
Oracle Exploits & RedStone’s Preventative Measures

It is crucial for users to understand why oracle exploits occur and how they may impact the security of a decentralized service. Preventing exploits is fundamental to improving the reputability of Web 3.0. This article provides a thorough analysis of oracle exploits and explains how RedStone Oracles is specifically designed to prevent these incidents from occurring for its clients.

What Are Oracle Exploits?

An oracle exploit is the intentional manipulation of an oracle that leads to erroneous smart contract executions in a dApp.

Illustrative Example

If the price of a token A on Uniswap is artificially increased and then provided by an oracle to Aave, an attacker could take advantage of the incorrectly reported price to essentially steal funds from Aave. Knowing that only one price feed is provided to Aave (Uniswap’s pricing), the attacker takes advantage of the oracle reporting the incorrect price of token A to exploit Aave.

What is Market Manipulation? 

Market manipulation is a more general term referring to an asset’s price being artificially controlled by changing the natural balance of supply and demand. The key difference between an oracle exploit and market manipulation is that an oracle exploit results in incorrect data being reported, while market manipulation describes the act of changing the prices of assets. A simple example of market manipulation is a pump-and-dump scheme, which involves artificially inflating the price of a cryptocurrency through coordinated buying and then selling off the inflated asset to profit at the expense of unsuspecting traders.

A Look at Historical Oracle Exploits 

Below is a list of previous oracle exploits in Web 3.0, along with the security measures RedStone implements against each, which make RedStone a robust data provider.

💡Fact: RedStone Oracles has provided data feeds for years securing billions of dollars of value and has never been exploited.

Synthetix Exploit

Funds lost: ~$1 billion

In 2019, an oracle reported the price of the Korean Won as 1000 times higher than the actual price. As a result, an arbitrage bot exploited the mistake, profiting significantly. The error occurred because a centralized oracle failed to validate the price data adequately before feeding it to the Synthetix protocol.

RedStone’s Preventative Measures 

RedStone implements a system of checks (outlier detection) to ensure a provided data feed does not significantly deviate from the previous price of an asset. This acts as a buffer, because reporting an extreme value for a price can have a significant impact on the performance of a decentralized finance (DeFi) protocol, as exemplified by the Synthetix exploit.

Compound Exploit 

Funds lost: ~$89 million

In 2020, $89 million was lost when the Coinbase Pro oracle incorrectly reported the price of the DAI stablecoin as $1.3 instead of $1.0. This incorrect price resulted in a significant amount of unnecessary liquidations. In this case, Compound relied on a single centralized oracle for the price of $DAI.

RedStone’s Preventative Measures 

RedStone prevents reporting an incorrect price feed by aggregating data feeds from multiple sources, including centralized exchanges, decentralized exchanges, and cryptocurrency data aggregators. Typically, the price provided to dApps is a median value calculated from all data sources, which acts as a second layer of scrutiny even if a single incorrect price feed is accepted as correct. RedStone also gives dApp developers the ability to exclude prices from a specific data source immediately and automatically if that source is suspected of being compromised.
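The following is an added example, not RedStone's code, that combines the two checks described so far: a median across several sources with per-source exclusion, and an outlier check against the previous accepted price. The source names, sample quotes, the 20% deviation threshold and the minimum of three sources are all assumptions chosen for illustration.

```python
from statistics import median

# Constructed quotes for a $1.00 stablecoin; one venue misreports $1.30.
DAI_QUOTES = {"cex_a": 1.30, "cex_b": 1.00, "dex_a": 0.999,
              "dex_b": 1.001, "aggregator_a": 1.00}
# Constructed quotes where most sources carry the same 1000x error.
KRW_QUOTES = {"feed_a": 0.85, "feed_b": 0.85, "feed_c": 0.00085}


def aggregate_price(quotes, last_price, excluded=frozenset(),
                    max_dev=0.20, min_sources=3):
    """Return (price, flagged_sources); raise ValueError if nothing is safe to publish.

    max_dev and min_sources are assumed policy values, not RedStone's settings.
    """
    # 1. Drop sources the integrator has excluded, plus NaN/zero/negative values.
    usable = {s: p for s, p in quotes.items()
              if s not in excluded and isinstance(p, (int, float)) and p > 0}
    if len(usable) < min_sources:
        raise ValueError("not enough independent sources")

    # 2. Median: a minority of wrong sources cannot move the result.
    mid = median(usable.values())

    # 3. Flag sources that disagree with the median, for alerting or exclusion.
    flagged = sorted(s for s, p in usable.items() if abs(p - mid) / mid > max_dev)

    # 4. Outlier check against the last accepted price: refuse to publish an
    #    extreme jump instead of forwarding it to the consuming contract.
    if abs(mid - last_price) / last_price > max_dev:
        raise ValueError(f"aggregate {mid} deviates too far from {last_price}")
    return mid, flagged


if __name__ == "__main__":
    print(aggregate_price(DAI_QUOTES, last_price=1.00))
    try:
        aggregate_price(KRW_QUOTES, last_price=0.00085)
    except ValueError as err:
        print("rejected:", err)
```

The median alone handles the single bad source; the previous-price check is what stops the case where most sources are wrong in the same way.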

bZx Exploit

Funds lost: ~$355K

The bZx exploit involved manipulating the prices of wBTC and sUSD by taking advantage of the low liquidity of the assets on an exchange. The attacker executed a series of transactions which eventually allowed funds to be taken from the protocol.

A detailed look at the scheme of transactions used by the attacker can be found here: https://peckshield.medium.com/bzx-hack-full-disclosure-with-detailed-profit-analysis-e6b1fa9b18fc

RedStone’s Preventative Measures 

RedStone leverages liquidity-weighted average price (LWAP) to ensure that prices, even if tampered with on an exchange, would not result in a significant misreporting of the price of that asset. RedStone also receives prices of assets from a combination of exchanges where there is sufficient liquidity for a given asset.

Mango Markets Exploit

Funds lost: ~$117 million

In 2022, Avraham Eisenberg exploited Mango Markets by manipulating the price of the low-liquidity MNGO token. He used flash loans and leveraged trades to create an artificial price spike, which allowed him to borrow against the inflated collateral, draining $117 million from the protocol.

RedStone’s Preventative Measures 

RedStone implements liquidity-weighted average price (LWAP) to ensure price manipulation due to low liquidity does not significantly influence a protocol.
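To make the LWAP argument from the bZx and Mango Markets sections concrete, the added example below (not RedStone's code) compares how far a 10x price distortion on one thin venue moves an unweighted mean versus a liquidity-weighted average, with and without a minimum-liquidity floor. The venue names, prices, liquidity figures and the $1M floor are constructed for illustration.

```python
from statistics import mean

# Constructed venues: (name, price_usd, liquidity_usd).
HONEST = [("deep_cex", 1.00, 50_000_000),
          ("deep_dex", 1.01, 20_000_000),
          ("thin_dex", 1.00, 300_000)]
# Same market after the thin pool's price is pushed 10x.
MANIPULATED = HONEST[:2] + [("thin_dex", 10.00, 300_000)]


def lwap(venues, min_liquidity=0):
    """Liquidity-weighted average price over venues meeting a liquidity floor."""
    deep = [(p, liq) for _, p, liq in venues
            if p > 0 and liq > 0 and liq >= min_liquidity]
    if not deep:
        raise ValueError("no venue with sufficient liquidity")
    total = sum(liq for _, liq in deep)
    return sum(p * liq for p, liq in deep) / total


def simple_average(venues):
    """Unweighted mean, shown only as the baseline LWAP is compared against."""
    return mean(p for _, p, _ in venues)


def relative_shift(fn, before, after, **kw):
    """How far the reported price moves between two market snapshots."""
    base = fn(before, **kw)
    return abs(fn(after, **kw) - base) / base


if __name__ == "__main__":
    print(f"simple mean shift: {relative_shift(simple_average, HONEST, MANIPULATED):.1%}")
    print(f"LWAP shift:        {relative_shift(lwap, HONEST, MANIPULATED):.1%}")
    floor = relative_shift(lwap, HONEST, MANIPULATED, min_liquidity=1_000_000)
    print(f"LWAP, $1M floor:   {floor:.1%}")
```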

BonqDAO Exploit

Funds lost: ~$120M

In 2023, BonqDAO was exploited due to a bug in the price feed smart contract from the Tellor Oracle protocol. The attacker was able to change the price of a cryptocurrency to manipulate the protocol through its borrowing mechanism, eventually draining it of 120 million dollars.

RedStone’s Preventative Measures 

RedStone’s smart contracts have been audited by several auditing firms including Quantstamp, AuditOne, Peckshield, and ABDK. RedStone is dedicated to allocating company funds to ensure their smart contracts are written according to auditing professionals’ recommendations. Additionally, RedStone’s co-founder, Jakub Wojciechowski, previously worked as a smart contract auditor, bringing his expertise to RedStone.

0VIX Exploit 

Funds lost: ~$2M

The 0VIX Protocol on Polygon was exploited in 2023 due to a vulnerability that allowed the price of vGHST to be manipulated via donations. The attacker used flash loans and manipulated the price via a specialized oracle implementation called VGHSTOracle. This manipulation inflated the token’s price, enabling the creation and liquidation of leveraged debt positions for profit.

RedStone’s Preventative Measures 

RedStone works closely with application developers to ensure price feeds are not prone to manipulation. The RedStone team considers the unique needs of its clients in order to maintain the integrity of data and prevent manipulation of token prices where possible.

Rodeo Finance Exploit 

Funds lost: ~$885K

Rodeo Finance was exploited as a result of an incorrectly implemented time-weighted average price (TWAP) oracle. As a result, an attacker was able to take advantage of a faulty price of Ethereum, stealing the liquidity of the protocol.

RedStone’s Preventative Measures 

RedStone aggregates multiple price feeds for a given asset and has never experienced a successful exploit. 

Conclusion 

RedStone takes pride in providing data feeds to some of the most used blockchain applications now securing billions of dollars across the entire blockchain system. RedStone’s modular design allows for app-specific implementations of data feeds, providing the necessary backbone for dApps to interact with real-world data.