Oracles: Unblinding Blockchains - Part II
Apr 27, 2022
Oracle exploits – a history
Many smart contracts rely on oracles to drive critical functionality, and malicious actors exploit these dependencies for profit. As of today, there have been a total of 86 DeFi exploits that lost approximately $3.2b in funds, primarily on Ethereum (55) but also on Binance Smart Chain (21), Avalanche (2), Polygon (2), Solana (2), Fantom (1), Harmony (1), Algorand (1), and Ronin (1). For a comprehensive list, please refer to Cryptosec and Rekt. That Ethereum is such an outlier, even though other chains have flourishing ecosystems as well, indicates that the pivotal innovation in decentralized applications is still happening on Ethereum, and it is novel mechanisms and smart contract designs in particular that introduce vulnerabilities.
An oracle vulnerability usually originates when a protocol executes on compromised, malicious, or inaccurate data feeds, affecting every process linked to that oracle input, from unwarranted liquidations to malicious arbitrage trades. Although flash loans were first introduced in 2018, oracle exploits via this attack vector only gained traction in 2020. Table 1 therefore provides an overview of the most important DeFi exploits in 2020 and shows how a multitude of protocols were not prepared for oracle exploits via flash loans (indicated in red).
Table 1: List of historic DeFi attacks in 2020
For instance, the ninth-largest crypto exploit overall (the largest being the $615m Ronin bridge exploit in March 2022, the $611m hack of Poly Network in August 2021, and the $326m exploit of Wormhole in February 2022) drained the pools of Cream Finance, a decentralized lending protocol, by leveraging a price oracle vulnerability. Being a Compound fork, Cream Finance rapidly expanded towards small caps and derivatives that required a custom oracle proxy. This oracle, which calculated the price per share using on-chain calls into the 4Pool and yUSD contracts, introduced a flash loan attack vector that led to a $130m attack. To this day, flash loans remain one of the most sensitive attack vectors against oracles, see Illustration 1. The trend has not slowed, with 17 successful flash loan attacks in 2022 alone at the time of writing, which further emphasizes the significance of proper security audits, sound smart contract design, and the selection of an adequate oracle implementation.
Illustration 1: History of smart contract exploits with and without flash loans
Oracle attacks and how to prevent them
Among the known smart contract attacks, we find Reentrancy, Frontrunning, Timestamp Dependence, Insecure Arithmetic, Denial of Service, Griefing, Force Feeding, Deprecated/Historical, and finally, Oracle Manipulation, which might be realized via:
- Off-chain infrastructure: the software that transports off-chain data into a smart contract, which exposes weaknesses in access control, cryptographic implementation, transport security, reliability, and database security
- Centralized oracles with trust assumptions: abuse of power by the central entity, such as front-running or data manipulation
- Decentralized oracles: exposed to Sybil, freeloading, and mirroring attacks by network participants who, being economically incentivized, seek to maximize profit or avoid penalties for misbehavior
- On-chain spot price manipulation via flash loans (the most commonly exploited one)
For more information on the various attack vectors, we refer to “The Blockchain Oracle Problem in Decentralized Finance—A Multivocal Approach”.
With flash loans providing the largest attack surface, it is important to understand how they work. A flash loan is an uncollateralized loan issued by a smart contract that is only valid within a single blockchain transaction: if the borrower has not repaid the debt (plus fee) by the end of that transaction, the whole transaction reverts, which is why the lender takes no default risk. Flash loans are commonly used in DeFi exploits and have increasingly been leveraged to fund attacks on DeFi protocols because they provide instant and sizable liquidity to anyone, with no capital of their own required.
Moreover, flash loans pose a risk not only of price manipulation but also of governance manipulation, since governance is often decided by coin-weighted voting among holders of a governance token. Beanstalk, a credit-focused stablecoin protocol running on Ethereum, was exploited in April 2022 by a flash loan attack that borrowed ~$1 billion in assets via Aave to obtain BEANs and with them a 67 percent voting stake in the project. With that stake the attacker had enough voting power to pass proposals instantly. After draining the treasury of about $182 million in various crypto assets, the attacker returned the voting rights, withdrew the money, and repaid the loan, all within 13 seconds. It demonstrates that security precautions such as timelocks are necessary: there has to be sufficient time between a vote and its execution for proposals to be reviewed carefully.
The most common form of attack using flash loans is to manipulate the spot price on a decentralized exchange (DEX) that a protocol uses as its sole price oracle. The sequence of a simple lending attack might look as follows:
- Borrow large amount of token A
- Swap token A for token B on a DEX, therefore, lowering price of token A and increasing price of token B
- Deposit token B as collateral on a DeFi protocol that uses the above DEX as its single price feed, and use the manipulated price to borrow a larger amount of token A than would be possible without manipulation
- Use a portion of borrowed token A to entirely pay back the flash loan and keep the remaining tokens → profit from the protocol’s manipulated price feed
- As the prices of tokens A and B on the DEX get arbitraged back to the overall market price, the DeFi protocol is left with an undercollateralized position
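To make the sequence concrete, here is a small simulation of the steps above, added for this article rather than taken from any protocol's code. It models a constant-product DEX pool (x * y = k with a 0.3% fee, as in Uniswap v2) and a lender that values collateral at whatever its oracle reports; the pool sizes, the 75% loan-to-value ratio and the 0.09% flash loan fee are assumptions. Run against a spot-price oracle, the attacker walks away with about 494,600 A and the lender is left with roughly 996,000 A of bad debt once the price is arbitraged back; run against an oracle that only uses the price from the start of the block (which is what a TWAP accumulator does), the borrow is too small to repay the loan and the transaction reverts.

```python
"""Simulated flash-loan attack on a lender that prices collateral from one DEX's spot price.

Constructed example, not code from any protocol. Curve: constant product (x * y = k) with
a 0.3% swap fee, as in Uniswap v2. The lender, its 75% loan-to-value ratio and the 0.09%
flash-loan fee are assumptions chosen for illustration; all token amounts are made up.
"""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    reserve_a: float
    reserve_b: float
    fee: float = 0.003

    def spot_price_b(self) -> float:
        """Price of 1 B in units of A, read straight from current reserves."""
        return self.reserve_a / self.reserve_b

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell amount_a of A into the pool; returns the B paid out.

        Adding A and removing B along x*y=k raises the spot price of B."""
        amount_in = amount_a * (1 - self.fee)
        amount_out = self.reserve_b * amount_in / (self.reserve_a + amount_in)
        self.reserve_a += amount_a      # the fee stays in the pool
        self.reserve_b -= amount_out
        return amount_out


@dataclass
class Lender:
    liquidity_a: float
    ltv: float = 0.75  # max borrow = collateral value * ltv

    def borrow_a(self, collateral_b: float, price_b: float) -> float:
        """Lend A against B collateral, valued at whatever price the oracle reports."""
        amount = min(collateral_b * price_b * self.ltv, self.liquidity_a)
        self.liquidity_a -= amount
        return amount


FLASH_FEE = 0.0009  # assumption: 0.09% fee on the flash loan


def spot_feed(pool, price_at_block_start):
    """Naive oracle: reads reserves after the attacker's own swap."""
    return pool.spot_price_b()


def block_start_feed(pool, price_at_block_start):
    """Oracle that ignores trades in the current block (what a TWAP accumulator does)."""
    return price_at_block_start


def run_attack(loan_a, pool, lender, price_feed):
    """Steps 1-4 of the sequence above, all inside one transaction.

    Returns (net profit in A, B collateral posted, A borrowed from the lender).
    Raises RuntimeError where the real transaction would revert for lack of repayment."""
    price_at_block_start = pool.spot_price_b()
    collateral_b = pool.swap_a_for_b(loan_a)                 # step 2: push B's price up
    price_b = price_feed(pool, price_at_block_start)
    borrowed_a = lender.borrow_a(collateral_b, price_b)      # step 3: over-borrow
    owed = loan_a * (1 + FLASH_FEE)
    if borrowed_a < owed:                                    # step 4: repay or revert
        raise RuntimeError("flash loan cannot be repaid; transaction reverts")
    return borrowed_a - owed, collateral_b, borrowed_a


def protocol_shortfall(collateral_b, borrowed_a, fair_price_b):
    """Step 5: after arbitrage restores the fair price, the lender's bad debt in A."""
    return borrowed_a - collateral_b * fair_price_b


if __name__ == "__main__":
    pool, lender = ConstantProductPool(1_000_000, 1_000_000), Lender(10_000_000)
    profit, coll, debt = run_attack(1_000_000, pool, lender, spot_feed)
    print(f"spot oracle: profit {profit:,.0f} A, lender shortfall "
          f"{protocol_shortfall(coll, debt, 1.0):,.0f} A")
    try:
        run_attack(1_000_000, ConstantProductPool(1_000_000, 1_000_000),
                   Lender(10_000_000), block_start_feed)
    except RuntimeError as exc:
        print(f"block-start oracle: {exc}")
```

The arithmetic is worth noting: swapping 1,000,000 A into a 1,000,000/1,000,000 pool yields about 499,249 B and leaves the spot price of B at roughly 3.99 A, so the 75% LTV borrow against that collateral is 1,495,500 A against a flash loan debt of 1,000,900 A. The collateral is worth only 499,249 A once the pool is arbitraged back, which is the undercollateralized position the last step describes.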
How can such attacks be prevented? Most of the aforementioned weaknesses of oracle implementations, and most importantly oracle price manipulation via flash loans, are preventable by using either decentralized oracles with proper market coverage (the number of exchanges an asset's price takes into account relative to all exchanges the asset currently trades on) or Time Weighted Average Price (TWAP) oracles. TWAP oracles mitigate flash loan attacks because they average the price over a period of time and ignore any transactions in the current block, so a loan that is borrowed and repaid within one transaction never reaches the oracle. Since TWAP oracles trade security against accuracy, the length of the period they cover has the following implications:
- longer TWAP window: higher tamper-resistance (expensive to manipulate), less accurate data (stale during volatility)
- shorter TWAP window: lower tamper-resistance (cheaper to manipulate), more accurate data during volatility
With TWAP oracles, attacks become less attractive because sustaining a price manipulation across blocks is very expensive once arbitrageurs step in. Moreover, they prevent front-running to a certain degree, as an order executed right before has a less drastic impact on the reported price. Yet a recent paper, “TWAP Oracle Attacks: Easier Done than Said?”, shows that cleverly engineered so-called single-block attacks lower the manipulation resistance of TWAP oracles more than expected, and proposes favoring the median or the geometric mean over the arithmetic mean as a more manipulation-resistant statistic.
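The window trade-off in numbers, as an added example that is not part of the original article or of any oracle project's code: a Uniswap v2-style cumulative price accumulator fed one observation per 12-second block (both assumptions), read over 10-block and 30-block windows. A single manipulated block is diluted by 1/window in the arithmetic TWAP but leaves the median untouched, while a genuine repricing shows the longer window (and the median even more so) lagging the real price; the last two functions put a cost on manipulation by computing how far an attacker must push a constant-product pool, and with how much capital, to shift the TWAP by a given amount.

```python
"""TWAP window length versus manipulation cost and staleness.

Constructed example, not code from any oracle project. Models a Uniswap v2-style
cumulative price accumulator under the assumptions that blocks arrive every 12 seconds
and the pool is updated once per block, so each observation is the pool's price at the
START of its block, i.e. the state left behind by the previous block's last trade.
"""
from math import sqrt
from statistics import geometric_mean, median

BLOCK_TIME = 12  # seconds; assumption


def cumulative_prices(block_start_prices):
    """cumulative[i] = sum over the first i blocks of price * BLOCK_TIME.

    A trade inside block N changes block N+1's observation, never block N's, so a flash
    loan that opens and closes in one transaction never enters the accumulator."""
    cum = [0.0]
    for price in block_start_prices:
        cum.append(cum[-1] + price * BLOCK_TIME)
    return cum


def twap(block_start_prices, window_blocks):
    """Arithmetic TWAP over the last window_blocks blocks: difference of two accumulator reads."""
    cum = cumulative_prices(block_start_prices)
    return (cum[-1] - cum[-1 - window_blocks]) / (window_blocks * BLOCK_TIME)


def median_price(block_start_prices, window_blocks):
    """Median of the observations in the window; one outlier cannot move it."""
    return median(block_start_prices[-window_blocks:])


def geomean_price(block_start_prices, window_blocks):
    """Geometric mean of the window; dampens, but does not ignore, a single spike."""
    return geometric_mean(block_start_prices[-window_blocks:])


def single_block_price_needed(honest_price, target_twap, window_blocks):
    """Price an attacker must leave in the pool at the end of one block to move the TWAP
    from honest_price to target_twap: the outlier is diluted by 1/window_blocks."""
    return honest_price + (target_twap - honest_price) * window_blocks


def capital_to_multiply_price(reserve_a, multiplier):
    """A needed to push a constant-product pool's B price up by `multiplier` (fees ignored):
    the price scales with (reserve_a + dx)^2, so dx = reserve_a * (sqrt(multiplier) - 1).
    That capital sits in the pool across a block boundary, exposed to arbitrage."""
    return reserve_a * (sqrt(multiplier) - 1)


# Constructed price histories, oldest first. Scenario 1: the attacker leaves the pool at 4x
# at the end of the previous block; scenario 2: a genuine repricing to 2.0 five blocks ago.
SINGLE_BLOCK_SPIKE = [1.0] * 29 + [4.0]
GENUINE_MOVE = [1.0] * 25 + [2.0] * 5

if __name__ == "__main__":
    for window in (10, 30):
        print(f"window {window:2d}: spike -> twap {twap(SINGLE_BLOCK_SPIKE, window):.3f}, "
              f"median {median_price(SINGLE_BLOCK_SPIKE, window):.3f}, "
              f"geomean {geomean_price(SINGLE_BLOCK_SPIKE, window):.3f}; "
              f"real move -> twap {twap(GENUINE_MOVE, window):.3f}, "
              f"median {median_price(GENUINE_MOVE, window):.3f}")
    need = single_block_price_needed(1.0, 1.5, 30)
    print(f"to lift a 30-block TWAP by 50% in one block: leave the price at {need:.0f}x, "
          f"costing {capital_to_multiply_price(1_000_000, need):,.0f} A on a 1M-A pool")
```

Lifting a 30-block TWAP by 50% in a single block requires leaving the pool at 16x the honest price, which on a pool holding 1,000,000 A means swapping in about 3,000,000 A and leaving it there across a block boundary for arbitrageurs to pick off; the same move against a 10-block window needs only 6x and about 1,450,000 A. That asymmetry is the "expensive to manipulate" side of the trade-off, and the genuine-move scenario is the "stale during volatility" side.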
Decentralized oracles, on the other hand, aim to diversify data collectors to avoid quorum disruptions and, in contrast to TWAP oracles, can provide data that is both tamper-resistant and accurate by reporting a Volume Weighted Average Price (VWAP). VWAP aggregates price data from liquid exchanges (CEXs and DEXs), weights it by real volume, and removes outliers and fake volume.
To provide a brief overview, Table 2 compares TWAP oracles and Chainlink's price feeds by means of the most desirable traits: accuracy of price, security, market coverage, and price feed diversity. While Chainlink is the go-to oracle solution, the industry also offers decentralized alternatives designed to resist flash loan attacks, such as Tellor, Band Protocol, Provable (formerly Oraclize), or Witnet. The multitude of alternatives creates the opportunity to take the median of multiple oracle solutions, which improves security, as an attacker has to compromise several feeds at once and the attack becomes harder and more expensive, and ensures that a smart contract still gets the data it requires if a single feed fails.
Table 2: Comparison of TWAP and Chainlink price feeds
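As an added illustration of the VWAP-with-outlier-rejection idea (constructed example code, not Chainlink's or any other network's implementation), the following aggregates constructed quotes from five venues. One venue reports a manipulated price padded with fake volume: a plain VWAP is dragged toward it, whereas rejecting prices that deviate more than 5% from the cross-venue median discards it, and the aggregator refuses to report at all when too few sources remain. The quotes, the 5% threshold and the three-source quorum are all assumptions.

```python
"""Volume-weighted aggregation across venues with outlier rejection and a quorum check.

Constructed example, not Chainlink's or any other network's code. The quotes, the 5%
deviation threshold and the three-source quorum are assumptions chosen for illustration.
"""
from statistics import median

# Constructed snapshot of one asset's price across venues: (venue, price, reported volume).
# dex_3 is a thin pool an attacker has pushed to 130 and padded with wash-traded volume.
QUOTES = [
    ("cex_1", 100.2, 5_000),
    ("cex_2", 99.9, 4_000),
    ("dex_1", 100.1, 1_500),
    ("dex_2", 100.0, 1_200),
    ("dex_3", 130.0, 20_000),
]


def vwap(quotes):
    """Volume-weighted average price. On its own, fake volume buys influence."""
    total_volume = sum(volume for _, _, volume in quotes)
    return sum(price * volume for _, price, volume in quotes) / total_volume


def reject_outliers(quotes, max_relative_deviation=0.05):
    """Drop venues whose price strays more than max_relative_deviation from the median.

    The median is taken over prices, not volumes, so inflating volume does not help an
    attacker pull the reference point toward the manipulated venue."""
    reference = median(price for _, price, _ in quotes)
    return [q for q in quotes
            if abs(q[1] - reference) / reference <= max_relative_deviation]


def aggregate_price(quotes, min_sources=3):
    """Filtered VWAP; refuses to answer when too few independent sources survive,
    so a consuming contract fails closed instead of acting on one or two venues."""
    surviving = reject_outliers(quotes)
    if len(surviving) < min_sources:
        raise ValueError(f"only {len(surviving)} sources agree; refusing to report a price")
    return vwap(surviving)


if __name__ == "__main__":
    print(f"naive VWAP:    {vwap(QUOTES):.3f}")
    print(f"filtered VWAP: {aggregate_price(QUOTES):.3f}")
    dropped = {v for v, _, _ in QUOTES} - {v for v, _, _ in reject_outliers(QUOTES)}
    print(f"rejected venues: {sorted(dropped)}")
```

With the constructed quotes, the naive VWAP comes out near 119 because the manipulated venue carries most of the reported volume, while the filtered VWAP stays near 100.06. Note that the deviation threshold is itself a tuning knob with the same flavor as the TWAP window: too tight and legitimate venues get dropped during fast markets, too loose and a moderately manipulated venue slips through.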
Conclusion and Outlook
With oracles enabling crucial functionality for the DeFi space, these applications rely on very sensitive data. As history illustrates, a single exploit can result in the loss of millions of dollars worth of digital assets, as seen recently in the Beanstalk exploit. While neither oracle manipulation nor flash loans are new in DeFi, the same old attack vectors keep haunting the space and slow mainstream adoption. Overcoming these speed bumps by optimizing and leveraging modern oracles, such as TWAP oracles or the VWAP of decentralized oracles, to close attack vectors is key to ensuring high quality, reliable data that is resistant to manipulation. As these solutions come with different trade-offs, it is also important to select the best fit when designing smart contracts. In addition, regular audits help to reduce oracle attacks and therefore improve the overall security of the ecosystem.