While the nine-figure hacks of 2026 grabbed headlines, the smaller ones are more instructive because they are the bugs you and I might actually write. On April 3, 2026, lending protocol Silo Finance lost about $392,000 to a misconfigured oracle. No exotic attack. A price feed that lied, and a contract that believed it. Here is how oracle manipulation works and why it keeps draining protocols.

The shape of every oracle bug

A lending protocol needs to know what your collateral is worth. It asks an oracle. If the oracle can be fooled, the protocol can be fooled: borrow against collateral that is suddenly "worth" far more than it is, or get liquidated when it is suddenly "worth" far less.

Every oracle exploit reduces to the same question: can the attacker move the number the contract trusts, cheaply enough that the manipulation costs less than the profit?

The classic mistake: pricing off a spot DEX pool