Skip to content
Last updated: February 09, 2026

SCWE-030: Insecure Oracle Data Updates

Stable Version v1.0

This content is in the version-(v1.0) and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Relationships

Description

Insecure oracle data updates refer to the failure to properly validate or secure updates to oracle data. This can lead to: - Unauthorized actions by malicious actors. - Loss of funds or data. - Exploitation of the contract's logic.

Remediation

  • Validate updates: Ensure all oracle data updates are properly validated.
  • Restrict access: Restrict update permissions to trusted addresses.
  • Implement timelocks: Add delays to oracle updates to allow for review.

Examples

  • Insecure Oracle Updates 

    pragma solidity ^0.8.0;

contract InsecureOracleUpdates {
    function updatePrice(address oracle, uint newPrice) public {
        Oracle(oracle).updatePrice(newPrice); // No validation
    }
}

  • Secure Oracle Updates 

    pragma solidity ^0.8.0;

contract SecureOracleUpdates {
    address public admin;

    constructor(address _admin) {
        admin = _admin;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "Unauthorized");
        _;
    }

    function updatePrice(address oracle, uint newPrice) public onlyAdmin {
        Oracle(oracle).updatePrice(newPrice); // Restricted to admin
    }
}