Oracle Manipulation

Olympix
Dec 15, 2022

Describing the oracle

An oracle connects a blockchain’s On-chain rules with Off-chain services in the real world. Oracles collect information from Off-chain sources and publish it on the blockchain network for use by smart contracts. Oracles must remain resistant to manipulation and provide reliable data. In the blockchain system, there are two kinds of oracles: On-chain oracles and Off-chain oracles.

Contrasting On-chain and Off-chain oracles

Off-chain oracles rely on non-blockchain sources for their data. Generally speaking, Off-chain data responds to price fluctuations more slowly than On-chain data, which, depending on the specific application, might be advantageous or unfavorable. Because pushing Off-chain data often involves a small set of informed users, you have to assume that they will always act honestly. The Coinbase Oracle is an example.

On-chain oracles use data sources that originate on the blockchain. Since On-chain data is constantly up to date and does not involve a middleman, attackers can quickly modify it and produce disastrous outcomes. The Uniswap V3 oracle is an example.

Ways to manipulate oracles

Manipulating AMM prices with flash loans

An exploit is simple to carry out if an attacker has access to the price oracle. With a flash loan, the attack proceeds as follows:

  • The attacker takes out a sizable loan against asset A and puts the money in the liquidity pool.
  • Asset A’s price declines relative to all the other assets in the liquidity pool as its supply rises.
  • A modified price feed is provided to the DeFi platforms that use the pool’s price as the On-chain oracle.
  • The attacker can take advantage of this in a variety of ways, for example by purchasing a large amount of asset A at discounted rates, which they use to pay back the flash loan, keeping the remaining amount.

Attackers can frequently use flash loans to control AMM prices and change the current price of any token even before the author’s smart contract looks the token up through blockchain ecosystems and On-chain centralized oracles.

Centralized exchange leaks

If attackers obtain the exchange account’s private key, they can quickly create backup tokens and use them to transfer the entire sum. They can even decide to borrow brand-new collateral tokens that have been diluted, until the oracle displays the revised value.

Arbitrage

If the price reported by different pricing oracles varies, an arbitrageur can use this knowledge to plan an arbitrage. For example, Chainlink refreshes the Dai contract every 24 hours or any time the value changes by 2%. Dai can be purchased for any amount from $0.97 to $1.03. Consequently, Dai can vary within a 2% range in the Chainlink environment without raising any red flags.

Real-world cases of oracle attacks

Case 1: Manipulation of the Synthetix MKR Price

In December 2019, Synthetix came under a price oracle attack. It distinguishes between Off-chain and On-chain price data, which is noteworthy.

The attacker engaged in a number of questionable transactions involving iMKR (inverse MKR) and sMKR. After first acquiring sMKR to go long MKR, the attacker buys MKR in bulk via the Uniswap ETH/MKR pair. The attacker then starts selling their sMKR to obtain a short iMKR position, purchases their MKR again from Uniswap, and continues the procedure.

The attacker trades on Uniswap, which gives them the ability to unilaterally alter the price of MKR in Synthetix. The underlying reason is that MKR lacks sufficient liquidity for arbitrageurs to bring the market price back to its ideal condition, and Synthetix’s Off-chain pricing feed relies on MKR’s On-chain pricing.

This case shows that even when you believe you are using Off-chain market data, you could still be relying on On-chain price data and facing the risks of doing so.

Case 2: the vulnerability in yVault

On July 25, 2020, a flaw in yEarn’s freshly released yVault contract was found.

Users can make money without managing their own assets by putting tokens in the yVault system. The vault internally keeps track of both the total quantity of basic tokens deposited and the yVault tokens distributed. The value of a specific yVault token is determined by the ratio of tokens distributed to tokens deposited. The total revenue generated by the vault is divided among all of the yVault tokens that were issued and, consequently, among all yVault token owners.

Users of the initial yVault can earn USDC yields by contributing liquidity to the Balancer MUSD/USDC pool. BPT tokens, which can be used to buy a stake in the Balancer pool, are given to users who provide liquidity to the pool. As a result, yVault estimates the worth of its holdings from the MUSD/USDC that can be obtained with its BPT.

Although this looks like an appropriate design, the condition of the Balancer liquidity pool during operations is not balanced and must not be relied upon.

Because of the bonding curve that Balancer has chosen in this case, a user moving from USDC to MUSD does not get a 1:1 exchange rate and instead leaves some MUSD in the pool. Attackers can therefore freely control the price and ultimately drain the liquidity from the vaults. This implies that the price of BPT may occasionally increase.

What Steps Can Be Taken to Avoid Oracle Manipulation?

Time-Weighted Average Price (TWAP)

Uniswap V2 added a TWAP oracle for use by On-chain developers. TWAP oracles are extremely resistant to oracle manipulation attacks. However, a TWAP only applies to tokens with existing On-chain liquidity, and its implementation may not be adaptable enough when market volatility is strong.
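
The flash loan steps listed earlier and the TWAP defence can be compared numerically. The Python simulation below is an added example, not code from this article or from Uniswap: it models a simplified constant-product pool without fees, and the reserves, the 30-minute window and the 12-second block time are constructed assumptions.

```python
class Pool:
    """Constant-product pool, asset A against USD, with a V2-style price accumulator."""

    def __init__(self, reserve_a, reserve_usd):
        self.a, self.usd = reserve_a, reserve_usd
        self.cumulative = 0.0   # sum of price * seconds that price was in effect
        self.last_update = 0

    def spot(self):
        return self.usd / self.a            # USD per unit of asset A

    def accumulate(self, now):
        # Credit the price that held since the last update, before reserves change.
        self.cumulative += self.spot() * (now - self.last_update)
        self.last_update = now

    def sell_a(self, amount_a, now):
        self.accumulate(now)
        k = self.a * self.usd
        self.a += amount_a
        usd_out = self.usd - k / self.a
        self.usd -= usd_out
        return usd_out

    def buy_a(self, amount_usd, now):
        self.accumulate(now)
        k = self.a * self.usd
        self.usd += amount_usd
        self.a = k / self.usd


def twap(pool, start_cumulative, start_time, now):
    pool.accumulate(now)
    return (pool.cumulative - start_cumulative) / (now - start_time)


def simulate(held_seconds, window=1800):
    """Skew the pool for held_seconds at the end of the window; return (skewed spot, TWAP)."""
    pool = Pool(1_000.0, 1_000_000.0)        # constructed reserves: 1 A = 1000 USD
    t = window - held_seconds
    usd_out = pool.sell_a(9_000.0, now=t)    # steps 1-2 of the list: supply of A rises
    skewed_spot = pool.spot()                # what a spot-price oracle would report
    pool.buy_a(usd_out, now=window)          # the trade is unwound
    return skewed_spot, twap(pool, 0.0, 0, window)


if __name__ == "__main__":
    for held in (0, 12):                     # same transaction vs. one 12 s block
        spot, avg = simulate(held)
        print(f"held {held:>2}s: spot={spot:.2f} USD, 30-min TWAP={avg:.2f} USD")
```

A skew that is opened and closed within one transaction never reaches the accumulator, and one held for a full block moves the 30-minute average by well under 1% while the spot price falls by 99%.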

Utilize only verified decentralized On-chain oracles

Because of the characteristics of On-chain decentralized oracles, validate the exchange rate they return by comparing it with exchange rate information obtained from other exchanges. It’s also a good idea to use an average of various oracle sources, including centralized and decentralized ones.
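
One way to express this cross-check, as an added example that is not code from the article or from any oracle project: the function name, tuple layout and sample quotes are hypothetical, the default limits reuse the 24-hour and 2% figures from the arbitrage section, and the median is used as the averaging rule, which is a choice of this example.

```python
from statistics import median


class OracleRejected(Exception):
    """Raised when a price must not be used by the consuming logic."""


def validated_price(primary, references, now,
                    max_age=24 * 3600, max_deviation=0.02, min_sources=2):
    """Cross-check a primary oracle quote against independent reference quotes.

    primary and each reference are (price, updated_at) tuples; times are Unix seconds.
    Returns the median of all accepted quotes, or raises OracleRejected.
    """
    price, updated_at = primary
    if price <= 0 or now - updated_at > max_age:
        raise OracleRejected("primary quote is stale or non-positive")

    # Keep only reference quotes that are fresh and sane.
    fresh = [p for p, ts in references if p > 0 and now - ts <= max_age]
    if len(fresh) < min_sources:
        raise OracleRejected("too few fresh reference quotes to cross-check")

    reference = median(fresh)
    deviation = abs(price - reference) / reference
    if deviation > max_deviation:
        raise OracleRejected(f"primary deviates {deviation:.1%} from reference median")

    return median(fresh + [price])


def check(primary, references, now):
    """Helper for the demo: return the price, or the rejection reason as a string."""
    try:
        return validated_price(primary, references, now)
    except OracleRejected as exc:
        return str(exc)


NOW = 1_700_000_000                                            # constructed timestamp
REFS = [(0.99, NOW - 60), (1.01, NOW - 120), (1.00, NOW - 30)]  # constructed quotes

if __name__ == "__main__":
    print(check((1.00, NOW - 15), REFS, NOW))       # consistent quote is accepted
    print(check((0.50, NOW - 15), REFS, NOW))       # skewed pool price is rejected
    print(check((1.00, NOW - 15), REFS[:1], NOW))   # one reference is not enough
```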

Final thoughts

Both On-chain and Off-chain oracles have benefits and drawbacks. The fundamental drawback of On-chain oracles is that they are simple to manipulate. For instance, flash loans can be paired with On-chain oracles as leverage. Many protocols employ Off-chain or hybrid pricing oracles in their smart contracts to lessen the possibility of oracle manipulation.


Originally published at https://www.linkedin.com.
