How an oracle made 2400 ETH disappear
The bZx protocol accommodates Fulcrum and Torque, two popular lending & borrowing protocols in the DeFi space. As of today however, the trust in the foundation of these platforms has been shaken drastically.
Attackers managed to extract ETH worth an approximate $640k by manipulating an oracle that involved the price of the sUSD token, a synthetic USD stablecoin originating from the ever-growing Synthetix platform. The attack included multiple steps to succeed, as described by Larry Cermak, TheBlock’s director of research:
The nature of the attack lays open a critical issue within the decentralised finance space: Oracles relying on a few selected data sources instead of utilising a broad range of those offer an easy-to-exploit attack vector, especially withing the relatively illiquid DeFi markets — which in some regards don’t seem as decentral at all.
900 ETH (~$240k at the time of the attack) were enough to double the value of sUSD from $1 to $2, making it possible to borrow an even larger amount of ETH which was eventually the reason the theft was possible. sUSD, calling itself a stablecoin, has proven to not handle upwards deviations from the 1 dollar mark all to well. While other stablecoins ensure their value by either employing market-making mechanisms or just by their sheer amount of volume, sUSD has no unique strategy behind it to prevent upwards price manipulation at all (according to the Synthetix Litepaper).
A phenomenon like this attack can be compared to flash crashes happening on big exchanges, at last a deviation from the norm is the reason for losses in both scenarios.
DIA is providing a solution, providing clean and open-source financial data to DLT and traditional financial markets. By crowd-sourcing and -validating financial data from every asset possible, DIA creates a truly decentral dataset bigger and more reliable than its centralised counterparts.
With our data feeds via API or Oracle, we supply the ecosystem with trusted financial data, for free, open-source, always looking for input and engagement with the community.
You can use the data as well as outputs for your own applications, from traditional tracker certificates to arbitrage trading bots.
You can find our documentation here: https://docs.diadata.org/
And the link to the BTC API feed here: https://www.diadata.org/app/price/asset/Bitcoin/0x0000000000000000000000000000000000000000/
Source of detailed information: The Block