Guavy AI Editorial Team

DeFi Hacks Highlight Oracle Misconfiguration Risks

A recent series of hacks on decentralized finance (DeFi) platforms has brought attention to the issue of oracle misconfigurations. In one instance, Singularity_Fi lost approximately $413,000 due to an invalid Uniswap V3 fee tier being used in its oracle routes.

The incident occurred when a protocol admin registered six yield-token oracle routes using an invalid fee tier on January 19. This led to the direct price path breaking silently without any alarm or revert. The dynBaseUSDCv3 vault on Base continued to run, unaware of the actual value of its assets.

The attacker took advantage of this situation by flash-loaning 100,000 USDC from Morpho and depositing it into the vault. The mint went through without issue because the oracle indicated that the vault was nearly empty. Redemption, however, was proportional against every actual token balance, so the underlying yield tokens were redeemed as well. The total damage was approximately $413,000.
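The two checks that would have stopped this failure mode, rejecting a route with no pool behind it at registration and failing closed when a route returns no price, are sketched below. This is an added example, not code from Singularity_Fi or Uniswap; the token names, balances, prices, the `POOLS` lookup and the fee value 5000 are constructed assumptions.

```python
# Added example: a simplified model, not Singularity_Fi or Uniswap code.
# Token names, balances and prices are constructed for illustration.

class OracleError(Exception):
    """Raised instead of letting a broken route report a price of zero."""

# Constructed stand-in for pool discovery: (token, quote, fee) -> spot price.
# 500 is a real Uniswap V3 fee tier (0.05%); 5000 is used here as the bad one.
POOLS = {("yUSD", "USDC", 500): 1.02}

def register_route(routes, token, quote, fee):
    """Check 1: reject the route at registration if no pool backs it."""
    if (token, quote, fee) not in POOLS:
        raise OracleError(f"no {token}/{quote} pool at fee tier {fee}")
    routes[token] = (quote, fee)

def price_silent(routes, token):
    """Failure mode from the article: a dead route quietly prices at 0."""
    quote, fee = routes[token]
    return POOLS.get((token, quote, fee), 0.0)

def price_strict(routes, token):
    """Check 2: fail closed when a registered route yields no usable price."""
    quote, fee = routes[token]
    price = POOLS.get((token, quote, fee))
    if price is None or price <= 0:
        raise OracleError(f"route for {token} returned no price")
    return price

def total_assets(idle_usdc, balances, routes, price_fn):
    """Vault value in USDC: idle cash plus each yield token at oracle price."""
    return idle_usdc + sum(amt * price_fn(routes, tok) for tok, amt in balances.items())

def demo():
    balances = {"yUSD": 400_000}           # constructed holdings
    bad = {"yUSD": ("USDC", 5000)}         # route stored without validation
    good = {}
    register_route(good, "yUSD", "USDC", 500)
    reported = total_assets(1_000, balances, bad, price_silent)
    actual = total_assets(1_000, balances, good, price_strict)
    return reported, actual

if __name__ == "__main__":
    print(demo())
```

With the silent oracle the vault reports only its idle cash, while the strict path either prices the holdings correctly or halts valuation, which blocks mints until the route is fixed.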

In another incident on BNB Chain, JUDAO lost around $464,000 due to an oracle misconfiguration. The attacker exploited the deflationary LP drain mechanism by buying and selling JUDAO tokens. This skewed the pair's reserves, resulting in a profit of approximately $205,000 USDT plus 36 BNB for the attacker.