In 2022, the crypto world witnessed its biggest hacking spree, resulting in a staggering $3.8B loss. Amidst the protocol compromises and bug exploits, there’s a lesser-known but highly impactful form of attack that deserves our attention: Oracle manipulation.
Oracle manipulation involves tampering with the data used by DeFi protocols, and in 2022, it cost DeFi projects a whopping $403.2M in 41 separate attacks.
This blog aims to comprehend what oracles are, why they are susceptible to manipulation, and the consequences that follow in the wake of such attacks. Let’s dive in and get started.
What Are Oracles, Anyway?
If you’ve been wondering what an oracle is, here comes the explanation. Imagine you’re in a world where everything is stored on a blockchain, from digital currencies to smart contracts. But what if you want to bring real-world information, like weather updates, stock prices, or news events, into this blockchain universe? That’s where oracles come into play.
Oracles are like gateways between the blockchain and the real world. They take information from outside the blockchain (off-chain) and turn it into a format the blockchain can understand. This is crucial because it allows smart contracts to make decisions based on real-world events.
Now, let’s see what are the different types of oracles:
They fetch real-time data from online sources like databases, servers, or websites and deliver it to smart contracts. This data can be anything from cryptocurrency prices, exchange rates, or even live flight information.
These oracles gather data from physical sensors, barcode scanners, and other devices that read information from the physical world. Then, they translate this real-world data into a readable format by smart contracts, which enables blockchain-based decision-making.
Inbound and Outbound Oracles
Inbound oracles bring external information into smart contracts. For example, a sensor measures the temperature, and the oracle conveys it to the smart contract.
On the other hand, outbound oracles take information from smart contracts and send it out into the real world. For instance, relaying information about transactions happening on-chain that triggers a specific action in the real world.
Centralized and Decentralized Oracles
Centralized oracles require trust as a single entity controls it. If that entity fails, the oracle can be compromised. In contrast, decentralized oracles don’t rely on a single source. They use a consensus mechanism that builds trust among multiple parties, making them more resilient.
Cross-chain oracles can read and write information between different blockchains. This enables data and assets to move seamlessly between blockchains, opening up a world of possibilities, such as triggering actions on one blockchain based on data from another or using assets across different blockchains.
With this, we now have a brief understanding of oracles in DeFi and its vital role in making decentralized applications more powerful and versatile. But what is the likelihood of these Oracles causing a problem that leads to fund loss? Keep going to know them.
When it comes to using Oracles, there’s a challenge that often goes unnoticed but has a huge impact on the functioning of decentralized systems- the Oracle Problem.
Oracle problem arises due to blockchains’ inherent inability to interact with external data sources on their own. It is because they are designed in a way to precisely deal with data already coded, ensuring consensus on fundamental execution like verifying transactions, checking account balances, and validating smart contract actions.
But, to unlock the full potential of smart contracts, they often need to connect with the outside world. Decentralized Finance contracts require market data, insurance contracts rely on IoT and web information, and trade finance contracts depend on external documents and signatures. None of this data originates within the blockchain, and traditional services are not directly accessible.
Here is where the oracles step in, serving as the bridge through which external data enters and exits the blockchain. This also provides room for Oracle failures, as given below.
- Issues with trust and reliability: The Oracle raises concerns about the trust, authenticity, and security of the information. It introduces the need for trust in smart contract executions and the third-party providing data. Since centralized oracles lack a distributed attribute, they can become single points of failure, compromising trust.
- Data integrity: Oracles rely on external data sources, and if this data is tampered with or incorrect, it can lead to misappropriate smart contract executions. Even trustworthy oracles can feed false data if the information they operate on has been altered.
- Malfunctions and Tampering: Oracles, like any technology, can malfunction or be deliberately altered. This can disrupt their proper functioning within smart contracts and compromise the integrity of the system, especially in high-value contracts.
Real-time scenarios of Oracle Failures and Lessons to be Learned
Mango Markets Oracle hack
- Amount Lost: Approximately $112 million in digital assets.
- Reason for the Hack: Oracle price manipulation, where the attacker manipulated collateral values via the platform, took out massive loans, and drained funds from Mango’s treasury.
- Lesson to Be Learned: DeFi protocols must ensure the reliability of their Oracle data feeds to prevent price manipulation attacks. Centralized exchanges used as data references should be critically assessed for vulnerabilities.
BonqDAO Protocol Oracle exploit
- Amount Lost: An estimated $120 million, comprising $108 million in BEUR tokens and $11 million in wrapped-ALBT (wALBT) tokens.
- Reason for the Hack: The exploiter manipulated the price of the AllianceBlock (ALBT) token by changing the updatePrice function of the oracle in BonqDAO’s smart contract.
- Lesson to Be Learned: Smart contracts and oracles must be rigorously audited and secured to prevent unauthorized modifications. Decentralized organizations should prioritize security measures to protect their protocols from large-scale losses.
Inverse Finance Oracle Price Manipulation Hack
- Amount Lost: $5.8 million in tokens.
- Reason for the Hack: This hack relied on price oracle manipulation, exploiting the vulnerability of on-chain token value calculations. The attacker manipulated the perceived value of LP tokens in the YVCrvCrypto pool.
- Lesson To Be Learned: DeFi protocols should avoid on-chain token price calculations and opt for trusted price oracles like Chainlink. Security audits are crucial to identifying and addressing vulnerabilities before exploitation occurs.
As the DeFi landscape continues to expand, oracle solutions must evolve alongside it, becoming more robust and resistant to manipulation.
Some clear takeaways from the discussed case studies are:
- Diligent Audits of DeFi projects, focusing not only on smart contracts but also on the oracles that feed them critical data.
- Decentralization is Key as consensus oracles and multiple data sources can enhance security and trust.
- Using reputable Oracle providers with a track record of reliability
- Avoiding on-chain token price calculations and utilizing off-chain price oracles like Chainlink
- Continuous monitoring for early threat detection to prevent great losses.
QuillAudits stands as your dedicated partner in securing protocols against vulnerabilities and threats within the Web3 ecosystem. Visit our website today or chat with our experts to learn more about how we can provide the security assistance you need.