Oracle Wars: The Rise of Price Manipulation Attacks
5/6/2025

Flash loan attacks exploiting oracle manipulation became a major DeFi threat in early 2020 with the bZx exploit (approximately $350,000 stolen). These attacks proliferated between 2020 and 2022, causing hundreds of millions in losses across many protocols.

In previous years, flash loan attacks were the most common exploits affecting decentralized finance (DeFi) protocols—malicious actors would use instant liquidity and protocol vulnerabilities to steal millions of dollars within seconds. Since then, however, strategies targeting DeFi have become more sophisticated and varied. Today, one of the most common types of DeFi attack vectors is oracle price manipulation, whereby attackers target the price feed of DeFi protocols.

In this article, we look at how oracles work, why they matter, how they can be exploited, and more, with the goal of educating DeFi participants on how to better protect themselves from these types of threats.

What Are Oracles in Blockchain?

In blockchain ecosystems, smart contracts operate autonomously and deterministically, and they have no native access to external data sources. This isolation is a security feature, but it also introduces a critical limitation: smart contracts remain unaware of events occurring outside of the blockchain. Oracles bridge that gap.

[Figure: Oracle Wars Diagram]

An oracle is a data delivery mechanism that supplies external information to a smart contract, such as the price of a token, the result of a sports match, or the outcome of an election. There are three major types of oracles:

  • Centralized Oracles, managed by one or a few entities, are efficient but pose trust risks: a compromised operator or a single bad input can have disastrous on-chain effects.
  • Decentralized Oracles, such as Chainlink, Pyth, and Band Protocol, aggregate data from many independent nodes, which increases reliability but does not eliminate every potential issue.
  • On-Chain Oracles derived from DEX pools (Uniswap or PancakeSwap, for example) rely purely on on-chain data, which reduces trust assumptions. However, low liquidity can leave protocols using these oracles open to manipulation, because a pool's spot price can be moved with a comparatively small trade.

Why Do Oracles Matter?

Smart contracts run in real time and without intermediaries—whatever an oracle says, the protocol that depends on it will believe and act on instantly. This trust is a double-edged sword. Oracles have become the single most critical dependency in DeFi, influencing everything from lending and borrowing to derivatives.

What is TWAP and How Does It Work?

The Time-Weighted Average Price (TWAP) is a specialized oracle that serves as a price feed for smart contracts making critical decisions. A TWAP averages an asset’s price over a given period, smoothing volatility and protecting against short-lived price spikes, which makes brief price manipulation far less effective.

Instead of relying on a single spot price, a TWAP samples the price of an asset at regular intervals (e.g. once per block or once per minute) and calculates the average over a predefined time window. The protocol uses the average price for essential on-chain operations, such as collateral valuation, trade execution, and liquidation thresholds.

For example, the TWAP of an asset sampled every minute for 10 minutes, with prices 1.00, 1.02, 1.01, and 1.11, would be the mean of those values: 1.066.

How Can TWAPs Be Exploited?

TWAPs aim to mitigate brief price manipulation, but unfortunately introduce a new weakness. If a manipulator can maintain a skewed price throughout the entire TWAP calculation period, the resulting average will be as unreliable as the manipulation itself.
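The two points above, that a TWAP dilutes a short spike but faithfully reports a skew held for the whole window, can be seen directly in code. The following is an added example, not code from the original article or from any oracle project: it computes the article's equally spaced arithmetic mean, then a time-weighted version in which each sample counts for as long as it stayed the current price (the cumulative-price form on-chain TWAP oracles use). All price series are constructed, a block is assumed to last 12 seconds, and the one-hour window and 60-second sampling step are assumptions.

```python
"""Time-weighted average price (TWAP) over timestamped spot samples.

Added example, not code from the original article or from any oracle project.
Every price series here is constructed sample data; timestamps are seconds
and a "block" is assumed to last 12 seconds.
"""
from typing import List, Optional, Sequence, Tuple

Observation = Tuple[int, float]  # (timestamp in seconds, spot price at that time)


def simple_twap(prices: Sequence[float]) -> float:
    """Arithmetic mean of equally spaced samples, the form used in the article's example."""
    if not prices:
        raise ValueError("need at least one sample")
    return sum(prices) / len(prices)


def time_weighted_twap(observations: Sequence[Observation], window_end: int) -> float:
    """Weight each sample by how long it stayed the current price (cumulative-price style).

    A spike that lasts one block contributes only one block's worth of weight,
    whatever its magnitude; a skew held for the whole window becomes the average.
    """
    if not observations:
        raise ValueError("need at least one observation")
    weighted_sum = 0.0
    elapsed = 0
    for (t_prev, price), (t_next, _) in zip(observations, observations[1:]):
        if t_next <= t_prev:
            raise ValueError("observations must be strictly increasing in time")
        weighted_sum += price * (t_next - t_prev)
        elapsed += t_next - t_prev
    t_last, p_last = observations[-1]  # the final sample holds until the window closes
    if window_end > t_last:
        weighted_sum += p_last * (window_end - t_last)
        elapsed += window_end - t_last
    if elapsed == 0:
        raise ValueError("window has zero length")
    return weighted_sum / elapsed


def make_series(base: float, window: int = 3600, step: int = 60,
                spike_at: Optional[int] = None, spike_price: float = 0.0,
                spike_seconds: int = 0) -> List[Observation]:
    """Constructed sample series: `base` sampled every `step` seconds, with an optional
    spike to `spike_price` at `spike_at` that reverts to `base` after `spike_seconds`."""
    if spike_seconds >= step:
        raise ValueError("spike must revert before the next regular sample")
    series: List[Observation] = []
    for t in range(0, window, step):
        if spike_at is not None and t == spike_at:
            series.append((t, spike_price))
            series.append((t + spike_seconds, base))  # price reverts within the same step
        else:
            series.append((t, base))
    return series


WINDOW = 3600  # assumed one-hour TWAP window
# One-block (12 s) push from 1.00 to 10.00 in the middle of the hour: TWAP moves to 1.03.
SPIKE_SERIES = make_series(1.0, WINDOW, 60, spike_at=1800, spike_price=10.0, spike_seconds=12)
# Skew held at 10.00 for every sample in the window: the TWAP is now the skew itself.
HELD_SERIES = make_series(10.0, WINDOW, 60)

if __name__ == "__main__":
    print("article samples, mean:", simple_twap([1.00, 1.02, 1.01, 1.11]))
    print("one-block spike to 10.00 -> TWAP", round(time_weighted_twap(SPIKE_SERIES, WINDOW), 4))
    print("skew held for the whole window -> TWAP", time_weighted_twap(HELD_SERIES, WINDOW))
```

Running the script shows the asymmetry a defender cares about: a tenfold spot spike lasting one block nudges the hour-long TWAP by about 3%, while a skew sustained across every sample is reported unchanged. The window length is therefore a cost parameter for the attacker, not a guarantee, and the longer a manipulator can afford to hold the skewed price, the less the TWAP helps.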

We can cite several examples of significant hacks, such as the April 2025 KiloEx exploit resulting in approximately […] $117 million. Here’s what happened in the Mango Markets exploit:

  1. The attacker initiated the exploit with a $10 million USDC split across two Mango Markets accounts.
  2. The attacker then executed a strategy involving simultaneous buying and selling of MNGO. One account heavily sold MNGO, while the other bought an equal quantity.
  3. This coordinated trading activity artificially and rapidly inflated the price of MNGO. Consequently, the buying account’s value surged from […] $400 million due to the manipulated price.
  4. Leveraging this inflated account value, the attacker used his MNGO tokens as collateral to borrow a significant portion of Mango Markets’ other assets. This borrowing depleted nearly all of Mango Markets’ liquid funds because the collateral’s true market value did not align with its inflated price within the protocol.

[Figure: Oracle Wars Chart]

Preventing Price Oracle Manipulation

Protecting against oracle manipulation attacks requires a multi-layered defense strategy. If the data layer is vulnerable, the protocol itself becomes exploitable. Here are essential measures DeFi protocols should implement:

  • Use multiple, independent price sources: Relying on a single oracle feed creates a single point of failure. Aggregating data from multiple independent sources helps detect inconsistencies and mitigates the risk of isolated manipulation.
  • Audit the entire price data pipeline: It’s critical to audit not just how prices are used in smart contracts, but how they are sourced, aggregated, and updated. A secure oracle must have strong, transparent mechanisms at every stage of the data flow.
  • Incorporate fallback logic and sanity checks: Protocols should include logic that cross-verifies prices against historical data or secondary feeds. If a deviation exceeds a reasonable threshold, the protocol should pause sensitive operations like liquidations and borrowing.
  • Deploy real-time monitoring and anomaly detection: Continuous on-chain and off-chain monitoring of oracle updates can help catch manipulation attempts early. Tools like CertiK Skynet can help identify this type of suspicious price behavior.
  • Implement protective mechanisms like circuit breakers: Circuit breakers can automatically halt protocol functions when abnormal price changes are detected, preventing cascading failures during an attack.
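The measures in the list above fit together as one policy: aggregate several independent feeds, compare the result against a slower reference such as a TWAP, log anything suspicious for monitoring, and trip a circuit breaker that pauses liquidations and borrowing when the deviation is too large. The following is an added example, not code from the original article or from CertiK Skynet, written as an off-chain style guard in Python; feed names, thresholds, prices and the `twap_reference` value are constructed, and a production deployment would enforce the same checks inside the protocol's own contracts.

```python
"""Oracle guard: multi-feed aggregation, deviation checks and a circuit breaker.

Added example, not code from the original article or from CertiK Skynet. Feed names,
thresholds and prices are constructed; the policy is the point, not the numbers.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List


@dataclass
class OracleGuard:
    max_deviation: float = 0.05    # tolerated gap between aggregated price and the reference (e.g. a TWAP)
    max_feed_spread: float = 0.10  # a feed further than this from the median is flagged as an outlier
    min_feeds: int = 2
    paused: bool = False
    events: List[str] = field(default_factory=list)  # monitoring log for operators

    def aggregate(self, feeds: Dict[str, float]) -> float:
        """Median of independent feeds: one manipulated source cannot move the result on its own."""
        if len(feeds) < self.min_feeds:
            raise ValueError(f"need at least {self.min_feeds} independent feeds")
        if any(p <= 0 for p in feeds.values()):
            raise ValueError("non-positive price reported")
        return median(feeds.values())

    def check(self, feeds: Dict[str, float], reference: float) -> dict:
        """Aggregate the feeds, flag outliers, and trip the breaker if the result drifts from the reference."""
        price = self.aggregate(feeds)
        outliers = sorted(name for name, p in feeds.items()
                          if abs(p - price) / price > self.max_feed_spread)
        deviation = abs(price - reference) / reference
        for name in outliers:
            self.events.append(f"outlier feed {name}={feeds[name]:.4f} vs median {price:.4f}")
        if deviation > self.max_deviation:
            self.paused = True  # circuit breaker: halt sensitive operations until reviewed
            self.events.append(f"breaker tripped: median {price:.4f} deviates "
                               f"{deviation:.1%} from reference {reference:.4f}")
        return {"price": price, "deviation": deviation, "outliers": outliers, "paused": self.paused}

    def can_liquidate(self) -> bool:
        return not self.paused

    def can_borrow(self) -> bool:
        return not self.paused

    def resume(self) -> None:
        """Manual reset once operators have reviewed the logged events."""
        self.paused = False
        self.events.append("breaker reset by operator")


def run_scenarios() -> List[dict]:
    """Three constructed snapshots; `twap_reference` stands in for a trusted, slower-moving feed."""
    guard = OracleGuard()
    twap_reference = 1.00
    healthy = {"feed_a": 1.00, "dex_spot": 1.02, "feed_c": 1.01}
    one_bad = {"feed_a": 1.00, "dex_spot": 2.50, "feed_c": 1.01}    # a single DEX pool pushed off-market
    all_moved = {"feed_a": 2.40, "dex_spot": 2.50, "feed_c": 2.45}  # every feed disagrees with the reference
    results = [guard.check(healthy, twap_reference),
               guard.check(one_bad, twap_reference),
               guard.check(all_moved, twap_reference)]
    results.append({"liquidations_allowed": guard.can_liquidate(),
                    "borrowing_allowed": guard.can_borrow(),
                    "events": list(guard.events)})
    return results


if __name__ == "__main__":
    for result in run_scenarios():
        print(result)
```

The three snapshots show the layers doing different jobs. A healthy set passes silently. One manipulated DEX pool is outvoted by the median, so the protocol keeps operating, but the feed is logged as an outlier for the monitoring side to investigate. When every feed moves far from the reference, the median alone cannot tell a real market move from a sustained manipulation, so the breaker pauses liquidations and borrowing and leaves the decision to a human with the event log in hand.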

To learn more about best blockchain security practices, read the latest articles on our blog.
