Briefing

Typus Finance, a real-yield platform operating on the Sui blockchain, suffered a critical oracle manipulation exploit targeting its Token Liquidity Pool (TLP) contract. The incident necessitated an immediate, mandatory pause of all smart contracts to prevent further asset drain and caused the platform’s native token price to plummet by 35%. Forensic analysis confirms the attacker leveraged a critical access control vulnerability in a custom price oracle, resulting in a total loss of approximately $3.44 million in pooled assets.


Context

The decentralized finance ecosystem remains highly exposed to oracle-based attacks, which account for a significant percentage of total losses in the sector. This specific incident highlights the systemic risk introduced by implementing complex, custom-built smart contract components without comprehensive, external security audits. The vulnerable oracle module was deployed months prior and was explicitly excluded from a previous, partial audit, creating a known security gap in the protocol’s architecture.


Analysis

The attack vector originated in a custom oracle module within the TLP contract that lacked proper access control. Specifically, the update_v2 function, responsible for setting the token's price feed, was missing an authorization check on its caller. On Sui, a public function that mutates a shared object can be invoked by any transaction, so the guard has to be explicit: an assert on the sender, or a required capability object as a parameter. Neither was present, which allowed any external address, including the attacker's, to call the function and set the price to an artificially inflated value.

The protocol's core logic then trusted this manipulated price without any sanity check. With the feed under their control, the attacker deposited minimal collateral and withdrew or borrowed high-value assets such as SUI and USDC against it at the incorrect, inflated valuation, then bridged the funds off Sui.
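The following model is an added example, not Typus Finance's Move code: it reproduces the two-step pattern described above in plain Python. An `Oracle.update_v2` with `enforce_auth=False` stands in for the entry function with the missing assert; with `enforce_auth=True` it models the fix (on Sui that would be a capability object passed to the entry function rather than a sender comparison). The `enforce_bounds` guard is a further defensive layer the page does not discuss, shown here as an assumption about good practice. Asset names, prices, addresses and amounts are constructed.

```python
"""Model of an oracle-gated pool: the price-update entry point with and without
an authorization check, and the drain the missing check enables.
Added example, not Typus Finance's Move code; asset names, prices and amounts
are constructed."""

from dataclasses import dataclass, field

PRICE_SCALE = 10**6  # prices held as integer micro-USD per whole token


class Unauthorized(Exception):
    pass


class PriceOutOfBounds(Exception):
    pass


@dataclass
class Oracle:
    prices: dict                 # asset -> micro-USD per token
    admin: str                   # the only address allowed to push prices
    enforce_auth: bool = True    # False reproduces the missing assert
    enforce_bounds: bool = True  # extra guard (assumption): cap the per-update move
    max_deviation_bps: int = 2000

    def update_v2(self, caller: str, asset: str, new_price: int) -> None:
        # This is the check the vulnerable oracle lacked. On Sui it would be a
        # capability parameter on the entry function, not a sender comparison.
        if self.enforce_auth and caller != self.admin:
            raise Unauthorized(f"{caller} may not update {asset}")
        # Defense in depth: even an authorized key should not move a price
        # 10,000x in a single call.
        old = self.prices[asset]
        if self.enforce_bounds and abs(new_price - old) * 10_000 > old * self.max_deviation_bps:
            raise PriceOutOfBounds(f"{asset}: {old} -> {new_price}")
        self.prices[asset] = new_price


@dataclass
class Pool:
    oracle: Oracle
    reserves: dict                                   # asset -> units held
    collateral: dict = field(default_factory=dict)   # (user, asset) -> units
    ltv_bps: int = 8000                              # borrow up to 80% of collateral value

    def value_usd(self, asset: str, units: int) -> int:
        return units * self.oracle.prices[asset] // PRICE_SCALE

    def deposit(self, user: str, asset: str, units: int) -> None:
        key = (user, asset)
        self.collateral[key] = self.collateral.get(key, 0) + units
        self.reserves[asset] = self.reserves.get(asset, 0) + units

    def max_borrow(self, user: str, asset: str) -> int:
        # Collateral is valued at whatever the oracle says right now; that
        # unconditional trust is the blast radius of the oracle bug.
        coll_usd = sum(u_val for (who, a), u in self.collateral.items()
                       for u_val in [self.value_usd(a, u)] if who == user)
        cap_usd = coll_usd * self.ltv_bps // 10_000
        units = cap_usd * PRICE_SCALE // self.oracle.prices[asset]
        return min(units, self.reserves[asset])

    def borrow(self, user: str, asset: str, units: int) -> int:
        if units > self.max_borrow(user, asset):
            raise ValueError("exceeds collateral or reserves")
        self.reserves[asset] -= units
        return units


def run_attack(enforce_auth: bool, enforce_bounds: bool, caller: str = "0xattacker") -> dict:
    """Deposit $100 of JUNK, try to push JUNK's price 10,000x, then borrow USDC against it."""
    oracle = Oracle(prices={"JUNK": 1 * PRICE_SCALE, "USDC": 1 * PRICE_SCALE},
                    admin="0xadmin", enforce_auth=enforce_auth, enforce_bounds=enforce_bounds)
    pool = Pool(oracle=oracle, reserves={"JUNK": 1_000, "USDC": 1_000_000})
    attacker = "0xattacker"
    pool.deposit(attacker, "JUNK", 100)          # $100 of collateral at the honest price
    try:
        oracle.update_v2(caller, "JUNK", 10_000 * PRICE_SCALE)
        rejected = None
    except (Unauthorized, PriceOutOfBounds) as exc:
        rejected = type(exc).__name__
    borrowed = pool.borrow(attacker, "USDC", pool.max_borrow(attacker, "USDC"))
    return {"rejected": rejected,
            "junk_price_usd": oracle.prices["JUNK"] // PRICE_SCALE,
            "borrowed_usdc": borrowed,
            "usdc_left": pool.reserves["USDC"]}


if __name__ == "__main__":
    cases = [("no auth, no bounds", (False, False)),
             ("auth only", (True, False)),
             ("bounds only", (False, True)),
             ("admin key, bounds", (True, True, "0xadmin"))]
    for label, args in cases:
        print(f"{label:20} {run_attack(*args)}")
```

With both guards off, the $100 deposit lets the attacker take 800,000 USDC out of a 1,000,000 USDC reserve; the authorization check alone stops the unauthenticated caller, and the deviation bound additionally limits the damage if the legitimate updater key is ever compromised. The bound does not protect against a feed that is walked up gradually over many updates, which is why the page's recommendation of an external, decentralized feed still stands.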


Parameters

  • Key Metric → $3.44 Million → The total dollar value of assets (SUI, USDC, xBTC, suiETH) drained from the TLP liquidity pool.
  • Attack Vector → Oracle Manipulation → The primary technique used to deceive the smart contract’s internal pricing logic.
  • Vulnerability Root Cause → Missing Authorization Check → The specific code flaw in the custom oracle that allowed unauthorized price updates.
  • Affected Blockchain → Sui → The layer-1 blockchain where the vulnerable Typus Finance TLP contract was deployed.
  • Market Impact → 35% Token Price Drop → The immediate decline in the TYPUS token’s value following the public disclosure of the exploit.


Outlook

The immediate mitigation step requires a hardened redeployment of the entire contract suite, moving beyond the current pause state. This incident reinforces the non-negotiable best practice of using battle-tested, decentralized oracle solutions over custom, unaudited implementations to secure core price feeds. Even where a custom feed is retained, the updater must be gated by a capability or sender check, and consumers of the feed should reject prices that are stale or that move beyond a bounded deviation in a single update, so that one compromised key or one missing assert cannot reprice the whole pool. Protocols using custom oracle logic on Sui and other chains should conduct immediate, full-scope access control audits to contain contagion risk from similar implementation errors.


Verdict

The Typus exploit is a definitive case study demonstrating that a single, unverified access control flaw in a custom oracle module remains a catastrophic point of failure for DeFi protocols.

Tags: oracle manipulation, access control failure, smart contract exploit, liquidity pool drain, missing assert statement, unaudited code risk, decentralized finance, price feed attack, authorization bypass, custom contract risk, on-chain vulnerability, DeFi security audit, token liquidity pool, cross-chain bridge, asset theft, price data integrity

Signal Acquired from → halborn.com

Micro Crypto News Feeds

oracle manipulation

Definition ∞ Oracle manipulation is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

decentralized finance

Definition ∞ Decentralized finance, often abbreviated as DeFi, is a system of financial services built on blockchain technology that operates without central intermediaries.

access control

Definition ∞ Access control dictates who or what can view or use resources within a digital system.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

liquidity pool

Definition ∞ A liquidity pool is a collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

authorization

Definition ∞ Authorization is the process of granting or denying access to a system or resource.

blockchain

Definition ∞ A blockchain is a distributed, immutable ledger that records transactions across numerous interconnected computers.

token price

Definition ∞ Token price represents the current market value of a specific digital asset, typically denominated in a base currency like USD or another cryptocurrency.

decentralized

Definition ∞ Decentralized describes a system or organization that is not controlled by a single central authority.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.