QX DeFi Risks Compass

Defining Oracle Risks

Oracle Risks in DeFi protocols refer to the vulnerabilities and challenges associated with using external data sources, or oracles, to inform smart contract decisions. Oracles act as bridges between blockchain systems and the outside world, feeding real-time data (such as price feeds or event outcomes) into smart contracts.

However, this reliance introduces several risks:

  1. Centralization Risk: If a DeFi protocol relies on a single or a small number of oracles for critical data, it can reintroduce centralization into the decentralized ecosystem. This makes the protocol vulnerable to manipulation or failure of these oracles.

  2. Manipulation Risk: The data provided by oracles can be a target for manipulation. If attackers can influence the data fed into the DeFi protocols, they can exploit these manipulations for financial gain, potentially destabilizing the protocol or causing significant losses to its users.

  3. Data Integrity Risk: The accuracy and reliability of oracle data are crucial. Incorrect or delayed data can cause smart contracts to execute erroneously, leading to loss of funds or unintended consequences within the DeFi protocol.

  4. Oracle Failure Risk: The technical failure of an oracle, whether due to bugs, downtime, or external attacks, can paralyze a DeFi protocol that relies on its data, preventing the execution of smart contracts or leading to incorrect executions.

Centralization Risk

Using a centralized oracle, a single API, or a single data source reintroduces centralization into a decentralized blockchain system, undermining one of the core value propositions of blockchain and smart contracts.

This contradicts the goal of building decentralized blockchain applications that do not depend on any individual party: the protocol becomes only as trustworthy as the one operator feeding it data, so a centralized oracle defeats one of the main purposes of blockchain technology.

Manipulation Risk

Manipulation Risk involves the potential for attackers to exploit or influence the data fed into the DeFi protocols for personal gain, potentially destabilizing the protocol or causing significant financial losses to its users and stakeholders.

Examples include providing false price data to drain lending protocols, manipulating event outcomes in prediction markets, and triggering incorrect contract executions via altered data.

TWAP Oracles

TWAP (Time Weighted Average Price) oracles calculate the average price of an asset over a specified period, offering a more stable price metric in the face of market volatility. TWAP oracles are intended to report an asset's price based on decentralized exchange (DEX) or liquidity pool data rather than on a single external feed.

Manipulation of TWAP oracles typically involves arbitrage strategies that temporarily push the prices in AMM (Automated Market Maker) pools up or down, taking advantage of the time delay in TWAP feeds to profit before the prices normalize. This form of manipulation has led to significant losses in several projects that utilized TWAP oracles, such as Inverse Finance and Rari Fuse Pools, indicating a pattern of vulnerability associated with these oracle types.

TWAP oracles can be manipulated through strategic buying and selling that exploits the mechanism averaging prices over time, which could lead to a significant risk of impermanent loss.

Concentrated liquidity, introduced by protocols such as Uniswap V3, has been identified as a factor that could simplify TWAP oracle attacks, because less capital is needed to move an asset's price within a specific range.
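To make the time-delay argument concrete, the following is an added example (not code from the QX DeFi Risks Compass or from any protocol named above). It computes a step-function TWAP over a constructed price series containing one pushed block, shows how the observation window dilutes that push, and adds the kind of spot-versus-TWAP deviation check a consuming protocol can use as a circuit breaker. The price values, 12-second block time and deviation threshold are assumptions chosen for illustration.

```python
# Constructed sample: spot price is 100 for 30 minutes except for one
# 12-second block (t = 1788..1800) where it is pushed to 1000.
# Each entry is (timestamp_seconds, spot_price); the price is treated as
# constant from one sample until the next, as an on-chain cumulative
# price accumulator would see it.
SAMPLES = [(0, 100.0), (1788, 1000.0), (1800, 100.0)]


def twap(samples, t_start, t_end):
    """Time-weighted average price over the window [t_start, t_end].

    samples must be sorted by timestamp and cover t_start.  A price that was
    live for only a few seconds contributes to the average only in
    proportion to those seconds, which is why window length matters.
    """
    assert t_end > t_start and samples[0][0] <= t_start
    weighted = 0.0
    for i, (ts, price) in enumerate(samples):
        nxt = samples[i + 1][0] if i + 1 < len(samples) else t_end
        lo, hi = max(ts, t_start), min(nxt, t_end)
        if hi > lo:
            weighted += price * (hi - lo)
    return weighted / (t_end - t_start)


def spot_within_twap_band(spot, twap_price, max_deviation_bps):
    """Circuit-breaker check: accept a spot price only if it deviates from
    the TWAP by at most max_deviation_bps basis points in either direction.
    A consuming protocol can pause or revert instead of acting on an
    out-of-band price."""
    deviation_bps = abs(spot - twap_price) / twap_price * 10_000
    return deviation_bps <= max_deviation_bps


if __name__ == "__main__":
    # One pushed block moves a 60 s TWAP to 280 but a 30 min TWAP only to 106.
    print("60s window :", twap(SAMPLES, 1740, 1800))
    print("30min window:", twap(SAMPLES, 0, 1800))
    # A 5% band rejects the pushed spot price against the long-window TWAP.
    print("spot 1000 accepted:", spot_within_twap_band(1000.0, 106.0, 500))
```

The longer window does not make the average immune; it only raises the cost of the push, since the pushed price must be held for a larger share of the window to move the TWAP by the same amount.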

Further reading


Bank for International Settlements - The oracle problem and the future of DeFi - Bulletin 76 (September 2023): https://www.bis.org/publ/bisbull76.pdf

Hacken - The BonqDAO Price Oracle Hack Explained (February 2023): https://hacken.io/insights/bonqdao-hack

Chainalysis - Oracle Manipulation Attacks are Rising, Creating a Unique Concern for DeFi (March 2023): https://www.chainalysis.com/blog/oracle-manipulation-attacks-rising/