EVM Exploit October 26, 2020 4 min read

Stale Oracle Data Exploit Generator

Sigvex exploit generator that validates Chainlink oracle staleness vulnerabilities by executing contracts against fresh, stale (24-hour-old), and incomplete-round oracle configurations.

evmoracle-manipulationexploit-generator

Stale Oracle Data Exploit Generator

Overview

The stale oracle data exploit generator validates findings from the stale_oracle, oracle_manipulation, and oracle-manipulation detectors by executing the target contract under three Chainlink oracle configurations — fresh data, 24-hour-old stale data, and an incomplete round — and checking whether the contract reverts on the stale configurations. If stale or incomplete data is accepted without a revert, the vulnerability is confirmed.

The generator scans the target bytecode for the latestRoundData and latestAnswer Chainlink selectors to confirm that Chainlink oracle calls are present before testing. The Venus Protocol suffered $100M+ in losses due to stale price acceptance during a price feed outage. Multiple L2 protocols lost $50M+ from failing to check the Arbitrum/Optimism sequencer uptime feed before reading Chainlink prices.

Note: Exploit generation in Sigvex is for vulnerability validation purposes only.

Attack Scenario

Stale price exploitation:

Chainlink’s ETH/USD feed stops updating due to a sequencer outage on an L2 or a deviation threshold not being met.
The on-chain price remains at the last updated value (e.g., $1500) while the real market price has moved to $2000.
A lending protocol that uses the stale price accepts the outdated $1500 collateral valuation.
An attacker borrows against this artificially undervalued collateral or triggers profitable liquidations.
Positions that would be safely collateralized at the real $2000 price are liquidated at the stale $1500 price.

Incomplete round exploitation:

Chainlink begins a new round (roundId = 100) but the answeredInRound remains at 99 (incomplete).
The contract reads the answer but does not check answeredInRound >= roundId.
The returned price is from the previous, now-stale round (round 99).
The contract makes financial decisions on price data that has been superseded.

Exploit Mechanics

The generator first checks whether the target bytecode contains the LATEST_ROUND_DATA or LATEST_ANSWER Chainlink selectors and records the oracle type accordingly.

Three execution scenarios configure the simulated oracle storage using the Chainlink aggregator storage layout:

Storage slot	Field	Fresh value	Stale value	Incomplete value
Slot 0	`roundId`	100	100	100
Slot 1	`answer` (price)	$2000 (`200000000000`)	$1500 (`150000000000`)	$2000
Slot 3	`updatedAt`	`current - 60s`	`current - 86400s`	`current - 60s`
Slot 4	`answeredInRound`	100	100	99 (incomplete)

The fallback selector 0x3cda3351 (getCollateralValue) is used when no specific selector is found.

Verdict:

Fresh succeeds and Stale succeeds → stale data accepted (confidence 0.90): no updatedAt validation.
Fresh succeeds and Incomplete succeeds → incomplete round accepted (confidence 0.85): no answeredInRound >= roundId check.
Fresh succeeds and Stale reverts → protected: freshness validation is in place.

// VULNERABLE: No staleness check
function getPrice() external view returns (uint256) {
    (, int256 price,,,) = priceFeed.latestRoundData();
    return uint256(price); // Could be 24 hours old
}

// SECURE: Validate freshness and round completeness
function getPrice() external view returns (uint256) {
    (
        uint80 roundId,
        int256 price,
        ,
        uint256 updatedAt,
        uint80 answeredInRound
    ) = priceFeed.latestRoundData();

    require(updatedAt >= block.timestamp - 3600, "Stale price"); // Max 1 hour old
    require(answeredInRound >= roundId, "Incomplete round");
    require(price > 0, "Invalid price");

    return uint256(price);
}

Remediation

Detector: Stale Oracle Detector
Remediation Guide: Stale Oracle Remediation

Always validate all four return values from latestRoundData():

// Required validations for Chainlink on Ethereum mainnet
require(updatedAt >= block.timestamp - HEARTBEAT, "Stale price");
// Heartbeat: ETH/USD = 1 hour; less liquid pairs = 24 hours

// Required for all chains
require(answeredInRound >= roundId, "Incomplete round");
require(price > 0, "Invalid price (zero or negative)");

// Required on L2s (Arbitrum, Optimism)
// Check sequencer uptime feed before any Chainlink price
AggregatorV3Interface sequencerFeed = ...;
(, int256 sequencerStatus, uint256 startedAt,,) = sequencerFeed.latestRoundData();
require(sequencerStatus == 0, "Sequencer offline");
require(block.timestamp - startedAt > GRACE_PERIOD, "Sequencer recently restarted");

For high-value protocols, use multiple oracle sources (Chainlink + Uniswap TWAP) and halt operations if they diverge by more than a threshold.

