On November 9, a writer from the website samczsun.com published a report describing a number of price oracle manipulation issues stemming from a few blockchain applications. The researcher notes that price oracle manipulation has resulted in “over $30 [million] in losses so far.”
According to the researcher from samczsun.com, there’s been a substantial amount of price oracle manipulation in 2020. On Monday, he tweeted: “Price oracle manipulation has resulted in over 30MM of losses so far and it shows no signs of slowing.” The tweet was also retweeted by the ethereum.org Twitter handle’s 500k followers. The tweet from @samczsun also links to a blog post on the researcher’s web portal called “So you want to use a price oracle.”
In the article, he explains that at the end of 2019 he published a post called “Taking undercollateralized loans for fun and for profit,” which explained how he could attack ETH-based decentralized applications (dapps). The dapps he wrote about specifically rely on price oracle data for a number of crypto assets.
“It’s currently late 2020 and unfortunately numerous projects have since made very similar mistakes,” samczsun.com’s post stresses. “With the most recent example being the Harvest Finance hack which resulted in a collective loss of 33MM USD for protocol users.”
Basically, an oracle is a protocol that can record both on-chain and off-chain data and submit that data to a blockchain like Ethereum. Oracles are used in smart contracts, automated market makers (AMMs), and trading platforms; one of the popular ETH-based oracles is Chainlink. The report on vulnerabilities says that developers are aware of some of the issues tethered to oracles but “price oracle manipulation is clearly not something that is often considered.”
The blog post adds:
Conversely, exploits based on reentrancy have fallen over the years while exploits based on price…