Fun

Report: Blockchain Price Oracle Manipulation Produces Millions in Losses, Shows No Signs of Slowing

News Feed - 2020-11-12 12:11:24

Report: Blockchain Price Oracle Manipulation Produces Millions in Losses, Shows No Signs of Slowing


On November 9, a writer from the website samczsun.com published a report that shows a number of issues with price oracle manipulation stemming from a few blockchain applications. The researcher notes that price oracle manipulation has resulted in “over $30 [million] in losses so far.”


According to the researcher from samczsun.com there’s been a substantial amount of price oracle manipulation in 2020. On Monday, he tweeted: “Price oracle manipulation has resulted in over 30MM of losses so far and it shows no signs of slowing.” The tweet was also retweeted by the ethereum.org Twitter handle’s 500k followers. The tweet from @samczsun also leads to a blog post written on the researcher’s web portal called: “So you want to use a price oracle.”


In the article, he explains that during the end of 2019 he published a post called “Taking undercollateralized loans for fun and for profit” and the post explained how he could attack ETH-based decentralized applications (dapps). The dapps he wrote about specifically rely on price oracle data for a number of crypto assets.


“It’s currently late 2020 and unfortunately numerous projects have since made very similar mistakes,” samczsun.com’s post stresses. “With the most recent example being the Harvest Finance hack which resulted in a collective loss of 33MM USD for protocol users.”


Basically an oracle is a protocol that can record both onchain and off-chain data and submits the data into a blockchain like Ethereum. These oracles are used in smart contracts, automated market makers (AMM), trading platforms, and one of the popular ETH-based oracles is Chainlink. The report on vulnerabilities says that developers are aware of some of the issues tethered to oracles but “price oracle manipulation is clearly not something that is often considered.”


The blog post adds: Conversely, exploits based on reentrancy have fallen over the years while exploits based on price oracle manipulation are now on the rise.


The blog post however isn’t just criticisms and samczsun.com’s editorial features an introduction to oracles, oracle manipulation, and how to mitigate against exploitation. Further, the post discusses six vulnerabilities that have taken place in the past.


For example, the post mentions undercollateralized loans, the Synthetix sKRW oracle malfunction, the yVault bug, Synthetix MKR manipulation, the Harvest Finance hack, and the Bzx hack as well. An illustration of the Synthetix MKR manipulation. Photo via Samczsun.com.


Samczsun.com’s research also summarizes the Harvest Finance issues that took place on October 26, 2020.


“The attacker deflated the price of USDC in the Curve pool by performing a trade, entered the Harvest pool at the reduced price,” the findings state. “[The attacker] restored the price by reversing the earlier trade, and exited the Harvest pool at a higher price. This resulted in over 33MM USD of losses.”


The report concludes that “price oracles are a critical, but often overlooked, component of defi security.” The article highlights that there are plenty of ways that dapps can shoot themselves in the foot if they overlook some of these problems. “Reading price information during the middle of a transaction may be unsafe and could result in catastrophic financial damage,” the research post says.


What do you think about the millions lost from blockchain-based price oracles so far? Let us know what you think in the comments section below. Ethereum User Spends $9,500 in Fees Sending Just $120 in an Error to Forget ALTCOINS | 4 days ago ETH 2.0 Scheduled for December, Vitalik Deposits $1.4M Worth of Ether Into Phase 0 Contract ALTCOINS | 5 days ago Tags in this story $30 Million, Altcoins, crypto assets, Cryptocurrency, DeFi, Defi Apps, ETH-based apps, Ethereum, Hack, Harvest Finance hack, Losses, manipulation, MKR, price oracle, price oracle manipulation, Prices, samczsun.com, Synthetix sKRW oracle malfunction, yVault bug


Image Credits: Shutterstock, Pixabay, Wiki Commons, samczsun.com, Use Bitcoin and Bitcoin Cash to play online casino games here. Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article. Read disclaimerShow comments

News Feed

Ukraine’s Kharkiv Art Museum Launches NFT Collection With Binance to Raise Funds, Secure Jobs
Ukraine’s Kharkiv Art Museum Launches NFT Collection With Binance to Raise Funds, Secure Jobs The art museum in the Eastern Ukrainian city of Kharkiv has partnered with cryptocur
FC Barcelona to Get Into Metaverse and NFTs
FC Barcelona to Get Into Metaverse and NFTs The FC Barcelona, a soccer club with a large fanbase in Spain and Europe, has revealed its plans to take advantage of the rise of the me
Report: DOJ and FBI Investigating Terraform Labs in Connection to Algorithmic Stablecoin Collapse
Report: DOJ and FBI Investigating Terraform Labs in Connection to Algorithmic Stablecoin Collapse The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) are
SEC and CFTC Lawsuits Against Former FTX CEO Paused Until Criminal Proceedings Conclude
SEC and CFTC Lawsuits Against Former FTX CEO Paused Until Criminal Proceedings Conclude Two civil lawsuits, stemming from the U.S. Securities and Exchange Commission (SEC) and the
French Central Bank Conducts Fifth Experiment on Tunisia CBDC
French Central Bank Conducts Fifth Experiment on Tunisia CBDC The French central bank, Banque de France (BOF), recently carried out its fifth experiment on the C
Buying Bitcoin Locally vs Online: Which Bitcoin of America Method is Best for You?
Buying Bitcoin Locally vs Online: Which Bitcoin of America Method is Best for You?With a second stimulus check due, now is the time to start thinking of your financial future, with
Subhash Chandra Garg on the Future of Crypto
Subhash Chandra Garg on the Future of Crypto India’s former Finance Secretary Subhash Chandra Garg has shared his views on the future of cryptocurrency, both in India and w
Looming US Real Estate Crisis – Freddie Mac Warns of Housing Market Uncertainty, Homebuilder sentiment Drops 58%
Looming US Real Estate Crisis - Freddie Mac Warns of Housing Market Uncertainty, Homebuilder sentiment Drops 58%U.S. real estate agents and lenders are bracing for the biggest housi
Onkar Singh10 hours agoHow to backup your crypto wallet private keysTo securely backup your crypto wallet private keys, create an encrypted offline copy on a hardware wallet or write them on paper.1420 Total views22 Tota
Didar Bekbauov1 hour agoHow Bitcoin miners can survive a hostile market — and the 2024 halvingBitcoin mining is becoming harder — which means miners will have to spend more to receive fewer rewards. But there are sti
Bitcoin, Ethereum Technical Analysis: BTC, ETH Hit Multi-Week Low, as Silvergate Uncertainty Spooks Markets
Bitcoin, Ethereum Technical Analysis: BTC, ETH Hit Multi-Week Low, as Silvergate Uncertainty Spooks Markets Bitcoin dropped to a two-week low on Friday, as crypto markets continued
Savannah Fortis13 hours agoTikTok, Snapchat, OnlyFans and others to combat AI-generated child abuse contentMajor social platforms, AI companies, governments and NGOs issued a joint statement pledging to combat AI-generat