Consolidated Price Feed Approach

PreviousGyro Consolidated Price Feeds NextOlympus DAO

Last updated 9 months ago

Consolidated Price Feed Approach

Gyroscope's oracle system prioritizes trust minimization and failure tolerance. Traditional oracles struggle with verifying off-chain price accuracy on-chain. CPF offers a novel solution by consolidating data from various sources (on-chain and off-chain) and assessing its integrity directly on the blockchain. CPF aims to achieve Chainlink's speed (known for its off-chain medianizing process) while offering fallback mechanisms if Chainlink prices deviate. By evaluating data integrity on-chain, CPF empowers Gyroscope to move away from a singular trusted price feed. CPF's ability to detect potential pricing failures automatically strengthens Gyroscope's existing risk mitigation mechanisms. It offers guardrails against known and unknown oracle vulnerabilities, further solidifying the protocol's security posture.

This oracle design was developed for Gyroscope’s use case in the Dynamic Stability Mechanism (DSM), which facilitates the minting and redemption capability of Gyroscope stablecoins. Other types of applications may have different oracle design aims, in particular around liveness vs security prioritization.

Data Sources and Security Risks

Let S be a set of on-chain assets referenced by a DeFi protocol. Consider that ETH is an asset in S and that it is has high market liquidity among all assets in S. Denote the true market prices as $p_{i/j}$ for the price of asset $i∈S$ in terms of asset $j \neq i\in S \bigcup (USD)$ .

The CPF uses data from the following sources, which provide either estimates of true prices or other information that can indicate if price estimates are wrong

Chainlink Prices:

Representation: Denoted as $p̂_{i/USD}$ , these are the prices provided by Chainlink for asset $i∈S$
Mechanism: Chainlink prices are aggregated off-chain . The relay is verified using signed data from off-chain providers.
Security Model:
- Multisig Trust: Chainlink relies on a trusted multisig (multiple signatures) model where a consensus among several nodes determines the price.
- Reputation and Incentives: Includes a node reputation system with potential slashing incentives to align nodes with accurate reporting.
Risks: The system is robust but still relies on a centralized model of trust through the multisig setup, potentially introducing vulnerabilities if the multisig is compromised.

AMM TWAPs (Time-Weighted Average Prices):

Representation: Denoted as $p_{i/USD}$ - for assets $j \neq i \in S$ .
Mechanism: TWAPs provide on-chain price averages over specific durations from AMMs like Uniswap, Balancer, or Curve.
- Security Model:
  - On-Chain Calculation: TWAPs are calculated on-chain, reducing the need for trusted relays.
  - Manipulability: TWAPs can be manipulated since they are derived from trading volumes over time, and they reflect off-chain prices slowly.
Risks: TWAPs can be manipulated through large trades and do not inherently provide USD prices without relying on trusted anchors, such as stablecoins.

Exchange-Signed Prices:

Representation: Denoted as $\bar{p}_{i/USD}$ - for assets $j\neq i ∈ S$ .
Mechanism: TWAPs provide on-chain price averages over specific durations from AMMs like Uniswap, Balancer, or Curve.\
Security Model:
- On-Chain Calculation: TWAPs are calculated on-chain, reducing the need for trusted relays.
- Manipulability: TWAPs can be manipulated since they are derived from trading volumes over time, and they reflect off-chain prices slowly.
Risks: TWAPs can be manipulated through large trades and do not inherently provide USD prices without relying on trusted anchors, such as stablecoins.

Exchange-Signed Prices:

Representation: Denoted as $p^k_{ETH/USD}$ where $k$ represents different exchanges.
Security Model:
- Verified Signatures: Prices are relayed on-chain and verified via signatures from exchanges, avoiding the need for trusted relays.
- Trusted Counterparties: Relies on exchanges as trusted data providers.
Risks: The trust is shifted to the data providers (exchanges), so if they are compromised or act maliciously, the price data can be incorrect.

Consolidation Mechanism

The CPF consolidation mechanism combines two types of checks that cross-reference asset prices:

Relative price checks: compares information about the price of one asset in S relative to another asset in S. Observing DEX markets is well-suited for this as these pairs can trade on DEXs.

Absolute price checks: In the absolute price check, the price of an asset $i ∈ S$ in terms of an external asset (e.g., USD) is checked for consistency with several independent data sources. This effectively ‘grounds’ the mesh of relative price checks. DEXs alone are not well-suited for this as these pairs cannot trade on DEXs.

