On November 9, the security researcher known as samczsun published a report on price oracle manipulation, a class of attack that has hit several blockchain applications. The researcher notes that price oracle manipulation has resulted in “more than $30 [million] so far in losses.”
According to samczsun, 2020 has seen a significant amount of oracle manipulation. On Monday he tweeted: “Price oracle manipulation has resulted in more than $30 million in losses so far and shows no signs of slowing down.” The tweet was retweeted by the ethereum.org Twitter account, which has roughly 500,000 followers. @samczsun’s tweet also links to a blog post on the researcher’s website titled “So you want to use a price oracle.”
In that post he recalls that at the end of 2019 he published an article called “Taking undercollateralized loans for fun and for profit,” which explained how he could attack ETH-based decentralized applications (dapps). The dapps he wrote about rely on price oracle data for a number of crypto assets.
“It is currently the end of 2020 and unfortunately numerous projects have made very similar mistakes since then,” samczsun writes. “The most recent example is the Harvest Finance hack that resulted in a collective loss of USD 33 million for protocol users.”
An oracle is a mechanism that takes data, whether on-chain or off-chain, and makes it available to smart contracts on a blockchain such as Ethereum. Oracles are used by smart contracts, automated market makers (AMMs) and trading platforms, and Chainlink is one of the best-known Ethereum oracle networks; many DeFi protocols, however, simply read a price straight from an on-chain AMM pool, which is where manipulation comes in. The report says developers are aware of some of the problems associated with oracles, but that “price oracle manipulation is clearly not something often considered.”
The blog post adds: “Conversely, exploits based on reentrancy have declined over the years, while exploits based on price oracle manipulation are now increasing.”
The post is not only critical, however: it provides an introduction to oracles, to oracle manipulation and to ways of limiting exploitation, and it discusses six incidents that have occurred in the past.
It also gives an overview of the Harvest Finance incident of October 26, 2020.
“The attacker lowered the price of USDC in the Curve pool by executing a trade, entered the Harvest pool at the discounted price,” the post says. “[The attacker] recovered the price by reversing the previous trade and left the Harvest pool at a higher price. This resulted in more than USD 33 million in losses.”
The report concludes that “price oracles are a critical, but often overlooked, part of DeFi security.” It highlights that there are plenty of ways dapps can shoot themselves in the foot if they overlook these issues. “Reading price information in the middle of a trade can be unsafe and can lead to catastrophic financial damage,” the post says.
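To make the four-step sequence quoted above concrete, here is a constructed simulation added to this article; it is not code from samczsun’s post or from Harvest Finance. It assumes a constant-product pool standing in for the Curve pool, fictional reserve and balance figures, two stablecoins each really worth $1.00, and a flash loan modeled as starting capital that is compared with the ending balance. The same vault is run once against a naive spot-price oracle and once against a block-sampled TWAP, one of the standard mitigations for reading a manipulable price in the middle of a transaction:

```python
"""Constructed simulation of a Harvest-style oracle sandwich (not Harvest's or
samczsun's code).  Assumptions: constant-product AMM instead of Curve, flash
loan modeled as starting capital, both stablecoins really worth 1.00 USD, so
any attacker profit comes purely from the vault mispricing its own holdings."""
from dataclasses import dataclass

FEE = 0.0004  # 0.04 % swap fee per trade (constructed, Curve-like)


@dataclass
class Pool:
    """Constant-product AMM: usdc * usdt is preserved across a swap (before fees)."""
    usdc: float
    usdt: float

    def spot_price_usdc(self) -> float:
        """USDT per USDC read straight from reserves: the manipulable number."""
        return self.usdt / self.usdc

    def swap_usdc_for_usdt(self, amount_in: float) -> float:
        k = self.usdc * self.usdt
        out = self.usdt - k / (self.usdc + amount_in * (1 - FEE))
        self.usdc, self.usdt = self.usdc + amount_in, self.usdt - out
        return out

    def usdt_needed_for_usdc(self, amount_out: float) -> float:
        """USDT that must be paid to take exactly amount_out USDC right now."""
        k = self.usdc * self.usdt
        return (k / (self.usdc - amount_out) - self.usdt) / (1 - FEE)

    def swap_usdt_for_usdc(self, amount_in: float) -> float:
        k = self.usdc * self.usdt
        out = self.usdc - k / (self.usdt + amount_in * (1 - FEE))
        self.usdt, self.usdc = self.usdt + amount_in, self.usdc - out
        return out


class SpotOracle:
    """Vulnerable: reports the pool's instantaneous reserve ratio."""
    def __init__(self, pool: Pool) -> None:
        self.pool = pool

    def price_usdc(self) -> float:
        return self.pool.spot_price_usdc()


class TwapOracle:
    """Hardened (simplified Uniswap-v2-style TWAP): mean of the spot price sampled
    at block boundaries.  A trade inside the current block is not in the average
    yet, so a manipulate-deposit-restore-withdraw sequence done in one
    transaction reads the same price on entry and on exit."""
    def __init__(self, pool: Pool, window_blocks: int = 10) -> None:
        self.pool, self.window = pool, window_blocks
        self.samples = [pool.spot_price_usdc()] * window_blocks

    def on_new_block(self) -> None:  # called once per block, not mid-transaction
        self.samples = (self.samples + [self.pool.spot_price_usdc()])[-self.window:]

    def price_usdc(self) -> float:
        return sum(self.samples) / len(self.samples)


@dataclass
class Vault:
    """Harvest-style pool: values its USDC via the oracle when minting/burning shares."""
    oracle: object
    usdc: float
    usdt: float
    shares: float

    def price_per_share(self) -> float:
        return (self.usdt + self.usdc * self.oracle.price_usdc()) / self.shares

    def deposit_usdt(self, amount: float) -> float:
        minted = amount / self.price_per_share()
        self.usdt, self.shares = self.usdt + amount, self.shares + minted
        return minted

    def withdraw(self, shares: float) -> tuple[float, float]:
        frac = shares / self.shares
        out_usdc, out_usdt = self.usdc * frac, self.usdt * frac
        self.usdc, self.usdt, self.shares = self.usdc - out_usdc, self.usdt - out_usdt, self.shares - shares
        return out_usdc, out_usdt


def run_attack(oracle_cls) -> float:
    """Run the sandwich once, in a single transaction, against a fresh pool and
    vault.  Returns attacker profit in USD (negative means the attack failed)."""
    pool = Pool(usdc=50_000_000.0, usdt=50_000_000.0)
    vault = Vault(oracle_cls(pool), usdc=10_000_000.0, usdt=10_000_000.0, shares=20_000_000.0)
    att_usdc, att_usdt = 20_000_000.0, 20_000_000.0  # flash-loaned capital (constructed)
    start = att_usdc + att_usdt
    # 1. Dump USDC into the pool so the reserve ratio says USDC is cheap.
    sold = att_usdc
    att_usdt, att_usdc = att_usdt + pool.swap_usdc_for_usdt(sold), 0.0
    # 2. Enter the vault while it undervalues its USDC (shares are cheap).
    deposit = 14_000_000.0
    shares = vault.deposit_usdt(deposit)
    att_usdt -= deposit
    # 3. Reverse the trade: buy the USDC back, restoring the spot price.
    cost = pool.usdt_needed_for_usdc(sold)
    att_usdc, att_usdt = att_usdc + pool.swap_usdt_for_usdc(cost), att_usdt - cost
    # 4. Leave the vault at the recovered, higher share price.
    out_usdc, out_usdt = vault.withdraw(shares)
    return att_usdc + out_usdc + att_usdt + out_usdt - start


if __name__ == "__main__":
    print(f"spot-price oracle: attacker profit ${run_attack(SpotOracle):,.0f}")
    print(f"TWAP oracle:       attacker profit ${run_attack(TwapOracle):,.0f}")
```

With the spot-price oracle the attacker leaves with a seven-figure profit paid for by the vault’s other depositors; with the TWAP the same sequence loses the attacker the round-trip swap fees. The TWAP removes only the single-transaction version of the attack: an attacker willing to hold the pool at a skewed price across several blocks still drags the average, at the cost of being arbitraged in the meantime, so a hardened design also sanity-checks the on-chain price against an independent source such as Chainlink rather than trusting any one feed.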
Disclaimer: This article is for informational purposes only. It is not a direct offer or invitation to an offer to buy or sell, or a recommendation or endorsement of products, services, or companies. Bitcoin.com does not provide investment, tax, legal or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.