A Guide to Oracle Manipulation Attacks

In 2024, protocols lost $50M+ to Oracle Manipulation Attacks. Oracle Manipulation Attacks have surfaced several times and harmed the industry. This harm is executed in lending protocols, derivatives protocols, moreover any protocol that deals with user funds and have dependency on some sort of price feeds.

This piece will focus on attacks that lead to these discrepancies in price feeds and lead to loss of user funds, and incur bad debt on the protocol.

What is an Oracle?

Oracles connect blockchains with real world data if we want to keep the definition short. Smart contracts run on blockchains, which are void of real-world updates. If we want to build a contract that depends on and takes a decision based on some metric that isn’t possible to calculate solely through a smart contract, we rely on oracles.

Hold on, but we cannot trust every oracle. Some oracles are centralized, while some are decentralized. The data you are getting and using in your smart contracts should be validated, right? This is where the decentralized oracles come in. While the industry have majorly discarded centralized oracles, most of the oracles are decentralized, but it is very important to validate before trusting. Some great examples of oracles are @chainlink, @pythnetwork, and many more.

Oracle = Source of Real World Data

Which Protocols depend on Oracles, and what are these dependencies?

In most cases, DeFi protocols depend on oracles for price feeds. But it is important to note that there are other types of protocols which require real world data and also uses oracles. These oracles in DeFi protocols are the source of price feeds for assets like ETH, BTC, SOL, and more.

Let’s take a lending protocol, for example, which determines the health factor of a particular loan. If the asset backing the loan as collateral drops in value, the position needs to be liquidated to incur no bad debt. The price data is provided by oracles like Chainlink, Uniswap, Pyth, and more. If the data isn’t correct, the protocol gets the asset, which is less than the value of the loan given to a particular user, which isn’t ideal and can harm the treasury and the user’s funds. Moreover, it can also impact users in a condition where they open a leveraged position on BTC, and the oracle doesn’t perform properly, their position could be liquidated without the real-time price updates.

Interesting price feeds to understand are TWAP (Time-Weighted Average Price), used by Uniswap, and VWAP (Volume-Weighted Average Price), used by Chainlink for certain assets. The former averages out the price over a specific period to normalize any anomalies in the data that occurred while the latter calculates the data considering the trading volume.

What are Oracle Manipulation Attacks?

Most of the oracle manipulation attacks are the cause of the following two events occurring consecutively:

1. Attacker manipulate the price of an asset. They do this usually through flashloans (an uncollateralized loan which need to be repaid in the same transaction). Flashloans provide them the initial capital to manipulate the pool, hence the price of the asset increases as they buy a lot of tokens from the pool.

2. A Derivatives Protocol which gets the feed from the above manipulated pool (not using TWAP) get the wrong asset prices, the attacker has already opened a long position on an asset, once the price is manipulated from Step 1, the attacker position value increases, they closes the position for profit and repay the flashloan from Step 1.

The above happened recently in an attack on KiloEx (a derivatives protocol).

An example of a Lending Protocol attacked by an oracle manipulation attack:

1. Attacker took a flashloan in tokenA

2. Swap tokenA with tokenB, inflating the price of tokenB in the pool (as less in quantity, x*y = k)

3. Deposit tokenB in the pool as the collateral

4. Lending Protocol gets the price of tokenB (inflated price)

5. Lending Protocol lends tokenA (this value will be huge as tokenB value was huge)

6. Repay the flashloan, leaving the lending protocol in bad debt.

How to Prevent an Oracle Manipulation Attack?

Here are some points to keep in mind while building a DeFi protocol:

1. Avoid using a single-source dependency for the price, which can be easily manipulated.

2. Have a backup source for the price. If using Uniswap as a primary source, use Chainlink as a secondary.

3. Utilize a decentralized oracle, such as Chainlink, to obtain accurate and up-to-date prices for assets.

4. If getting a price from Uniswap, consider using TWAP (Time-Weighted Average Price).

Conclusion

Oracle Manipulation Attacks has been growing in the space and have been a significant contributor in the amount of funds lost. This quick guide gives an introduction on this type of attack where users and protocols are at huge risk.

If you are building a DeFi protocol, understand how oracle manipulation can impact your protocol and users’ funds in the long run so it is better to choose and create your Oracle Infrastructure or source carefully.

At QuillAudits, with our 7+ years of experience and our multi-layered audit framework, we secure your smart contracts and protect users and protocols from malicious actors.