Compound DAI Oracle Cascade
Compound liquidated $89M in over-collateralised positions after DAI briefly traded at $1.30 on Coinbase Pro, the oracle's sole price source. No hack needed.
- Date
- Victim: Compound Finance
- Chain(s)
- Status
- Funds Stolen
On November 26, 2020 — Thanksgiving morning in the U.S. — approximately $89 million in over-collateralised positions were liquidated on Compound Finance in a single hour. There was no smart-contract exploit. The protocol worked exactly as designed. The problem was that its oracle read DAI's price from a single venue — Coinbase Pro — and DAI briefly traded at $1.30 there in thin holiday liquidity.
What happened
Compound's price oracle at the time used Coinbase Pro as its anchor source for stablecoin prices, with a sanity check requiring the reported price to stay within 20% of a Uniswap TWAP. The 20% guardrail was generous — DAI rarely moved more than a fraction of a percent, even in stressed markets.
Between roughly 12:00 and 13:00 PT, three things happened simultaneously:
- ETH dropped ~8% globally, pressing many borrowers' collateral ratios closer to liquidation thresholds.
- DAI's price on Coinbase Pro spiked to ~$1.30 across the DAI/USDC, DAI/USD, and ETH/DAI pairs — a 30% premium driven by thin holiday-morning liquidity and concentrated buying.
- Compound's oracle ingested the $1.30 DAI price (within the 20% Uniswap-TWAP tolerance only because the Uniswap DAI pool also briefly drifted).
For Compound users who had borrowed DAI against ETH collateral, the protocol now calculated their debt at 30% higher than its actual market value. Tens of millions in positions instantly became under-collateralised. Liquidation bots — operating exactly as Compound intended — pounced.
~$89M in DAI-denominated borrows were liquidated in the window, with borrowers losing both their loans and the collateral seized at the liquidation discount.
Aftermath
- DAI's Coinbase price normalised back to ~$1.00 within an hour. By the time it did, the liquidations were final.
- Compound governance debated whether to compensate liquidated users. After contentious discussion, the team declined to reimburse — characterising the liquidations as having occurred according to protocol rules, even if those rules had failed users.
- The incident dramatically accelerated Compound's migration toward Chainlink-based price feeds with multi-source medians and tighter deviation controls.
Why it matters
The Compound DAI incident is the canonical case for why "the protocol worked as designed" is not a defence. Every parameter in a DeFi system — oracle source, deviation tolerance, liquidation threshold, grace period — represents an implicit promise about reality. When reality stops matching the assumptions, "according to the rules" produces outcomes the protocol's users would never have signed up for.
The lesson — that single-venue price feeds are a single point of failure, even when the venue is Coinbase — drove the industry-wide move to Chainlink/multi-source aggregation. The pattern of the bug, however, recurs every time a protocol launches with a thin price feed and learns the same lesson its predecessors paid for.
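The deviation guard and the multi-source median discussed above, as an added Python example (not Compound's or Chainlink's code). The position size, ETH price, collateral factor, venue quotes, 5% agreement band and the $1.00 last-good price are constructed assumptions; only the 20% tolerance, the ~8% ETH drop and the $1.30 print come from the write-up.

```python
"""Added example: single-venue anchored oracle vs. multi-source median.
All figures are constructed; the guard is a simplification, not Compound's contract."""
from statistics import median

TOLERANCE = 0.20          # deviation band described in the write-up
COLLATERAL_FACTOR = 0.75  # assumed borrow limit per $ of ETH collateral

def guarded_price(reported, twap, tolerance=TOLERANCE):
    """Return the venue price if within `tolerance` of the TWAP anchor, else None."""
    if abs(reported - twap) / twap <= tolerance:
        return reported
    return None  # rejected: caller keeps its previous price

def median_price(quotes, max_spread=0.05):
    """Median of several venues; None unless a majority sit near the median."""
    mid = median(quotes)
    agreeing = [q for q in quotes if abs(q - mid) / mid <= max_spread]
    return mid if len(agreeing) > len(quotes) / 2 else None

def is_liquidatable(eth_amount, eth_price, dai_debt, dai_price):
    """A position is liquidatable when debt value exceeds the borrow limit."""
    borrow_limit = eth_amount * eth_price * COLLATERAL_FACTOR
    return dai_debt * dai_price > borrow_limit

# Constructed borrower: 100 ETH collateral, 30,000 DAI debt.
ETH_AMOUNT, DAI_DEBT = 100, 30_000
ETH_PRICE = 520 * 0.92                   # constructed $520, after the ~8% drop
VENUE_SPIKE = 1.30                       # single-venue print from the write-up
QUOTES = [1.30, 1.10, 1.02, 1.01, 1.00]  # constructed quotes from five venues

def scenario():
    """Map each oracle design to (DAI price used, position liquidatable?)."""
    results = {}
    for label, dai_price in [
        ("single venue, drifted TWAP 1.10", guarded_price(VENUE_SPIKE, 1.10)),
        ("single venue, steady TWAP 1.00", guarded_price(VENUE_SPIKE, 1.00)),
        ("median of five venues", median_price(QUOTES)),
    ]:
        # A rejected update leaves the last good price (assumed $1.00) in place.
        used = dai_price if dai_price is not None else 1.00
        results[label] = (used, is_liquidatable(ETH_AMOUNT, ETH_PRICE, DAI_DEBT, used))
    return results

if __name__ == "__main__":
    for label, (price, liq) in scenario().items():
        print(f"{label:33s} DAI=${price:.2f} liquidatable={liq}")
```

The same position is liquidated only in the first case, where the anchor itself has drifted far enough to admit the spike; a steady anchor or a majority-checked median leaves it solvent.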
Sources & on-chain evidence
- [01] decrypt.co: https://decrypt.co/49657/oracle-exploit-sees-100-million-liquidated-on-compound
- [02] cryptobriefing.com: https://cryptobriefing.com/compound-user-liquidated-49-million-price-oracle-blamed/
- [03] blockonomi.com: https://blockonomi.com/chainlink-compound-liquidations/