So revert back to coinbase pro. A multisig could then steal the system. It’s too much power.
Reverting to Coinbase won’t work if the coin isn’t on there.
Maybe we could add an emergency function that the multisig could call that would revert to using Chainlink’s main oracles that Aave and others use. That way the multisig can’t update the contracts to something unexpected.
I’m glad to see others voicing their support in adding Chainlink to the Compound protocol, I think it’s the right long term move. In regards to multisig, it looks like most people are leaning towards either the community multisig or the governance contract. If the former gets chosen by the community as the desired solution, I’d like to voice my interest in becoming one of the signers to help improve the multisig’s decentralization and therefore price feed security. For context, I was a pre-seed investor in Compound in November 2017. If I am added to the Compound community multisig, I will faithfully relay the community’s sentiments in my contributing transactions within the multisig process.
That’s a great point. When we add more assets that will be a problem. Maybe our internal oracle infrastructure will have some competition.
Hi all,
Katherine here from reputation.link, an independent analytical service to Chainlink. We’re thrilled by the proposed integration, and we can assist by providing insights into the security and reliability offerings of the Chainlink network. We’re here to provide that additional context to the Compound community about Chainlink as a solution - to help you understand the value of secure feeds.
We understand that there is so much value being secured by some of these data feeds, so it is important for you to do due diligence and really assess the price feeds and individual oracles that are supporting those feeds to ensure that you’re comfortable and willing to proceed with the integration.
As Johann mentioned, Chainlink has deployed all the necessary contracts onto the Kovan testnet to test the deployment process. Once the feeds are up on Ethereum mainnet, you will be able to visualise them on reputation.link. For example, check out the ETH/USD feed that is utilised by Synthetix and several other protocols. You can visualise how many (and which) oracles are securing that individual feed, and if there have been any deviations or failures on that feed. You can view round specific information, such as the price returned by each oracle on the feed, and if the returned prices deviated from the aggregated price. This provides the Compound community insights to understand the security guarantees of the data provided by the Chainlink network.
Johann touched upon the performance of Chainlink nodes during downtime events like when Infura went offline. During this outage, the Chainlink network and its node operators showed incredible resilience. For those interested, we provided an autopsy of the event here.
Depending on what your community decides to do with the admin key for each price feed, you’re absolutely right in assuming you can utilise reputation.link, to conduct due diligence on all of the verified Chainlink nodes, and hand pick specific nodes that meet your use case. Our homepage provides a list of the top ten best performing oracles. Explore the individual profiles of each Chainlink oracle and evaluate their reliability through visualising their on-chain performance (such as their average latency when responding to requests).
Our goal is to provide a premium experience for you to do your research on the quality of node operators for your integration. We can provide any insight you’d like to derive from the Chainlink network. We’re happy to assist in any way, to help ease the integration.
Update: 3/31/2021
After a lot of community feedback and debate, a number of changes have been made to the proposal since I first posted it.
-
Compound Governance is going to be the admin on the contracts. That gives the community the ability to add/remove reporters for each market. Governance will also be the admin on the main oracle contract that controls which markets to support.
-
An emergency function will exist for each market that the Compound Community Multisig controls. In the unlikely event that something happens with one of the oracle contracts that requires immediate intervention, the emergency function will switch the price feed to the Chainlink v2 contracts that are widely used in DeFi.
-
After a lot of debate and we’re going to continue using Uniswap v2 as an anchor. Once v3 launches, we’ll upgrade the contracts for v3 and send it to governance for approval.
The plan is to publish the revised contracts on testnet in the coming weeks for the community to review. Once feedback has been implemented, we’ll send the contracts for audit. After the audit, we’ll move towards governance.
High level: The oracles that Aave, Sythentix, and others use are Chainlink v2. Those have an admin multisig that Chainlink and other stakeholders control. The system we’re developing is purpose-built for Compound. The community controls admin permissions, emergency functionality, anchor specifications, reporters per-market, and who the reporters are. We are essentially swapping Open Oracle/Coinbase for a community-designed version of Chainlink and maintaining the Uniswap anchor.
