Fairyproof’s Review of the Oracle Attack on DeFi Applications
Recently, Fairyproof audited quite a few DeFi applications. Among these applications, our audit team still found a common vulnerability in our initial reviews.
The vulnerability is commonly known as an “oracle attack”. Specifically, in the context of DeFi applications, an oracle attack exploits a weakness in the application’s data retrieval mechanism.
A DeFi application retrieves data from an off-chain source, an on-chain source, or both.
Retrieving data from an on-chain source usually means calling a smart contract’s interface to read the data. Retrieving data from an off-chain source requires relying on an oracle, since a blockchain application, in principle, has no direct access to off-chain data.
More precisely, in a blockchain context an oracle is a protocol or application that acts as an intermediary between a smart contract deployed on a blockchain and data that live outside that blockchain; it is what enables a smart contract to access off-chain data.
For DeFi applications, the most frequently queried piece of data, whether from off-chain or on-chain sources, is a crypto asset’s price.
If a DeFi application retrieves a crypto asset’s price via an oracle from off-chain data sources, it generally retrieves it from conventional centralized exchanges (CEXs). In this case, the application should choose an oracle that is as decentralized as possible, i.e. the oracle should acquire prices from more than one CEX, compose an average price and feed it to the application.
If a DeFi application retrieves a crypto asset’s price from on-chain data sources, it should compose the price with an algorithm that averages multiple prices retrieved from multiple on-chain sources.
This way, a DeFi application is not exposed to a single point of failure in its data source; otherwise it is exposed to an oracle attack.
However, the most frequent issue with a DeFi application’s data source found in Fairyproof’s audits is one of the following two cases:
When it retrieves a price from off-chain sources, it uses an oracle that itself reads the price from a single source. If that single source fails or feeds a highly volatile price, the DeFi application may trigger unexpected actions.
When it retrieves a price from on-chain sources, it simply uses the spot price of a trading pair, e.g. a Uniswap pair. However, the price of a token in a trading pair is easily manipulated. Using a flash loan to borrow a large quantity of one token and dumping it into a trading pair, which pumps the price of the other token in that pair, has become a recurrent way for hackers to manipulate a crypto asset’s price. If a hacker manipulates a price that is fed to a DeFi application in this way, it can cause huge losses to both the application and its users.
To tackle this risk, Uniswap developed a popular algorithm called “Time Weighted Average Price” (TWAP). A TWAP is constructed by “reading the cumulative price from an ERC20 token pair at the beginning and at the end of the desired interval. The difference in this cumulative price can then be divided by the length of the interval to create a TWAP for that period”.
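As an added illustration (not code from Fairyproof or Uniswap), the following Python model replays a pair’s cumulative-price accumulator over a constructed 30-minute window and compares the spot price a naive consumer would read with the TWAP computed as described above; the observation layout, timestamps and sample prices are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """Snapshot of a pair's price accumulator, modelled on Uniswap v2's
    price0CumulativeLast: the spot price integrated over elapsed seconds."""
    timestamp: int
    price_cumulative: float

def accumulate(prev: Observation, price_since_prev: float, now: int) -> Observation:
    """Advance the accumulator: the price that held since `prev` is weighted
    by the seconds it held, so a one-block price only counts for one block."""
    elapsed = now - prev.timestamp
    if elapsed < 0:
        raise ValueError("observations must be in time order")
    return Observation(now, prev.price_cumulative + price_since_prev * elapsed)

def twap(start: Observation, end: Observation) -> float:
    """TWAP over [start, end]: cumulative price difference divided by the interval."""
    interval = end.timestamp - start.timestamp
    if interval <= 0:
        raise ValueError("interval must be positive")
    return (end.price_cumulative - start.price_cumulative) / interval

def run_window(initial_price: float, updates: list[tuple[int, float]],
               window_end: int) -> tuple[float, float]:
    """Replay (timestamp, new spot price) updates through the accumulator and
    return (spot price at window_end, TWAP over the whole window)."""
    start = current = Observation(0, 0.0)
    price = initial_price
    for ts, new_price in updates:
        current = accumulate(current, price, ts)  # weight the old price by its duration
        price = new_price                         # the trade sets a new spot price
    end = accumulate(current, price, window_end)
    return price, twap(start, end)

def spot_vs_twap_under_manipulation() -> tuple[float, float]:
    """Constructed scenario, not market data: the pool trades at 100 token1 per
    token0 for 30 minutes, then one 12-second block at the end pushes it to 500
    right before the consuming contract reads the price."""
    return run_window(initial_price=100.0, updates=[(1788, 500.0)], window_end=1800)

if __name__ == "__main__":
    spot, average = spot_vs_twap_under_manipulation()
    print(f"spot price at window end:     {spot:.2f}")     # 500.00
    print(f"30-minute TWAP at window end: {average:.2f}")  # 102.67
```

A consumer reading the spot price sees a fivefold jump, while the 30-minute TWAP moves by under 3%, which is why a short-lived price distortion has little leverage against a TWAP-based feed.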
Fairyproof strongly recommends that a DeFi application that needs a crypto asset’s price use either a decentralized oracle to retrieve the asset’s off-chain price or a TWAP algorithm to compose its on-chain price.
About the author:
Yuefei TAN, CEO of Fairyproof
About Fairyproof:
Fairyproof Tech is a blockchain security company, established in Jan 2021.
It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.