defirisk.co
rubric v1.7.0

Oracle pool depth (USD)

A oracle & external dependencies factor in the v1.7.0 rubric. Measured per protocol on a c cadence.

Methodology how we score #

**What this measures** This factor records the liquidity depth of the DEX pool feeding the oracle — measured in USD at a reference block. This is a continuous, dynamically updated metric drawn from DEX subgraph queries and on-chain reads. It applies to any protocol using a DEX pool as a price source, whether spot or TWAP.

**Why it matters** Pool depth is the economic cost of oracle manipulation. The Inverse Finance exploit is the canonical illustration: with approximately $1M in pool liquidity, an attacker moved the INV price 50x using only 500 ETH, enabling $15.6M in undercollateralised borrowing. Mango Markets suffered $115M in losses from a MNGO spot oracle with thin underlying liquidity. Polter Finance's BOO token oracle had insufficient pool depth to resist the manipulation that resulted in $8.7M in losses. The synthesis dataset (Cluster O) shows that flash-loan amplification makes even "medium-liquidity" pools vulnerable when the protocol TVL is large relative to oracle pool depth.

**Green / Yellow / Red** Green is scored when the oracle pool depth exceeds a protocol-TVL-relative threshold that makes manipulation economically irrational (typically oracle pool depth > 5x the maximum single-asset borrow/drain possible). Yellow is scored when pool depth provides partial but not full manipulation resistance. Red is scored when oracle pool depth is demonstrably insufficient to resist a flash-loan-amplified price move.

**Common gray cases** Gray is applied when pool depth data cannot be retrieved from available subgraphs or when the oracle source uses an aggregated off-chain feed whose underlying pool depth is not publicly queryable.

**Notable historical examples** - **Mango Markets** ($115M, 2022): Thin MNGO oracle pool; 30x price pump with self-funded positions. - **Harvest Finance** ($33.8M, 2020): Curve Y-pool spot price manipulated via flash swap on thin liquidity. - **Inverse Finance** ($15.6M, 2022): ~$1M INV/WETH pool depth; 500 ETH moved price 50x. - **Polter Finance** ($8.7M, 2024): BOO token SpookySwap pool depth insufficient to resist flash-loan drain.

Measurement what to look for #

Measure the liquidity depth of each DEX pool feeding a TWAP oracle, in USD at reference block; updated continuously.

Data & output #

Data source
Uniswap v3 subgraph (pool TVL query) or equivalent DEX subgraph; on-chain pool `slot0` + `liquidity` reads
Output format
Green / Yellow / Red
Evidence artifact
Pool address + TVL USD + block number + subgraph query timestamp
Confidence signal
green = pool depth ≥$10M; yellow = $1M–$9.9M; red = <$1M (manipulable); gray = protocol does not use DEX-TWAP oracle (N/A)

