OEV RFP Chainlink Response Security Assessment

Protocol Development
1

Summary

Type: RFP Response Assessment

Timeline: From 2025-06-09 To 2025-06-16

Scope

The submission for assessment was received in the context of the Request for Proposal (RFP): Oracle Extractable Value (OEV) Solution for Compound Protocol issued on the Compound Forum. The assessment focused on the information submitted by the Chainlink team, as of June 4, 2025, at 9:39 PM, regarding the proposed OEV solution, commercially named Smart Value Recapture (SVR), and its potential integration into the Compound Protocol.

The assessment did not include a code review of the Chainlink SVR and other third-party infrastructural components that Chainlink relies on.

Introduction

The RFP clearly outlines the motivation behind seeking an OEV vendor for the Compound Protocol. The assessment investigated the information provided by the Chainlink team within their submission and evaluated the proposed solution for any security concerns within the context of intended integrations with Comet Markets.

Vendor Overview

Vendor Information

Vendor Name: Chainlink
Auction Mechanism: Off-chain Order Flow Auction (OFA)
Compound Compatibility: FULL

Architecture

The architectural components involved in the Chainlink SVR infrastructure are described below.

Off-Chain

  • Decentralized Oracle Network (DON): A distributed collection of independent Chainlink oracle node operators responsible for fetching and aggregating data, coming to consensus, producing cryptographically signed oracle reports, and delivering oracle reports to an intended destination (on-chain or off-chain).
  • Private OFA: SVR is modular and future-proof, designed to support multiple OFA providers, beginning with Flashbots’ MEV-Share. MEV-Share is a protocol that redistributes the value extracted from MEV back to the users who generate it. It enables Chainlink to share data related to price oracle update transactions with searchers, who then bid to include these transactions in bundles alongside profitable back-running transactions. This allows Chainlink to ensure that searchers include a distribution of the extracted MEV back to the protocol, specifically from the profits obtained from liquidations that can be triggered after the price update.

On-Chain Components

  • DualAggregator: An on-chain aggregator contract that stores both SVR Price Feed updates and standard feed updates. This contract provides users with the right price depending on whether they come through the normal FeedProxy or the OEVFeedProxy, and acts as a multiplexer for the SVR Price Feed or classical Chainlink Data Feeds.
  • OEVFeedProxy: A proxy contract that points to the SVR DualAggregator, which has the same interface that Compound already uses.

Architecture Overview

The following high-level schematic representation of the core components and interactions of the SVR system is presented by the Chainlink team.

SVR_Arch
SVR_Arch1600Ă—1600 114 KB

Trust Assumptions

In their submission, the Chainlink team states that since Compound already uses Chainlink Data Feeds to secure its total TVL, and because SVR is presented as an extension of these feeds with an on-chain fallback mechanism (implemented in the DualAggregator immutable contract), there are no additional trust assumptions beyond the current reliability and security of the existing Chainlink Data Feeds. Trust in the SVR infrastructure is considered minimal due to an automatic fallback mechanism used as a safety net. In the event of an SVR failure (threshold detection for this is configurable through an on-chain parameter in terms of blocks delay), the liquidation process would revert back to how existing liquidations occur in non-SVR-activated Compound markets. Additionally, the team states that they provide an option for Compound to revert back to standard Data Feeds manually (e.g., via a DAO vote or admin action) at any time.

Both SVR and classical price Data Feeds originate from the Chainlink DON. Consequently, there are no new trust assumptions regarding data origin.

Auctions

SVR relies on existing off-chain OFA providers. The Chainlink team states that initial support includes Flashbots’ MEV-Share. It is important to note that MEV-Share is an OFA mechanism that is specifically tied to MEV-Boost and the architecture of the Ethereum core protocol. While the Chainlink team mentions that multichain capabilities are planned for short/mid-term deployment, they have not specified which OFA solutions will be used on each supported chain. In any case, MEV-Share can only be used as SVR’s OFA exclusively on Ethereum mainnet, and any other OFA solutions used in other chains will introduce different trust assumptions.

