Chainlink – Understanding and Preventing ETH/USD Price Oracle Manipulation

I will be concise. I am using the Chainlink ETH/USD price feed in my smart contracts. I am ready to deploy the smart contracts, so I did a little bit of legwork researching mainstream hacks, and one in particular caught my attention – the oracle manipulation.
I grasp the idea behind the manipulation, and in my case it will happen if someone finds a way to manipulate the way Chainlink submits prices to the blockchain, am I right?
The question is purely abstract, that is why I am not providing any code.

Best Answer

There are various ways in which the construct of Chainlink can break. In essence, the ETH/USD price feed has three major attack vectors.

  1. Who controls the price feed?
  2. How is data brought on-chain?
  3. Where does the data come from?

The first question is easily answered. The price feed contracts are in full control of Chainlink Labs with a 4/9 multisig. This multisig could kill any price feed whenever they want without warning. You are trusting that they don't do this.

As for the second part, data is brought on-chain by something called a DON (Decentralized Oracle Network). These are oracle nodes selected by Chainlink Labs for a specific price feed, all of them providing an answer that then gets aggregated and served to you on-chain. Misbehavior of nodes can be punished by Chainlink Labs removing them from a DON and in the future with slashing of a stake they have to put up.

The third part, where does the data come from? Well, this is quite tricky, but you don't actually know. You know who operates the oracle nodes, but you don't know where they get their data from. When you look at ETH/USD with 31 nodes, you actually can't prove that all of them aren't simply using Coingecko. Chainlink Labs most likely makes sure that there is a diverse set of sources spread out across the DON, but similarly to the first point you're trusting them with this. There is no way for you to confirm how many and which sources are used within a specific price feed.

So how can the ETH/USD price feed be manipulated?

  1. Chainlink abuses their multisig and simply points ETH/USD to a malicious data feed. This will immediately kill all of DeFi and there is nothing that anyone can theoretically do to stop this. You're trusting that Chainlink won't do this.
  2. There is currently no mechanic preventing the majority of Chainlink node operators from colluding and misreporting on price feeds, causing millions in damages. The only feed where this is possible by some is ETH/USD with staking v0.2. In theory the majority of node providers on any other feed can collude at any given time. Chainlink Labs would probably remove them from the DON, but the damage would already be done at this point. As usual, you're trusting that they don't do this.
  3. The underlying data sources can collude and feed the entire DON wrong price information. As you can't prove how many APIs are used, you also can't quantify how many people would need to collude to break this construct. It could be 10. It could be 5. It could even be a single one. (This is most probably the most dangerous one, as it is simply a black box.)

There are probably a million other ways in which this construct can break, but these are the immediate ones that come to my mind, which aren't actually that technically complex to perform and are mostly trust-based assumptions.
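The dependence on unknown data sources described in the answer can be made concrete with a small model; this is an added example, not part of the original answer or Chainlink's code. It assumes each node reports the median of the APIs it reads and the feed is the median of node reports; the node-to-API mappings, prices and function names are constructed for illustration.

```python
from itertools import combinations
from statistics import median

# Constructed scenarios: which upstream APIs each of 31 oracle nodes reads.
# The real mapping is not public, which is the answer's third point.
DIVERSE = {f"node{i}": [f"api{i % 7}", f"api{(i + 1) % 7}", f"api{(i + 3) % 7}"]
           for i in range(31)}
SHARED = {f"node{i}": ["api0"] for i in range(31)}
INDEPENDENT = {f"node{i}": [f"api{i}"] for i in range(31)}


def node_report(sources, prices):
    """A node reports the median of the sources it reads (modelling assumption)."""
    return median(prices[s] for s in sources)


def feed_answer(node_sources, prices):
    """The on-chain answer, modelled as the median of all node reports."""
    return median(node_report(srcs, prices) for srcs in node_sources.values())


def min_sources_to_move_feed(node_sources, honest=2000.0, bad=1.0):
    """Smallest number of misreporting sources that changes the feed answer.

    Brute force over source subsets, so only suitable for a handful of sources.
    """
    all_sources = sorted({s for srcs in node_sources.values() for s in srcs})
    for k in range(1, len(all_sources) + 1):
        for subset in combinations(all_sources, k):
            prices = {s: (bad if s in subset else honest) for s in all_sources}
            if feed_answer(node_sources, prices) != honest:
                return k
    return None


if __name__ == "__main__":
    print("diverse sourcing:", min_sources_to_move_feed(DIVERSE))
    print("one shared API:  ", min_sources_to_move_feed(SHARED))
```

From the outside the two mappings look identical (31 nodes, one aggregated answer), which is why the number of parties that would have to misreport cannot be quantified without knowing the sources.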