Scored protocols 80 carry this factor #

Protocol RD-F-055
Aave v3 ethereum green Across Protocol ethereum not_applicable Aerodrome Finance base not_applicable Axelar Network ethereum green Babylon Protocol bitcoin not_applicable Balancer (v2 + v3) ethereum not_applicable Beefy Finance ethereum gray BENQI avalanche not_applicable BlackRock USD Institutional Digital Liquidity Fund (BUIDL) ethereum not_applicable Cap (cUSD / stcUSD) ethereum not_applicable Centrifuge ethereum gray Chainlink CCIP ethereum not_applicable Circle USYC binance not_applicable Compound V3 (Comet) ethereum not_applicable Concrete ethereum green Convex Finance ethereum not_applicable crvUSD (Curve Stablecoin) ethereum yellow Curve Finance ethereum green deBridge ethereum not_applicable Dolomite ethereum gray dYdX v4 (dYdX Chain) dydx green EigenLayer ethereum not_assessed Ethena ethereum green ether.fi ethereum gray Euler V2 ethereum gray Falcon Finance ethereum not_applicable Fluid ethereum not_applicable Frax Finance ethereum not_applicable GMX v2 (GMX Synthetics) arbitrum not_applicable Hyperlane ethereum green Hyperliquid arbitrum gray Jito solana not_applicable Jupiter solana not_applicable Jupiter Perpetual Exchange solana not_applicable JustLend DAO tron not_applicable Kamino Lend solana yellow Kinetiq hyperliquid not_applicable Lido ethereum not_applicable Liquid Collective (LsETH) ethereum not_applicable Liquity V1 + V2 (LUSD / BOLD) ethereum not_applicable Lista DAO bsc yellow Lombard Finance ethereum gray M^0 ethereum not_applicable Maple Finance ethereum not_applicable Marinade Finance solana not_applicable Meteora solana not_applicable mETH Protocol ethereum not_applicable Midas ethereum not_applicable Morpho V1 (Morpho Blue + MetaMorpho) ethereum not_applicable Multipli ethereum not_applicable Ondo Finance ethereum not_applicable OpenEden ethereum not_applicable Orca solana not_applicable PancakeSwap bsc not_applicable Pendle Finance ethereum yellow Polymarket polygon not_applicable QuickSwap polygon green Raydium solana green Rocket Pool ethereum not_applicable Sanctum solana not_applicable Save (formerly Solend) solana not_applicable Sky Lending (formerly MakerDAO) ethereum gray Spark Protocol ethereum green Spiko stellar not_applicable Stake DAO ethereum green StakeWise v3 ethereum not_applicable Stargate Finance ethereum gray stHYPE (Valantis Labs) hyperliquid not_applicable SUNSwap (sun.io) tron not_applicable Superstate ethereum gray Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap ethereum green Symbiotic ethereum not_applicable Synapse Protocol ethereum not_applicable Uniswap (v2 + v3) ethereum not_applicable USDD (Decentralized USD) tron not_applicable Usual (USD0 / bUSD0 / USUAL) ethereum not_applicable Veda (BoringVault) ethereum not_applicable Venus Protocol bsc yellow Wormhole ethereum gray Yearn Finance ethereum not_applicable
0 red · 5 yellow · 12 green

Linked hacks 9 historical incidents #

relatedMakina Finance — Permissionless share price oracle update (updateTotalAum) + flash loan Curve pool manipulation → share price inflation → LP drain2026-01-20 · $4M · Permissionless share price oracle update (updateTotalAum) + flash loan Curve pool manipulation → share price inflation → LP drain · Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
relatedPolter Finance — Spot price oracle manipulation (SpookySwap V2/V3) → inflated BOO collateral → draining borrow2024-11-16 · $9M · Spot price oracle manipulation (SpookySwap V2/V3) → inflated BOO collateral → draining borrow · Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering] || Underlying oracle pool depth [via cross-hack: Factor 25: Single-Source TWAP Oracle From Low-Liquidity Pool Used as Lending Collateral]
relatedDeus DAO / DEI stablecoin — Mis-ordered Parameters in burnFrom — Public Approval Override2023-05-06 · $7M · Mis-ordered Parameters in burnFrom — Public Approval Override · Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
relatedMango Markets — Self-funded MNGO spot price pump using two accounts → inflated unrealized collateral → lending pool drain2022-10-11 · $115M · Self-funded MNGO spot price pump using two accounts → inflated unrealized collateral → lending pool drain · Underlying oracle pool depth [via cross-hack: Factor 25: Single-Source TWAP Oracle From Low-Liquidity Pool Used as Lending Collateral]
relatedElephant Money — Flash loan + spot price manipulation during stablecoin minting2022-04-12 · $22M · Flash loan + spot price manipulation during stablecoin minting · Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
relatedInverse Finance — SushiSwap TWAP Oracle Manipulation — Thin Liquidity Governance Token2022-04-02 · $16M · SushiSwap TWAP Oracle Manipulation — Thin Liquidity Governance Token · Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering] || Underlying oracle pool depth [via cross-hack: Factor 25: Single-Source TWAP Oracle From Low-Liquidity Pool Used as Lending Collateral]
relatedSpartan Protocol — Flash loan + inflated pool balance → LP burn liquidity share manipulation2021-05-01 · $31M · Flash loan + inflated pool balance → LP burn liquidity share manipulation · Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
relatedCheese Bank — Flash loan + Uniswap LP spot oracle manipulation → inflated collateral value → drain via borrow()2020-11-06 · $3M · Flash loan + Uniswap LP spot oracle manipulation → inflated collateral value → drain via borrow() · Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
relatedHarvest Finance — Flash loan + Curve Y-pool spot price manipulation → inflated fToken share valuation → vault drain2020-10-26 · $34M · Flash loan + Curve Y-pool spot price manipulation → inflated fToken share valuation → vault drain · Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
rubric_version v1.7.0 factor RD-F-055 category 3 carried 80 critical no