On November 9, a writer from the website samczsun.com published a report that shows a number of issues with price oracle manipulation stemming from a few blockchain applications. The researcher notes that price oracle manipulation has resulted in â€œover $30 [million] in losses so far.â€
According to the researcher from samczsun.com thereâ€™s been a substantial amount of price oracle manipulation in 2020. On Monday, he tweeted: â€œPrice oracle manipulation has resulted in over 30MM of losses so far and it shows no signs of slowing.â€ The tweet was also retweeted by the ethereum.org Twitter handleâ€™s 500k followers. The tweet from @samczsun also leads to a blog post written on the researcherâ€™s web portal called: â€œSo you want to use a price oracle.â€
In the article, he explains that during the end of 2019 he published a post called â€œTaking undercollateralized loans for fun and for profitâ€ and the post explained how he could attack ETH-based decentralized applications (dapps). The dapps he wrote about specifically rely on price oracle data for a number of crypto assets.
â€œItâ€™s currently late 2020 and unfortunately numerous projects have since made very similar mistakes,â€ samczsun.comâ€™s post stresses. â€œWith the most recent example being the Harvest Finance hack which resulted in a collective loss of 33MM USD for protocol users.â€
Basically an oracle is a protocol that can record both onchain and off-chain data and submits the data into a blockchain like Ethereum. These oracles are used in smart contracts, automated market makers (AMM), trading platforms, and one of the popular ETH-based oracles is Chainlink. The report on vulnerabilities says that developers are aware of some of the issues tethered to oracles but â€œprice oracle manipulation is clearly not something that is often considered.â€
The blog post adds:
The blog post however isnâ€™t just criticisms and samczsun.comâ€™s editorial features an introduction to oracles, oracle manipulation, and how to mitigate against exploitation. Further, the post discusses six vulnerabilities that have taken place in the past.
Samczsun.comâ€™s research also summarizes the Harvest Finance issues that took place on October 26, 2020.
â€œThe attacker deflated the price of USDC in the Curve pool by performing a trade, entered the Harvest pool at the reduced price,â€ the findings state. â€œ[The attacker] restored the price by reversing the earlier trade, and exited the Harvest pool at a higher price. This resulted in over 33MM USD of losses.â€
The report concludes that â€œprice oracles are a critical, but often overlooked, component of defi security.â€ The article highlights that there are plenty of ways that dapps can shoot themselves in the foot if they overlook some of these problems. â€œReading price information during the middle of a transaction may be unsafe and could result in catastrophic financial damage,â€ the research post says.
What do you think about the millions lost from blockchain-based price oracles so far? Let us know what you think in the comments section below.
Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.