Governance Model

The Chainlink team states that the upgradability processes for SVR Feeds follow the same standard practices as those for the existing Data Feeds used by the Compound protocol. Therefore, there should be no additional trust assumptions in this matter.

Historical Performance

SVR is currently being used in production on Aave V3 Core and Prime markets on Ethereum, with market data starting from the beginning of April 2025. More data can be found on the SVR data visualization dashboard. So far, its production usage has resulted in zero bad debt accrual. While the Chainlink team states that SVR covered a price range of $74K–$100K in BTC/USD, including periods of heightened market volatility, we believe there is lack of performance data from scenarios of extreme volatility due to limited production history.

Audits

Chainlink team states that the NCC Group conducted an audit of Chainlink SVR in November 2024, focusing on the changes introduced between the original OCR2Aggregator.sol and the updated DualAggregator.sol at commit ee7f7ad. However, the report of this audit has not been provided to OpenZeppelin team.

Key Differentiators

A key consideration of the Chainlink OEV proposal is that its application adds minimal trust assumptions on top of those of the current Compound market price oracles. The existing mechanisms will be configured as a security fallback for the SVR. The Chainlink team has described an OEV solution that is currently only applicable to Compound mainnet markets.

In addition, SVR relies on a fully off-chain OFA, with no on-chain auction components. This model necessitates trusting the integrity of multiple parties within the OFA supply chain. Nonetheless, since the majority of the computation is relayed off-chain, the gas costs associated with liquidations are generally reduced.

Requested Security and Risk Assessment Responses Checklist

The following table evaluates each of the specific responses given by the OEV vendor to the questions related to security/risk assessment requested by the Compound Governance Working Group.

