Price Oracle Exploits and the Importance of Market Coverage

In this thread, we attempt to further the discussion of a key problem in the oracle category and evolve our understanding of the space where research work has not yet answered the specific problem or question being considered.

With DeFi scaling to secure a growing amount of value in user deposited funds, it has increasingly become the subject of malicious entities attempting to subvert protocols for their own financial gain at the direct expense of innocent users. One of the most frequently exploited attack vectors targeted by malicious actors is the price oracle, which serves as a mechanism for valuing assets within a protocol. Without accurate price oracles that track the true market-wide price, DeFi protocols cannot safely execute critical functions like issuing loans at the fair market price, checking collateralization ratios, settling futures/options contracts, trading synthetic assets, and more.

As evidenced by the numerous recent oracle exploits in the DeFi space, it has become clear many DeFi protocols are still using oracle mechanisms that are vulnerable to manipulation and insufficient for securing high value contracts. The most common exploits have been caused by a lack of market coverage, where the oracle mechanism only pulls data from just one or a few exchanges, tracking only a small subsection of the total market. Without full market coverage (achieved by tracking all exchanges), these price oracles can become out of sync with the rest of the trading market and end up delivering inaccurate pricing data to DeFi applications that do not reflect the true market-wide price.

Such market coverage issues are exploited further through the use of flash loans, which are temporary on-chain loans that are issued and paid back within a single on-chain transaction, otherwise it reverts. This permissionless access to a large amount of capital can be used to execute large trades to distort the exchange rate of assets on a decentralized exchange (DEX) outside of the true market price across all other exchanges. Malicious actors can then use this mispricing to siphon funds from DeFi protocols using the manipulated DEX as its sole price oracle mechanism. Over the past few months, over $100M has been stolen from DeFi applications using price oracles without market coverage, often caused by the usage of a DEX-based oracle that had been flash loan attacked.

Additionally, such market coverage issues have also affected price oracles that fetch data from one or a small number of off-chain centralized exchanges, as they too can be manipulated to become out of sync with the rest of the trading market.

The natural question is, how can developers determine if an oracle mechanism provides market coverage and resistance to flash loan issues? Some questions to ask include:

  • Is the oracle only tracking one or a small number of exchanges?

  • Is data being collected from both on-chain and off-chain exchanges?

  • Does the oracle fetch directly from exchanges or from data aggregators?

  • How many individual data sources does the oracle pull from?

  • How is continuous market coverage ensured into the future?

With this context and relevant questions in mind, I am curious about others’ thoughts regarding the importance of market coverage and flash loan resistance in price oracle mechanism. What steps can be taken to ensure this knowledge can become more widely recognized in the DeFi development community to prevent oracle exploits happening again into the future?

4 Likes

Market coverage is probably one of the biggest issues price oracle solutions face today in my opinion. Price oracles without market coverage have already been manipulated, causing millions of user funds to be lost within DeFi applications these past couple months alone. The latest I can recall is Compound Finance, which used a price oracle that only fetched data from Coinbase and led to around $90M in false liquidations.

However, not all price oracle mechanisms are vulnerable to centralization risk and rapid volume shifts. Chainlink Price Feeds can provide full market coverage as they fetch data from multiple data aggregation firms like CoinGecko, Bravenewcoin, Amberdata, etc. Each data aggregation firm individually fetches data from hundreds of exchanges (on-chain and off-chain) to generate a volume-weighted price that also accounts for fake volume and outliers. This is how proper market coverage is achieved and maintained even as volume shifts across different exchanges.

I think the takeaway here is that there are really two issues: 1) the oracle delivery problem (how do we get data on-chain reliably) and 2) the data quality problem (how do we ensure the data is trustworthy and worth posting on-chain). Market coverage falls into the latter category, but given both problems are interconnected, it’s something smart contract developers need to watch out for when using oracles.

1 Like