Circuit Breakers

The CPF system incorporates a series of circuit breakers designed to safeguard the protocol from faulty oracle data and broader risks, such as smart contract vulnerabilities. These circuit breakers act as automatic safety mechanisms to ensure the system’s integrity.

Flash Crash Circuit Breaker

The flash crash circuit breaker activates the protocol's safety mode if there are sudden, significant changes in the reported oracle prices. This feature is crucial for preventing abrupt market movements from causing instability within the protocol.

Mechanism: The circuit breaker monitors the price of an asset $p_{x,t}$ as reported by Chainlink at time $t$ . It compares the current price to the price at a previous time.
Trigger Condition: The circuit breaker triggers if the price change exceeds a predetermined threshold $\theta _{x, flash}$ .

Excessive flow rate circuit breaker

In addition to the flash crash circuit breaker, the CPF system includes an excessive flow rate circuit breaker to further safeguard the protocol against extreme anomalies. This mechanism initiates a safety mode, effectively pausing protocol operations over a designated period to protect against both oracle exploits and potential smart contract bugs.

Mechanism: The Gyroscope protocol's Excessive Flow Rate Circuit Breaker watches for abnormally fast asset movements. It tracks recent flows using an exponential moving sum and triggers a block or safety mode if thresholds are crossed. This
Safeguards against exploits and bugs by pausing operations during suspicious activity.
Trigger Conditions: The circuit breaker triggers when asset flows exceed a preset limit, blocking the transaction to prevent large losses. If flows are less severe but still above another threshold, the transaction is allowed but the system enters safety mode to mitigate risks by pausing certain operations. This protects the Gyroscope protocol from exploits and bugs by reacting to abnormal minting and redemption activity of its stablecoins.

Oracle guardian mechanism

The Gyroscope protocol prioritizes security with a robust safety mode. This two-layered defense system safeguards against exploits and bugs by pausing operations when necessary.

Mechanism: The Gyroscope protocol implements a safety mode mechanism with two layers of defense. A DAO-elected whitelist of oracle guardians can initiate safety mode for a defined period, offering a manual pause function in case of emergencies like oracle failures or suspected smart contract bugs. The DAO has the authority to update the guardian list at any time.
Trigger Conditions: The trigger condition for safety mode is two-fold. Ideally, a vigilant oracle guardian would identify a potential issue and initiate safety mode before an exploit occurs. However, if an exploit happens first, the excessive flow rate circuit breaker, which is an automated system monitoring asset movements, will automatically trigger safety mode to prevent further damage. Once safety mode is activated, regardless of the trigger, the oracle guardians have the ability to extend the duration of the pause to allow for further investigation and mitigation efforts.

PreviousGyro Consolidated Price Feeds NextOlympus DAO

Last updated 9 months ago

Data Sources and Security Risks

The CPF uses data from the following sources, which provide either estimates of true prices or other information that can indicate if price estimates are wrong

Chainlink Prices:

Representation: Denoted as $p̂_{i/USD}$ , these are the prices provided by Chainlink for asset $i∈S$
Mechanism: Chainlink prices are aggregated off-chain . The relay is verified using signed data from off-chain providers.
Security Model:
- Multisig Trust: Chainlink relies on a trusted multisig (multiple signatures) model where a consensus among several nodes determines the price.
- Reputation and Incentives: Includes a node reputation system with potential slashing incentives to align nodes with accurate reporting.
Risks: The system is robust but still relies on a centralized model of trust through the multisig setup, potentially introducing vulnerabilities if the multisig is compromised.

AMM TWAPs (Time-Weighted Average Prices):

Representation: Denoted as $p_{i/USD}$ - for assets $j \neq i \in S$ .
Mechanism: TWAPs provide on-chain price averages over specific durations from AMMs like Uniswap, Balancer, or Curve.
- Security Model:
  - On-Chain Calculation: TWAPs are calculated on-chain, reducing the need for trusted relays.
  - Manipulability: TWAPs can be manipulated since they are derived from trading volumes over time, and they reflect off-chain prices slowly.
Risks: TWAPs can be manipulated through large trades and do not inherently provide USD prices without relying on trusted anchors, such as stablecoins.

