Exploiting DeFi Apps with this One Weird Trick

an attacker has almost full control over the price during a transaction and trying to read that price accurately is like reading the weight on a scale before it’s finished settling - samczsun

In the past 30 days, a price oracle exploit (every attack is unique but can be generally classified as being in the "price oracle exploit" or at least "economic attack" category) has been used to drain at least $45 million from vulnerable DeFi apps.

The essence of this exploit is manipulating a DeFi Apps's perception of what the price of something is - so you can extract tokens from it at a discount. It's like walking into Walmart and telling the cashier "actually sir, the price of this 80-inch TV is $1 USD" and the cashier responding: "of course sir, and thank you for your business".

In Ethereum, this translates to convincing a DeFi App that the price of Ethereum in USD is not ~$400, but ~$800 then, within a single transaction you can:

1. deposit eth as collateral while correctly priced at $400
2. manipulate price of eth to $800 (at least as far as this particular smart contract is aware)
3. borrow twice as much USDC than should be possible
4. manipulate the price of eth back to $400
5. repay the original $400, keep the extra USDC

Some variation of that basic formula is what's happened at least to the following DeFi Apps:

• Harvest: $24M by manipulating a price and withdrawing
• Value DeFi: $6M by manipulating a price and withdrawing
• Cheese Bank: $3M by manipulating a price and withdrawing

Other recent attacks using slightly related strategies:

• Eminence: $16M by manipulating Bancor bonding curve
• Origin Protocol: $7M by manipulating supply of OUSD using a re-entrancy attack
• Akropolois: $2M by manipulating supply of pooltokens using a re-entrancy attack

How do you "manipulate" or "convince" a DeFi app into thinking the price of something is different than it really is?

You simply trade (on whatever DEX the vulnerable contract reads from) whatever asset you want to manipulate the price of!

"WHAT?!" (you say, mouth agape)

Yes! This exploit works because these vulnerable Apps discover the price from an algo that reacts to trade activity. To be fair, the trade to make this happen is usually large (flash loan) or done in a loop.

Think about the scale analogy that samczsun used above. You can use this to visualize the exploit. A hacker causes the scale (price) to temporarily move in a certain direction, steals money, then moves the scale back to where it was (within a single transaction). The fix is preventing the scale from being manipulated faster than an arbitrageur could correct the price.

See our AMM Braindump post a deeper explanation for how these "scales" (AMMs) work.

In other words, the vulnerability was the assumption that these pricing oracles (mathematical curve algos) could be relied on to report a fair price (fair meaning consistent with other markets and/or being capable of being arbitraged).

The fix

2 (currently) generally accepted best practices, or strategies, for improving on this broken design are:

• Time weighted algos (continue to use a decentralized AMM price oracle but average the price over several blocks) Read more about TWAP price oracle design in Uniswap's docs.
• External oracles (use bots outside of the blockchain to post price updates from safe sources to the blockchain). See Chainlink and Bancor's thoughts on this approach.

And finally, see samczsun's more precise post on price oracle exploits and Consensys' known attacks and best practices.

Come work with us!

If you read this far, can write code, and enjoy using Kubernetes, Golang, Postgres, InfluxDB, React (w/GraphQL) AND you like Messari, then see our open roles for frontend and backend engineers and drop us a line at [email protected].

- J. Otto

Let us know what you loved about the report, what may be missing, or share any other feedback by filling out this short form. All responses are subject to our Privacy Policy and Terms of Service.