Analysis of $700k oracle manipulation exploit highlights vulnerabilities in DeFi vaults
Quick Take: In February, an oracle manipulation attack affected DeFi protocols on the Ethereum Layer 2 network ZKsync, including Venus Protocol, which suffered a $717,000 loss from taking on bad debt. The attacker manipulated the exchange rate of Mountain Protocol’s wUSDM wrapped yield-bearing stablecoin by using a flash loan to exploit a donation-based weakness in the standard ERC-4626 tokenized vault design.

A recent decentralized finance attack highlights how a weakness in the standard implementation of certain DeFi vaults can be exploited by a threat actor using familiar tools such as flash loans to manipulate exchange rates and mislead the price oracles that lending protocols depend on.
On February 27, an attacker executed a flash loan-based "donation attack," borrowing approximately $4 million from Aave and transferring it directly into the ERC-4626 vault behind Mountain Protocol's wrapped yield-bearing stablecoin, wUSDM. Because a direct transfer raises the vault's assets without minting new shares, this artificially inflated the vault's internal exchange rate. The underlying stablecoin, USDM, is collateralized by short-term U.S. Treasury bills.
Through the donation, the threat actor inflated the exchange rate of wUSDM from 1.06 to 1.7, then used two accounts to perform a self-liquidation on the lending platform Venus Protocol. Though Venus reacted quickly to freeze the market, the attacker profited by around $200,000, while Venus suffered a net loss of over $716,000, according to a detailed post-mortem recently released by risk management firm Chaos Labs.
"Both teams implemented appropriate emergency measures — freezing markets, adjusting risk parameters, and resetting the exchange rate," said Yoni Keselbrener, head of DeFi at Lightblocks Labs, in an interview with The Block. Keselbrener contributes to oracle infrastructure on eOracle, an Ethereum-native oracle network developed on EigenLayer that allows for the integration of real-world data into decentralized applications.
The attacked vault implements ERC-4626, the tokenized vault standard introduced in May 2022 that has since been widely adopted. However, the standard "...does not include safeguards against manipulated exchange rates when used in lending protocols," according to the post-mortem.
Lending platform Euler Finance published a research report on vulnerabilities in ERC-4626 vaults in January 2024, arguing that most vaults do not explicitly implement safety checks to prevent exchange rate manipulation. "We expect that in many cases two or more mitigation mechanisms might need to be combined for greater effect," the authors wrote.
Chaos Labs noted in its post-mortem that known mitigations could have prevented the attack. "To mitigate this attack vector, the wUSDM contracts could have used a cross-chain exchange rate oracle, or, following proper disclosure, Venus would have implemented security measures to limit the appreciation of the exchange rate," Chaos Labs wrote. "To further mitigate this attack vector, an upside-capped oracle setup—such as Aave’s CAPO mechanism—will be implemented for all yield-bearing assets, preventing manipulation through artificial yield spikes."
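To make the accounting behind the donation attack and the capped-oracle mitigation concrete, the following is an added example written for this page; it is not code from Mountain Protocol, Venus, Chaos Labs, Aave or Euler. It simulates, in integer arithmetic, an ERC-4626 vault whose share price is totalAssets divided by totalSupply, shows how a direct transfer of assets (the donation) moves that price from 1.06 to 1.7 without any shares being minted, and contrasts what a naive oracle reads against an upside-capped rate oracle in the spirit of Aave's CAPO. The deposit, yield and donation amounts, the attacker's share balance, the 6% yearly growth cap and the one-hour window are all constructed assumptions, and the cap logic is a simplification rather than Aave's production implementation.

```python
"""Added example (not code from Mountain Protocol, Venus, Chaos Labs, Aave or
Euler): integer-maths simulation of an ERC-4626 donation attack and of an
upside-capped exchange-rate oracle that blunts it. All amounts, the 6%/year
cap and the one-hour window are constructed for illustration.
"""
from dataclasses import dataclass

WAD = 10**18                      # 18-decimal fixed point, as in ERC-4626 maths
SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass
class Vault4626:
    """Minimal ERC-4626 vault whose totalAssets() is simply its token balance.

    Legitimate yield on a rebasing asset and an attacker's 'donation' (a plain
    transfer that mints no shares) both just raise `balance`; the vault cannot
    tell them apart, which is the root of the attack.
    """
    balance: int = 0        # underlying assets held (USDM in the article)
    total_supply: int = 0   # vault shares outstanding (wUSDM)

    def convert_to_assets(self, shares: int) -> int:
        # ERC-4626 convertToAssets: shares * totalAssets / totalSupply
        if self.total_supply == 0:
            return shares
        return shares * self.balance // self.total_supply

    def exchange_rate(self) -> int:
        """Assets per one share, WAD-scaled: what a lending oracle reads."""
        return self.convert_to_assets(WAD)

    def deposit(self, assets: int) -> int:
        """ERC-4626 deposit: mints shares at the current exchange rate."""
        shares = assets if self.total_supply == 0 else assets * self.total_supply // self.balance
        self.balance += assets
        self.total_supply += shares
        return shares

    def receive_assets(self, assets: int) -> None:
        """Assets arrive without minting shares (yield rebase or donation)."""
        self.balance += assets


@dataclass
class CappedRateOracle:
    """Upside-capped exchange-rate oracle (simplified CAPO-style logic).

    A trusted snapshot (rate, time) plus a maximum yearly growth in basis
    points bounds how fast the reported rate may rise; anything above that
    bound is clipped, so a single-block donation cannot move the price.
    Parameters are assumptions for this example, not Aave's production values.
    """
    snapshot_rate: int
    snapshot_time: int
    max_yearly_growth_bps: int

    def max_rate(self, now: int) -> int:
        elapsed = max(0, now - self.snapshot_time)
        allowed_growth = (self.snapshot_rate * self.max_yearly_growth_bps * elapsed
                          // (10_000 * SECONDS_PER_YEAR))
        return self.snapshot_rate + allowed_growth

    def rate(self, vault: Vault4626, now: int) -> int:
        return min(vault.exchange_rate(), self.max_rate(now))


def run_donation_scenario(
    honest_deposit: int = 6_250_000 * WAD,   # constructed: depositors' USDM
    accrued_yield: int = 375_000 * WAD,      # constructed: legit rebase, rate -> 1.06
    donation: int = 4_000_000 * WAD,         # constructed: flash-loaned USDM donated
    attacker_shares: int = 1_000_000 * WAD,  # constructed: part of the wUSDM supply above
    elapsed_seconds: int = 3600,             # one hour since the oracle snapshot
) -> dict:
    """Compare what a naive oracle and a capped oracle report after a donation."""
    vault = Vault4626()
    vault.deposit(honest_deposit)
    vault.receive_assets(accrued_yield)           # indistinguishable from T-bill yield
    rate_before = vault.exchange_rate()

    oracle = CappedRateOracle(snapshot_rate=rate_before, snapshot_time=0,
                              max_yearly_growth_bps=600)   # assumed 6%/year cap

    vault.receive_assets(donation)                # the attack: same entry point as yield
    rate_after = vault.exchange_rate()
    capped_rate = oracle.rate(vault, now=elapsed_seconds)

    return {
        "rate_before": rate_before,
        "rate_after": rate_after,
        "capped_rate": capped_rate,
        # collateral value each oracle would assign to the attacker's shares
        "collateral_naive": attacker_shares * rate_after // WAD,
        "collateral_capped": attacker_shares * capped_rate // WAD,
    }


if __name__ == "__main__":
    for key, value in run_donation_scenario().items():
        print(f"{key:>18}: {value / WAD:,.6f}")
```

Running the script shows the naive oracle valuing the attacker's 1,000,000 shares at 1,700,000 USDM after the donation, while the capped oracle stays just above 1,060,000 USDM, because one hour of the assumed 6% yearly growth allowance is far smaller than the jump the donation produced. The simulation also makes the trade-off visible: `receive_assets` is the only path by which both real yield and the donation enter the vault, so any cap tight enough to stop the attack must be loose enough, or re-snapshotted often enough, to track genuine yield.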
"It applies to any vault [by the way], not only standardized," added the X account of Curve Finance in response to a thread by Keselbrener discussing the vulnerability. "Just a common misstep by lending platforms."
Keselbrener said the CAPO approach is effective, but requires "...additional code complexity and ongoing management to ensure they don't restrict legitimate yield growth while preventing manipulation."
"As DeFi becomes more complex, we need to think beyond simple price feeds to understand the entire risk profile of the assets we're integrating," Keselbrener said. "The need for cross-chain oracle infrastructure isn't a drawback but an additional security layer. Specialized oracle providers can also implement specific safeguards designed to detect and prevent these exact manipulation scenarios."