Data Required (Question) Supplied Comment
a) Trust Assumptions
i) List new trust assumptions Compound would take on Yes No additional trust assumptions on top of currently used Data Feeds.
ii) Identify actors Compound needs to trust Yes Data Feeds and the decentralized oracle networks that power those feeds, Trust in the OFA infrastructure is minimized through the automatic fallback mechanism.
iii) Outline potential issues and consequences Yes Situations where the OFA fails to operate as expected, SVR’s recapture efficiency would decrease or Compound would fall back to using standard Data Feeds.
iv) Clarify who operates oracle nodes (team/third parties/decentralized) Yes Decentralized DON nodes operators.
v) Describe consequences and mitigations for component misbehavior Yes The same security that applies to the existing Data Feeds used by Compound also applies to SVR Feeds.
b) Audits
i) Provide links/summaries of completed audits Yes Code audits and summaries of findings have been highlighted, but reports have not been provided.
ii) Indicate if any parts are closed-source/proprietary Yes The Chainlink node software, the DualAggregator contract, and the Flashbots’ MEV-share code are open-source, nonetheless, the latter two apply only to the mainnet instance of SVR.
iii) Explain assurance methods for security Yes Battle tested Chainlink data feed code as an emergency fallback.
c) Production Testing and Simulations
i) Detail how product testing has occurred Yes Currently being used in production on Aave V3 Core and Prime markets on Ethereum mainnet, covering ~30% of Aave’s TVL on Ethereum.
ii) Specify if tested in major market volatility or only simulations Yes Tested in real markets since April 2025.
iii) Provide post-mortem analyses and transparency examples Yes A SVR data visualization dashboard is provided.
iv) Describe issues encountered (if any) and resolution processes Yes Zero bad debt accrual in Aave markets during the usage period.
d) Oracle Accuracy and Manipulation Resistance
i) Explain mechanisms ensuring oracle price accuracy Yes SVR Feeds use the same Chainlink DON infrastructure that secures the existing Data Feeds.
ii) Detail protection against malicious price manipulation Yes Data Feeds, including SVR Feeds, leverage multiple layers of decentralized data aggregation at the data provider, node operator, and network levels to mitigate central points of failure and manipulation.
iii) Confirm no backdoor for price spoofing exists Yes Oracle reports are cryptographically signed by a quorum of independent node operators and validated on-chain before any price oracle reports can be made available to consuming protocols.
e) Failure Modes
i) Thoroughly describe worst-case scenarios Yes Not thoroughly described.
ii) Explain auction failure handling Yes In the event of an auction or transmission failure of the DualAggregator contract will fall back to providing data from standard Data Feeds.
iii) Clarify if liquidations revert automatically to Compound default Yes The fallback price source is the standard Data Feeds, which are currently the default in Compound.
iv) Specify risk periods without liquidation capability Yes The maximum block delay before falling back to default Data Fees is configurable via an on-chain parameter.
v) Walk through hypothetical “nightmare scenario” and mitigation No
f) Insurance and Recourse
i) Confirm availability of insurance or recourse Yes Insurance fund not proposed.
ii) Specify willingness to establish insurance fund Yes Open to discussion.
iii) Explain compensation process for incorrect liquidations/bad debt No
iv) Indicate if revenue allocation for insurance is proposed No
g) Upgrade and Maintenance Security
i) Explain governance for upgrades Yes Not detailed, same standard practices used for existing Data Feeds.
ii) Describe controls around contract/system updates Yes Not detailed, same standard practices used for existing Data Feeds.
iii) Provide details on communication protocols for changes No
h) Responsible Disclosure
i) Confirm existence of responsible disclosure program Yes Immunefi and Hacker One with a maximum bounty reward of $3M.
ii) Provide links or descriptions for bug bounties/guidelines Yes Immunefi and Hacker One.
iii) Describe internal disclosure process if no formal links available N/A
i) Security Incident Monitoring and Management
i) Provide security incident management protocol Yes Real-time monitoring and alerting for all the DONs, OFA streams, and on-chain activity.
ii) Explain incident communication with clients No
iii) Describe continuous monitoring practices Yes SVR Feeds are supported by 23/7/365 on-call rotations with subject matter experts.
j) Developer Support
i) Provide developer documentation and best practices links Yes Smart Value Recapture (SVR) Feeds Chainlink Documentation.
ii) Confirm developer support availability Yes A dedicated team at Chainlink Labs on call is in contact with the relevant parties in the Compound community.
iii) Specify support format provided Yes Chainlink documentation webpage.
iv) Provide contact details for proposal inquiries Yes On Telegram at @CL_Raoul and @ash_cll.
k) Real-time Metrics
i) Confirm provision of real-time metrics on liquidations/OEV Yes Values proposed: Recapture Chance (%), Recapture Rate (%), Total collateral liquidated, Total liquidation bonus, Total value recaptured and Number of liquidations.
ii) Explain data sourcing methodology and metric calculation Yes Metrics derived from on-chain data via transaction logs.
iii) Detail verification processes for DAO members Yes Validity can be verified by independently calculating the same metrics using on-chain data.
iv) Clarify DAO metrics sharing approach Yes Plans to create a near real-time dashboard.

Conclusion

In summary, Chainlink’s Smart Value Recapture (SVR) is a compelling extension of its existing Data Feeds. Its architecture, though technically detailed only for mainnet markets at the moment, leverages a DualAggregator contract to ensure a reliable fallback to standard Data Feeds in case of failure, minimizing new trust assumptions. While the system has performed well on Aave V3 since April 2025, it lacks exposure to extreme market scenarios. The formal code audit report from NCC Group was not supplied for this assessment.

Overall, Chainlink thoroughly addressed the security and risk checklist. The primary considerations for Compound remain SVR’s limited production history, the missing audit report, and the fact that multichain implementation details are not yet fully specified.

We would like to thank the Chainlink team for their submission and their responses to our questions.