References

Chainlink: latestRoundData Documentation
Chainlink: L2 Sequencer Uptime Feeds
Venus Protocol Exploit Analysis ($100M+ losses from stale oracle)
SWC-116: Block Values as Proxy for Time

EVM Attack Pattern

Oracle Manipulation

How attackers manipulate price oracles to exploit lending protocols, inflate collateral, and drain DeFi platforms — the most costly attack class in DeFi history.

EVM Detector

Oracle Manipulation

Detects smart contracts that rely on manipulable on-chain price sources, such as DEX spot prices or single-source price feeds, without time-weighted averaging.

SVM Detector

Oracle Manipulation

Detects Solana programs that rely on unvalidated or manipulable price oracle data, enabling attackers to trigger liquidations, drain vaults, or manipulate DeFi calculations.

EVM Exploit

API/Off-Chain Data Manipulation Exploit Generator

Sigvex exploit generator that validates off-chain data trust vulnerabilities where contracts accept external API data without signature verification, freshness checks, or redundancy — enabling data injection, replay attacks, and single-point-of-failure exploits.

EVM Exploit

Cross-Chain Oracle Inconsistency Exploit Generator

Sigvex exploit generator that validates cross-chain oracle inconsistency vulnerabilities including L2 sequencer downtime, oracle price lag between chains, and missing Chainlink sequencer uptime feed checks.

EVM Exploit

Oracle Failure Exploit Generator

Sigvex exploit generator that validates oracle failure vulnerabilities by testing contract behavior when price feeds return zero, extreme, or unavailable values.

EVM Exploit

Oracle Manipulation Exploit Generator

Sigvex exploit generator that validates spot-price oracle manipulation by comparing contract execution under normal vs. artificially imbalanced DEX reserve configurations.

EVM Exploit

Price Deviation Exploit Generator

Sigvex exploit generator that validates price deviation vulnerabilities by submitting extreme price updates (10x increase, 90% crash) and confirming whether the contract accepts them without bounds checking.

EVM Exploit

Single Oracle Dependency Exploit Generator

Sigvex exploit generator that validates single oracle dependency vulnerabilities by simulating primary oracle failure with no fallback, confirming protocols that halt or misbehave when the sole price source goes offline.

EVM Remediation

API/Off-Chain Data Remediation

How to secure contracts that consume off-chain data by requiring cryptographic signatures, freshness timestamps, and multiple independent sources to prevent data injection and replay attacks.

EVM Remediation

Cross-Chain Oracle Inconsistency Remediation

How to eliminate cross-chain oracle vulnerabilities by adding L2 sequencer uptime checks, grace period enforcement, and cross-source price deviation validation before reading any Chainlink price feed on L2 networks.

EVM Remediation

Oracle Failure Remediation

How to harden contracts against oracle failure modes — zero prices, extreme values, and feed unavailability — using input validation, bounds checking, fallback oracles, and circuit breakers.

EVM Remediation

Oracle Manipulation Remediation

How to eliminate oracle manipulation vulnerabilities by replacing spot prices with time-weighted averages and using decentralized oracle networks.

EVM Remediation

Price Deviation Remediation

How to protect protocols from extreme price movements and flash loan manipulation using deviation bounds, TWAP comparison, circuit breakers, and absolute price range constraints.

EVM Remediation

Single Oracle Dependency Remediation

How to eliminate single oracle dependency by implementing multi-source price architectures, cross-validation, and circuit breakers that keep protocols functioning when any individual feed fails.

EVM Remediation

Stale Oracle Data Remediation

How to eliminate stale Chainlink oracle vulnerabilities by validating all latestRoundData return fields, enforcing heartbeat-based freshness thresholds, and adding L2 sequencer uptime checks.

SVM Remediation

Oracle Manipulation Remediation (Solana)

How to defend Solana DeFi programs against oracle price manipulation through account ownership verification, staleness checks, confidence interval validation, and multi-oracle aggregation.

Back to Knowledge Base

Use the Sign In button in the navigation bar.

Sigvex

Advanced bytecode decompilation and security analysis across multiple runtimes. Detect vulnerabilities, exploits, and reverse-engineer smart contracts directly on-chain.

Product

Features
How It Works
Pricing

Resources

Knowledge Base
Research
Blog

Company

About
Contact
Security

Legal

Terms of Service
Privacy Policy
Cookie Policy
Acceptable Use

Built for developers, by developers.