Oracle Manipulation
An attack that corrupts the external price data a smart contract relies on, tricking it into executing transactions at false valuations.
Also known as: price oracle attack, oracle exploit
Last reviewed: 10 June 2026
Smart contracts cannot access real-world data directly; they rely on oracles, which are external services that feed price and event data on-chain. If an attacker can manipulate the price an oracle reports, they can trick a DeFi protocol into lending against inflated collateral, executing trades at false prices, or liquidating positions incorrectly.
Oracle manipulation is often combined with flash loans: borrow a large sum, use it to move the price on a thin liquidity pool that an oracle reads, exploit the resulting false price in a target protocol, and repay the loan. Millions of dollars have been stolen this way from protocols relying on single-source or easily manipulated oracles.
For consumers, protocols that use decentralised, manipulation-resistant oracle networks with multiple data sources and time-weighted average prices (TWAP) carry meaningfully lower oracle risk than those relying on a single DEX pool price.
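The difference between a single pool's spot price and a TWAP can be seen in a small simulation, added here as an illustration and not taken from any protocol's code. It assumes a fee-less constant-product pool and an oracle that averages one closing price per block; the reserve sizes, trade size and 30-block window are constructed values.

```python
# Added illustration with constructed numbers; not code from any real protocol.
from fractions import Fraction


def spot_after_buy(base_reserve, quote_reserve, quote_in):
    """Spot price (quote per base) of a fee-less x*y=k pool after quote_in is swapped in."""
    k = Fraction(base_reserve) * quote_reserve
    new_quote = Fraction(quote_reserve) + quote_in
    new_base = k / new_quote              # the invariant fixes the remaining base reserve
    return new_quote / new_base


class TwapOracle:
    """Cumulative-price oracle: every block close adds that block's closing price once."""

    def __init__(self):
        self.cumulative = [Fraction(0)]   # cumulative[i] = sum of the first i closes

    def record_block_close(self, price):
        self.cumulative.append(self.cumulative[-1] + Fraction(price))

    def twap(self, window):
        if window <= 0 or window >= len(self.cumulative):
            raise ValueError("not enough observations for this window")
        return (self.cumulative[-1] - self.cumulative[-1 - window]) / window


def compare(base_reserve, quote_reserve, quote_in, window, distorted_blocks):
    """Return (honest_price, spot_read, twap_read).

    distorted_blocks = 0 models a distortion undone inside one transaction,
    so it never appears in any block's closing price.
    """
    honest = Fraction(quote_reserve, base_reserve)
    distorted = spot_after_buy(base_reserve, quote_reserve, quote_in)
    oracle = TwapOracle()
    for _ in range(window - distorted_blocks):
        oracle.record_block_close(honest)
    for _ in range(distorted_blocks):
        oracle.record_block_close(distorted)
    return honest, distorted, oracle.twap(window)


if __name__ == "__main__":
    # Thin pool (100 base / 200,000 quote) versus a pool 100x deeper, same trade size.
    for label, base, quote in (("thin", 100, 200_000), ("deep", 10_000, 20_000_000)):
        for held in (0, 1):
            honest, spot, twap = compare(base, quote, 200_000, 30, held)
            print(f"{label} pool, distortion held {held} block(s): honest={float(honest):.1f} "
                  f"spot={float(spot):.1f} twap30={float(twap):.1f}")
```

With these numbers the thin pool's spot price reads 8000 against an honest 2000, while the 30-block TWAP reads 2000 if the distortion is undone within the transaction and 2200 if it is held through one block close; the same trade moves the deeper pool's spot price only to 2040.2.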