OWASP / www-project-smart-contract-top-10

OWASP Smart Contract Top 10
http://owasp.org/www-project-smart-contract-top-10/

Please consider Oracle manipulation #4

Open sc0Vu opened 1 year ago

sc0Vu commented 1 year ago

Hi there,

Thanks for this great repo. After reading the top 10 list, IMHO, please consider to add Oracle manipulation into this (some hacks happened).

About Oracle manipulation:

Oracle manipulation

Description

Oracle manipulation is an attack in which a smart contract relies on off-chain information from other services called oracles (e.g. price). If the data is wrong, it might lead to abnormal behavior.

Impact

Might drain the pool of a DeFi protocol.

Steps to fix

Use a decentralized oracle network or a time-weighted average price feed.

Example

The lending contract uses the price from a DEX oracle; the attacker takes a flash loan and manipulates the token price (draining one asset from the pool). After the price manipulation, the attacker can take a loan from the lending pool if the token price source is the DEX oracle and is not validated properly.
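
A constructed simulation of the valuation problem described in this issue and of the TWAP mitigation it proposes (an added example, not code from this issue or from the OWASP project): a toy constant-product pool with a cumulative-price oracle, a lending valuation that reads either the spot price or the time-weighted average, and a deviation check a lender can use as a circuit breaker; every name, reserve size and threshold is an assumption.

```python
from dataclasses import dataclass

@dataclass
class ConstantProductPool:
    """Toy x*y=k pool (constructed, not a real DEX); the price of A is quoted in B."""
    reserve_a: float
    reserve_b: float
    price_cumulative: float = 0.0  # sum of spot_price * seconds, V2-oracle style
    last_timestamp: int = 0

    def spot_price(self) -> float:
        return self.reserve_b / self.reserve_a

    def _accumulate(self, now: int) -> None:
        # Credit the price that held since the last update; a same-second trade cannot rewrite it.
        self.price_cumulative += self.spot_price() * (now - self.last_timestamp)
        self.last_timestamp = now

    def swap_b_for_a(self, amount_b: float, now: int) -> float:
        """Sell B into the pool for A; one large trade moves the spot price sharply."""
        self._accumulate(now)
        k = self.reserve_a * self.reserve_b
        self.reserve_b += amount_b
        received_a = self.reserve_a - k / self.reserve_b
        self.reserve_a = k / self.reserve_b
        return received_a

    def snapshot(self, now: int) -> tuple[float, int]:
        self._accumulate(now)
        return self.price_cumulative, now

def twap(start: tuple[float, int], end: tuple[float, int]) -> float:
    """Time-weighted average price between two oracle snapshots."""
    return (end[0] - start[0]) / (end[1] - start[1])

def max_borrow(collateral_a: float, price: float, ltv: float = 0.5) -> float:
    return collateral_a * price * ltv

def price_is_sane(spot: float, average: float, max_deviation: float = 0.10) -> bool:
    """Circuit breaker: do not lend while spot and TWAP disagree by more than 10%."""
    return abs(spot - average) / average <= max_deviation

def run_scenario() -> dict:
    pool = ConstantProductPool(reserve_a=1000.0, reserve_b=1000.0)
    start = pool.snapshot(0)             # oracle snapshot taken one hour earlier
    pool.swap_b_for_a(1000.0, now=3600)  # a single large swap in the current block
    end = pool.snapshot(3600)
    spot, average = pool.spot_price(), twap(start, end)
    return {"spot_price": spot, "twap_price": average, "lend_allowed": price_is_sane(spot, average),
            "spot_borrow": max_borrow(100.0, spot), "twap_borrow": max_borrow(100.0, average)}
```

With these numbers the spot price quadruples inside one block while the one-hour TWAP is unchanged, so a spot-based lender would advance four times the collateral value the TWAP-based lender would, and the deviation check refuses the loan outright.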

jinsonvarghese commented 1 year ago

@sc0Vu Hi Peter, thank you for opening this issue. The existing top 10 was put together after studying data sets from multiple sources. Oracle manipulation attacks are definitely on the rise. As such, I agree that this should be included in this repo.

Let me figure out how to incorporate this attack here and get back to you. We will probably add this under a new "Other vulnerabilities" or a similar section until we can release a new version of this list.