I will be concise. I am using the Chainlink ETH/USD price feed in my smart contracts. I am ready to deploy the smart contracts, so I did a little bit of legwork researching mainstream hacks, and one in particular caught my attention – the oracle manipulation.
I grasp the idea behind the manipulation, and in my case it will happen if someone finds a way to manipulate the way Chainlink submits prices to the blockchain, am I right?
The question is purely abstract, that is why I am not providing any code.
Chainlink – Understanding and Preventing ETH/USD Price Oracle Manipulation
chainlink oracles
Best Answer
There are various ways the construct of Chainlink can break. In essence, the ETH/USD price feed has three major attack vectors.
The first question is easily answered. The price feed contracts are under the full control of Chainlink Labs with a 4/9 multisig. This multisig could kill any price feed whenever they want without warning. You are trusting that they don't do this.
As for the second part, data is brought on-chain by something called a DON (Decentralized Oracle Network). These are oracle nodes selected by Chainlink Labs for a specific price feed, all of them providing an answer that then gets aggregated and served to you on-chain. Misbehavior of nodes can be punished by Chainlink Labs removing them from a DON and in the future with slashing of a stake they have to put up.
The third part, where does the data come from? Well, this is quite tricky, but you don't actually know. You know who operates the oracle nodes, but you don't know where they get their data from. When you look at ETH/USD with 31 nodes, you actually can't prove that all of them aren't simply using Coingecko. Chainlink Labs most likely makes sure that there is a diverse set of sources spread out across the DON, but similarly to the first point you're trusting them with this. There is no way for you to confirm how many and which sources are used within a specific price feed.
So how can the ETH/USD price feed be manipulated?
There are probably a million other ways this construct can break, but these are the immediate ones that come to my mind, which aren't actually that technically complex to perform and are mostly trust-based assumptions.
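The trust assumptions described in the answer cannot be removed by the consuming contract, but it can fail closed when the feed stops answering, goes stale, or reports an implausible value. The following is an added example, not part of the original question or answer and not Chainlink's own code; the contract name `GuardedEthUsdPrice`, the staleness window and the price bounds are hypothetical values the deployer must choose.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Chainlink's aggregator interface, reduced to the one call used here.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical consumer: reads ETH/USD and reports "not usable" instead of
// passing a dead, stale or out-of-range answer on to business logic.
contract GuardedEthUsdPrice {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxStaleness; // seconds; assumption, pick above the feed's update interval
    int256 public immutable minPrice;      // lower sanity bound in feed units; assumption
    int256 public immutable maxPrice;      // upper sanity bound in feed units; assumption

    constructor(address feed_, uint256 maxStaleness_, int256 minPrice_, int256 maxPrice_) {
        require(feed_ != address(0), "feed unset");
        require(minPrice_ > 0 && minPrice_ < maxPrice_, "bad bounds");
        feed = AggregatorV3Interface(feed_);
        maxStaleness = maxStaleness_;
        minPrice = minPrice_;
        maxPrice = maxPrice_;
    }

    // Returns (false, 0) whenever the answer should not be trusted, so the
    // caller can pause price-dependent actions rather than act on bad data.
    function tryEthUsd() external view returns (bool ok, uint256 price) {
        try feed.latestRoundData() returns (
            uint80, int256 answer, uint256, uint256 updatedAt, uint80
        ) {
            // Round never completed, or timestamp lies in the future.
            if (updatedAt == 0 || updatedAt > block.timestamp) return (false, 0);
            // Feed has stopped updating (for example, it was shut down).
            if (block.timestamp - updatedAt > maxStaleness) return (false, 0);
            // Zero, negative or implausible aggregate answer.
            if (answer < minPrice || answer > maxPrice) return (false, 0);
            return (true, uint256(answer));
        } catch {
            // The feed call itself reverted.
            return (false, 0);
        }
    }
}
```

These checks only detect a feed that is dead or obviously wrong; they do not verify which data sources the oracle nodes used, which the answer notes is not observable on-chain.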