Understanding Oracle Attacks and Manipulation. Knowledge is Power!

By Michael @ CryptoEQ | CryptoEQ | 26 Jun 2023


You are reading an excerpt from our free, abridged report.

Intro

The world of decentralized finance, known as DeFi, is touted as the next frontier in the financial landscape, offering the promise of democratizing finance by disintermediating traditional financial systems. Despite this immense potential, the complex architecture of DeFi, particularly its reliance on oracles for off-chain data, exposes these systems to a series of threats, notably oracle attacks. Among the 385 DeFi hacks in H1 2023, the top 3 attack vectors are logic bugs (46%), oracle manipulation (15%), and privilege exposure (14%). With 15% attributed to oracle manipulation, let's spend some time discussing exactly what that is and what users can do to protect themselves. 


Source: Peckshield

Understanding Oracle Attacks

Oracle attacks occur when an assailant dupes a system, such as a lending protocol, into believing that a higher sum of money has been deposited than what was actually contributed. By doing so, attackers can borrow more funds than they ought to, potentially leading to significant financial losses for the DeFi protocol and its users.

One technique attackers commonly utilize involves manipulating the prices of cryptocurrencies on decentralized exchanges, such as Uniswap. This platform facilitates the trading of various cryptocurrencies, but due to its decentralized nature, it's susceptible to price manipulations. Some older or less reputable projects that rely on Uniswap for price data become vulnerable targets for oracle manipulation attacks.

Another strategy employed by attackers focuses on less-liquid assets like liquidity pool (LP) tokens or shares in vaults. LP tokens represent a share of a liquidity pool on a decentralized exchange. The Warp Finance hack is a prime example of this form of attack. Warp Finance permitted users to deposit LP tokens as collateral for loans, and they calculated the value of these tokens based on the total value locked (TVL) in a liquidity pool. This calculation, however, proved to be flawed as it failed to account for the fact that the TVL can change dramatically when large trades are made. By taking a flashloan and conducting a sizable trade, the attacker was able to affect the TVL calculation, and subsequently, the value of the LP tokens. Consequently, the protocol was deceived into believing more money had been deposited, allowing the attacker to borrow more.
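The flaw in TVL-based LP pricing, shown as an added example (not code from Warp Finance or from the original article). It assumes a fee-free constant-product pool and constructed numbers; the `fair_lp_value` formula is a commonly used manipulation-resistant valuation for such pools and is not taken from this page, and all names are hypothetical.

```python
import math
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product pool (reserve_a * reserve_b = k); fees ignored (assumption)."""
    reserve_a: float   # volatile asset
    reserve_b: float   # stablecoin
    lp_supply: float   # LP tokens outstanding

    def swap_b_for_a(self, amount_b_in: float) -> float:
        """Trade token B into the pool; returns the amount of token A paid out."""
        k = self.reserve_a * self.reserve_b
        new_b = self.reserve_b + amount_b_in
        new_a = k / new_b
        paid_out = self.reserve_a - new_a
        self.reserve_a, self.reserve_b = new_a, new_b
        return paid_out

def naive_lp_value(pool: Pool, price_a: float, price_b: float) -> float:
    """Flawed: current reserves times reference prices (TVL), per LP token."""
    tvl = pool.reserve_a * price_a + pool.reserve_b * price_b
    return tvl / pool.lp_supply

def fair_lp_value(pool: Pool, price_a: float, price_b: float) -> float:
    """Hardened: uses only the invariant k, which a fee-free swap cannot change."""
    k = pool.reserve_a * pool.reserve_b
    return 2 * math.sqrt(k * price_a * price_b) / pool.lp_supply

def compare_valuations():
    """Value one LP token before and after a single large trade."""
    # Constructed numbers: 1,000 A at $2,000 and 2,000,000 B at $1.
    pool = Pool(1_000.0, 2_000_000.0, 10_000.0)
    price_a, price_b = 2_000.0, 1.0
    before = (naive_lp_value(pool, price_a, price_b),
              fair_lp_value(pool, price_a, price_b))
    pool.swap_b_for_a(6_000_000.0)  # one large trade skews the reserves
    after = (naive_lp_value(pool, price_a, price_b),
             fair_lp_value(pool, price_a, price_b))
    return before, after

if __name__ == "__main__":
    before, after = compare_valuations()
    print("naive per-LP value: %.2f -> %.2f" % (before[0], after[0]))
    print("fair  per-LP value: %.2f -> %.2f" % (before[1], after[1]))
```

The TVL-based figure more than doubles after the trade even though no value was added to the pool, while the invariant-based figure is unchanged.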

The Chainlink Oracle and Its Vulnerabilities

Chainlink has become a popular solution for sourcing secure random numbers in DeFi. Its operation involves two steps: firstly, a smart contract sends a randomness request to the oracle; subsequently, the oracle responds with a random number. Though this appears simple, incorrect utilization of the oracle can result in a number of exploitable vulnerabilities.

An attacker could use a tactic known as frontrunning: by monitoring the mempool for the oracle's transaction that returns the randomness, the attacker sees the random number before it lands on-chain and can get a transaction of their own included ahead of the oracle's. Furthermore, randomness oracles themselves might attempt to manipulate an application. Although these oracles can't select random numbers without consensus from other nodes, they can withhold and rearrange random numbers if several are requested simultaneously.

Chain reorgs present another challenge. Finality is not immediate on Ethereum or most other EVM chains, so a block being the most recent does not guarantee that it will remain part of the chain. These 're-orgs' can cause data discrepancies that may impact the accuracy of random numbers derived from the oracle.

Additional concerns include stale data and over-reliance on a single oracle. There is no service level agreement (SLA) for Chainlink to keep its price oracles up to date within a certain time frame. When the chain is severely congested, price updates might be delayed, and a smart contract that uses a price oracle must explicitly check that the data is not stale, otherwise it cannot make reliable decisions. Moreover, no matter how secure an oracle seems, it is not impervious to future attacks. Therefore, the best defense is to use multiple independent oracles.

Oracle Exploits: Misreporting and Poor Market Coverage

Oracle exploits happen when an oracle shares inaccurate data about an event or state of the external world. These exploits are often due to the oracle acting maliciously or negligently, or due to a compromised data source.

Misreporting refers to scenarios when an oracle relays a price that differs from the correct, market-wide price of an asset. Regardless of whether the misreporting is due to malicious or negligent behavior, any protocol that relies on a faulty oracle for price data is at risk of an exploit. Poor market coverage happens when an oracle relies on only a subset of all trading environments to report the price of an asset. This can lead to the oracle misreporting the price if that subset is manipulated, even when the majority of trading environments and the market-wide price remain unaffected.
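The staleness check and the multiple-independent-oracles defense described above, together with the misreporting case in this section, as an added example (not code from the article or from any oracle project). Feed names, thresholds and sample reports are constructed, and `aggregate_price` is a hypothetical helper.

```python
from dataclasses import dataclass
from statistics import median

class OracleError(Exception):
    """Raised when no trustworthy price can be produced."""

@dataclass(frozen=True)
class Report:
    source: str       # hypothetical feed name
    price: float
    updated_at: int   # unix seconds of the feed's last update

def aggregate_price(reports, now, max_age=3600, min_sources=3, max_spread=0.02):
    """Median of fresh reports; fail closed on stale or conflicting data."""
    # Staleness check: drop reports older than max_age or dated in the future.
    fresh = [r for r in reports
             if r.price > 0 and 0 <= now - r.updated_at <= max_age]
    if len(fresh) < min_sources:
        raise OracleError(f"{len(fresh)} fresh source(s), need {min_sources}")
    mid = median(r.price for r in fresh)
    # Sources further than max_spread from the median are flagged as outliers.
    outliers = [r.source for r in fresh
                if abs(r.price - mid) / mid > max_spread]
    # A minority of outliers cannot move the median; half or more means
    # there is no consensus to rely on, so refuse to return a price.
    if 2 * len(outliers) >= len(fresh):
        raise OracleError(f"no consensus, outliers: {outliers}")
    return mid, outliers

NOW = 1_700_000_000  # constructed timestamp
SAMPLE = [           # constructed reports
    Report("feed-a", 2001.0, NOW - 120),
    Report("feed-b", 1999.0, NOW - 300),
    Report("feed-c", 2000.0, NOW - 60),
    Report("feed-d", 2600.0, NOW - 30),    # misreporting source
    Report("feed-e", 1500.0, NOW - 7200),  # stale: last updated two hours ago
]

def demo():
    """Aggregate the sample: the stale feed is dropped, the outlier flagged."""
    return aggregate_price(SAMPLE, NOW)

if __name__ == "__main__":
    print(demo())
```

A caller should treat `OracleError` as a reason to pause price-dependent actions rather than fall back to the last known value.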

The consequences of oracle exploits can be catastrophic for DeFi protocols. Misreported prices could lead to stablecoins becoming depegged from their target asset, or malicious arbitrage trades could be executed to profit at the expense of other users. Even worse, unwarranted liquidations could occur if an oracle inaccurately reports the price of an asset, and the protocol could become insolvent if an oracle exploit results in a large loss of funds.

The Case Studies of Mango Markets and BonqDAO

Recent incidents involving Mango Markets and BonqDAO provide clear examples of the different forms of oracle attacks. In the case of Mango Markets, a derivatives marketplace on the Solana blockchain, the platform suffered a severe price manipulation attack that was executed via crafty oracle exploitation. The attacker used two crypto wallets, each funded with $5 million in USDC, to manipulate the market and acquire a $116 million loan using unrealized profits as collateral. This instance underscores how systems operating as intended can still be exploited via well-executed market manipulation, without any software compromise.

Meanwhile, BonqDAO, a DeFi protocol on the Polygon blockchain, fell victim to an oracle exploit due to a bug in a smart contract. The exploit resulted in $100 million worth of the BEUR stablecoin being fraudulently extracted. This incident serves as a stark reminder of the inherent risks in oracle-dependent smart contracts and the need for thorough audits and reviews.

Oracle attacks pose a significant threat to the security and robustness of DeFi protocols. Recognizing these risks, understanding the mechanisms behind these exploits, and deploying robust preventative measures are key to ensuring the ongoing security and success of the burgeoning DeFi ecosystem. By fortifying oracle infrastructure and bolstering the smart contract architecture, the DeFi community can continue to unlock the sector’s potential while minimizing the risks associated with oracle vulnerabilities.



Michael @ CryptoEQ

I am a Co-Founder and Lead Analyst at CryptoEQ. Gain the market insights you need to grow your cryptocurrency portfolio. Our team's supportive and interactive approach helps you refine your crypto investing and trading strategies.

