Crypto oracles are a blockchain vulnerability no one’s talking about

Data oracles, the automated feeds that provide crucial price data to smart contracts and enable trading on blockchains, are drawing increasing scrutiny over their roles in recent hacks and the vulnerabilities the industry’s reliance on them creates. They’re also attracting more investment from VCs and larger crypto players who see an opportunity amid these fears.

Two hacks this month illustrated the crucial role oracles play in crypto. A $114 million hack of Solana trading service Mango Markets took place after an attacker caused the price of a token reported on an oracle to triple. A smaller attack, on Moola Market, also centered on oracle price manipulation.

Oracles provide data that is not on the blockchain — off-chain data — in order for the blockchain to perform some action. Even crypto price data comes from oracles: Blockchains can’t execute or record trades without the market prices provided by oracles. They’re a critical piece of infrastructure, in other words, though it’s rare for anyone besides smart contract developers to pay attention to their value or dig into their vulnerabilities.

Chained together by data

Virtually every crypto application needs data to operate, but it has to get that data from a trusted source, ideally quickly and cheaply. Many DeFi protocols rely on Chainlink, an open-source technology, to provide prices. Oracles, which aren’t a new concept in computer science, are so named because they “know things that the system can’t know,” said Sergey Nazarov, co-founder of Chainlink Labs.

Founded in 2017, Chainlink uses a network of interlinked oracles to provide 60% to 90% of market data across all of DeFi, according to Nazarov. This year it has helped process more than $6.4 trillion in transactions, he said. Chainlink started on Ethereum but is now on more than 15 blockchains.

Chainlink is hoping to extend this approach to other types of data and other financial applications, like insurance. Some new insurance providers such as the Lemonade Foundation and Arbol are using weather data provided by Chainlink to pay out insurance claims, dispensing with the need for traditional inspections. In blockchain gaming, Chainlink also offers a type of oracle that provides randomly generated numbers used for generating awards, characters, maps, or other parts of games.

Crypto applications such as derivatives protocol Synthetix, DeFi lending protocol Aave, and decentralized exchange PancakeSwap also use Chainlink for price feeds, automation, and random number generation, among other services.

Finding alternatives

Despite — or because of — its ubiquity, there appears to be growing interest in alternatives to Chainlink. Binance launched a native oracle service last week for its BNB Smart Chain. (Chainlink and other oracle providers still run on the BNB chain.)

Protocols like API3 and Flux have first-party oracles, which provide more transparent data direct from the source, instead of data aggregated by nodes, which is an approach used by Chainlink and others, said Flux co-founder Jasper de Gooijer.

“The main advantage if you’re not using a third-party layer [is that] you remove a whole attack vector that’s intrinsic to basically every other oracle project,” said Dave Connor, co-founder and business development lead at API3. Connor also helped run an early Chainlink node.

API3 and Flux also argue they are more decentralized than Chainlink. While Chainlink’s oracles are spread out among various nodes, their selection is still controlled by Chainlink, Connor said. API3 is trying to address this by managing its oracles with a decentralized autonomous organization.

Connor pointed to an incident with Chainlink in which the price of gold was substituted for the price of silver in data provided to derivatives outfit Synthetix, which could have led to massive losses. “The exploit didn’t really cause many people to lose anything,” Connor said. “But it’s an example of what happens when the governance isn’t out in the open.” Chainlink said this was due to human error, not a problem with the oracle.

“Chainlink Data Feeds are decentralized at the data source, oracle node, and oracle network levels, generating highly reliable and accurate market data with strong protections against downtime and tampering,” Nazarov said.

This debate between efficiency and decentralization is common in crypto. “The reality is, over time, everything gets more centralized,” said Boris Wertz, who invests in crypto at Version One Ventures, citing bitcoin mining and ether staking as examples. “The question is, then, what’s the right balance between something that is efficient versus something that is sufficiently decentralized? Every single validator network has a balance between decentralization and efficiency.”

A risk to the crypto system?

Some insiders say having one major provider or a small number of providers undergirding the industry presents a risk for a new industry like crypto. “I think that that’s why there’s a lot of venture money that’s going after alternatives,” said Shawn Douglass, CEO of Amberdata, which provides data to oracle networks.

There’s always a “good news, bad news” debate when one big player in a category does well, Wertz said. “Obviously, that player is most likely stronger in terms of security and scale than others. At the same time, if it gets manipulated, then lots of people will get affected.”

The risk of that happening depends on what sort of back-up options oracle users have, but not all have enough redundancy, said Austin Campbell, head of portfolio management at crypto infrastructure firm Paxos. “It’s critical for protocols to have a resilient set of data providers in order to have multiple redundancy options in the case of outage or failure. This will reduce risk in DeFi, given most protocols do not have circuit-breaker-like technology that halts trading,” he said.

But Nazarov said Chainlink’s size isn’t a risk, because it can be customized to be as secure as developers want it to be. “Chainlink is actually an open-source framework for people to make their own oracle networks,” he said. “It’s actually a way for people to compose the degree of decentralization and risk management that they want.”

In the Mango Markets attack, Mango shouldn’t have allowed such a large withdrawal based on that oracle pricing, so the oracle, Pyth, wasn’t at fault, according to FTX CEO Sam Bankman-Fried. Still, the incident and similar hacks show that even if an oracle is correct, the way it is used can present “very significant risk,” Campbell said.
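As an added illustration (not code from this article or from any oracle project it names), the sketch below shows the kind of consumer-side protection discussed above: several redundant data providers, a staleness check, and a circuit breaker that halts when providers disagree or the price moves too far from the last accepted value. The class names, provider labels, thresholds and sample quotes are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Quote:
    provider: str  # hypothetical provider label, constructed for this example
    price: float
    age_s: float   # seconds since the provider published this price

class OracleGuard:
    """Consumer-side checks applied before a protocol acts on a price."""

    def __init__(self, min_sources=3, max_age_s=60, max_spread=0.02, max_jump=0.10):
        self.min_sources, self.max_age_s = min_sources, max_age_s
        self.max_spread, self.max_jump = max_spread, max_jump
        self.last_price = None   # last price that passed every check
        self.halt_reason = None  # set when the breaker trips; cleared by reset()

    def _halt(self, reason):
        self.halt_reason = reason
        return None

    def reset(self):
        """Manual re-enable after review; the guard never un-halts itself."""
        self.halt_reason = None

    def accept(self, quotes):
        """Return a usable price, or None if trading should stay halted."""
        if self.halt_reason:
            return None
        fresh = [q for q in quotes if q.price > 0 and q.age_s <= self.max_age_s]
        if len(fresh) < self.min_sources:
            return self._halt("too few fresh sources")
        mid = median(q.price for q in fresh)
        agree = [q for q in fresh if abs(q.price - mid) / mid <= self.max_spread]
        if len(agree) < self.min_sources:
            return self._halt("providers disagree")
        # Every provider can faithfully report a price that is itself distorted,
        # so also bound the move relative to the last accepted price.
        if self.last_price and abs(mid - self.last_price) / self.last_price > self.max_jump:
            return self._halt("price jump exceeds limit")
        self.last_price = mid
        return mid

if __name__ == "__main__":
    guard = OracleGuard()
    normal = [Quote("feed-a", 1.00, 5), Quote("feed-b", 1.01, 8), Quote("feed-c", 0.99, 3)]
    tripled = [Quote(q.provider, q.price * 3, q.age_s) for q in normal]  # constructed
    print(guard.accept(normal), guard.accept(tripled), guard.halt_reason)
```

The jump check is what covers the case where the oracle itself is accurate: when every source agrees on a tripled price, the guard still refuses to act on it until someone reviews and resets it.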

Nazarov pointed to the Mango incident as well, noting that Chainlink’s design prevents that type of price manipulation from happening. “I think it’s a larger risk to make a faulty oracle and get hacked,” he said.

These kinds of debates are likely to continue. As institutional players get deeper into crypto and regulators dig in, critical pieces of infrastructure like oracles are certain to get more scrutiny. Oracles may know things that aren’t on the blockchain. But their ultimate test may come in knowing themselves.

Clarification, Nov. 3: This story has been updated to clarify certain points about the BNB Smart Chain and first-party oracles.