Contact: Rui Xi, xirui801@ece.ubc.ca
Detecting Price Oracle Manipulation Attacks
Decentralized Finance (DeFi) refers to a new category of financial applications that run on top of blockchain platforms like Ethereum. These applications provide traditional financial services, such as lending, borrowing, and trading, without intermediaries such as banks or brokers. DeFi applications rely on external data feeds, which bring data source outside of the blockchain (off-chain) and serve them on the blockchain (on-chain). A price oracle is a specialized oracle that provides the price feed of a given cryptocurrency. One of the most significant attacks exploits the dependency between DeFi application and its oracle, namely Price Oracle Manipulation Attack (POMA).
We propose POMABuster, a system that monitors and analyzes transfers of cryptocurrency tokens to identify POMAs. POMABuster first recovers the high-level cryptocurrency trading semantics from low-level transfer logs, then uses a gate to filter suspicious trades that manipulate the price feed of an oracle, and finally, detects if any arbitrage takes the price imparity opportunity. We observed and exploited three insights on existing POMAs: the attackers focus only on high-value cryptocurrencies, keep these transactions close in time for the arbitrage opportunity, and their trading operations are in line with suspicious trading operations in traditional stock markets, as defined by the US Securities and Exchange Commission (SEC). As a result, POMABuster is not limited to single transaction POMAs, and does not rely on prior attack patterns to detect POMAs. Further, it incurs low performance overheads.
POMABuster: Detecting Price Oracle Manipulation Attacks in Decentralized Finance, Rui Xi, Zehua Wang, and Karthik Pattabiraman, Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2024.