1 Like
2

Hi all, Ash from Chainlink Labs here. We’d like to thank OpenZeppelin for the thorough review of our proposal to integrate Chainlink Smart Value Recapture (SVR) into Compound to recapture liquidation MEV. Their feedback is greatly appreciated, and we welcome the opportunity to clarify some key points and provide additional context for the community.

1. Architecture

OpenZeppelin accurately captured the core functionality of SVR’s architecture. We’d like to elaborate further on two strategic components of its design: the use of decentralized oracle networks (DONs) and the underlying market structure of the searcher market.

Defense-in-depth security is the heart of all Chainlink services. Through this security-first approach, the Chainlink platform now actively secures over $63 billion in DeFi TVL across hundreds of applications, representing 67% of oracle market share. Beyond DeFi, Chainlink is increasingly being adopted by leading institutions, such as J.P. Morgan and Swift, to power their digital asset and blockchain projects. This includes powering complex multi-asset, multi-chain, multi-jurisdiction Delivery-vs-Payment (DvP) workflows with tokenized assets that use Chainlink oracles for onchain data delivery, cross-chain interoperability, automated compliance, and legacy system connectivity.

The same rigorous approach we take to building infrastructure solutions for our institutional partners is applied to all Chainlink services, including SVR. With Compound being a top-5 lending protocol ranked by TVL with $2.9B in total deposits, it is paramount to carefully manage the protocol’s risk exposure.

Decentralized Oracle Networks (DONs): Chainlink DONs leverage independent node operators geographically distributed across the world and include leading telecommunication providers Swisscom, Deutsche Telekom (T-Mobile), and Vodafone.

Chainlink SVR leverages the same decentralized oracle network infrastructure that is already widely adopted within DeFi, including by the Compound protocol itself. Chainlink DONs, through Compound’s use of Chainlink Data Feeds, have secured Compound lending markets over the past four years without fail and through extreme periods of volatility (e.g. Luna, Celsius, FTX and the Covid crashes).

Liquidators on Compound who currently monitor price updates coming from Chainlink Data Feeds can opt to onboard Chainlink SVR, leveraging support and resources provided by Chainlink Labs. This will enable them to continue participation in an open liquidation market and generate a new stream of revenue for Compound.

Searcher Market and Auction Infrastructure: The creation of a robust searcher market is not only central to maximizing the rate at which OEV can be recaptured, but also critical for maintaining the solvency of Compound markets. OEV recapture solutions operate as a two-sided marketplace that matches lending protocols (who need to liquidate at-risk loans to maintain solvency) with searchers (profit-motivated entities who are willing to liquidate at-risk loans). If an OEV solution does not support a robust set of independent searchers—due to technical integration complexity, impractical bond requirements, or ecosystem immaturity—then the risk of failed auctions is significantly higher, particularly under times of market stress when timely liquidations are critical for protocol solvency.

Chainlink SVR stands out as the optimal OEV solution for lending markets, not only by leveraging Chainlink’s proven DON infrastructure, but its ability to tap into existing searcher ecosystems by integrating with established MEV auction providers that already have a diverse and active searcher set. Today, Chainlink SVR’s deployment on Ethereum is integrated directly with Flashbot’s MEV-Share, simplifying the process of onboarding searchers via minimal integration friction to SVR auctions.

For Compound on Base, SVR will use Flashbots MEV-Share at launch in the coming weeks, maintaining the same censorship-resistant guarantees. Chainlink has prioritized maximum decentralization and reliability by rigorously onboarding high-quality, third-party searchers. As a result, the industry’s most competitive independent searchers (e.g. iBribe2Much, Wintermute, and Riposte) are already integrated with Chainlink SVR and actively winning bids.

2. Performance Activity

“While the Chainlink team states that SVR covered a price range of $74K–$100K in BTC/USD, including periods of heightened market volatility, we believe there is lack of performance data from scenarios of extreme volatility due to limited production history… It lacks exposure to extreme market scenarios.”

