Flash loan + oracle manipulation → drain DEX
DeFi contract reads spot price from a single pool. Borrow a flash loan, distort the pool, exploit the dependent contract while price is wrong, repay the loan in the same transaction.
§ Context
Assumed environment: a lending / leveraged DeFi contract uses spot-price (not TWAP / Chainlink) from a thin liquidity pool. A flash-loan provider (Aave, dYdX) exists on the same chain.
§ Steps
- 01Pocket the differenceExfiltrationT1041— Exfiltration Over C2 Channel
- 02Identify single-pool oracle readerReconnaissanceW-RECON-FINGERPRINT— Tech Stack Fingerprinting
- 03Reverse trade, repay flash loanImpactW3-FLASH-LOAN— Flash Loan Exploit
- 04Borrow / mint against distorted priceImpactW3-FLASH-LOAN— Flash Loan Exploit
- 05Take flash loanImpactW3-FLASH-LOAN— Flash Loan Exploit
- 06Skew the price poolImpactW3-ORACLE-MANIP— Price Oracle Manipulation
§ References
§ Frequently asked
- What is the "Flash loan + oracle manipulation → drain DEX" attack path?
- DeFi contract reads spot price from a single pool. Borrow a flash loan, distort the pool, exploit the dependent contract while price is wrong, repay the loan in the same transaction. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Pocket the difference (T1041) — a exfiltration primitive. Assumed environment: a lending / leveraged DeFi contract uses spot-price (not TWAP / Chainlink) from a thin liquidity pool.
- What is the final impact of this kill-chain?
- The final step lands on Skew the price pool (W3-ORACLE-MANIP), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques2
Origin IP bypass → direct attack on backend
Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
- Shared techniques2
Flash-loan veCRV → capture Curve gauge → emission redirect
Snapshot voting on Curve gauges uses veCRV balance at a specific block. Borrow large CRV via flash-loan, lock for max veCRV, vote in attacker pool's favour, unlock (or accept the limit) — emissions redirected for the epoch.
- Shared techniques2
Vesting beneficiary replace → silently drain stream
Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- Shared techniques2
MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)
Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.
- Shared techniques2
Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach
Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.
- Shared techniques2
AXFR → discover shadow-IT staging → exploitable web app
DNS server allows unrestricted AXFR. Pull the full zone, find admin- / staging- / dev- hostnames never linked, hit one with default creds / leftover debug routes.