👮
Contract Cops
  • Mastering Ethereum Book
    • What is ethereum?
    • Tokens
    • Oracles
    • Decenralized Applications(DApps)
    • The Ethereum virtual machine
    • Ethereum basics
    • Ethereum clients
    • Cryptography
    • Wallets
    • Transactions
    • Chapter 7 - Smart Contracts & Solidity
    • Side Notes
      • Tokens
      • Smart Contracts and Solidity
  • Cryptography
    • Ethereum Cryptography - Cheatsheet
    • Assymetric vs symmetric cryptography
    • ECDSA vs RSA
    • Elliptic curves and ECDSA
    • Sha-256 Example
    • Sha-256
    • What are the different steps in SHA-256?
  • Ethereum Blocks
    • Block Headers
  • Learning Solidity
    • Storage vs memory
    • Upgradeable contracts
      • Proxy pattern in smart contracts
  • PoS
    • Proof of stake
  • PoW
    • PoW
  • Tokens
    • ERC-1155
    • ERC20
  • Cryptonomics
    • Automated market makers
    • Collateral Tokens
    • Collateralized Stablecoin
    • Fiat currency
    • Liquidity pool
    • Open Position: Meaning and Risk in Trading
    • Slippage
    • Spot price
  • Common Attack Vectors
    • Checking access control
    • Access control issues on critical functions
    • Account Existence Check for low level calls
    • Account Existence Check
    • Common attacks with contract/EOA addresses
    • Arithmetic under/overflow
    • Assert Attack
    • Assert require revert
    • Assert Violation
    • Bad Interface DOS
    • Bad pragma and compiler
    • Block Timestamp Manipulation
    • Bypassing contract check
    • Code With No Effects
    • Code size check vulnerability
    • Constructors with Care
    • Default Visibilities
    • Delegatecall
    • Delegatecall
    • Denial of Service (DoS)
    • DoS with block gas limit
    • Entropy Illusion
    • External contract referencing
    • Flash Loan Attack
    • Floating Point and Precision
    • Function selector abuse
    • Function selector abuse
    • Smart contract gas griefing
    • Hash collision parameters
    • Hash Collisions With Multiple Variable Length Arguments
    • Imprecise arithmetic
    • Improper Array Deletion
    • Incorrect array deletion
    • Incorrect interface
    • Insufficient Gas Griefing
    • Loop through long arrays
    • Message call with hardcoded gas amount
    • Not enough gas for ether transfer
    • Precision Loss in Calculations
    • Oracle Manipulation
    • Public Burn Function
    • Read-only reentrancy
    • Race Conditions/Front Running
    • Reentrancy Attacks
    • Reentrancy
    • Requirement Violation
    • Right-To-Left-Override control character (U+202E)
    • Shadowing State Variables
    • Short Address / Parameter attack
    • Signature Malleability
    • Signature Replay
    • Transaction Order Dependence
    • Tx.Origin Authentication
    • Unchecked CALL Return Values
    • Unexpected ether
    • Uninitialized Storage Pointers
    • Unsafe Ownership Transfer
  • EIP's
    • EIP155
    • EIP55
  • PoW
    • Ethash
    • Scrypt - RFC 7914
  • Questions for self evaluation
    • Questions 23/04/2023 (Nr: 84)
    • Usability guide for questions
  • Frequently asked questions
    • What is the difference between transaction and message?
    • What is the use of a interface or function without implementation?
  • UsefulResources
Powered by GitBook
On this page
  1. Mastering Ethereum Book

Oracles

Oracles are the only way to security introduce out-of-Ethereum data. This includes information such as weather information, stocks, voting & more.

What are oracles? In the Ethereum blockchain, the term Oracle refers to an extrinsic data source.Oracles are needed for a lot of things, such as the information of football matches, the randomness needed for a gambling/lottery game or any other outside of Ethereum data.The problem is that such data sources must be "trustless", meaning they do not have to be first trusted for their data to be used.Some of the data that can only be obtained with oracles in the Ethereum blockhain is:

Oracle design patternsCollect data from off-chainTransfer data onto chain with a signed messageMake data available by putting it into a smart contract's storageThe three ways that an oracle can be set up are request-response, publish-subscribe and immediate-read

Immediate readData query is baed on "just-in-time"This type of oracle usually stores the information required in storage and a search can then be made with a specific request: "Is this person over 18?","What is this person's address?".Such a request might happen once and never again.An example might be a university to set up an oracle for all of the certificates and rewards achieved by past students. Such data might not want to be exposed to everyone, therefore it is noted that oracle data might be hashed to keep its privacy.A solid way to do this would be with Merkle trees with salts and only storing the root hash in the smart contract's storage for efficiency.

Publish subscribeContracts can "subscribe" to the publisher oracle and once new data, relevant to a subscriber is available, he can be notified.A contract can either poll the oracle to check whether the latest information has changed or they can listen for updates when they occur.Polling is considered innefficient for outside of the blockchain, but not really from within. A polled call is simply a call to a synced Ethereum client.NOTE: If polling is done by the smart contract itself, there could be a lot of gas spenditure.

Request-responseThe request-response category is the most complex one. This is where the off-chain data required is too large to be stored.The request response process can usually be categorized in some straight forward steps:The process starts by a transaction from an EOA to some contract that has a link to an oracle.The smart contract calls a function from the oracle that in hand, retrieves the data from a secure off-chain provider. The oracle might also request expenditure or data access costs/rights.Finally, the resulting data is signed by the oracle owner and retrieved.Data can come from sensors, humans or the internet. Therefore, we can say that oracles can be human, software or hardware.To note: The request-response is usually seen in server to client communication. This, however, does not make it appropriate in all cases in the context of Ethereum. Given that the data changes infrequently (not often), a publisher subscriber or even immediate read might be more suitable.

Data AuthenticationGiven that we assume that the source of data is trustworthy and authoritative, a question still remains: how do we trust such a mechanism?The main reason behind such a question might be that data can be tampered with. This can be especially dangerous if future elections/lottery/etc are done on chain.There are two main ways of data authentication:Authenticity proofsTrusted execution environments (TEEs)Authenticitiy proofs are cryptographic guardantees that the data has not been tampered with. Based on a lot of techniques (digitally signed proofs), they shift the trust from the data carrier to the attestor.This way, by verifying the data on chain, we can prevent tampered data before using it.

PreviousTokensNextDecenralized Applications(DApps)

Last updated 2 years ago