I think this is a good way to do it, nice progress.
I love seeing all this progress being made! This is looking really good for the Compound protocol.
Thank you for update and transparency on this proposal’s progress
I hope the proposal can be realized soon
I really love this approach. Great progress and excited to see this come to fruition.
Awesome effort getty! Will definitely get behind this once it’s put to vote
Thanks for all of your hard work on this @getty!
I am convinced that an upgrade is necessary and I haven’t seen any preferable alternative.
Signaling my support and I will encourage the rest of StanfordCrypto to support it as well.
Polychain is largely supportive of this proposal as a short-term solution.
We definitely echo some concerns about Chainlink: It’s effectively a semi-trusted system that has been very slow at taking steps to enhance cryptoeconomic security (still no staking, random shuffling of nodes, few integrations of primary data sources). Generally, we don’t find this model to be aligned with COMPs values… However, a semi-trusted oracle that works is better than a decentralized oracle with insufficient guarantees. Additionally, the fact that the COMP community will be able to select reporters and will have control over the admin multisig is a reasonable tradeoff. We should treat these reporters as trusted parties, and, of course, should prioritize selecting reporters who are aligned with the Compound Protocol.
Overall, we still think the medianizer route is the optimal solution, but building out the Compound community’s version of Chainlink is a step in the right direction, as this will then enable Chainlink to be safely used in a medianizer built by the COMP community (along with centralized exchange data (signed off-chain) & eventually price data from liquid DEXs).
Big thanks to @getty for taking the lead on this.
First, want to thank @getty for the hard work he’s put in to research.
Historically, Chainlink was rejected by the Compound Labs team for the following reasons:
- Smart contract risk surface
- Manual administration (risk of error)
- Reliance on third-parties to post prices (with no guarantees that they would be posted accurately, or at all)
In its current form, the suggested approach is a security risk to the protocol, and I will be voting against it.
Simply put, the “core” Chainlink is safer than an offshoot.
- Creating an offshoot introduces new contracts / risks
- The manual administration is shifted from a dedicated organization, to a decentralized one. Compound governance moves slowly, and is poorly equipped to be rotating reporters, whether through a 7-day governance process, or a multi-sig. This idea is madness.
The risks of Chainlink can be offset in other ways; including it as part of a median, or anchoring it to Uniswap or the current system. Carefully designed, this can abate the risk of prices not being posted, or posted incorrectly.
If you read both of the LINK whitepapers you will know that every argument you mentioned above has been debunked. Instead you pretend. Compound is deliberately undercutting their systems to extract rent of it using flashbots among other means. They don’t want to integrate chainlink because it means honesty and they can’t profit from that.
This is the critical moment in time to decide whether trust wins or not, and people like Leshner are a roadblock.
After discussing the proposal with Robert, we have come up with an adjusted plan that he, Polychain, and blck will support.
The high-level idea is:
-
We are going to use the main Chainlink oracles instead of building our own.
-
The Uniswap anchor will be tightened to 15%. (I am going to do some research, but 15% is what we’re going with as of now)
-
USDC and USDT are going to be continued to be pegged at 1. If someone wants to use USDT as collateral in the future, they will need to add an oracle.
-
If a Chainlink price is outside of the anchor, it will not update. We will add an additional feature that will allow the community multisig to choose to use the Uniswap price.
The Chainlink team will get started on this change, and I’ll follow up with more details and docs as we have them.
Overall I think this is good news, and I am excited about the progress.
Thanks for the update @getty. I’m pleased to hear we are honing in on an oracle implementation that has broad community support. FWIW I tend to agree with Robert in that Compound governance’s 7-day process is not ideally suited to manage reporters, and going with a “core” solution is the safer bet.
Looking forward to the next update!
@getty I’m very excited to hear this! Thanks for the hard work everyone.
Please let me know how I can help with this.