Oracle manipulation is when an oracle smart contract is manipulated by hackers.
Oracle manipulation, or oracle price manipulation, is an exploit most common in the DeFi space where an oracle smart contract is manipulated by attackers, which leads to system failure, theft and other damages. DeFi networks are reported to have lost over $33 million due to price oracle manipulation in 2020 alone.
Oracles are third-party service providers that supply blockchains with external or real-world data such as price feeds, weather information, statistics, etc. Price feeds are by far the most exploited oracle data since they allow attackers to steal millions of funds from DeFi platforms.
Generally, there are two ways an oracle can gather price information. One is to seamlessly siphon price data from centralized exchanges via APIs. On the other hand, oracles can also do the calculations themselves by consulting decentralized exchanges (DEXs). Both methods have their own sets of advantages and disadvantages, as well as ways of being manipulated.
In the Harvest Finance hack, the culprit was able to penetrate its pools through a flash loan using a form of oracle manipulation. Basically, the hacker reduced the value of USDC within the Curve pool via a trade. Then, the perpetrator got into the Harvest pool at the deflated price, brought USDC back to its initial price reversing his trade, then exited the pool at a much higher price.