In order to migrate to the Open Price Feed, the community should be convinced that it’s a good idea, or discover reasons why it’s not. This topic exists to discuss and publicly review the technical merits of the proposal. This project has been developed 100% transparently in this public repository on GitHub.
We view this oracle change as a final milestone in decentralization the protocol, by removing the permissioned poster role. The current mechanics are designed for an off-chain reporter anchored to an on-chain price. The prices coming from Coinbase off-chain must agree within a 20% tolerance of the prices coming from Uniswap on-chain, otherwise they will be rejected.
A full specification for the proposed oracle can be found here.
The Coinbase Reporter reads from the Coinbase Price Oracle.
In an extreme circumstance in which Coinbase believes their reporter key may have been compromised, the reporter also has the ability to sign an ‘invalidation’ message. Anyone may post this message to the chain, and the Open Price Feed will fall back to only using the Uniswap anchor prices, until a new oracle can be chosen.
A certain amount of time (anchor period) is elapsed before the contract is fully initialized. From that point on, whenever prices are posted, the Uniswap price accumulators are read, and updated if a new anchor epoch is possible. The time-weighted average price (TWAP) is the difference in the current and epoch forming accumulators, divided by the amount of time elapsed. In this way, we guarantee the accumulators are at least a certain distance apart, and thus the TWAP is taken over a long enough period of time.
In practice, we expect 30 minutes to be long enough to make Uniswap price manipulation attacks prohibitively expensive, however this also comes with some assumptions about the size of the market that must be considered. See also this discussion of oracle integrity and this analysis of price manipulation.
Adding New Tokens
The oracle is designed to support pricing tokens before or after they have a cToken wrapping them. Listing new tokens requires deploying a new view contract however, as all configuration variables are immutable. We also intend to post prices for a few more tokens which have reported prices, and which can thus be added to the protocol without changing oracles again.
What kind of quality assurance has been done?
We are still in the process of testing this code, which involves rigorously writing unit and integration level tests.
Open Zeppelin Audit
The code is currently being audited, we expect to have an initial report by the end of this week. The code can then be adjusted as needed based on feedback, and with additional testing.
Protocol Forking Simulations
We are working on creating hypothetical simulations demonstrating that the proposed new oracle, if elected, continues to operate successfully within the protocol.
We are working with Certora to formally specify and check properties of the contracts. We are still integrating feedback based on their analyses and findings. See the pull request in the GitHub repository for tracking changes.
Where are the proposed deployments?