Whether you’re just getting started or a seasoned Web3 developer, understanding blockchain oracles is crucial. They’re the backbone that connects your smart contracts to the real world, allowing interactions to go beyond the blockchains. Without oracles, smart contracts are limited to just processing what’s already on-chain, missing out on essential data like price feeds, real-world events, or even web APIs.
In this article, we’ll explore blockchain oracles and their types in detail: why they’re game-changers, their applications, and their potential weak spots. Keep reading till the end! We’ve got some cool bonus waiting for you.
A blockchain oracle is a service that provides external data to smart contracts, enabling them not only to fetch data from other blockchains but also from the outside or off-chain world: sports events, banking data, and much more.
Smart contracts are inherently isolated and deterministic; they cannot access or retrieve data from external environments without an intermediary. The oracle serves as this intermediary, bridging the gap between off-chain and on-chain data sources.
In other words, oracles are the blockchain’s gateway to the real world.
Still not sure about oracles’ role? For a better understanding, we provided you with a real-world scenario:
Let’s assume we have an Ethereum smart contract created to bet on the price of the gold. Both players deposit their bets into the smart contract. What does a smart contract need to have to distribute the prize when the period is over? It needs to have the actual price of the gold. This is when oracles come in handy. Oracles can fetch accurate prices off-chain and deliver them to the blockchain securely and reliably.
Users (smart contracts) request and get some information from an external source (any data not stored on the blockchain). According to ethereum.org, here’s an outline of how it works:
Regarding the distinction between data sources and oracles: oracles are not the sources of data; they are the means by which smart contracts access the data.
Oracles serve different purposes, hence they come in different design and administration patterns. According to the classification by ethereum.org, the most popular design pattern is request-response because it allows smart contracts to query specific information rather than an entire dataset. By contrast, publish-subscribe is useful for fetching dynamic changes, i.e., fiat-to-crypto exchange rates. Another important classification relates to administration. It answers the question: Who controls the oracle: a single entity or multiple peers?
Interoperability solutions range from sidechains to blockchain-agnostic protocols. However, they come with all sorts of challenges, like consistency and requirements for code changes. By contrast, oracles offer compatibility and security across different blockchains. We’ve summarized key points of difference in the table below:
|Sidechains||Sidechain logic can be invalidated if the main-chain is compromised. Ensuring consistency is challenging.||Oracles don’t require compatibility between blockchains and have multiple security management ways.|
|Notaries||Notaries cover the full spectrum of interoperability but centralize trust.||Oracles can address some blockchain vulnerabilities through decentralized solutions.|
|HTLCS||HTLCs are trustless and adaptable for trades but may lead to asset lockup. Supports only digital asset exchange.||Oracles support both digital and arbitrary data.|
|BOB||Blockchain engines don’t communicate globally. Some solutions are centralized with necessary transaction fees.||Decentralized Oracles can overcome many of these limitations.|
|Trusted Relays||Connecting differing blockchain platforms is tough. Minimizing malicious relay services is unclear.||Oracles act as middleware providing off-chain data and have reputation systems.|
Oracles bridge the gap between on-chain and off-chain worlds by retrieving and validating external data for smart contracts.
Peer-to-peer lending, borrowing, and asset trading in DeFi require real-time financial data, such as exchange rates and capital markets data. For instance, a DeFi lending protocol would need current market prices for assets deposited as collateral.
Blockchain-based games or lotteries need unpredictable randomness, a challenge due to the deterministic nature of blockchains.
Oracle Examples: Chainlink VRF and API3 QRNG offer tamper-proof random number generation (RNG), ensuring fairness and unpredictability.
Allows smart contracts to respond to real-world events. Decentralized insurance applications might utilize oracles to access accurate weather data or disaster reports.
Automates functions within a contract to maintain application functionality. Chainlink’s Keeper Network allows smart contracts to outsource maintenance tasks in a decentralized way.
Oracles play a pivotal role in the decentralized finance ecosystem, serving as the bridge between external data sources and smart contracts; however, their critical function also makes them a prime target for market manipulation tactics.
Market manipulation is the intentional distortion of price for profit, at the expense of other users. The easier an asset is to trade (its liquidity), the harder it is for someone to mess with its price.
Common Techniques in Market Manipulation:
While many popular oracles are thoroughly vetted and audited, protocols that use them can still mess things up. A notable example is a critical vulnerability in the AaveV3 fallback oracle, where the ‘setAssetPrice’ function lacked essential access control, allowing hackers to set any asset’s price.
At the time of bug discovery (April 2022), Aave was worth nearly $3 billion, so you can imagine the magnitude of a potential hack. The worst-case scenario was averted as third-party researchers spotted the issue and reported it to Aave. These incidents underscore the importance of external code reviews, even when a project uses a battle-tested oracle.
Let’s review the most common attack vectors.
In this type of attack, the objective is to deceive smart contracts by providing false price data. Consider the first hack of Inverse Finance to give you a real-world scenario. A big shout out to the authors of the great REKT article.
A well-planned and executed hack lets a hacker influence the price of the INV token and receive a special offer from the Ethereum-driven lending protocol. The exploiter initially withdrew 901 ETH from Tornado Cash. Once they distributed 1.5 ETH to 241 clean addresses using Disperse, the attacker launched 5 different smart contracts when only one of them was real. Then, they swapped 500 ETH to 1.7k INV via the INV-WETH pair on SushiSwap, significantly changing the price due to low liquidity. Simultaneously, the exploiter began spamming transactions to be the first to enter the next block and get an inflated price from Sushiswap. But why do we mention Inverse Finance here? Unfortunately, the Sushiswap TWAP oracle was used by Inverse Finance through the Keeper Network, which resulted in the price of INV to be drastically increased. Finally, the attacker deposited their 1.7k INV, which should have cost $644k at that time, as collateral and borrowed $15.6M for good.
A lesson here? We shouldn’t rely upon a TWAP oracle generated from a single low liquidity DEX trading pair with a short-time sample, aggregating the market manipulation risks.
This type of attack is interconnected with the previous one since flash loans can be considered a tool to achieve price changes. In the flash loan attack, an exploiter borrows a large amount of funds through a flash loan and uses those funds to manipulate the price of an asset.
A flash loan attack is a type of exploit that takes advantage of the fact that flash loans are uncollateralized and do not require a credit check. In a flash loan attack, a hacker borrows a large amount of funds through a flash loan and uses those funds to manipulate the price of an asset on a DeFi platform.
It typically follows three steps:
We couldn’t forget about our dear blockchain enthusiasts, so we curated a selection of insightful articles that will drastically boost your expertise:
Subscribe to our newsletter
Enter your email address to subscribe to Hacken Reseach and receive notifications of new posts by email.