myctrl.tools

SC03 Price Oracle Manipulation

>Control Description

Price oracle manipulation occurs when smart contracts depend on price or valuation data that attackers can influence, directly or indirectly, so that the protocol makes decisions based on incorrect values. Oracles are trust boundaries: the consuming contract assumes the price it receives reflects genuine market or on-chain conditions, and a manipulated reading is accepted exactly like an honest one. This vulnerability affects every contract type that consumes price data: DeFi lending and borrowing (collateral assessment, liquidation mechanisms), AMMs and DEXes (spot and TWAP-based pricing), yield vaults (NAV calculations, share valuation), liquid staking and derivatives (ETH/stake price feeds), NFT and token valuations (floor price oracles), and cross-chain bridges (asset pricing for mint/burn ratios).

**Exploitation Methods:**

- Spot price manipulation via large trades, flash loans, or JIT liquidity within a single block
- TWAP manipulation over short windows or during low-liquidity periods
- Stale or stuck data when contracts fail to enforce freshness or implement fallback behavior
- Deviation and outlier handling when aggregation logic cannot reject manipulated inputs

>Prevention & Mitigation Strategies

  1. Aggregate multiple price sources (several DEX pools or independent oracle feeds) and prefer the median over a plain mean: one manipulated input shifts a mean but not a median. Reject outliers and anomalous deviations before the value is used.
  2. Implement TWAPs over windows long enough to resist short-lived price skewing, and reject prices older than a maximum staleness threshold.
  3. Avoid building core pricing on illiquid pools; cap the impact any single pool or feed can have on the global price.
  4. On suspicious or unavailable data, halt sensitive operations such as borrowing and liquidations; use circuit breakers and rate limiting on parameter changes.
  5. Track price deviations between your oracle and reference markets; set automated alerts for unexpected movements or stuck oracles.
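The following Python model is an added example, not code from this page or from any protocol named on it. It shows the single-block flash-loan spot manipulation from the exploitation list against a simplified constant-product pool, why a block-granular TWAP does not see an in-block pump that is unwound before the block closes, and an aggregator that applies items 1, 2 and 4 above (median of several sources, staleness cutoff, outlier rejection, quorum, and a circuit breaker against a slow reference). All pool sizes, source names, timestamps and thresholds are constructed for illustration; the pool is a simplified Uniswap V2-style model, not the real contract.

```python
"""Spot-oracle manipulation and the controls above as a runnable model.
All pool sizes, prices, timestamps and thresholds are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from statistics import median

Observation = namedtuple("Observation", "source price timestamp")  # timestamp: unix seconds
Quote = namedtuple("Quote", "ok price reason")

@dataclass
class Pool:
    """Simplified constant-product (x*y=k) pool, Uniswap V2 style; price is USDC per token."""
    token: float
    usdc: float
    fee: float = 0.003

    def spot(self) -> float:
        return self.usdc / self.token  # what a naive reserve-based oracle reads

    def buy_token(self, usdc_in: float) -> float:
        """USDC in, token out; the fee stays in the pool."""
        k = self.token * self.usdc
        token_out = self.token - k / (self.usdc + usdc_in * (1 - self.fee))
        self.usdc += usdc_in
        self.token -= token_out
        return token_out

    def sell_token(self, token_in: float) -> float:
        """Token in, USDC out."""
        k = self.token * self.usdc
        usdc_out = self.usdc - k / (self.token + token_in * (1 - self.fee))
        self.token += token_in
        self.usdc -= usdc_out
        return usdc_out

def flash_loan_pump(pool: Pool, loan_usdc: float) -> dict:
    """Single-block attack: borrow USDC, buy token to skew reserves, read the spot
    oracle while skewed, sell back, repay. The attacker pays only swap fees."""
    before = pool.spot()
    bought = pool.buy_token(loan_usdc)
    skewed = pool.spot()
    recovered = pool.sell_token(bought)
    return {"before": before, "skewed": skewed, "after": pool.spot(),
            "attacker_cost": loan_usdc - recovered}

class BlockTwap:
    """TWAP over end-of-block prices. V2-style cumulative observations advance once
    per block, so a pump unwound in the same block leaves no trace; the attacker
    has to hold the skewed position across blocks, at real cost, to move it."""
    def __init__(self, window_blocks: int):
        self.window, self.history = window_blocks, []

    def record_block_end(self, price: float) -> None:
        self.history.append(price)

    def twap(self) -> float:
        w = self.history[-self.window:]
        return sum(w) / len(w)

class GuardedOracle:
    """Median over several sources, staleness cutoff, outlier rejection, quorum,
    and a circuit breaker against a slow reference such as a long-window TWAP."""
    def __init__(self, max_age_s, min_sources, max_outlier_dev, max_ref_dev):
        self.max_age_s, self.min_sources = max_age_s, min_sources
        self.max_outlier_dev, self.max_ref_dev = max_outlier_dev, max_ref_dev

    def quote(self, obs, now: int, reference: float) -> Quote:
        fresh = [o.price for o in obs if 0 <= now - o.timestamp <= self.max_age_s]
        if len(fresh) < self.min_sources:
            return Quote(False, None, "stale: too few fresh sources, halt borrows/liquidations")
        m = median(fresh)
        kept = [p for p in fresh if abs(p - m) / m <= self.max_outlier_dev]
        if len(kept) < self.min_sources:
            return Quote(False, None, "quorum lost after outlier rejection")
        price = median(kept)
        if abs(price - reference) / reference > self.max_ref_dev:
            return Quote(False, None, "circuit breaker: result deviates from reference TWAP")
        return Quote(True, price, "ok")

def demo() -> dict:
    pool = Pool(token=1_000_000, usdc=1_000_000)  # constructed: honest price 1.00 USDC
    twap = BlockTwap(window_blocks=10)
    for _ in range(10):
        twap.record_block_end(pool.spot())
    attack = flash_loan_pump(pool, loan_usdc=9_000_000)  # ~100x skew mid-block
    twap.record_block_end(pool.spot())  # block closes after the unwind
    now = 1_700_000_000
    sources = [  # constructed feeds; only the first one is under attacker control
        Observation("manipulated-pool", attack["skewed"], now),
        Observation("dex-b", 1.01, now - 30),
        Observation("dex-c", 0.99, now - 60),
        Observation("cex-feed", 1.00, now - 90),
        Observation("dead-feed", 1.02, now - 5_000),  # stale, must be ignored
    ]
    oracle = GuardedOracle(max_age_s=300, min_sources=3, max_outlier_dev=0.05, max_ref_dev=0.10)
    return {"attack": attack, "twap": twap.twap(), "guarded": oracle.quote(sources, now, twap.twap())}
```

Running `demo()` shows the reserve-based reading jump from 1.00 to roughly 100 USDC while the attacker's only cost is the swap fees, the 10-block TWAP staying within a fraction of a percent of 1.00, and the guarded aggregator discarding both the manipulated pool and the stale feed and returning 1.00. The same thresholds would live in the consuming contract in production; the caveat from item 2 still applies, since a TWAP window of only a few blocks can be moved by an attacker willing to hold the skewed position across block boundaries, which is why the reference used for the circuit breaker should be a long window.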

>Attack Scenarios

#1 NGP Token (September 2025, ~$2M loss)

The protocol's price function relied solely on DEX pair (Uniswap V2/PancakeSwap) reserve balances to calculate token price. Attackers used flash loans to manipulate reserves, artificially lowering oracle values, then bypassed purchase limits and cooldown protections.

#2 GMX (July 2025, $42M loss — oracle component)

While reentrancy in executeDecreaseOrder was the primary root cause, the attacker manipulated the global average short price for Bitcoin downward (~57x), then used a flash loan to purchase GLP at the artificially low price and redeem it at the inflated price. Price feed manipulation served as a key enabler of the reentrancy exploit.
