Hey guys, I’m writing this post, which I initially sent on the Discord governance channel, in the hope that it will help answer the thoughtful questions which have been asked by the community as well as some of the possible doubts which some of you might have. We’re discussing a very key and important aspect of the protocol’s security here, hence I want to take the time to give as many details and as much information as possible for the Compound community to be able to reach an informed decision on this topic. It’s great to be having these conversations, which in my view are always a positive-sum game for the DeFi space and its security.
The specification of our oracle networks is described within our documentation (e.g. Chainlink Decentralised Data Model), covering when updates occur, the contracts used, and how the network is kept decentralized. Keep in mind, the documentation describes how our mainnet price feeds currently work. This architecture was made to be fully modular for any community or DAO who would want to start running/coordinating their own Chainlink data feeds. Hence, things such as the proxy contract which allows the network to be upgraded to the latest release of the feeds could be removed from this architecture if the Compound community doesn’t want the multisig to own this kind of power. Having an admin key on the oracle network is not strictly required, but an important consideration is that while new network contracts can be deployed, this takes time to pass governance, so having this upgradability can be a large advantage. For instance, if the Compound community wanted to scale up the number of nodes on a feed for a market which grew in value, they would have to redeploy a new contract with more node operators and then pass an on-chain governance vote to point to this newly deployed contract. The process could create delays which could result in unintended consequences.
The role of the multisig admin key is essentially that of a group of coordinators. Oracle networks are inherently complex as they combine multiple non-deterministic off-chain data points. Unplanned events can and do happen (huge gas spikes, issues with data sources, etc.). In these situations, the coordinators can efficiently prevent these events from adversely affecting the network through the necessary changes. These coordinators would also be able to add/remove nodes; for instance, as the value on Compound grows, it can add more and more reputable entities with a proven on-chain performance history to the set of oracles powering the price feed, scaling up the network’s security. Again, this is not a requirement; price feeds can and will work without a multisig. However, it’s just about assessing the risks you’re willing to take here. Both approaches do bring about their own set of challenges. This is all about incentives in the end. Right now, the assumption is that the multisig owners for Compound would have way too much at stake in the system (COMP token exposure) for them to be malicious here. As Wayne mentioned on Discord, an attack by them would likely not result in any net benefits for them and would destroy both the implicit stake they have in the system as well as their reputation. This is an important point to consider with regard to the likelihood of such adversarial admin key usage. However, as mentioned before, the multisig is not a requirement and the Compound community can go with whichever approach is preferred based on the security assumptions and trust model that are desired.
The requirement for nodes to post price data on-chain is based upon the economic incentives of being a Chainlink node in both the short term and the long term. In the short term, nodes who fail to post prices would not get paid and would eventually get removed from the price feed for their inactivity (either by the multisig coordinators or by the deployment of a new price feed to replace the previous one). In the medium to long term, the nodes would harm their reputation as a service provider in both the Chainlink network and any other external services they provide (nodes on mainnet include traditional enterprises like Deutsche Telekom’s T-Systems and premium data providers like Kaiko). I think it’s important to emphasize that this point can also be seen in the current Open Oracle design, as it’s a trust-based assumption regarding Coinbase: e.g. Coinbase has an incentive not to act maliciously or carelessly as this would affect their main business. This trust dynamic based on reputation and revenue is the same for the Chainlink nodes, e.g. why would Deutsche Telekom’s T-Systems act maliciously in a way that could adversely impact their company, which generates $100B+ in revenue a year? However, with the system we’re proposing, we’re counting on many different independent parties in different industries, distributed geographically across many different jurisdictions and with a plethora of different business models. Hence, the risk here is very distributed, which makes an overall takedown of the network far less likely than relying on one single category of providers.
Additionally, the loss of reputation would result in the opportunity cost of losing all future revenue in the Chainlink Network (nobody would choose to include or keep an unreliable node in their feeds), representing a strong financial incentive to continue publishing prices to capture this growing revenue. Historically, looking at the performance of Chainlink node operators over the past two years, the financial incentive structure has worked as designed with nodes publishing on-chain updates even during extreme network congestion (1,500 gwei) and downtime events like when Infura went offline. This historical on-chain data can be reviewed on independent analytic services like Chainlink Market and https://reputation.link, which can be used to determine which nodes have the strongest economic incentive to continue their services into the future as well as monitor the current performance of selected nodes in all price feed networks they participate in.
Chainlink price feeds also support historical circuit breakers to prevent the consumption of any potential outlier data points by comparing a new price update to previous updates, without the downsides of DEX-based TWAPs, which can become inaccurate during market volatility due to the time delay. A circuit breaker isn’t a requirement, but it can provide an additional safety net if it is a desired feature. Our main worry right now around DEX-based circuit breakers, which we would like to make clear, is that in the case of a flash crash, a TWAP would be an extremely lagging indicator, meaning it would give an outdated, stale price point, preventing people from liquidating collateral on time. Hence, if a token falls 50% in 30 minutes, liquidators won’t be able to liquidate positions in time as the TWAP will show a huge deviation from the primary price feed, causing a false positive to occur. This could result in the whole platform becoming undercollateralized. So, I would advise being very careful about circuit breakers if you decide to use one here. I am happy to discuss this further as I understand there are nuances at play here when upgrading a critical component of Compound’s infrastructure, but I wanted to provide some additional clarity on where we are coming from.
Ultimately, I want to make it clear that our intention is and always has been to offer these Chainlink price feeds and oracle networks as a neutral technology that communities such as Compound can shape and build around their needs however they see fit. Compound could go with a multisig or without; similarly, you could go with a circuit breaker or without. This is entirely up to you and the community, depending on what risk assumptions you are willing to take.
Our goal here is to provide our experience and expertise as a project that has been working exclusively on oracles with developers and researchers for 4 years, to create the most modular, redundantly secured technology for DeFi to grow and succeed. Hence, we want to advise and share our experience and what we think is the best approach for Compound. However, this is all in the hands of the community and we will assist you in whichever path you deem best for your protocol. Everyone on this forum has a stake in making sure Compound grows to a trillion-dollar protocol and beyond, not only for the sake of the community but for the whole of the DeFi space and the creation of a new, more inclusive and economically fair financial system. We’re here to assist you on this path and adventure in making this a reality, and hope our contribution can be the establishment of a fully fledged and secure price feed system which will allow the Compound community to achieve its ultimate vision as a money market protocol.
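To make the flash-crash concern from the circuit breaker paragraph concrete, here is an added simulation (illustrative code written for this page, not Chainlink's or Compound's, and not part of the original post): it replays a constructed 50%-in-30-minutes decline through a historical per-update deviation check and through a DEX-TWAP deviation check. The 10% thresholds, the 60-minute TWAP window with one update per minute, and the assumption that the DEX price tracks the same path as the feed are all assumptions of the example, not figures from the post.

```python
from statistics import mean

# Assumed thresholds and window for this illustration (not values from the post).
MAX_STEP = 0.10     # historical breaker: max move between consecutive accepted updates
MAX_DEV = 0.10      # TWAP breaker: max gap between the live price and the TWAP
TWAP_WINDOW = 60    # minutes in the TWAP window (updates assumed one per minute)


def historical_breaker_ok(prev_price, new_price, max_step=MAX_STEP):
    """Historical circuit breaker: accept the update only if it moves by at most
    max_step (a fraction) from the previously accepted update."""
    return abs(new_price - prev_price) / prev_price <= max_step


def twap_breaker_ok(twap_price, new_price, max_dev=MAX_DEV):
    """DEX-TWAP style check: accept the live price only if it is within max_dev of
    the time-weighted average. With equal spacing the TWAP is a plain mean."""
    return abs(new_price - twap_price) / twap_price <= max_dev


def flash_crash(start, end, minutes):
    """Constructed price path: a straight-line fall from start to end, one update
    per minute, e.g. the 50% in 30 minutes scenario from the post."""
    return [start + (end - start) * i / minutes for i in range(minutes + 1)]


def simulate(prices, warmup=TWAP_WINDOW, twap_window=TWAP_WINDOW,
             max_step=MAX_STEP, max_dev=MAX_DEV):
    """Replay `prices` through both breakers. `warmup` flat minutes at prices[0]
    seed the TWAP window (assumes the DEX price tracks the same path). Returns
    (minutes rejected by the historical breaker, minutes rejected by the TWAP check)."""
    history = [prices[0]] * warmup
    prev = prices[0]
    hist_rejects, twap_rejects = [], []
    for minute, price in enumerate(prices):
        window = history[-twap_window:] or [price]
        if not twap_breaker_ok(mean(window), price, max_dev):
            twap_rejects.append(minute)   # live price frozen out: liquidations blocked
        if historical_breaker_ok(prev, price, max_step):
            prev = price                  # accepted: reference for the next update
        else:
            hist_rejects.append(minute)   # outlier relative to the last good price
        history.append(price)
    return hist_rejects, twap_rejects


if __name__ == "__main__":
    hist, tw = simulate(flash_crash(100.0, 50.0, 30))
    print("historical breaker rejected minutes:", hist)  # [] -> every update accepted
    print("TWAP check rejected minutes:", tw)            # 7..30 -> false positive
    print("10x outlier accepted?", historical_breaker_ok(100.0, 1000.0))  # False
```

During the steady decline the per-update moves stay under 4%, so the historical check keeps accepting fresh prices, while from minute 7 the lagging TWAP sits more than 10% above the live price and a TWAP-based breaker would flag the correct price as suspect for the rest of the crash.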