In DeFi, oracles play an important role because they connect external data to the blockchain. This significantly expands what smart contracts can do, allowing them to act on information from the real world.
Yet, oracles are not perfect and the technology does not always work as it should. Oracles may fall victim to manipulations or rely on incorrect data reporting and thus fail their users.
What kinds of failures can oracles experience, and what can be done to prevent them? Read on to find out.
As mentioned above, an oracle is an entity that connects the blockchain with external systems. Thus, it feeds the blockchain with real-world data and enables smart contracts to execute in accordance with this information.
In their essence, blockchain oracles fall into two broad categories:
As you may guess, there are many ways for things to go wrong when centralized oracles are involved. Therefore, the trustworthiness of such oracles is disputable.
With the lack of an unbiased source of truth, centralized oracles can easily fall victim to external manipulations.
For example, an oracle may report an event that never occurred or fail to provide the required data to the blockchain at all. Alternatively, it may send two conflicting pieces of data to the blockchain at the same time and simply break the logic of the smart contract that operates on this information.
Having spotted such abnormalities, malicious actors can perform different attacks to steal funds from DeFi services. Let’s investigate some real-world examples of such attacks.
There are many cases of oracles failing to provide correct data to those who requested it. We’ve listed some of the most notable events below.
In November 2020, the decentralized exchange Compound lost around $89 million after an exploit of an oracle provided by the centralized platform Coinbase.
As a DeFi protocol, Compound enables its users to borrow crypto on a peer-to-peer basis by providing collateral to secure the loan. The value of the collateral must be higher than the borrowed sum to avoid losses due to market volatility. If the value of the collateral drops below a predefined level, the position gets liquidated automatically.
To estimate this value, Compound relied on the data provided by Coinbase Pro. Presumably due to an exploit, the oracle fed the smart contract an incorrect price of DAI, $1.3 instead of the normal $1, which resulted in massive liquidations.
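The effect of such a mispriced feed on a loan, as an added example (not Compound's code): a simplified model in which the 125% liquidation threshold, the position size and the function names are assumptions. It also shows a median over several independent sources that refuses to price when they disagree.

```python
from decimal import Decimal as D
from statistics import median

LIQUIDATION_RATIO = D("1.25")  # assumed threshold: collateral >= 125% of debt value

def collateral_ratio(collateral_usd, debt_tokens, debt_price):
    """USD value of the collateral divided by USD value of the borrowed tokens."""
    return collateral_usd / (debt_tokens * debt_price)

def is_liquidatable(collateral_usd, debt_tokens, debt_price):
    """True when the position has fallen below the liquidation threshold."""
    return collateral_ratio(collateral_usd, debt_tokens, debt_price) < LIQUIDATION_RATIO

def aggregate_price(reports, max_dev=D("0.05"), quorum=2):
    """Median of independent reports. Fails closed unless at least `quorum`
    reports sit within `max_dev` (relative) of that median."""
    if not reports:
        raise ValueError("no price reports")
    mid = median(reports)
    agreeing = [p for p in reports if abs(p - mid) / mid <= max_dev]
    if len(agreeing) < quorum:
        raise ValueError("price sources disagree; refusing to price")
    return mid

# Constructed position: 1,500 USD of collateral backing 1,000 borrowed DAI.
COLLATERAL, DEBT = D("1500"), D("1000")

if __name__ == "__main__":
    # Same position, two oracle prices: the correct one and the bad report.
    for price in (D("1.00"), D("1.30")):
        ratio = collateral_ratio(COLLATERAL, DEBT, price).quantize(D("0.01"))
        print(price, ratio, is_liquidatable(COLLATERAL, DEBT, price))
    # Three constructed reports, one of them the outlier: the median ignores it.
    print(aggregate_price([D("1.00"), D("1.30"), D("1.001")]))
```

Nothing about the borrower's position changes between the two runs; only the reported price of the debt asset does, which is why a single-source feed becomes a liquidation trigger.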
In June 2019, another DeFi platform, Synthetix, almost lost $1 billion as a result of incorrect data that it obtained from an oracle.
Synthetix operates mostly with non-crypto assets such as fiat-based currencies. To provide its users with pricing data, it relied on a number of centralized off-chain oracles. One of these oracles happened to report incorrect data for the price of the Korean Won, making it 1000x higher.
A sophisticated bot trained to spot such abnormalities exploited this discrepancy getting away with a solid sum of money. Luckily for the platform, the creator of this bot later agreed to return the funds.
BZx is a cryptocurrency platform where users can borrow and lend crypto in a completely decentralized way.
In February 2020, it experienced a series of attacks as an unknown hacker discovered a vulnerability in Kyber Network, a single price oracle that the platform relied on.
The attackers managed to manipulate the prices of wBTC and sUSD on Uniswap. Since Kyber relied on the reserves of this platform, the changes in prices on Uniswap inevitably influenced the prices on Kyber as well.
Eventually, the oracle was misled by incorrect prices which resulted in a loss of around $1 million in crypto.
The case of an oracle exploit associated with Mango Markets, a Solana-based DeFi platform, is particularly interesting.
The hacker who manipulated the price of the $MNGO token through an oracle identified himself publicly as Avraham Eisenberg afterward. What’s more, he claimed that his actions were actually legal, being nothing but a “profitable trading strategy”.
Statement on recent events:
I was involved with a team that operated a highly profitable trading strategy last week.
— Avraham Eisenberg (@avi_eisen) October 15, 2022
Mango Markets used oracles for $MNGO price calculation via moving averages from a few exchanges.
The security auditing company OtterSec stated on Twitter that the attacker was able to manipulate the Mango collateral, spiking its value and then taking “massive loans” from the platform’s treasury.
Later Eisenberg proposed returning $67 million and keeping the remaining $47 million as a bug bounty. The proposal was supported by the community, but the hacker still faced a lawsuit from the platform and a complaint from the SEC afterward.
Just like many other DeFi solutions, Liquid Loans relies on an oracle for various purposes.
It obtains price feeds for PLS and USDL to calculate the collateral ratio in the vaults, to mint USDL from collateralized PLS, to enable users to redeem USDL for a dollar’s worth of PLS, etc.
This oracle may also fall victim to different types of external influence. For example, the price of PLS that it obtains from external sources may be too low. This would result in massive liquidations and money losses, while the oracle itself may freeze or go offline.
To address this problem, Liquid Loans utilizes two different approaches: a truly decentralized Fetch oracle and a number of backup oracles.
As a fully decentralized blockchain oracle running on PulseChain, Fetch Oracle represents a much more reliable solution than any centralized version available today.
It obtains the data from a decentralized network of reporters who are incentivized to provide accurate data and, conversely, are penalized when they submit incorrect information.
In the case of incorrect data, other participants may “dispute” it. The data is then sent off chain, where it becomes subject to voting. Thus, such a method eliminates the chance of an oracle failure and makes the whole system much more secure.
Although the primary oracle should never fail, it is always smart to have a backup or two in case this happens.
Many projects have a secondary oracle, such as Chainlink, to step in while the primary oracle is fixed.
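One way a primary/backup arrangement can decide which price to trust, as an added example that is not Liquid Loans' or Fetch Oracle's code. The thresholds, the names and the sample reports in the test are assumptions; the logic covers the failure modes named above: a frozen or offline feed and a price that is suddenly far too low.

```python
from dataclasses import dataclass
from decimal import Decimal as D
from typing import Optional

MAX_AGE = 4 * 3600        # assumed: older reports count as frozen or offline
MAX_JUMP = D("0.50")      # assumed: larger moves vs. last accepted price need confirmation
MAX_DISAGREE = D("0.05")  # assumed: feeds within 5% of each other "agree"

@dataclass
class Report:
    price: D
    timestamp: int  # unix seconds

def is_live(r: Optional[Report], now: int) -> bool:
    """A report is usable only if present, positive and recent."""
    return r is not None and r.price > 0 and 0 <= now - r.timestamp <= MAX_AGE

def rel_diff(a: D, b: D) -> D:
    """Relative difference between two positive prices."""
    return abs(a - b) / max(a, b)

def select_price(primary, backup, now, last_good):
    """Return (price, source) from primary, backup or the last accepted price."""
    p_live, b_live = is_live(primary, now), is_live(backup, now)
    if p_live:
        # Normal case: the primary is fresh and moved plausibly.
        if rel_diff(primary.price, last_good) <= MAX_JUMP:
            return primary.price, "primary"
        # A large move is accepted only when the backup independently confirms it.
        if b_live and rel_diff(primary.price, backup.price) <= MAX_DISAGREE:
            return primary.price, "primary-confirmed"
    # Primary frozen, offline or implausible: use the backup if it is sane.
    if b_live and rel_diff(backup.price, last_good) <= MAX_JUMP:
        return backup.price, "backup"
    # Neither feed can be trusted: keep the last accepted price.
    return last_good, "last-good"
```

Holding the last accepted price is itself a trade-off: it avoids acting on a bad report but leaves the system pricing on stale data until a feed recovers.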
Kate is a blockchain specialist, enthusiast, and adopter, who loves writing about complex technologies and explaining them in simple words. Kate features regularly for Liquid Loans, plus Cointelegraph, Nomics, Cryptopay, ByBit and more.