The evolving landscape of Decentralized Finance (DeFi) has raised critical security concerns, especially pertaining to Protocols for Loanable Funds (PLFs) and their dependency on price oracles, which are susceptible to manipulation. The emergence of flash loans has further amplified these risks, enabling increasingly complex oracle manipulation attacks that can lead to significant financial losses. Responding to this threat, we first dissect the attack mechanism by formalizing the standard operational and adversary models for PLFs. Based on our analysis, we propose SecPLF, a robust and practical solution designed to counteract oracle manipulation attacks efficiently. SecPLF operates by tracking a price state for each crypto-asset, including the recent price and the timestamp of its last update. By imposing price constraints on the price oracle usage, SecPLF ensures a PLF only engages a price oracle if the last recorded price falls within a defined threshold, thereby negating the profitability of potential attacks. Our evaluation based on historical market data confirms SecPLF's efficacy in providing high-confidence prevention against arbitrage attacks that arise due to minor price differences. SecPLF delivers proactive protection against oracle manipulation attacks, offering ease of implementation, oracle-agnostic property, and resource and cost efficiency.

翻译：去中心化金融（DeFi）的快速发展引发了重大安全关切，尤其是涉及可借贷资金协议（PLF）及其对易受操纵的价格预言机的依赖。闪电贷的出现进一步放大了这些风险，使得日益复杂的预言机操纵攻击得以实施，进而可能导致巨额财务损失。为应对这一威胁，我们首先通过形式化PLF的标准运行模型与敌手模型来剖析攻击机制。基于分析，我们提出SecPLF——一种旨在高效抵御预言机操纵攻击的鲁棒实用解决方案。SecPLF通过追踪每种加密资产的价格状态（包括最新价格及其最近更新时间戳）运行。通过在使用价格预言机时施加价格约束，SecPLF确保PLF仅在上次记录价格处于设定阈值范围内时调用预言机，从而消除潜在攻击的盈利性。基于历史市场数据的评估证实，SecPLF能够对因细微价差引发的套利攻击提供高置信度防护。SecPLF为预言机操纵攻击提供主动防御，兼具易于实现、与预言机无关、以及资源与成本高效等特性。