< Return

Understanding the Recent Oracle Manipulation Attack: A Deep Dive

July 17, 2024

In the world of DeFi, the integrity of oracles is crucial for maintaining fair and accurate prices across platforms. Oracles serve as external data providers that supply smart contracts with real-world information, such as price feeds. However, as this recent attack demonstrated, even a small bug in an oracle can result in a severe vulnerability.

This incident involved a stableswap pool, where a bug in the oracle mechanism led to significant losses. Importantly, this specific pool was flagged in previous audits, and efforts were made to prevent its usage due to the underlying issue.

The Attack Unveiled

This vulnerability was not triggered by manipulating any Exponential Moving Average (EMA) oracles, but rather due to a faulty oracle in a specific stableswap pool. The exploit was triggered by a remove liquidity imbalance call, which worsened the inaccuracies in the oracle’s price feed and led to a chain of events culminating in the attack.

The Flawed Oracle Mechanism

The root cause of the attack was a bug within the oracle of this specific stableswap pool. The protocol’s oracle had a flaw in its median price calculation that caused it to return prices that didn’t reflect actual market conditions. This flaw was a combination of two different oracle systems, and their interaction introduced inaccuracies.

Notably, this particular pool had been identified as problematic during audits, and recommendations were made to avoid using it. Unfortunately, those warnings went unheeded, leading to the oracle bug being exploited in this attack.

Learn more about the stableswap pool oracle mechanism and the second audit that flagged this issue.

Oracle Triggered by Liquidity Imbalance

The attack was set off by a remove liquidity imbalance call, which further worsened the already inaccurate readings of the stableswap pool’s oracle. As the liquidity imbalance increased, the median price generated by the oracle became increasingly disconnected from real market prices. The oracle’s inherent bug was exacerbated by this imbalance, eventually allowing the attacker to manipulate prices and extract funds.

Compounded Errors: Median Price Discrepancy

The bug in the oracle’s design resulted in a situation where the median price didn’t reflect any of the 11 input prices it was supposed to calculate. This discrepancy became especially dangerous when triggered by the liquidity imbalance, as the reported median price diverged sharply from the actual trading price.

Additionally, the oracle’s output prices were in sUSDE, while the input prices were in USDE. The conversion between these two values was controlled by an owner-defined conversion factor, which had been incorrectly set months prior. This compounded the inaccuracies, adding further instability to the pool.

Efforts to Avoid the Pool

From the outset, experts in the DeFi space, including those conducting the audits, had advised against using this specific liquidity pool due to the known oracle issue. Efforts were made to migrate users to other pools and discourage its use. However, the advice was not widely followed, and this contributed to the vulnerability remaining exploitable.

The Multisig Vulnerability

One of the additional factors that compounded this vulnerability was the ability for the conversion factor to be manipulated by a 2-of-N multisig setup. This allowed a small group of individuals to alter the conversion factor infinitely, further exacerbating the inaccurate prices being fed to the oracle.

Learn more about why multisig setups are crucial in DeFi.

Fuzzland’s Solution: Blaz+ Suite

At Fuzzland, we understand the critical role of oracles in DeFi and the potential risks associated with their manipulation. Our Blaz+ suite, consisting of Blaz+ Alert, Blaz+ Analysis, and Blaz+ Mitigation, is designed to proactively identify and mitigate such vulnerabilities.

Blaz+ Mitigation intervenes in real-time, using mempool analysis to front-run and back-run potential attacks. Whether it’s an oracle manipulation or a liquidity imbalance exploit, Blaz+ Mitigation neutralizes threats before they can cause harm.

Blaz+ Analysis performs 24/7 on-chain penetration testing of your smart contracts, detecting vulnerabilities like oracle bugs before they can be exploited. Leveraging AI-driven fuzzing and formal verification techniques, Blaz+ Analysis ensures your on-chain assets remain secure.

Blaz+ Alert notifies you in real time of any abnormal activities in your contracts, such as changes in oracle spot prices or discrepancies in median price calculations. These alerts enable swift responses, minimizing the risk of exploitation.

Implications for DeFi Security

This attack serves as a reminder that even minor bugs in an oracle can lead to catastrophic losses if left unaddressed. It also emphasizes the need for continuous, real-time monitoring and proactive defense mechanisms to safeguard DeFi protocols.

About Fuzzland

Fuzzland is a leading innovator in smart contract security, dedicated to making the Web3 space safer and more reliable. Specializing in automated smart contract analysis, Fuzzland leverages advanced techniques such as AI, static analysis, fuzzing, and formal verification to identify and mitigate vulnerabilities in decentralized networks. Our platform has been instrumental in preventing high-profile security breaches, safeguarding millions in assets, and setting new standards in blockchain security. With a commitment to proactive security measures and continuous innovation, Fuzzland is at the forefront of protecting the next generation of decentralized finance and blockchain ecosystems. Follow Fuzzlands work and get in touch today: Website | X | LinkedIn