Crypto oracles are a blockchain vulnerability no one’s talking about

Many crypto industries quietly depend on oracles, the data feeds that smart contracts tap into. Startups are challenging dominant player Chainlink, saying they can do it cheaper, more transparently, and with less centralized control.

As institutional players get deeper into crypto and regulators dig in, critical pieces of infrastructure like oracles are certain to get more scrutiny.

Illustration: Christopher T. Fong/Protocol

Data oracles, the automated feeds that provide crucial price data to smart contracts and enable trading on blockchains, are drawing increasing scrutiny over their roles in recent hacks and the vulnerabilities the industry’s reliance on them creates. They’re also attracting more investment from VCs and larger crypto players who see an opportunity amid these fears.

Two hacks this month illustrated the crucial role oracles play in crypto. A $114 million hack of Solana trading service Mango Markets took place after an attacker caused the price of a token reported on an oracle to triple. A smaller attack, on Moola Market, also centered on oracle price manipulation.

Oracles provide data that is not on the blockchain — off-chain data — in order for the blockchain to perform some action. Even crypto price data comes from oracles: Blockchains can’t execute or record trades without the market prices provided by oracles. They’re a critical piece of infrastructure, in other words, though it’s rare for anyone besides smart contract developers to pay attention to their value or dig into their vulnerabilities.

Chained together by data

Virtually every crypto application needs data to operate, but it has to get that data from a trusted source, and ideally fast and cheap. Many DeFi protocols rely on Chainlink, an open-source technology, to provide prices. Oracles, which aren’t a new concept in computer science, are named that because they “know things that the system can’t know,” said Sergey Nazarov, co-founder of Chainlink Labs.

Founded in 2017, Chainlink uses a network of interlinked oracles to provide 60% to 90% of market data across all of DeFi, according to Nazarov. This year it has helped process more than $6.4 trillion in transactions, he said. Chainlink started on Ethereum but is now on more than 15 blockchains.

Chainlink is hoping to extend this approach to other types of data and other financial applications, like insurance. Some new insurance providers such as the Lemonade Foundation and Arbol are using weather data provided by Chainlink to pay out insurance claims, dispensing with the need for traditional inspections. In blockchain gaming, Chainlink also offers a type of oracle that provides randomly generated numbers used for generating awards, characters, maps, or other parts of games.

Crypto applications such as derivatives protocol Synthetix, DeFi lending protocol Aave, and decentralized exchange PancakeSwap also use Chainlink for price feeds, automation, and random number generation, among other services.

Finding alternatives

Despite — or because of — its ubiquity, there appears to be growing interest in alternatives to Chainlink. Binance launched a native oracle service last week for its BNB Smart Chain. (Chainlink and other oracle providers still run on the BNB chain.)

Protocols like API3 and Flux use first-party oracles, which deliver more transparent data directly from the source rather than data aggregated by third-party nodes, the approach used by Chainlink and others, said Flux co-founder Jasper de Gooijer.

“The main advantage if you're not using a third-party layer [is that] you remove a whole attack vector that's intrinsic to basically every other oracle project,” said Dave Connor, co-founder and business development lead at API3. Connor also helped run an early Chainlink node.

API3 and Flux also argue they are more decentralized than Chainlink. While Chainlink’s oracles are spread out among various nodes, their selection is still controlled by Chainlink, Connor said. API3 is trying to address this by managing its oracles with a decentralized autonomous organization.

Connor pointed to an incident with Chainlink where the price of gold was substituted for the price of silver to derivatives outfit Synthetix, which could have led to massive losses. “The exploit didn't really cause many people to lose anything,” Connor said. “But it's an example of what happens when the governance isn't out in the open.” Chainlink said this was due to human error, not a problem with the oracle.

"Chainlink Data Feeds are decentralized at the data source, oracle node, and oracle network levels, generating highly reliable and accurate market data with strong protections against downtime and tampering,” Nazarov said.

This debate between efficiency and decentralization is common in crypto. “The reality is, over time, everything gets more centralized,” said Boris Wertz, who invests in crypto at Version One Ventures, citing bitcoin mining and ether staking as examples. “The question is, then, what's the right balance between something that is efficient versus something that is sufficiently decentralized? Every single validator network has a balance between decentralization and efficiency.”

A risk to the crypto system?

Some insiders say having one major provider or a small number of providers undergirding the industry presents a risk for a new industry like crypto. “I think that that's why there's a lot of venture money that's going after alternatives,” said Shawn Douglass, CEO of Amberdata, which provides data to oracle networks.

There’s always a “good news, bad news” debate when one big player in a category does well, Wertz said. “Obviously, that player is most likely stronger in terms of security and scale than others. At the same time, if it gets manipulated, then lots of people will get affected.”

The risk of that happening depends on what sort of back-up options oracle users have, but not all have enough redundancy, said Austin Campbell, head of portfolio management at crypto infrastructure firm Paxos. “It's critical for protocols to have a resilient set of data providers in order to have multiple redundancy options in the case of outage or failure. This will reduce risk in DeFi, given most protocols do not have circuit-breaker-like technology that halts trading,” he said.

But Nazarov said Chainlink’s size isn’t a risk, because it can be customized to be as secure as developers want it to be. “Chainlink is actually an open-source framework for people to make their own oracle networks,” he said. “It's actually a way for people to compose the degree of decentralization and risk management that they want.”

In the Mango Markets attack, Mango shouldn’t have allowed such a large withdrawal based on that oracle pricing. So the oracle, Pyth, wasn’t at fault, according to FTX CEO Sam Bankman-Fried. Still, the incident and similar hacks show that even if an oracle is correct, the way it is used can present “very significant risk,” Campbell said.
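The two defensive points raised above, redundant data providers with circuit-breaker-style halts and not valuing a position off a single unchecked price, can be modelled in a few lines. The following is an added example, not code from the article or from any oracle provider; the feed names, thresholds and prices are constructed for illustration.

```python
"""Simplified model of a protocol consuming oracle prices defensively (added
example, not from the article). Requires several fresh quotes, takes their
median, halts on an outsized jump, and caps credit unlocked by any one price."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass
class Quote:
    source: str      # hypothetical feed name (constructed)
    price: float     # quoted price in USD
    timestamp: int   # unix seconds when the feed last updated


class PriceGuard:
    def __init__(self, min_sources: int = 3, max_age: int = 60,
                 max_deviation: float = 0.10):
        self.min_sources = min_sources      # redundancy: quotes needed
        self.max_age = max_age              # staleness bound in seconds
        self.max_deviation = max_deviation  # allowed move since last accept
        self.last_price: Optional[float] = None
        self.halted = False

    def consume(self, quotes: List[Quote], now: int) -> Optional[float]:
        """Return an accepted price, or None if feeds are too few, too old,
        or the median moved beyond the bound (which trips the breaker)."""
        if self.halted:
            return None
        fresh = [q.price for q in quotes if now - q.timestamp <= self.max_age]
        if len(fresh) < self.min_sources:
            return None  # insufficient redundancy: refuse rather than guess
        med = median(fresh)
        if self.last_price is not None:
            change = abs(med - self.last_price) / self.last_price
            if change > self.max_deviation:
                self.halted = True  # circuit breaker: stop trading on a jump
                return None
        self.last_price = med
        return med


def max_borrow_usd(collateral_units: float, accepted_price: Optional[float],
                   ltv: float = 0.5, asset_cap_usd: float = 1_000_000.0) -> float:
    """Value collateral only with an accepted price, then apply a loan-to-value
    haircut and a hard per-asset cap so one feed cannot unlock unbounded credit."""
    if accepted_price is None:
        return 0.0
    return min(collateral_units * accepted_price * ltv, asset_cap_usd)
```

The thresholds are the knobs the Paxos and Chainlink comments refer to: a protocol chooses how many providers must agree and how large a move it tolerates before halting.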

Nazarov pointed to the Mango incident as well, noting that Chainlink’s design prevents that type of price manipulation from happening. “I think it's a larger risk to make a faulty oracle and get hacked,” he said.

These kinds of debates are likely to continue. As institutional players get deeper into crypto and regulators dig in, critical pieces of infrastructure like oracles are certain to get more scrutiny. Oracles may know things that aren’t on the blockchain. But their ultimate test may come in knowing themselves.

Clarification, Nov. 3: This story has been updated to clarify certain points about the BNB Smart Chain and first-party oracles.
