List of Oracle Manipulation Exploits/Hacks in Crypto — ImmuneBytes

ImmuneBytes
May 30, 2024

Oracle price manipulation attacks in crypto involve exploiting vulnerabilities in the way price oracles provide asset price data to decentralized finance (DeFi) protocols. Oracles are essential components in the DeFi ecosystem because they bridge the gap between off-chain data (like asset prices) and on-chain smart contracts. When these oracles are manipulated, attackers can feed incorrect price data to DeFi protocols, leading to significant financial losses.


+-----------------------------------+--------------------------+--------------------+-------------------+------------------------------------------------------------------------------+-----------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------+
| Project | Date of Exploit | Exploit Amt. (USD) | Blockchain | Type of Exploit | Type of Contract | Exploited Contract Address | Exploit Transaction |
+-----------------------------------+--------------------------+--------------------+-------------------+------------------------------------------------------------------------------+-----------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------+
| ParaLuni | 2023-12-23T00:00:00.000Z | 336000 | BNB Chain | Price/Oracle Manipulation | | https://bscscan.com/address/0x9db1d695ea7231e5f800701524e712c06c8676b6 | https://bscscan.com/tx/0x147b621fbff03b98b57829585ae89e091f8a440f9137b81707493396aa84d0b1 |
| Carol Protocol | 2023-12-01T00:00:00.000Z | 53000 | BNB Chain | Smart Contracts Vulnerability, Price/Oracle Manipulation | | https://basescan.org/address/0x26fe408bbd7a490feb056da8e2d1e007938e5685 | |
| dy/dx | 2023-11-18T00:00:00.000Z | 9000000 | | Price/Oracle Manipulation | | | |
| Harbor Protocol | 2023-08-19T00:00:00.000Z | 289000 | Ethereum | Price/Oracle Manipulation | DeFi | | |
| Zunami Protocol | 2023-08-14T00:00:00.000Z | 2000000 | Ethereum | Price/Oracle Manipulation | Generate Yield | https://etherscan.io/address/0xa21a2b59d80dc42d332f778cbb9ea127100e5d75 | https://etherscan.io/tx/0x0788ba222970c7c68a738b0e08fb197e669e61f9b226ceec4cab9b85abe8cceb |
| LeetSwap | 2023-08-01T00:00:00.000Z | 620000 | | Smart Contracts Vulnerability, Price/Oracle Manipulation | DEX | | |
| Rodeo Finance | 2023-07-11T00:00:00.000Z | 888000 | Arbitrum | Price/Oracle Manipulation | Generate Yield | https://arbiscan.io/address/0xe9544ee39821f72c4fc87a5588522230e340aa54 | https://arbiscan.io/tx/0x98f1e234faac8b7f7ceaffe4e8e0581038678d95710b646db45ec3de47e6c3af |
| Themis Protocol | 2023-06-28T00:00:00.000Z | 365000 | Arbitrum | Price/Oracle Manipulation | Lending and Borrowing | https://arbiscan.io/address/0x75f805e2fb248462e7817f0230b36e9fae0280fc | https://arbiscan.io/tx/0xff368294ccb3cd6e7e263526b5c820b22dea2b2fd8617119ba5c3ab8417403d8 |
| Sturdy Finance | 2023-06-12T00:00:00.000Z | 775000 | Ethereum | Price/Oracle Manipulation | DeFi | https://etherscan.io/address/0x59276455177429ae2af1cc62B77AE31B34EC3890 | https://etherscan.io/tx/0xeb87ebc0a18aca7d2a9ffcabf61aa69c9e8d3c6efade9e2303f8857717fb9eb7 |
| ERC20TokenBank | 2023-05-31T00:00:00.000Z | 112986 | Ethereum | Price/Oracle Manipulation | Tokens | | https://etherscan.io/tx/0x578a195e05f04b19fd8af6358dc6407aa1add87c3167f053beb990d6b4735f26 |
| EDE Finance | 2023-05-29T00:00:00.000Z | 658370 | Arbitrum | Price/Oracle Manipulation | DEX | https://arbiscan.io/address/0x171c01883460b83144c2098101cd57273b72a054#code | https://arbiscan.io/tx/0x3758a4b7338d8c3bd39072221ff3b6b6a59d36f3d885934f1b0081877f35163e |
| Jimbos Protocol | 2023-05-28T00:00:00.000Z | 7500000 | Arbitrum | Flash Loan Attacks, Smart Contracts Vulnerability, Price/Oracle Manipulation | DeFi | https://arbiscan.io/address/0x271944d9D8CA831F7c0dBCb20C4ee482376d6DE7 | https://arbiscan.io/tx/0x44a0f5650a038ab522087c02f734b80e6c748afb207995e757ed67ca037a5eda |
| WEEB Token | 2023-05-10T00:00:00.000Z | 30689 | Ethereum | Flash Loan Attacks, Price/Oracle Manipulation | Tokens | https://etherscan.io/token/0x9e3d5b091e7728080d9b2e1aaf20ee63db6b65bb | https://etherscan.io/tx/0xcb58fb952914896b35d909136b9f719b71fc8bc60b59853459fc2476d4369c3a |
| Neverfall Protocol | 2023-05-04T00:00:00.000Z | 75000 | BNB Chain | Price/Oracle Manipulation | DeFi | https://bscscan.com/token/0x5abde8b434133c98c36f4b21476791d95d888bf5 | https://bscscan.com/tx/0xccf513fa8a8ed762487a0dcfa54aa65c74285de1bc517bd68dbafa2813e4b7cb |
| ForTubeFi | 2023-04-28T00:00:00.000Z | 60000 | Ethereum | Flash Loan Attacks, Price/Oracle Manipulation | DeFi | https://etherscan.io/token/0xdb694cb2b58f66c5e79ff272df37ecb46dc31add | https://etherscan.io/tx/0x4b4fa751b2cb82ff9aa53406f48e83a44babb7c60d2354e13905efa7a2ddffe7 |
| Ovix Protocol | 2023-04-28T00:00:00.000Z | 2000000 | Polygon | Price/Oracle Manipulation, Improper Calculations | DeFi | https://polygonscan.com/token/0x51195e21bdae8722b29919db56d95ef51faeca6c | https://polygonscan.com/tx/0x10f2c28f5d6cd8d7b56210b4d5e0cece27e45a30808cd3d3443c05d4275bb008 |
| XBN Token | 2023-04-19T00:00:00.000Z | 10000 | BNB Chain | Flash Loan Attacks, Price/Oracle Manipulation | Tokens | https://bscscan.com/address/0x0321394309CaD7E0E424650844c3AB3b659315d3 | https://bscscan.com/tx/0x3b698ba37f33ac0f822a0de7e097126d71e8216bf59ec9b2e6044df7d4f40296 |
| Allbridge | 2023-04-02T00:00:00.000Z | 570000 | BNB Chain | Price/Oracle Manipulation | Bridge | | https://bscscan.com/tx/0x7ff1364c3b3b296b411965339ed956da5d17058f3164425ce800d64f1aef8210 |
| Definix | 2023-03-17T00:00:00.000Z | 17318 | BNB Chain | Price/Oracle Manipulation | DeFi | | |
| DKP Token | 2023-03-08T00:00:00.000Z | 80000 | BNB Chain | Flash Loan Attacks, Price/Oracle Manipulation | Tokens | | |
| TenderFi | 2023-03-07T00:00:00.000Z | 1590000 | Arbitrum | Price/Oracle Manipulation | DeFi | | |
| DAYUDAO Token | 2023-02-08T00:00:00.000Z | 3300 | BNB Chain | Price/Oracle Manipulation, Flash Loan Attacks | Tokens | | |
| BonqDAO | 2023-02-02T00:00:00.000Z | 120000000 | Polygon | Price/Oracle Manipulation | DAO | | |
| BEVO NFT Art Token | 2023-01-30T00:00:00.000Z | 44000 | BNB Chain | Flash Loan Attacks, Price/Oracle Manipulation | Tokens | | |
| Upswing Finance | 2023-01-18T00:00:00.000Z | 35500 | Ethereum | Price/Oracle Manipulation | DeFi | | |
| 520 token | 2023-01-16T00:00:00.000Z | 11561 | BNB Chain | Price/Oracle Manipulation | Tokens | | |
| Roe Finance | 2023-01-11T00:00:00.000Z | 80000 | Ethereum | Flash Loan Attacks, Price/Oracle Manipulation | DeFi | | |
| Defrost Finance | 2022-12-23T00:00:00.000Z | 173000 | Avalanche C Chain | Smart Contracts Vulnerability, Price/Oracle Manipulation | DeFi | 0xff152e21c5a511c478ed23d1b89bb9391be6de96 | |
| Kashi Medium Risk Chainlink Token | 2022-12-17T00:00:00.000Z | 50000 | Ethereum | Price/Oracle Manipulation | ERC20 | 0x4f68e70e3a5308d759961643afcadfc6f74b30f4 | |
| FPR ($FPR) | 2022-12-15T00:00:00.000Z | 30000 | BNB Chain | Price/Oracle Manipulation | DeFi | 0xA9c7ec037797DC6E3F9255fFDe422DA6bF96024d | |
| Nimbus Platform | 2022-12-14T00:00:00.000Z | 76415 | BNB Chain | Price/Oracle Manipulation | DeFi | 0x99c486b908434ae4adf567e9990a929854d0c955 | |
| Lodestar Finance | 2022-12-10T00:00:00.000Z | 6500000 | Ethereum | Smart Contracts Vulnerability, Price/Oracle Manipulation | DeFi | | |
| TiFi Token | 2022-12-10T00:00:00.000Z | 25000 | BNB Chain | Price/Oracle Manipulation | Tokens | 0x1c5272ce35338c57c6b9ea710a09766a17bbf14b61438940c3072ed49bfec402 | |
| Overnight Finance | 2022-12-02T00:00:00.000Z | 175188.24 | Avalanche C Chain | Price/Oracle Manipulation | DeFi | 0xfe2C4cB637830B3f1Cdc626b99f31B1fF4842E2C | |
| APC Token | 2022-12-01T00:00:00.000Z | 6126 | BNB Chain | Price/Oracle Manipulation | DeFi | 0x5a88114f02bffb04a9a13a776f592547b3080237 | |
| MBC token | 2022-11-30T00:00:00.000Z | 5600 | BNB Chain | Flash Loan Attacks, Price/Oracle Manipulation | Tokens, DeFi | | |
| Pando | 2022-11-06T00:00:00.000Z | 20000000 | Ethereum | Price/Oracle Manipulation | DeFi | | |
| Bvaults | 2022-11-04T00:00:00.000Z | 5600 | BNB Chain | Price/Oracle Manipulation | DeFi | | |
| USDH (Solend) | 2022-11-02T00:00:00.000Z | 1260000 | Solana | Price/Oracle Manipulation | DeFi | | |
| QuickSwap | 2022-10-24T00:00:00.000Z | 220000 | Polygon | Price/Oracle Manipulation | DeFi | | |
| Health Token | 2022-10-20T00:00:00.000Z | 4480 | BNB Chain | Price/Oracle Manipulation | DeFi | | |
| Moola Market | 2022-10-19T00:00:00.000Z | 8400000 | Celo | Price/Oracle Manipulation | DeFi | | |
| Mango Market | 2022-10-11T00:00:00.000Z | 112000000 | Solana | Price/Oracle Manipulation | DEX | | |
| RES token | 2022-10-06T00:00:00.000Z | 290671 | BNB Chain | Price/Oracle Manipulation | Tokens | | |
| Space Godzilla | 2022-07-13T00:00:00.000Z | 26000 | BNB Chain | Flash Loan Attacks, Price/Oracle Manipulation | DeFi | | |
| Pandora chain DAO | 2022-06-22T00:00:00.000Z | 128222 | BNB Chain | Flash Loan Attacks, Price/Oracle Manipulation | DeFi | | |
| Mirror Protocol | 2022-05-28T00:00:00.000Z | 2000000 | Terra | Price/Oracle Manipulation | DeFi | | |
| Blizz Finance | 2022-05-13T00:00:00.000Z | 21800000 | Avalanche C Chain | Price/Oracle Manipulation | DeFi | | |
| Venus Protocol | 2022-05-13T00:00:00.000Z | 11000000 | BNB Chain | Price/Oracle Manipulation | DeFi | | |
| Fortress Protocol | 2022-05-09T00:00:00.000Z | 3000000 | BNB Chain | Price/Oracle Manipulation | DeFi | | |
| Deus DAO | 2022-04-28T00:00:00.000Z | 13400000 | Fantom | Price/Oracle Manipulation, Flash Loan Attacks | DAO | | |
| Beanstalk Finance | 2022-04-17T00:00:00.000Z | 182000000 | Ethereum | Price/Oracle Manipulation | DeFi | | |
| Elephant Money | 2022-04-12T00:00:00.000Z | 11200000 | BNB Chain | Price/Oracle Manipulation | DeFi | | |
| Inverse Finance | 2022-04-02T00:00:00.000Z | 15600000 | Ethereum | Price/Oracle Manipulation | DeFi | | |
| Cream | 2021-10-27T00:00:00.000Z | 130000000 | Ethereum | Flash Loan Attacks, Price/Oracle Manipulation | DeFi | | |
| Indexed Finance | 2021-10-14T00:00:00.000Z | 16000000 | Ethereum | Flash Loan Attacks, Price/Oracle Manipulation | DeFi | | |
| Vee Finance | 2021-09-21T00:00:00.000Z | 34000000 | Avalanche C Chain | Price/Oracle Manipulation | DeFi | | |
| X-Token | 2021-08-29T00:00:00.000Z | 4500000 | Ethereum | Flash Loan Attacks, Price/Oracle Manipulation | DeFi | | |
| Pancake Bunny | 2021-05-19T00:00:00.000Z | 7000000 | BNB Chain | Price/Oracle Manipulation | DeFi | | |
| Rari Capital | 2021-05-08T00:00:00.000Z | 10000000 | Ethereum | Flash Loan Attacks, Price/Oracle Manipulation | DeFi | | |
| Harvest Finance | 2020-10-26T00:00:00.000Z | 25000000 | Ethereum | Flash Loan Attacks, Price/Oracle Manipulation | DEX | | |
+-----------------------------------+--------------------------+--------------------+-------------------+------------------------------------------------------------------------------+-----------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------+

How Oracle Price Manipulation Attacks Work

  1. Identifying the Oracle Source: Attackers first identify which oracle a DeFi protocol relies on for its price feeds. These oracles can be centralized, relying on a single data source, or decentralized, aggregating data from multiple sources.
  2. Manipulating the Price Feed: Once the oracle source is identified, attackers manipulate the price data that the oracle provides. This can be done in several ways:
     • Manipulating Market Prices: If the oracle uses data from a specific exchange, the attacker can manipulate the price on that exchange by creating large buy or sell orders, thus skewing the price.
     • Flash Loans: Attackers can use flash loans to borrow large amounts of assets, execute trades that artificially inflate or deflate the asset’s price, and then repay the loan within the same transaction.
  3. Exploiting the Manipulated Price: With the manipulated price data, attackers can:
     • Undercollateralize Loans: Borrow more assets than they should be able to, using the inflated value of their collateral.
     • Execute Arbitrage: Buy assets at artificially low prices on one platform and sell them at higher prices on another.
     • Drain Liquidity Pools: Swap assets in liquidity pools at manipulated prices, leading to significant losses for liquidity providers.

Mitigation Strategies

  1. Decentralized Oracles: Using decentralized oracles like Chainlink, which aggregate data from multiple sources, making it harder for a single entity to manipulate the price.
  2. Price Feeds with Time-Weighted Averages: Implementing time-weighted average prices (TWAP) to smooth out price fluctuations and reduce the impact of short-term manipulation.
  3. Circuit Breakers: Introducing mechanisms that pause trading or borrowing if abnormal price fluctuations are detected.
  4. Oracle Diversification: Using multiple oracles and comparing their data to detect and reject outliers.
  5. Liquidity Pool Monitoring: Continuously monitoring liquidity pools for unusual trading activity and adjusting parameters accordingly.
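
How mitigations 2 to 4 above blunt the single-swap price spike described in the attack steps, as an added example that is not part of the original article. The pool sizes, feed values, 30-minute window and 5% deviation threshold are constructed assumptions, and the pool is a simplified fee-less constant-product model.

```python
from statistics import median

class CircuitBreaker(Exception):
    """Raised when no trustworthy price exists (pause borrowing/trading)."""

def spot_after_buy(reserve_x, reserve_y, dy):
    """Spot price (Y per X) of a fee-less constant-product pool after dy of Y is swapped in."""
    k = reserve_x * reserve_y
    new_y = reserve_y + dy
    new_x = k / new_y
    return new_y / new_x

def twap(samples, window):
    """Time-weighted average price over the last `window` seconds.
    samples: time-ordered (timestamp, price); each price holds until the next timestamp."""
    end = samples[-1][0]
    start = end - window
    if samples[0][0] > start:
        raise ValueError("samples do not cover the window")
    weighted = 0.0
    for (t0, price), (t1, _) in zip(samples, samples[1:]):
        lo, hi = max(t0, start), min(t1, end)
        if hi > lo:
            weighted += price * (hi - lo)
    return weighted / window

def guarded_price(sources, twap_price, max_dev=0.05):
    """Median of several feeds with outliers dropped; trips the breaker when the
    surviving median is more than max_dev away from the TWAP."""
    mid = median(sources)
    kept = [p for p in sources if abs(p - mid) / mid <= max_dev]
    if not kept:
        raise CircuitBreaker("feeds disagree with each other")
    price = median(kept)
    if abs(price - twap_price) / twap_price > max_dev:
        raise CircuitBreaker(f"price {price} deviates from TWAP {twap_price}")
    return price

# Constructed scenario: pool of 1,000 X / 2,000,000 Y, i.e. spot 2000 Y per X.
SPIKE = spot_after_buy(1_000, 2_000_000, 2_000_000)    # one large swap
SAMPLES = [(0, 2000.0), (1788, SPIKE), (1800, SPIKE)]  # spike held for one 12 s block
TWAP_30M = twap(SAMPLES, 1800)

if __name__ == "__main__":
    print("spot after swap:", SPIKE)
    print("30 min TWAP:    ", TWAP_30M)
    print("guarded price:  ", guarded_price([SPIKE, 2001.0, 1999.0], TWAP_30M))
```

A protocol that reads the pool's spot price alone would value collateral at four times its worth here; the guarded path drops the outlier feed, and refuses to return a price at all when a majority of feeds move away from the TWAP.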

Oracle price manipulation attacks highlight the importance of robust oracle design and security measures in the DeFi space to ensure the integrity and reliability of price feeds.

Originally published at https://www.immunebytes.com on May 30, 2024.
