The core issue here though is that a medianizer always weighs each input equally, actually increasing the risk of data manipulation attacks by assuming each source is of a equal quality at all times. This is an issue no matter what collection of sources are used:
-
Weighing raw exchange data equally with decentralized price feeds that aggregate data from a multitude of exchanges is an issue as it overweighs a select few exchanges. This lowers the cost of manipulation by reducing the number of exchanges a malicious actor has to manipulate to affect the final median value, especially if volume/liquidity consolidates away from those select few exchanges.
-
Weighing data raw from different exchanges equally presents an issue as every exchange has a different level of liquidity and volume (different cost of manipulation). This overweighs exchanges with less volume/liquidity and underweighs those with higher volume/liquidity. Additionally, if volume consolidates to a small number of exchanges, then a malicious actor only has to manipulate the low volume/liquidity exchanges to affect the median value.
-
Weighing different price feed oracle solutions equally is an issue each price feed generates its data in different ways. Some price feeds fetch raw data from a predefined selection of exchanges weighing each equally and thus not generating proper market coverage, while other price feeds fetch from multiple data aggregation firms who have full time data quality teams and monitoring tools in order to generate proper market coverage by weighing each exchange by its real volume/liquidity. Additionally, some price feeds make the mistake of pulling from both raw exchanges and data aggregators, weighing each equally and thus overweighing a select few exchanges.
Essentially, such a medianizer design is vulnerable to these types of issues regardless of what inputs are used. As a result, I do not think this medianizer design will be tamper-resistant enough against data manipulation in order to properly secure a $5.6Bn market, particularly when there already exists decentralized price feed solutions that can be integrated into Compound today like Chainlink that provides proper market coverage.
We have already seen from the DAI Liquidation event that you don’t need to move the entire market to manipulate a price oracle that operates without proper market coverage. Even a highly liquid exchange like Coinbase can deviate from the market wide price, so if the medianizer is overweighing a select few exchanges, then only those exchanges needs to be manipulated (not the whole market) to affect the oracle. While lower liquidity assets are more vulnerable to these issues I’ve listed, the lack of market coverage is actually an issue for all assets on the Compound protocol.