What are Price Oracle Manipulation Attacks in DeFi?

Price oracle manipulation attacks are a common threat to DeFi protocols. These attacks exploit vulnerabilities in how smart contracts estimate the values of crypto tokens, enabling the attacker to drain value from the protocol using incorrect valuations. This article explores price manipulation attacks, including how they work and best practices for managing these vulnerabilities.

What is Price Manipulation?

With the exception of stablecoins, most tokens lack a set value. Instead, their values are set by market forces and supply and demand. For example, if a smart contract holds a large quantity of one token, it might be considered more valuable than another, scarcer token.

For this reason, DeFi contracts commonly need to determine the current market price of a particular asset. This is essential for making trade, establishing the value of collateral, and similar operations.

Price manipulation attacks involve tricking a smart contract into using an incorrect valuation for a token. By doing so, an attacker can take advantage of the difference between the real and perceived value of the token to make a profit at the expense of the smart contract and its users.

Types of Price Manipulation Vulnerabilities

At a high level, a price manipulation attack is any time a smart contract uses incorrect pricing information in a way that an attacker can exploit. Often, this involves purchasing tokens for less than they’re worth, enabling the attacker to drain the value invested in the vulnerable smart contract.

However, price manipulation attacks can take advantage of a range of different issues in a smart contract. Some of the most common include the following:

Internal Price Calculations

Some smart contracts attempt to estimate the relative value of a token based on supply and demand. This is calculated based on the amount of the token that is currently held within the smart contract. In theory, rarer tokens are more valuable, increasing their price.

This type of price calculation is vulnerable to flashloan attacks. If an attacker takes out a flashloan, they can massively increase or decrease the quantity of a particular token that a smart contract holds, decreasing or increasing its perceived price. This enables them to drain value from the contract by purchasing a token for less than it is worth or selling it at a premium. Since flashloans are taken out and paid off within a single transaction, this attack can be performed for next to nothing.

Flashloans play a starring role in many price manipulation attacks due to their ability to change the perceived value of a token. In fact, 62.1% of price manipulation attacks involved flashloans, according to Halborn’s analysis of the top 100 most significant DeFi hacks through 2023.

Reliance on Single-Source Oracles

Price oracles provide a smart contract with access to third-party pricing information. The smart contract can query the oracle, which offers the current price of the asset in question.

However, this can introduce many of the same risks as calculating token prices within the smart contract itself. If the oracle used is targeted by a flashloan attack, then the price data it provides may be incorrect as well. This would cause any smart contracts relying solely on this data to use incorrect price values and be at risk of exploitation.

Flawed oracles are the leading cause of price manipulation attacks. Additionally, they accounted for over 49% of losses in 2023 for price manipulation attacks.

Insufficient Input Validation

DeFi smart contracts use various types of third-party data to perform their roles. For example, a smart contract function may accept user-provided input in the call to the function as well as pricing information sourced from a price oracle.

If the function doesn’t perform proper input validation, there is the possibility that an attacker may be able to manipulate parameters passed to it to change the perceived price of assets. For example, if user-provided data and oracle pricing information are made available to the function in a serialized form, then deserialization issues could allow the attacker to overwrite the oracle-provided pricing information. If this occurred, the function would be using attacker-defined pricing data, enabling the attacker to drain value from the contract.

Smart Contract Errors

An attacker may also be able to perform a price manipulation attack by taking advantage of other vulnerabilities or logical errors within a smart contract. For example, a failure to implement proper access control might enable an attacker to directly manipulate pricing information and drain value from the protocol.

A real world example of an unusual price manipulation attack was the Vow hack in August 2024. In this incident, the Vow team temporarily changed its price setter code as part of testing to prepare for a new feature. While the pricing information was temporarily incorrect, an MEV bot minted billions of tokens that they sold for a profit.

Protecting Against Price Manipulation Attacks

Price manipulation attacks are a common threat for DeFi smart contracts. Often, these vulnerabilities are difficult to identify and fix without a comprehensive analysis of the entire smart contract ecosystem. For example, looking at a single smart contract in isolation might miss the fact that the oracle that it relies upon for pricing information is using DEX spot prices, which are highly vulnerable to manipulation via flashloan attacks. This type of issue can only be spotted by a security audit that looks at a contract in the context of its entire deployment ecosystem.

To protect against price manipulation attacks, a smart contract should use a decentralized oracle that collects pricing information from several different sources to inform its calculations. This helps to manage the risk of price manipulation by raising the complexity of a flashloan attack. Additionally, the use of time-weighted average price (TWAP) oracles can reduce the risk of token prices being affected by sudden market fluctuations or flashloan attacks.

To learn more about the current state of DeFi security and the main threats to look out for, check out Halborn’s Top 100 DeFi Hacks report. For help in identifying and protecting your project against price manipulation and other common DeFi hacks, get in touch with Halborn.