Exchange-Signed Prices:

Representation: Denoted as $\bar{p}_{i/USD}$ - for assets $j\neq i ∈ S$ .
Mechanism: TWAPs provide on-chain price averages over specific durations from AMMs like Uniswap, Balancer, or Curve.\
Security Model:
- On-Chain Calculation: TWAPs are calculated on-chain, reducing the need for trusted relays.
- Manipulability: TWAPs can be manipulated since they are derived from trading volumes over time, and they reflect off-chain prices slowly.
Risks: TWAPs can be manipulated through large trades and do not inherently provide USD prices without relying on trusted anchors, such as stablecoins.

Exchange-Signed Prices:

Representation: Denoted as $p^k_{ETH/USD}$ where $k$ represents different exchanges.
Mechanism: Prices are like Coinbase or Binance and verified on-chain.
Security Model:
- Verified Signatures: Prices are relayed on-chain and verified via signatures from exchanges, avoiding the need for trusted relays.
- Trusted Counterparties: Relies on exchanges as trusted data providers.
Risks: The trust is shifted to the data providers (exchanges), so if they are compromised or act maliciously, the price data can be incorrect.

Consolidation Mechanism

The CPF consolidation mechanism cross-references different types of price information from different sources to determine a likelihood that a set of prices is correct. It takes as input the prices $p̂_{i/USD}$ , $\bar{p}_{i/USD}$ & $p^k_{ETH/USD_k}$ for $j\neq i ∈ S$ and flags whether the set of prices $p̂_{i/USD}$ $|$ $i ∈ S$ is likely to be correct or not given the consistency of the information available. The mechanism can be calibrated to have high manipulation costs and high Denial of Service (DoS) costs.The consolidation mechanism draws inspiration from the design of the which incorporates a UniswapAnchoredView, while adding a new structure to consolidating information. In the Open Price Feed, the USD price of an asset is reported by an external oracle and, as a sanity check, is not allowed to deviate too far from the USDC price of that asset reported by a TWAP on Uniswap.

The CPF consolidation mechanism combines two types of checks that cross-reference asset prices:

Relative price checks: compares information about the price of one asset in S relative to another asset in S. Observing DEX markets is well-suited for this as these pairs can trade on DEXs.

Absolute price checks: In the absolute price check, the price of an asset $i ∈ S$ in terms of an external asset (e.g., USD) is checked for consistency with several independent data sources. This effectively ‘grounds’ the mesh of relative price checks. DEXs alone are not well-suited for this as these pairs cannot trade on DEXs.

Circuit Breakers

Flash Crash Circuit Breaker

Mechanism: The circuit breaker monitors the price of an asset $p_{x,t}$ as reported by Chainlink at time $t$ . It compares the current price to the price at a previous time.
Trigger Condition: The circuit breaker triggers if the price change exceeds a predetermined threshold $\theta _{x, flash}$ .

Excessive flow rate circuit breaker

Mechanism: The Gyroscope protocol's Excessive Flow Rate Circuit Breaker watches for abnormally fast asset movements. It tracks recent flows using an exponential moving sum and triggers a block or safety mode if thresholds are crossed. This
Safeguards against exploits and bugs by pausing operations during suspicious activity.
Trigger Conditions: The circuit breaker triggers when asset flows exceed a preset limit, blocking the transaction to prevent large losses. If flows are less severe but still above another threshold, the transaction is allowed but the system enters safety mode to mitigate risks by pausing certain operations. This protects the Gyroscope protocol from exploits and bugs by reacting to abnormal minting and redemption activity of its stablecoins.

Oracle guardian mechanism

The Gyroscope protocol prioritizes security with a robust safety mode. This two-layered defense system safeguards against exploits and bugs by pausing operations when necessary.

Mechanism: The Gyroscope protocol implements a safety mode mechanism with two layers of defense. A DAO-elected whitelist of oracle guardians can initiate safety mode for a defined period, offering a manual pause function in case of emergencies like oracle failures or suspected smart contract bugs. The DAO has the authority to update the guardian list at any time.
Trigger Conditions: The trigger condition for safety mode is two-fold. Ideally, a vigilant oracle guardian would identify a potential issue and initiate safety mode before an exploit occurs. However, if an exploit happens first, the excessive flow rate circuit breaker, which is an automated system monitoring asset movements, will automatically trigger safety mode to prevent further damage. Once safety mode is activated, regardless of the trigger, the oracle guardians have the ability to extend the duration of the pause to allow for further investigation and mitigation efforts.