The exploits took advantage of manipulating price feeds, in order to “trick” the protocols into lending significantly more money than they would at real market rates.
Samczun published an in-depth report of each exploit and how it would have been carried out, as well as the potential profit which would have been turned from executing the exploit.
According to the researcher’s calculations, a total of about 3770 ETH (equivalent to almost USD$700,000) could have been drawn from the exploits, from the execution of just 3 simple attacks.
Since the discovery, these potential exploits have quickly been patched. However, the question still arises: Are on-chain decentralized oracles really safe?
The risks of on-chain decentralized oracles
Although on-chain, decentralized oracles circumvent many of the issues associated with centralization risks (e.g. price-feed provider tampering), they present many of their own flaws.
This is especially true in these nascent stages of decentralized platforms, where price-feed providers are still experiencing growing pains.
On-chain decentralized oracle systems usually draw their price data from one or two sources, which often have their own shortcomings. As highlighted in the above exploits, these shortcomings often involve poor liquidity and flaws in the sources’ own protocols.
Preventing future exploits
Although liquidity and third-party risks may solve themselves over time, there are a few steps that platforms can take to prevent the future likelihood of such attacks.
One intuitive key to this is price-feed validation – implementing systems that confirm the accuracy of oracle data.
In the case of the DDEX exploit, a mere application of sanity bounds upon DAI price movements patched the issue. This simply ensured that any swings in the price of DAI were within a reasonable range, ruling out the possibility of large-scale price manipulation.
Further precautions should also be taken to deeply understand the nature of the protocols from which price feeds are sourced, and reduce the reliance placed upon the accuracy of their data.