Entry_point: Closed-source Oracle contract via low-level function (func_147d9322)
Exploit_vector: Attacker manipulated on-chain oracle by exploiting a vulnerable function to feed false token prices and drain liquidity through arbitrage positions.
Severity: Critical
Attack_steps:
1. Attacker identified and invoked a hidden oracle update function (func_147d9322) within the closed-source Oracle contract.
2. Used this to feed artificially low token prices into the system.
3. Executed arbitrage trades based on the manipulated price data across EDE pools.
4. Swapped tokens to extract value at distorted prices.
Impact: Drained ~437,948 USDC and 86,222 USDT ($520K) from the protocol.
Exploitability: High — oracle misconfiguration allowed unauthorized price updates
Root_cause: Improper access control: critical oracle update function was exposed and callable without restrictions.