
Report: Blockchain Price Oracle Manipulation Produces Millions in Losses, Shows No Signs of Slowing

On November 9, the researcher behind the website samczsun.com published a report documenting a series of price oracle manipulation incidents affecting several blockchain applications. The researcher notes that price oracle manipulation has resulted in “over $30 [million] in losses so far.”

According to the samczsun.com researcher, there has been a substantial amount of price oracle manipulation in 2020. On Monday, he tweeted: “Price oracle manipulation has resulted in over 30MM of losses so far and it shows no signs of slowing.” The tweet was also retweeted by the ethereum.org Twitter handle, which has roughly 500k followers. The tweet from @samczsun links to a post on the researcher’s site titled “So you want to use a price oracle.”

In the article, he explains that at the end of 2019 he published a post called “Taking undercollateralized loans for fun and for profit,” which described how he could attack ETH-based decentralized applications (dapps). The dapps he wrote about rely on price oracle data for a number of crypto assets.

“It’s currently late 2020 and unfortunately numerous projects have since made very similar mistakes,” samczsun.com’s post stresses. “With the most recent example being the Harvest Finance hack which resulted in a collective loss of 33MM USD for protocol users.”

In short, an oracle is a service that gathers on-chain or off-chain data and feeds it into a blockchain such as Ethereum, where smart contracts, automated market makers (AMMs), and trading platforms consume it; Chainlink is one of the popular ETH-based oracles. The report says developers are aware of some of the issues tied to oracles, but “price oracle manipulation is clearly not something that is often considered.”

The post is not only criticism, however: it also introduces oracles and oracle manipulation, explains how to mitigate against exploitation, and walks through six past incidents.

Specifically, the post covers undercollateralized loans, the Synthetix sKRW oracle malfunction, the yVault bug, the Synthetix MKR manipulation, the Harvest Finance hack, and the bZx hack.

[Figure: An illustration of the Synthetix MKR manipulation. Image via samczsun.com.]

The samczsun.com research also summarizes the Harvest Finance incident of October 26, 2020.

“The attacker deflated the price of USDC in the Curve pool by performing a trade, entered the Harvest pool at the reduced price,” the findings state. “[The attacker] restored the price by reversing the earlier trade, and exited the Harvest pool at a higher price. This resulted in over 33MM USD of losses.”

The report concludes that “price oracles are a critical, but often overlooked, component of defi security.” It highlights that there are plenty of ways for dapps to shoot themselves in the foot if they overlook these problems. “Reading price information during the middle of a transaction may be unsafe and could result in catastrophic financial damage,” the post says.
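To make the Harvest Finance pattern and the closing warning concrete, here is an added Python illustration (not code from the samczsun.com post or from any of the protocols named above): a toy constant-product pool with no fees, read once by a naive spot-price oracle in the middle of the manipulating transaction and once by an oracle that only records end-of-block prices over several blocks. The reserve sizes, trade size and averaging window are constructed sample values.

```python
# Added illustration (not from the samczsun.com post): toy constant-product pool, no fees.
from dataclasses import dataclass

@dataclass
class ConstantProductPool:
    reserve_a: float
    reserve_b: float

    def spot_price(self) -> float:
        """Price of one A in units of B, read directly from current reserves."""
        return self.reserve_b / self.reserve_a

    def swap(self, amount_in: float, a_for_b: bool) -> float:
        """Sell amount_in of one asset for the other (x * y = k); returns the amount out."""
        k = self.reserve_a * self.reserve_b
        if a_for_b:
            self.reserve_a += amount_in
            out, self.reserve_b = self.reserve_b - k / self.reserve_a, k / self.reserve_a
        else:
            self.reserve_b += amount_in
            out, self.reserve_a = self.reserve_a - k / self.reserve_b, k / self.reserve_b
        return out

class BlockAveragedOracle:
    """Records the spot price once per block, after that block's transactions, and reports
    the mean of the last `window` records; a swing closed within one transaction never lands here."""
    def __init__(self, window: int):
        self.window, self.history = window, []

    def record_block_end(self, pool: ConstantProductPool) -> None:
        self.history.append(pool.spot_price())

    def price(self) -> float:
        recent = self.history[-self.window:]
        return sum(recent) / len(recent)

def compare_oracles(trade_size: float, window: int = 3) -> dict:
    """Deflate, read, reverse (the report's pattern); return what each oracle style saw."""
    pool = ConstantProductPool(1000.0, 1000.0)      # constructed sample reserves
    oracle = BlockAveragedOracle(window)
    for _ in range(window):                          # quiet blocks before the trade
        oracle.record_block_end(pool)
    before = pool.spot_price()
    received = pool.swap(trade_size, a_for_b=True)   # big sale of A deflates its price
    mid = pool.spot_price()                          # what a naive contract reads here
    pool.swap(received, a_for_b=False)               # reverse the trade; reserves restored
    oracle.record_block_end(pool)                    # the block ends with the price restored
    return {"spot_before": before, "spot_mid": mid,
            "spot_after": pool.spot_price(), "block_averaged": oracle.price()}
```

With the sample reserves, a trade the size of the pool pushes the mid-transaction spot price to a quarter of its real value while the block-averaged reading does not move, which is the gap between what a contract reads mid-transaction and what the market actually settled at.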

In the months since the infamous Empire darknet market (DNM) disappeared, a great number of DNM users have flocked to alternative vendors. More recently, a Telegram bot service called Televend has attracted tens of thousands of users and has grown enormously since it was first introduced. Meanwhile, German law enforcement recently seized nine Telegram groups operating in the same manner.

The demise of the Empire darknet marketplace has sent a wave of DNM users not only to alternative DNMs but also to newly created Telegram channels that offer illegal wares 24 hours a day. Back in mid-October, for instance, news.Bitcoin.com reported on a complex system of automated drug-dealing Telegram bots called “Televend.”

Since our initial report on the subject, the Televend system has remained very active and has grown substantially.

For example, one of the Televend channels, called “Buy Drugs,” had 155,201 subscribers at the time of publication. Other branches of the Televend network have doubled or quadrupled in size since our last report.

“Televend is an auto-shop bot network for direct dealers,” the software’s creators detail. “We administer the bots and vendors run them like private shops. Customers can visit them and pay with bitcoin, track orders and payments plus leave feedback/ratings.”

Televend vendors control their own listings, and buyers need to locate a trusted vendor to access a specific bot. Vendors manage the “listings and configuration of their bot via a .onion Tor based control panel so no Telegram account is needed to vend.”

From the control panel, vendors can answer messages from customers, process orders, and access other features. Today the Televend “Group Chat” has over 15,000 users discussing vendors, drugs, and news stories.

At 10:23 a.m. (EST) on Wednesday morning, one user wrote: “Can anyone recommend a verified bot selling decent MDMA please?” Many similar messages throughout the chat backlog show that users routinely ask the same question when looking for a reliable Televend vendor.

Other users typically respond, often referring a vendor they trust. There are also many vendors advertising wares such as cannabis, opium, cocaine, LSD, ecstasy, and a colorful assortment of pharmaceuticals.

Meanwhile, at the end of October, German law enforcement announced the seizure of nine Telegram channels operating in a similar manner. A translated report from darknetlive.com shows that the Central Office for Combating Internet Crime (ZIT), the General Public Prosecutor’s Office in Frankfurt, and the Federal Criminal Police Office (BKA) participated in the seizure.

The BKA called the illicit Telegram channels “alternatives to the darknet,” according to the official announcement.

The General Public Prosecutor’s Office disclosed that the investigation into these Telegram groups began in June 2020. Prosecutors identified 28 vendors, and on October 29 the task force teams raided 30 properties across Germany.

Law enforcement confiscated over four kilos of various drugs and around 8,000 euros in cash. The report also notes that so far only two suspects, from the Offenbach district, have been arrested.

In addition to announcing the confiscations, German police revealed that nine Telegram channels were shut down. Interestingly, one of the groups was called “Silk Road,” and the other marketplace channels also had their own distinctive names.

The translated report also shows that the Telegram channels had roughly 8,000 users before they were seized. On Twitter, the darknet market researcher and analyst known as ‘Darkfail’ discussed the Telegram group seizure and noted that he does not think they were Televend related.

“‘Silk Road’ Telegram groups seized by German authorities. These do not appear to have been powered by Televend, an emerging alternative to Tor crypto markets,”

Source - https://news.bitcoin.com/televends-complex-system-of-telegram-drug-bots-swell-as-german-police-seize-9-telegram-drug-channels/
