Not enough people care about Oracle Extractable Value!
Over recent years we've all become aware of MEV. But just as miners can extract value from their power to order transactions, oracles can extract value from their position in the data path. Exploited, that position is enough to extract significant value and drain entire protocols.
Unfortunately, most development teams don't seem to care.
Countless bounty programs say: "anything to do with wrong oracle answers is out of scope".
Before flash loans existed, people didn't consider AMM price manipulation a real risk. Now people assume oracles will never misbehave. That is a dangerous assumption:
Oracles can unintentionally allow others to extract OEV.
Just weeks ago a circuit breaker halted updates to the LUNA/USD price feed, leaving consumers reading a stale price. Attackers used that to exchange near-worthless LUNA for tokens of real value.
You can get rekt even if you assume honest oracles.
Oracles can intentionally allow themselves and others to extract OEV.
Participants in an oracle network can influence its output in several ways: network delays, collusion, dishonest voting strategies and manipulation of the AMM prices the oracle reads. Some of these can be triggered by outside actors, not only by the operators themselves.
Don't trust that oracles return good answers. Verify them, and limit the OEV in your protocol by bounding what a single bad answer can do!
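As an added example (not code from the original post, nor any oracle vendor's interface), here is a model of the checks a consuming protocol can run on each oracle round before acting on it. It rejects the frozen-feed case described above (a feed that stopped updating or pinned at its circuit-breaker floor) and caps how far a single feed can drag the protocol's price away from an independent reference. The round layout, thresholds, reference source and crash scenario are constructed assumptions for illustration, not any real feed's parameters.

```python
"""Defensive checks on an oracle answer before a protocol acts on it.

Added example, not code from the original post. Models a push-style price
feed (round id, answer, timestamp) plus an independent reference price.
All values and names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Round:
    round_id: int
    answer: int       # price scaled by 10**8, as many on-chain feeds do
    updated_at: int   # unix seconds of the feed's last update


@dataclass(frozen=True)
class FeedPolicy:
    heartbeat: int          # feed promises an update at least this often
    grace: int              # extra slack before we call the feed stale
    min_answer: int         # feed's own floor (a circuit breaker); never act at/below it
    max_answer: int         # feed's own ceiling
    max_deviation_bps: int  # allowed gap vs an independent reference price


class OracleRejected(Exception):
    pass


def validate_price(rnd: Round, prev: Optional[Round], ref_price: int,
                   now: int, pol: FeedPolicy) -> int:
    """Return the answer if it passes every check, else raise OracleRejected."""
    # 1. Well-formed round: positive answer, monotone round id, not from the future.
    if rnd.answer <= 0:
        raise OracleRejected("non-positive answer")
    if rnd.updated_at == 0 or rnd.updated_at > now:
        raise OracleRejected("round not complete or timestamp in the future")
    if prev is not None and rnd.round_id <= prev.round_id:
        raise OracleRejected("stale round id")
    # 2. Freshness: a feed whose updates were halted fails here.
    if now - rnd.updated_at > pol.heartbeat + pol.grace:
        raise OracleRejected("stale answer")
    # 3. Bounds: an answer pinned at the feed's floor/ceiling is a tripped breaker, not a price.
    if rnd.answer <= pol.min_answer or rnd.answer >= pol.max_answer:
        raise OracleRejected("answer at feed bound")
    # 4. Cross-check against an independent source (e.g. an on-chain TWAP);
    #    this caps the OEV a single manipulated or lagging feed can extract.
    dev_bps = abs(rnd.answer - ref_price) * 10_000 // ref_price
    if dev_bps > pol.max_deviation_bps:
        raise OracleRejected(f"deviates {dev_bps} bps from reference")
    return rnd.answer


def replay(rounds: List[Round], refs: List[int], nows: List[int],
           pol: FeedPolicy) -> List[Tuple[str, object]]:
    """Feed each (round, reference, clock) triple through validate_price."""
    prev: Optional[Round] = None
    out: List[Tuple[str, object]] = []
    for rnd, ref, now in zip(rounds, refs, nows):
        try:
            price = validate_price(rnd, prev, ref, now, pol)
            out.append(("accept", price))
            prev = rnd  # only accepted rounds advance our view of the feed
        except OracleRejected as exc:
            out.append(("reject", str(exc)))
    return out


# Constructed policy: hourly heartbeat, 10 min grace, $0.10 floor, $10,000 ceiling, 5% deviation cap.
POLICY = FeedPolicy(heartbeat=3600, grace=600, min_answer=10_000_000,
                    max_answer=10_000 * 10**8, max_deviation_bps=500)


def crash_scenario() -> List[Tuple[str, object]]:
    """Constructed sequence: normal trading, a crash, the feed freezing at its floor,
    the same round read again after the heartbeat lapses, then a manipulated answer."""
    rounds = [
        Round(1, 80 * 10**8, 1000),    # $80, fresh
        Round(2, 10 * 10**8, 5000),    # $10 after a crash, still fresh and close to reference
        Round(3, 10_000_000, 6000),    # pinned at the $0.10 floor: breaker tripped
        Round(3, 10_000_000, 6000),    # same round re-read 70 min later: no updates since
        Round(4, 50 * 10**8, 12000),   # fresh but $50 while reference says $10: manipulated
    ]
    refs = [7_950_000_000, 980_000_000, 9_000_000, 9_000_000, 1_000_000_000]
    nows = [1100, 5100, 6100, 10201, 12100]
    return replay(rounds, refs, nows, POLICY)


if __name__ == "__main__":
    for verdict, detail in crash_scenario():
        print(verdict, detail)
```

The order of the checks matters: staleness and bounds are evaluated before the deviation check, so a frozen feed is rejected for the right reason even when its stale answer happens to sit close to the reference. In a real deployment the rejection path should pause the affected action (liquidations, borrows against the asset) rather than fall back silently to another price.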