Clarification: Chainlink SVR is live in production as the largest value-securing OEV recapture solution. SVR alone would be the second-largest oracle solution by value secured, behind the Chainlink network itself as a whole. Source

1600Ă—977 35.8 KB

Chainlink SVR as of 06-20-2025 secures $8.2B, whilst API3 secures less than $400M and Redstone lacks a production-ready solution.

Chainlink SVR has secured up to $10B (at recent highs) in total value for assets on Aave’s Core and Prime markets on Ethereum, demonstrating robust performance with 11 independent third-party searchers who have won bids, and another 10 onboarding. The system boasts an average onchain price update delay of less than 1 block and has accrued $0 in bad debt for Aave, indicating high efficiency and reliability. In the last 30 days, SVR successfully processed 51 liquidations with $2.1M in debt repaid, with an average recapture rate of ~75.8% (~77% in the past 7 days) (source).

Further proving its battle-tested nature, SVR effectively managed significant market volatility across various assets.

Data from March 29 to June 20, 2025 for SVR-activated markets on Aave:

  • BTC ranged between $76.2k to $111.6k (a 46% range relative to the min)
  • ETH ranged between $1,472 to $2,813 (a 91% range)
  • LINK ranged between $10.9 to $17.42 (a 60% range)
  • AAVE ranged between $125.09 to $308.19 (a 146% range).

This performance underscores SVR’s capacity to operate effectively amidst considerable market fluctuations while securing significant value. These numbers come from onchain data and public dashboards—the same transparency we plan to bring to Compound.

3. Code Quality and Audits

“Chainlink team states that the NCC Group conducted an audit of Chainlink SVR in November 2024, focusing on the changes introduced between the original OCR2Aggregator.sol and the updated DualAggregator.sol at commit ee7f7ad. However, the report of this audit has not been provided to OpenZeppelin team.”

Clarification: One point of clarification is that the auditor that was used was Trail of Bits not NCC Group in this case. The full audit for the SVR core contracts and auction logic has been shared privately with OpenZeppelin.

As part of our security practice, which is aligned with industry standards, every change to the SVR core contracts is subject to additional internal audit and fuzz-testing before entering a new chain deployment. To the extent possible, we would be happy to provide these reports to members of the DAO upon request.

4. Multi-Chain Deployment

“While the Chainlink team mentions that multichain capabilities are planned for short/mid-term deployment, they have not specified which OFA solutions will be used on each supported chain. In any case, MEV-Share can only be used as SVR’s OFA exclusively on Ethereum mainnet, and any other OFA solutions used in other chains will introduce different trust assumptions.”

Clarification: We are expanding SVR to Base in the next 2-3 weeks. Once completed, the roll-out of rollup-boost to OP-Stack L2s will make Flashbots MEV-Share compatible with standardized OP-Stack Chains. Deployment on Arbitrum and Polygon will follow shortly after the roll-out on Base.

Closing

We appreciate OpenZeppelin’s feedback and the DAO’s desire to mitigate risk. We believe that the data shows that SVR is a mature, efficient, and well-audited solution backed by the largest, most battle-tested oracle infrastructure in the industry. Evidenced once again by its performance in volatile market conditions as recently as the past week.

SVR has a vibrant open market of searchers already active, which creates resiliency against a single searcher not bidding, allows any current Compound searcher to permissionlessly onboard, and supports an efficient bidding market. The importance of this efficient, open market of high-quality searchers can’t be overstated.

We remain fully committed to working hand-in-hand with Compound delegates, the upcoming Foundation, and the relevant service providers to ship a solution that maximizes recaptured value without increasing protocol risk.

We welcome further questions and will continue providing additional materials that the community requests.

3

OpenZeppelin received the Trail of Bits report for the audit at commit 716eed762a95da4775314f4aecf8690a1e67f44a.

1 Like