{"id":"oracle-attacks","version":1,"language":"en","title":"Oracle Attacks","hidden":false,"content":"An **Oracle Attack** refers to a type of cyberattack that exploits vulnerabilities in a computer system's trust in external data sources, known as \"oracles.\" Oracles are third-party data providers that supply information to [smart contracts](https://iq.wiki/wiki/smart-contract) and [decentralized applications](https://iq.wiki/wiki/decentralized-application) (DApps) on [blockchain](https://iq.wiki/wiki/blockchain) networks. These data sources play a critical role in enabling smart contracts to execute autonomously by providing real-world data, such as price feeds, weather conditions, and other external events. [\\[1\\]](#cite-id-4d1g843lf34)[\\[4\\]](#cite-id-pvgmpjp00a)  \n$$widget0 [YOUTUBE@VID](PxcxBR9m8Q0)$$  \n  \n## Nature of Oracle Attacks  \n  \nOracle attacks typically involve manipulating the information provided by oracles to deceive a [smart contract](https://iq.wiki/wiki/smart-contract) or [DApp](https://iq.wiki/wiki/decentralized-application). The goal of these attacks can vary, but often includes financial gain or disrupting the proper functioning of decentralized systems. Attackers may attempt to alter the data feed to trigger unintended actions within smart contracts, leading to undesired outcomes.[\\[2\\]](#cite-id-90eh3gsqnl9)  \n  \n## Types of Oracle Attacks  \n  \n1\\. Price Manipulation: In the context of [decentralized finance](https://iq.wiki/wiki/defi) (DeFi) applications, attackers could manipulate price oracles to provide false pricing data. This can be exploited to execute profitable trades or cause liquidations within lending platforms.[\\[5\\]](#cite-id-rzq11h97qnb)  \n  \n2\\. Tampering with External Data: Attackers might compromise the data source itself or its communication channels to inject false information into the oracle feed. 
For instance, an attacker could falsify weather data used in an insurance [smart contract](https://iq.wiki/wiki/smart-contract) to fraudulently claim compensation.[\\[4\\]](#cite-id-pvgmpjp00a)  \n  \n3\\. [Timestamp](https://iq.wiki/wiki/timestamp) Attacks: Attackers may exploit time-sensitive [smart contracts](https://iq.wiki/wiki/smart-contract) by providing manipulated timestamps through the oracle. This could disrupt the proper execution of time-based functions.  \n  \n## Effects of Oracle Attacks on DeFi Security  \n  \n### Protocol Insolvency  \n  \nOracle manipulation poses challenges for lending protocols and can lead to insolvency on a larger scale. For example, an oracle exploit can trigger the creation of unfavorable debt positions within the protocol, where the value of the collateral falls short of the user's debt. Liquidity providers could then be forced to absorb losses, since borrowers might lack motivation to settle their debt. [\\[2\\]](#cite-id-90eh3gsqnl9)  \n  \n### Potential Economic Failure  \n  \nBeyond the risk of protocol insolvency, oracle attacks can trigger broader economic failures in various contexts. For instance, algorithmic [stablecoins](https://iq.wiki/wiki/stablecoin) and rebase tokens could lose their intended price pegs if oracles inaccurately report price fluctuations. [\\[2\\]](#cite-id-90eh3gsqnl9)  \n  \n### Impact on User Experience  \n  \nTo avert insolvency, [DeFi](https://iq.wiki/wiki/defi) money markets closely monitor the market value of [collateral](https://iq.wiki/wiki/collateral) assets and liquidate debt positions before they reach undercollateralized levels. 
However, these liquidations might be unjustified if the protocol bases its calculations on inaccurate oracle data.[\\[2\\]](#cite-id-90eh3gsqnl9)  \n  \n## Mitigation and Prevention  \n  \nEfforts to mitigate oracle attacks include:  \n  \n1\\. Multiple Oracles: Using multiple independent oracles and aggregating their data can reduce the risk of manipulation by a single malicious source.[\\[3\\]](#cite-id-nlqez4qx647)  \n  \n2\\. Decentralized Oracles: Utilizing decentralized oracle networks that source data from various providers and employ consensus mechanisms can make it more difficult for attackers to manipulate data feeds.[\\[2\\]](#cite-id-90eh3gsqnl9)[\\[3\\]](#cite-id-nlqez4qx647)  \n  \n3\\. Economic Incentives: Designing mechanisms that encourage honest behaviour among oracle providers, such as requiring [collateral](https://iq.wiki/wiki/collateral) or [staking](https://iq.wiki/wiki/staking), can discourage malicious activity.[\\[4\\]](#cite-id-pvgmpjp00a)  \n  \n4\\. Oracle Upgrades and Governance: Periodically updating and improving oracle designs while involving community governance can help address emerging vulnerabilities. [\\[4\\]](#cite-id-pvgmpjp00a)[\\[5\\]](#cite-id-rzq11h97qnb)  \n  \n## Examples of Oracle Attacks  \n  \n* In December 2019, [Synthetix](https://iq.wiki/wiki/synthetix) experienced another attack attributed to price oracle manipulation. Significantly, this incident blurred the boundary between on-chain and off-chain price data. [\\[5\\]](#cite-id-rzq11h97qnb)  \n* During the [Harvest Finance](https://iq.wiki/wiki/harvest-finance) hack, the attacker managed to breach the protocol's pools by executing a flash loan attack involving a type of oracle attack. In this incident, the hacker manipulated the value of [USDC](https://iq.wiki/wiki/usdc) within the Curve pool by conducting a trade that decreased its price. 
