On November 9, a writer from the website samczsun.com published a report that shows a number of issues with price oracle manipulation stemming from a few blockchain applications. The researcher notes that price oracle manipulation has resulted in “over $30 [million] in losses so far.”
According to the researcher from samczsun.com there’s been a substantial amount of price oracle manipulation in 2020. On Monday, he tweeted: “Price oracle manipulation has resulted in over 30MM of losses so far and it shows no signs of slowing.” The tweet was also retweeted by the ethereum.org Twitter handle’s 500k followers. The tweet from @samczsun also leads to a blog post written on the researcher’s web portal called: “So you want to use a price oracle.”
In the article, he explains that during the end of 2019 he published a post called “Taking undercollateralized loans for fun and for profit” and the post explained how he could attack ETH-based decentralized applications (dapps). The dapps he wrote about specifically rely on price oracle data for a number of crypto assets.
“It’s currently late 2020 and unfortunately numerous projects have since made very similar mistakes,” samczsun.com’s post stresses. “With the most recent example being the Harvest Finance hack which resulted in a collective loss of 33MM USD for protocol users.”
Basically an oracle is a protocol that can record both onchain and off-chain data and submits the data into a blockchain like Ethereum. These oracles are used in smart contracts, automated market makers (AMM), trading platforms, and one of the popular ETH-based oracles is Chainlink. The report on vulnerabilities says that developers are aware of some of the issues tethered to oracles but “price oracle manipulation is clearly not something that is often considered.”
The blog post adds:
Conversely, exploits based on reentrancy have fallen over the years while exploits based on price oracle manipulation are now on the rise.
The blog post however isn’t just criticisms and samczsun.com’s editorial features an introduction to oracles, oracle manipulation, and how to mitigate against exploitation. Further, the post discusses six vulnerabilities that have taken place in the past.
For example, the post mentions undercollateralized loans, the Synthetix sKRW oracle malfunction, the yVault bug, Synthetix MKR manipulation, the Harvest Finance hack, and the Bzx hack as well.
Samczsun.com’s research also summarizes the Harvest Finance issues that took place on October 26, 2020.
“The attacker deflated the price of USDC in the Curve pool by performing a trade, entered the Harvest pool at the reduced price,” the findings state. “[The attacker] restored the price by reversing the earlier trade, and exited the Harvest pool at a higher price. This resulted in over 33MM USD of losses.”
The report concludes that “price oracles are a critical, but often overlooked, component of defi security.” The article highlights that there are plenty of ways that dapps can shoot themselves in the foot if they overlook some of these problems. “Reading price information during the middle of a transaction may be unsafe and could result in catastrophic financial damage,” the research post says.
What do you think about the millions lost from blockchain-based price oracles so far? Let us know what you think in the comments section below.
Image Credits: Shutterstock, Pixabay, Wiki Commons, samczsun.com,
Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.