The transaction log shows a single anomalous event: block 18723452 on Arbitrum. A wallet labeled ‘0x7aB…9cD’ executed a swap through a forked Compound lending pool. The swap itself was trivial—250 ETH for 89,000 USDC.e. But the event log recorded two distinct liquidations of the same user position within the same block.
The first liquidation was priced at 0.9876 USDC per USDC.e. The second, five milliseconds later, at 0.9214. The difference was not a flash loan attack. There was no reentrancy. There was no oracle manipulation in the traditional sense. The price feed did not lie. But it did hide.
This is not a story about Chainlink manipulation or a faulty TWAP. This is a story about the silent killer in DeFi: the assumption that a price feed, when verified as ‘non-manipulable,’ is safe. Static code does not lie, but it can hide. And what hides in the shadows of a five-line patch is a $48 million vulnerability that went undetected for eight months.
Context: The Protocol Mechanics
The target was a fork of Compound V2 deployed on Arbitrum, branded as ‘AgriVault’—a yield aggregator that offered leveraged farming on stablecoin pairs. The pool in question was the USDC.e / native USDC vault. Both tokens are supposed to be pegged 1:1. AgriVault used a custom price feed that averaged the rates from three sources: a Chainlink USDC/USD feed, a Uniswap V3 TWAP on the USDC.e / native USDC pair, and a Block oracle snapshot.
The design was intended to prevent manipulation by requiring at least two of three feeds to agree within a 0.5% tolerance. This is standard practice. Many audits have blessed similar multi-sourced oracles. The contract was audited by a reputable firm in January 2025. The audit report, publicly available, concluded: ‘The price feed logic is resistant to single-source manipulation. No critical issues.’
But the audit missed a subtle asymmetry in how the three feeds were updated. The Chainlink feed updated every 60 seconds. The TWAP updated every 3 blocks (~24 seconds). The Block oracle snapshot was updated only on each first interaction of a new block—a design intended to reduce gas costs. The patch that introduced this optimization was a five-line change in commit a4f3c2e, merged three days after the audit completed.
Core: Code-Level Analysis and the Trade-Off
Let me reconstruct the logic chain from block one. I’m going to walk through the exact code that created the window.
The price oracle contract, AgriOracle.sol, had a function getPrice() that executed the following logic (pseudocode):