Subsequently, the attacker entered the Harvest pool at the manipulated lower price, restored the USDC value to its original state by reversing the trade, and then exited the pool at an elevated price.[\\[3\\]](#cite-id-nlqez4qx647)[\\[5\\]](#cite-id-rzq11h97qnb)[\\[6\\]](#cite-id-bmr7qqrc517)  \n* In a separate incident, a breach occurred on [bZx](https://iq.wiki/wiki/bzx), an [Ethereum](https://iq.wiki/wiki/ethereum)-based lending protocol, where an attacker exploited a vulnerability to create an under-collateralized position. This exploitation led to the attacker gaining around $370,000 in profit while causing a significant equity loss of approximately $620,000 within the [bZx](https://iq.wiki/wiki/bzx) lending pool.[\\[3\\]](#cite-id-nlqez4qx647)","summary":"An Oracle Attack is a cyberattack that exploits vulnerabilities in a system's trust in oracles, potentially manipulating data supplied to blockchain smart contr...","categories":[{"id":"defi","title":"Decentralized Finance"}],"promoted":0,"tags":[{"id":"Glossary"}],"metadata":[{"id":"references","value":"[{\"id\":\"4d1g843lf34\",\"url\":\"https://www2.deloitte.com/content/dam/Deloitte/tr/Documents/technology-media-telecommunications/Blockchain-and-Cyber.pdf\",\"description\":\"The Achilles’ Heel of DeFi: Understanding Oracle Manipulation\",\"timestamp\":1692353659802},{\"id\":\"90eh3gsqnl9\",\"url\":\"https://www.halborn.com/blog/post/what-is-oracle-manipulation-a-comprehensive-guide\",\"description\":\"WHAT IS ORACLE MANIPULATION? 
A COMPREHENSIVE GUIDE\",\"timestamp\":1692354291789},{\"id\":\"nlqez4qx647\",\"url\":\"https://hydnsec.medium.com/the-dangers-of-oracle-manipulation-in-blockchain-systems-understanding-and-mitigation-strategies-598d1be0df66\",\"description\":\"The Dangers of Oracle Manipulation in Blockchain Systems:\",\"timestamp\":1692354778735},{\"id\":\"pvgmpjp00a\",\"url\":\"https://www.bitdegree.org/crypto/learn/crypto-terms/what-is-oracle-manipulation\",\"description\":\"What is Oracle Manipulation?\",\"timestamp\":1692355049783},{\"id\":\"rzq11h97qnb\",\"url\":\"https://medium.com/beaver-smartcontract-security/defi-security-lecture-7-price-oracle-manipulation-d716cdeaaf77\",\"description\":\"DeFi Security Lecture 7 —Price Oracle Manipulation\",\"timestamp\":1692355116712},{\"id\":\"bmr7qqrc517\",\"url\":\"https://coinmarketcap.com/alexandria/glossary/oracle-manipulation\",\"description\":\"Oracle Manipulation\",\"timestamp\":1692355845491}]"},{"id":"previous_cid","value":"QmdvEddszktksdouhmxt1EtqC9rLY7mbHfVfX5veNmBuei"}],"user":{"id":"0x2E66379061a2A39ccf38cE73d6144665C7eDC3E1"},"author":{"id":"0x8eBEb49FEFC02bd8C053F588F58A85e72E4cF9C9","profile":{"username":"Tobiloba_Ogunwusi","avatar":""}},"media":[{"name":"PxcxBR9m8Q0","id":"https://www.youtube.com/watch?v=PxcxBR9m8Q0","size":"0","type":null,"source":"YOUTUBE"}],"views":17,"events":[],"ipfs":"QmdvEddszktksdouhmxt1EtqC9rLY7mbHfVfX5veNmBuei","transactionHash":"0x910f9437cd712a8be2fe573424b5287e2e66988aa53a4020ade2841189f539c1","created":"2023-08-18T11:24:33.211Z","updated":"2023-08-18T11:24:33.211Z","images":[{"id":"QmeEXHH99tydBsk3fkLaRgYJwjxR3PLcBn2M26dvasbNk2","type":"image/jpeg, image/png"}],"linkedWikis":null}