There are a few attack vectors that are known.

1. DDoS of oracle APIs. This is obvious but worth mentioning that if a DSP is DDoS'd, say in the event it is providing a price feed during a volatile time, the price feed could potentially not update preventing the contract from performing whatever logic it would if it were receiving an up to date price.