Oracle Manipulation
What is Oracle Manipulation?
Oracle Manipulation: An attack that distorts the price or data feed used by a smart contract so the contract makes wildly wrong decisions about lending, liquidations, or settlement.
Smart contracts often rely on oracles to import off-chain or on-chain prices, exchange rates, randomness, or events. Oracle manipulation targets the source, the aggregation, or the on-chain consumer: attackers can move a spot AMM pool used as a price reference, push fake data through a single weak feed, or exploit a brief multi-block reorganisation. The downstream contract then mints free collateral, allows underwater loans, or triggers wrongful liquidations. Mitigations include time-weighted average prices (TWAP), multiple decentralised oracle providers (Chainlink, Pyth, RedStone), circuit breakers, deviation thresholds, and avoiding spot AMM prices for any collateralisation logic.
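To make the TWAP and deviation-threshold mitigations concrete, here is an added simulation (not code from the original page) of a lending contract's oracle consumer: it time-weights a constructed history of pool prices and refuses to act when the current spot price strays more than a threshold from the average. The observation layout (one reading per 12-second block), the 20-minute window and the 500 bps threshold are assumptions chosen for the illustration.

```python
"""Constructed simulation: an oracle consumer that only accepts a spot price
when it stays close to a time-weighted average price (TWAP)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Observation:
    timestamp: int  # seconds
    price: float    # pool spot price recorded at this timestamp


def twap(obs: List[Observation], now: int, window: int) -> float:
    """Weight each observed price by how long it held until the next
    observation, restricted to [now - window, now]. This mirrors the
    cumulative-price idea behind AMM TWAP oracles (assumption: observations
    are sorted by timestamp, one per block)."""
    start = now - window
    weighted, covered = 0.0, 0
    for i, o in enumerate(obs):
        end = obs[i + 1].timestamp if i + 1 < len(obs) else now
        lo, hi = max(o.timestamp, start), min(end, now)
        if hi > lo:
            weighted += o.price * (hi - lo)
            covered += hi - lo
    if covered == 0:
        raise ValueError("no observations inside window")
    return weighted / covered


def deviation_bps(spot: float, reference: float) -> float:
    """Absolute deviation of spot from reference in basis points."""
    return abs(spot - reference) / reference * 10_000


def safe_price(obs: List[Observation], now: int, window: int,
               max_dev_bps: float) -> Optional[float]:
    """Circuit breaker: return the TWAP while the latest spot price is within
    max_dev_bps of it; otherwise return None so the caller pauses borrowing
    and liquidations instead of trusting a manipulated pool."""
    spot = obs[-1].price
    ref = twap(obs, now, window)
    return None if deviation_bps(spot, ref) > max_dev_bps else ref


# Constructed history: 100 blocks (12 s each) at a steady price of 100, then
# one block in which a flash loan pushes the pool spot price to 1000.
HISTORY = [Observation(12 * i, 100.0) for i in range(100)] + [Observation(1200, 1000.0)]
NOW, WINDOW, MAX_DEV_BPS = 1212, 1200, 500

if __name__ == "__main__":
    print("spot:", HISTORY[-1].price, "twap:", twap(HISTORY, NOW, WINDOW))
    print("safe_price:", safe_price(HISTORY, NOW, WINDOW, MAX_DEV_BPS))
```

The single manipulated block lifts the TWAP only from 100 to 109, so the spot price of 1000 deviates by thousands of basis points and the breaker trips; a consumer that read the raw spot price would instead have priced collateral ten times too high.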
● Examples
- 01
The Mango Markets exploit (October 2022) inflated the MNGO oracle price to borrow about 116 million USD against the position.
- 02
The Harvest Finance hack (October 2020) manipulated Curve oracle prices via a flash loan, draining about 24 million USD.
● Frequently asked questions
What is Oracle Manipulation?
An attack that distorts the price or data feed used by a smart contract so the contract makes wildly wrong decisions about lending, liquidations, or settlement. It belongs to the Web3 & Blockchain category of cybersecurity.
What does Oracle Manipulation mean?
An attack that distorts the price or data feed used by a smart contract so the contract makes wildly wrong decisions about lending, liquidations, or settlement.
How does Oracle Manipulation work?
Smart contracts often rely on oracles to import off-chain or on-chain prices, exchange rates, randomness, or events. Oracle manipulation targets the source, the aggregation, or the on-chain consumer: attackers can move a spot AMM pool used as a price reference, push fake data through a single weak feed, or exploit a brief multi-block reorganisation. The downstream contract then mints free collateral, allows underwater loans, or triggers wrongful liquidations. Mitigations include time-weighted average prices (TWAP), multiple decentralised oracle providers (Chainlink, Pyth, RedStone), circuit breakers, deviation thresholds, and avoiding spot AMM prices for any collateralisation logic.
How do you defend against Oracle Manipulation?
Defences for Oracle Manipulation typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Oracle Manipulation?
Common alternative names include: Price oracle attack.
● Related terms
- Flash Loan Attack (web3 № 424): A DeFi exploit that borrows a massive uncollateralised flash loan within one transaction to manipulate prices or governance and steal funds before the loan is repaid.
- Smart Contract Security (web3 № 1056): The practice of designing, reviewing, and operating on-chain programs so they cannot be exploited to steal funds, freeze logic, or violate intended business rules.
- Smart Contract Audit (web3 № 1055): An independent security review of smart-contract source code, deployment configuration, and economic design to find vulnerabilities before launch or upgrade.
- Front-Running (Blockchain) (web3 № 435): On-chain trade abuse where an actor sees a pending transaction in the mempool and submits their own transaction first to profit from the predictable price impact.
- MEV (Maximal Extractable Value) (web3 № 675): The profit that block builders, validators, or searchers can extract by reordering, inserting, or censoring transactions within the blocks they produce.
- Blockchain Security (web3 № 106): The discipline of protecting distributed ledgers, their consensus mechanisms, smart contracts, and surrounding infrastructure from compromise, fraud, and theft.
● See also
- Reentrancy Attack (№ 910)
- 51% Attack (№ 003)
- Sandwich Attack (№ 965)