Within the context of pricing, an oracle is an on-chain API for price. Differently put, it simply tells you what the price of an asset is at a given time.
While we think Uniswap's oracles are best suited for our permissionless lending protocol, depositing into an Euler pool backed by illiquid liquidity pools on Uniswap can lead to devastating results.
For instance, inflating the value of a collateral allows the attacker to borrow an inflated amount of tokens, leading to bad debt. This is the most systemic and widespread attack on lending protocols.
Alternatively, if the Uniswap V3 oracle of the borrowed asset is manipulated to the upside, the attack could trigger liquidations and sweep borrowers' collateral.
Even more of concern is when the attacker can manipulate the asset pricing to the downside. Hypothetically, if the price drops to almost zero, the attacker only needs a small amount of collateral to borrow the entire pool and run away with a hefty profit.
In order to assess an oracle's safety, our team have developed a tool to calculate the cost of moving a given Uniswap v3 TWAP: oracle.euler.finance.
Using the tool, we can calculate the cost of moving the TWAP by 20.89% (minimum required to break even on highest-quality assets) up and down over 1 and 2 blocks:
Then, we take the minimum of these 4 values: $469.63 million and assign a rating to it according to this table:
Consequently, UNI/WETH pool safety is deemed high as the minimum cost of attack up and down over 1-2 blocks is > $50 million.
This is displayed on the front-end page of the respective lending pool:
Keep in mind that this is merely an indicative tool and we bear no responsibility for loss of funds.
If you are a project that wants to improve its token's oracle rating and be eligible for higher borrow and collateral factors, it's crucial to provide full-range liquidity to the XYZ/WETH pair on Uniswap V3.
By full-range liquidity we mean providing liquidity from the lowest tick all the way to the highest tick without any gaps in between.
Check out this video going through different manipulation scenarios for a more in-depth explanation:
It's important to note that even a small amount of fully-spread liquidity can significantly increase the cost of attack. For eg, the IDLE/WETH pool has a mere $52k TVL, yet the minimum cost of attack is a whopping $115 million:
Check out this blog post written by Darek explaining the oracle tool: https://blog.euler.finance/uniswap-oracle-attack-simulator-42d18adf65af
Check out Michael's paper on how even a small amount of full-range liquidity can make an attack incredibly costly: https://github.com/euler-xyz/uni-v3-twap-manipulation/blob/master/cost-of-attack.pdf