Oracle Exploit, the Go-to-Crypto Hack in a Bear Market

Published in Nefture Security | Blockchain Security (Web3 Magazine), Apr 18, 2023

Oracle manipulation cost $219.6 million in 2022, and its victims range from algorithmic market makers to yield optimizers.

The last year has seen a steep rise in oracle manipulation and a brutal drop in total value locked (TVL) for oracle providers.

The multiplicity of oracle exploits in 2022 led several experts to reevaluate the relevance of oracles in DeFi, and Chainlink, which has been dominating the oracle market, lost an astounding $48 billion in TVL in 2022, falling from $56.7 billion to $8.7 billion between January 1st and December 31st, 2022.

So, what explains the popularity of oracle manipulation by hackers in 2022?

Oracles have become a crucial tool for the DeFi ecosystem.

Through smart contracts, they take off-chain, real-world data and feed it to blockchains. For DeFi actors, oracles act as a middleman that allows them, among other things, to access financial data about assets and markets. That data is then used, for example, to price assets in real time for the liquidity pools that facilitate decentralized trading and lending.

The oracle’s job is not to be the source of information but to verify external data sources and then relay that information.

Consequently, a hacker “only” has to change the truth the oracle relays to a DeFi liquidity pool, whose equilibrium rests on that oracle’s data, to be able to siphon it.

Modus Operandi

An oracle manipulation is, at its crux, a two-step attack.

The first step is to manipulate the pool(s) a DeFi protocol uses as price oracle(s), artificially inflating a token’s price by swapping for or buying a vast amount of it.

The second step is to go to the lending pool connected to this price oracle and open an under-collateralized position, walking away with the excess funds obtained thanks to the price discrepancy manufactured in step one.

To illustrate this, let’s say that 1,000 ETH = 1,000 sUSD. In a scenario where the oracle has not been manipulated and a lending pool requires collateral worth 120% of the value borrowed, you will need to deposit 1,200 ETH to receive 1,000 sUSD.

However, if the hacker manipulates the pool(s) used as an oracle by buying ETH en masse, so that 1,000 ETH is now worth 2,000 sUSD, he only has to go to the lending protocol that uses this compromised oracle and deposit 1,200 ETH to receive 2,000 sUSD.

That is, in substance, what happened in the most talked-about oracle manipulation of 2022, the $100M Mango Markets hack.

In a simplified summary, Avraham Eisenberg, the hacker behind the attack on the Solana DeFi trading platform Mango Markets, funded his wallet with $5M USDC that he used to purchase 483 units of perpetual contracts in Mango token (MNGO), driving the price of MNGO up 30x from $0.03 to $0.91 and increasing the value of his Mango token position to $423M. Step one over. After artificially elevating the collateral value of his account, he proceeded to drain Mango Markets’ lending pools by taking massive loans totaling ~$117M in Bitcoin, Solana, and more. Step two over.

The oracles used by Mango Markets worked as intended, but since the source of truth was compromised, Avraham Eisenberg was able to take an extremely under-collateralized loan.

This attack was self-funded, but as stated in our article dedicated to flash loan attacks, where price/market manipulation was once the preserve of “whales” like Avraham Eisenberg, flash loans now give a much larger pool of people the ability to exploit oracles. A prime example is Deus Finance, a DeFi protocol exploited twice in two months, in March and April 2022, for $4 million and $13 million respectively, through oracle exploits funded by flash loans.

The Bear Market, an Oracle Exploit Facilitator

If whales and non-whales alike could gorge on oracle exploits in 2022, it is because the bear market made oracles vulnerable.

A bear market means low liquidity, and low liquidity provides the best conditions for oracle manipulation.

In a bull market, when there is a substantial quantity of liquidity, oracle exploits are difficult to carry out: the amount of capital required to move a token’s price successfully is much higher.

Hackers go for an oracle exploit when moving the price costs less than what they can extract; in the words of Alexander Wlezien, cofounder of DeFi platform Friktion Labs, the condition a protocol must maintain is that

“The economic cost of price manipulation must be far above extractable economic value.”

Hence, extreme manipulations become easier and cheaper when liquidity is low, which increases hackers’ incentive to undertake these sorts of exploits.

New or relatively unknown tokens usually have little liquidity to begin with and become even more illiquid during a bear market, making them prime targets for criminals. A hacker can have a monumental price impact by taking significant positions in illiquid tokens, as in the Mango Markets case.
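To make the 1,000 ETH / 1,200 ETH arithmetic of the Modus Operandi section and the liquidity argument of this section concrete, here is an added Python model (not Nefture’s code, nor any protocol’s): a constant-product pool read as a spot oracle, the 120% lender, the capital needed to double the price at different pool depths, and a time-weighted average price (TWAP) as the standard mitigation. Pool reserves, the 1 sUSD per ETH starting price and the TWAP window are assumptions.

```python
"""Simplified model of the two-step attack above: an x*y=k pool is read as a
spot price oracle, a lender accepts collateral at 120%, and the capital needed
to move the price grows with pool depth. Added illustration, not Nefture's or
any protocol's code; reserves, the 1 ETH = 1 sUSD start and the TWAP window
are constructed."""
from math import sqrt

COLLATERAL_RATIO = 1.2  # lender demands collateral worth 120% of the loan

class Pool:
    """Constant-product pool holding ETH and sUSD; spot price is sUSD per ETH."""
    def __init__(self, eth: float, susd: float) -> None:
        self.eth, self.susd = eth, susd

    def spot(self) -> float:
        return self.susd / self.eth

    def buy_eth(self, susd_in: float) -> float:
        """Swap sUSD for ETH; updates reserves and returns the ETH received."""
        new_eth = self.eth * self.susd / (self.susd + susd_in)
        received = self.eth - new_eth
        self.eth, self.susd = new_eth, self.susd + susd_in
        return received

def max_borrow(collateral_eth: float, oracle_price: float) -> float:
    """sUSD a lender releases against `collateral_eth` at the oracle's price."""
    return collateral_eth * oracle_price / COLLATERAL_RATIO

def cost_to_multiply_price(reserve_susd: float, multiplier: float) -> float:
    """sUSD that must be swapped in to raise the spot price by `multiplier`.
    From x*y=k the price scales with (susd_after/susd_before)**2, so the
    required input is linear in pool depth: the bear-market liquidity effect."""
    return reserve_susd * (sqrt(multiplier) - 1.0)

def attack_outcome(reserve: float, susd_spent: float, collateral_eth: float):
    """Step 1: buy ETH to inflate the spot oracle. Step 2: borrow against ETH
    collateral at that price. Returns (spot_after, borrowed, excess), excess
    being sUSD lent beyond the collateral's true value at 1 sUSD per ETH."""
    pool = Pool(reserve, reserve)  # 1 ETH = 1 sUSD before manipulation
    true_value = collateral_eth * pool.spot()
    pool.buy_eth(susd_spent)
    borrowed = max_borrow(collateral_eth, pool.spot())
    return pool.spot(), borrowed, borrowed - true_value

def twap_borrow(collateral_eth: float, history: list, spike: float) -> float:
    """Mitigation: value collateral by the average of `history` plus the one
    manipulated observation, so a single-block spot spike is diluted."""
    window = history + [spike]
    return max_borrow(collateral_eth, sum(window) / len(window))
```

With a 10,000 ETH pool, doubling the price takes about 4,142 sUSD and turns 1,200 ETH of collateral into a 2,000 sUSD loan; the same spend in a pool one tenth the size moves the price far more, while a 30-observation TWAP caps the loan near its honest value.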

By its scale, the Mango Markets case acted as an eye-opener.

In the week following the attack, it drove the decentralized lending protocol Compound to pause the supply of four tokens (YFI, ZRX, BAT and MKR) as lending collateral on its platform, to protect its users against price manipulation.

One month later, the open-source liquidity protocol Aave temporarily suspended lending markets for 17 tokens to fend off volatility risks, after the Mango Markets hacker attempted a repeat attack on Aave and almost stole $60 million in CRV using USD Coin.

The bear market provides fertile ground for oracle exploits, and unless DeFi protocols take preemptive measures to make themselves less vulnerable, as Compound and Aave did, it can be expected that as long as the bear market persists, oracle manipulations will continue to wreak havoc in DeFi.


Nefture secures crypto assets by detecting and mitigating malicious activities and system failures. - nefture.com