trigger and re-opens the position, LP risk mitigation cannot be guaranteed. We have upgraded this in V2 accordingly as well:

1. Uniswap V3 TWAP is used for price feed in place of Chainlink’s oracle to address the latency issue.

2. A risk-based dynamic slippage is added.

3. Rebase funding rate is upgraded from the 8-hour basis to a per-block basis design to address funding rate escapes.

Rebase funding rate of Qilin:

https://medium.com/qilinprotocol/review-of-oracle-front-run-attack-on-qilin-v1-8ff713571885