On November 9, the security researcher behind the samczsun.com website published a post detailing a series of incidents in which blockchain applications were exploited through manipulation of the price oracles they depend on. The researcher notes that price oracle manipulation has caused "over $30 [million] in losses so far."
According to the samczsun.com researcher, 2020 has seen a significant amount of price oracle manipulation. On Monday he tweeted: "The manipulation of the price oracle has resulted in over 30 million in losses so far and shows no signs of slowing down." The tweet was retweeted by the ethereum.org Twitter handle, which has roughly 500,000 followers. @Samczsun's tweet links to a blog post on the researcher's site titled "So you want to use a price oracle."
In the article, he recalls that in late 2019 he published a post titled "Taking undercollateralized loans for fun and for profit," which explained how attackers could exploit Ethereum-based decentralized applications (dapps) that rely on price oracle data for a range of crypto assets.
"It is currently the end of 2020 and sadly many projects have since made very similar mistakes," the samczsun.com post points out. "The most recent example was the Harvest Finance hack which resulted in a collective loss of $33 million for users of the protocol."
Broadly, an oracle is a mechanism that supplies data, whether sourced on-chain or off-chain (asset prices being the common case), to smart contracts on a blockchain such as Ethereum. Oracles are relied on by smart contracts, automated market makers (AMMs) and trading platforms; Chainlink is one of the popular Ethereum-based oracle networks. The post states that developers are aware of some oracle-related problems, but that "the manipulation of the price oracle is clearly not something that is often considered."
The blog post adds:
"Conversely, reentrancy-based exploits have declined over the years while exploits based on manipulating the price oracle are now on the rise."
The blog post is not just a critique, however: it features an introduction to oracles, how they are manipulated, and how to mitigate exploitation. It also walks through six past incidents.
These are the undercollateralized loans of the 2019 post, the Synthetix sKRW oracle malfunction, the yVault bug, the Synthetix MKR manipulation, the Harvest Finance hack and the bZx hack.
The samczsun.com post also summarizes the Harvest Finance incident of October 26, 2020.
"The attacker deflated the USDC price in the Curve pool by trading, entered the Harvest pool at a reduced price," the post states. "[The attacker] restored the price by reversing the previous trade and exited the Harvest pool at a higher price. This resulted in losses of over $33 million."
The post concludes that "price oracles are a fundamental, but often overlooked, component of DeFi security," and points out that there are many ways dapps can shoot themselves in the foot if they overlook these issues. "Reading pricing information during the middle of a transaction may be unsafe and could cause catastrophic financial damage," it says.
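The four-step pattern in the Harvest summary above (distort the price, enter, restore the price, exit), and the warning that reading a price mid-transaction is unsafe, can be reproduced in a toy model. The following is an added example written for this article, not code from samczsun or from Harvest Finance. It assumes a fee-free constant-product pool (x * y = k) rather than a Curve stableswap pool, two constructed tokens A and B, constructed reserve and capital figures, and a vault that mints shares against the oracle value of deposits; the lagged-price oracle stands in for the time-weighted pricing commonly used as a mitigation and is not presented as the post's specific recommendation.

```python
"""Toy reproduction of same-transaction price-oracle manipulation (added example).

Assumptions, none from the article: a fee-free x*y=k pool holds token A (the
deposit asset) and token B (the vault's underlying and unit of account), and
that pool is the vault's only price source for A. Exact Fraction arithmetic
so the outcome can be checked without rounding slack.
"""
from dataclasses import dataclass
from fractions import Fraction as F


@dataclass
class ConstantProductPool:
    """Minimal x*y=k AMM. The spot price is just the reserve ratio."""
    reserve_a: F
    reserve_b: F

    def spot_price_a(self) -> F:
        """Marginal price of one A in B: exactly what a naive oracle reads."""
        return self.reserve_b / self.reserve_a

    def swap_a_for_b(self, amount_a: F) -> F:
        k = self.reserve_a * self.reserve_b
        self.reserve_a += amount_a
        new_b = k / self.reserve_a
        out_b, self.reserve_b = self.reserve_b - new_b, new_b
        return out_b

    def swap_b_for_a(self, amount_b: F) -> F:
        k = self.reserve_a * self.reserve_b
        self.reserve_b += amount_b
        new_a = k / self.reserve_b
        out_a, self.reserve_a = self.reserve_a - new_a, new_a
        return out_a


class SpotOracle:
    """Reads the live reserve ratio: manipulable within a single transaction."""
    def __init__(self, pool: ConstantProductPool):
        self.pool = pool

    def price_a(self) -> F:
        return self.pool.spot_price_a()


class LaggedOracle:
    """Reports the price snapshotted at the last block boundary, so trades in the
    current transaction cannot move what the vault sees (a stand-in for TWAP)."""
    def __init__(self, pool: ConstantProductPool):
        self.pool = pool
        self.last = pool.spot_price_a()

    def end_block(self) -> None:
        self.last = self.pool.spot_price_a()

    def price_a(self) -> F:
        return self.last


@dataclass
class Vault:
    """Mints shares against the oracle value of deposits; redeems pro rata."""
    oracle: object
    holdings_a: F = F(0)
    holdings_b: F = F(0)
    total_shares: F = F(0)

    def value_b(self) -> F:
        return self.holdings_a * self.oracle.price_a() + self.holdings_b

    def seed_b(self, amount_b: F) -> None:
        """Honest liquidity: one share per B while the vault holds only B."""
        self.holdings_b += amount_b
        self.total_shares += amount_b

    def deposit_a(self, amount_a: F) -> F:
        value = amount_a * self.oracle.price_a()   # the dangerous mid-transaction read
        shares = value * self.total_shares / self.value_b()
        self.holdings_a += amount_a
        self.total_shares += shares
        return shares

    def withdraw(self, shares: F) -> tuple[F, F]:
        frac = shares / self.total_shares
        out_a, out_b = self.holdings_a * frac, self.holdings_b * frac
        self.holdings_a -= out_a
        self.holdings_b -= out_b
        self.total_shares -= shares
        return out_a, out_b


def run_attack(oracle_cls) -> dict[str, F]:
    """Distort, enter, restore, exit: all four steps inside ONE transaction."""
    pool = ConstantProductPool(F(1_000_000), F(1_000_000))  # constructed: 1 B per A
    vault = Vault(oracle_cls(pool))
    vault.seed_b(F(1_000_000))                               # constructed: honest LPs
    att_a, att_b = F(1_000_000), F(500_000)                  # constructed attacker capital
    start_value = att_a * pool.spot_price_a() + att_b

    bought_a = pool.swap_b_for_a(att_b)                      # 1. buy A: A now looks expensive
    att_a, att_b = att_a + bought_a, F(0)
    shares = vault.deposit_a(F(1_000_000))                   # 2. deposit A at the inflated price
    att_a -= F(1_000_000)
    att_b += pool.swap_a_for_b(bought_a)                     # 3. reverse the trade: price back to 1
    att_a -= bought_a
    out_a, out_b = vault.withdraw(shares)                    # 4. redeem at the fair price
    att_a, att_b = att_a + out_a, att_b + out_b

    price = pool.spot_price_a()                              # back to 1 B per A
    return {
        "attacker_profit_b": att_a * price + att_b - start_value,
        "lp_loss_b": F(1_000_000) - (vault.holdings_a * price + vault.holdings_b),
    }


if __name__ == "__main__":
    for cls in (SpotOracle, LaggedOracle):
        r = run_attack(cls)
        print(f"{cls.__name__:13s} attacker profit {float(r['attacker_profit_b']):>12,.2f} B, "
              f"LP loss {float(r['lp_loss_b']):>12,.2f} B")
```

With the spot oracle the attacker's round-trip swap costs nothing (no fee in this model), yet the vault's honest depositors lose roughly 384,615 B, every unit of which ends up with the attacker; with the lagged oracle the same sequence nets exactly zero, because the vault values the deposit at the pre-manipulation price. A lagged or time-weighted price raises the cost of the attack rather than removing it: an attacker willing to hold a distorted pool price across block boundaries, and to pay the arbitrage losses that implies, can still move the reading, which is why the post treats oracle choice as a design question rather than a one-line fix.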
What do you think of the millions lost so far from blockchain-based pricing oracles? Let us know what you think in the comments section below.
Image credits: Shutterstock, Pixabay, Wiki Commons, samczsun.com
Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, nor a recommendation or endorsement of products, services or companies. Bitcoin.com does not provide investment, tax, legal or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or allegedly caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.