Single-Source Oracle Price Feeds (TEE-Attested)
Introduction: Security and Accuracy for an Oracle System
Our system for reporting asset prices prioritises security and accuracy through the integration of a Trusted Execution Environment (TEE) and a multi-layered validation framework.
Core Security: Trusted Execution Environments
Feed processing occurs within an enclave (a TEE). This secure environment provides cryptographic proof of connection to the original feed source. The use of a TEE ensures that the code executing within it is verifiably the published code, preventing unauthorised modifications and enhancing the integrity of the data pipeline.
Data Integrity and Processing
Each price exported from the enclave is accompanied by an attestation generated by the TEE. This attestation serves as proof that both the time and the price data have not been altered since their reception.
To further ensure accuracy and reliability, we apply the following checks before publishing on-chain:
De-duplication: If the same price is received multiple times, only the first instance is accepted; subsequent duplicates are discarded.
Sanity checks: Incoming prices are compared against the latest prices for the same symbol from other independent sources. If a price is identified as an outlier—significantly deviating from established values—it is automatically rejected.
Stale price removal: To prevent outdated information from influencing validation, stale prices are automatically removed and are not factored into validation processes.
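The three checks above, sketched in Python as an added example (not the project's own code). The thresholds, the `Price` fields, the definition of a duplicate as an identical source, symbol, value and timestamp, and the decision to accept a price when no fresh peer exists are all assumptions of this sketch; the sample feed is constructed.

```python
from dataclasses import dataclass
from statistics import median

# Assumed values: the page says these are configurable but does not give them.
MAX_AGE_S = 30         # a price older than this is stale
MAX_DEVIATION = 0.02   # reject a price more than 2% from the peer median

@dataclass(frozen=True)
class Price:
    source: str
    symbol: str
    value: float
    ts: int            # source timestamp, seconds

class Validator:
    def __init__(self):
        self.latest = {}    # (symbol, source) -> last accepted Price
        self.seen = set()   # accepted Price objects, for de-duplication

    def check(self, p, now):
        if p in self.seen:                      # same source, symbol, value, time
            return "duplicate"
        if now - p.ts > MAX_AGE_S:
            return "stale"
        # Drop stale entries first so they never take part in validation.
        self.latest = {k: v for k, v in self.latest.items()
                       if now - v.ts <= MAX_AGE_S}
        peers = [v.value for (sym, src), v in self.latest.items()
                 if sym == p.symbol and src != p.source]
        # With no fresh peer there is nothing to compare against; this
        # example accepts the price in that case (an assumption).
        if peers and abs(p.value - median(peers)) / median(peers) > MAX_DEVIATION:
            return "outlier"
        self.seen.add(p)
        self.latest[(p.symbol, p.source)] = p
        return "accepted"

def run_sample():
    v = Validator()
    feed = [  # constructed sample data: (price, time it is received)
        (Price("D", "BTC/USDT", 60000.0, 50), 51),
        (Price("A", "BTC/USDT", 65000.0, 100), 101),  # D is stale by now, ignored
        (Price("B", "BTC/USDT", 65010.0, 100), 101),
        (Price("A", "BTC/USDT", 65000.0, 100), 102),  # repeat of A's price
        (Price("C", "BTC/USDT", 70000.0, 101), 102),  # about 7.7% above A and B
        (Price("C", "BTC/USDT", 65020.0, 60), 103),   # 43 s old
    ]
    return [v.check(p, now) for p, now in feed]
```

Had source D's old 60000 quote not been dropped as stale, source A's first price would have been compared against it and rejected as an outlier.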
Infrastructure and Operational Resilience
To support the security model, the entire data pipeline is built on highly resilient infrastructure, following industry best practices to ensure high availability and immediate failover.
Low latency and high throughput: The pipeline is architected for low latency and high throughput, using co-location strategies to reduce network latency to data sources so prices are captured and processed quickly.
Redundant monitoring: An independent and sufficiently redundant monitoring system promptly notifies the operations team of any service degradation or anomalous activity, enabling rapid response.
Update Mechanism and Aggregation
To manage update frequency and liveness, one source is assigned as a leader. The leader dictates when the system attempts to publish a new price. If the leader has not updated recently, the system automatically fails over to other sources to keep data timely.
While the system can be configured for a single, attested source, it can also publish aggregated prices, typically a median calculated from five independent sources for an asset, to provide a more resilient and representative market price.
For aggregated prices, the system can provide the individual TEE attestations for each price used in the aggregation. This enables full, auditable, end-to-end verification that every component of the medianised price originated from its verified source without tampering.
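The leader-driven update, failover and median aggregation described above, as an added Python sketch (not the project's own code). The timeout, the minimum source count, the class and function names and the opaque attestation bytes are assumptions; the event list is constructed.

```python
from statistics import median

STALE_AFTER_S = 60   # assumed: leader timeout and price max-age (page gives no values)
MIN_SOURCES = 3      # assumed: fewest fresh prices this sketch will aggregate

def acting_leader(order, last_seen, now):
    """First source in priority order that reported recently; order[0] is the leader."""
    for src in order:
        if src in last_seen and now - last_seen[src] <= STALE_AFTER_S:
            return src
    return None

class Aggregator:
    def __init__(self, order):
        self.order = order
        self.prices = {}   # source -> (value, attestation, received_at)

    def on_update(self, src, value, attestation, now):
        """Store the price; return a publication only when the acting leader reports."""
        self.prices[src] = (value, attestation, now)
        last_seen = {s: p[2] for s, p in self.prices.items()}
        if src != acting_leader(self.order, last_seen, now):
            return None
        fresh = {s: p for s, p in self.prices.items() if now - p[2] <= STALE_AFTER_S}
        if len(fresh) < MIN_SOURCES:
            return None
        return {
            "price": median(p[0] for p in fresh.values()),
            # One attestation per input, so an auditor can verify each and recompute.
            "attestations": {s: p[1] for s, p in fresh.items()},
        }

def run_sample():
    agg = Aggregator(["s1", "s2", "s3", "s4", "s5"])
    att = lambda s, t: f"attestation-{s}-{t}".encode()  # opaque placeholder bytes
    events = [  # constructed: (time, source, price)
        (0, "s2", 65010), (0, "s3", 64990), (0, "s4", 65020), (0, "s5", 64980),
        (0, "s1", 65000),   # leader reports: publish the median of five
        (30, "s2", 65030),  # leader still live: no publish
        (80, "s3", 65050), (80, "s4", 65060), (80, "s5", 65030),
        (90, "s2", 65040),  # s1 silent for 90 s: s2 takes over and publishes
    ]
    return [agg.on_update(s, v, att(s, t), t) for t, s, v in events]
```

The second publication excludes s1 from both the median and the attestation set, because its last price is older than the assumed timeout.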
System Flexibility and On-Chain Security
The system is designed to be highly configurable. Key parameters (such as outlier thresholds or stale-price definitions) can be adjusted and the system redeployed to meet the specific security and performance needs of different assets.
This security-first approach extends to the on-chain smart contracts:
Role-based access: Contracts feature robust role-based access control to prevent unauthorised updates to price feeds.
Multisig administration: Critical administrative functions—such as changing a source or updating a contract—require multisig-signed transactions, distributing trust and removing single points of failure.
Fluctuation checks: Contracts contain checks for large price fluctuations. If an incoming update deviates beyond a set threshold, it is automatically marked as pending and is not activated until validated by a trusted curator.
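The role check and the pending state can be modelled off-chain to test the intended behaviour. The following Python model is an added example, not the project's contract code; the 5% threshold, the role names and the choice that an in-range update clears a held value are assumptions.

```python
MAX_MOVE_BPS = 500   # assumed threshold: 5% in basis points (not from the page)

class FeedModel:
    """Python model of the contract logic; prices are integers, as on-chain."""
    def __init__(self, updaters, curators):
        self.updaters, self.curators = set(updaters), set(curators)
        self.active = None    # price consumers read
        self.pending = None   # large move awaiting a curator

    def submit(self, sender, price):
        if sender not in self.updaters:
            raise PermissionError("sender lacks the updater role")
        if price <= 0:
            raise ValueError("price must be positive")
        if self.active is not None:
            move_bps = abs(price - self.active) * 10_000 // self.active
            if move_bps > MAX_MOVE_BPS:
                self.pending = price      # held back, active price unchanged
                return "pending"
        # An in-range update supersedes any held value (this model's choice).
        self.active, self.pending = price, None
        return "active"

    def approve(self, sender):
        if sender not in self.curators:
            raise PermissionError("sender lacks the curator role")
        if self.pending is None:
            raise ValueError("nothing is pending")
        self.active, self.pending = self.pending, None
        return self.active

def run_sample():
    feed = FeedModel(updaters={"publisher"}, curators={"curator"})
    log = [feed.submit("publisher", 6_500_000),   # first price
           feed.submit("publisher", 6_600_000),   # 153 bps move
           feed.submit("publisher", 7_500_000)]   # 1363 bps move
    log.append(feed.active)                       # still 6_600_000
    for sender in ("publisher", "curator"):       # only the curator may approve
        try:
            log.append(feed.approve(sender))
        except PermissionError:
            log.append("denied")
    return log
```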
Resilience Against Common Attack Vectors
This multi-layered architecture provides strong, verifiable resilience against common DeFi exploits:
Data manipulation / malicious sources: A single malicious source is countered at multiple layers: off-chain sanity checks reject its price as an outlier and, when the aggregated feed is used, the medianiser ignores the faulty value.
Code tampering and man-in-the-middle (MITM) attacks: The TEE provides cryptographic proof of connection to the original source and guarantees the code being executed is the verifiably published code, making tampering with the data pipeline or processing logic exceptionally difficult.
Stale data attacks: The system actively removes stale prices; the leader/failover mechanism ensures the system remains live if one source stops reporting.
Flash-loan / volatility attacks: Sudden, artificial price swings are caught by two mechanisms: off-chain sanity checks reject the outlier; and if such a price reaches the contract, the on-chain fluctuation check flags it as pending, requiring curator validation.
Compromised admin keys: Role-based access limits potential damage, and multisig requirements for administrative actions ensure a single stolen key cannot alter core parameters or authorise malicious updates.
Summary (Restating the Core)
Our system for reporting asset prices—such as BTC/USDT—prioritises security and accuracy through TEE-based processing and attested outputs. Each price has a TEE attestation proving the time and value were not altered. Additional protections include de-duplication and sanity checks across independent sources. While the system supports aggregation, the core principles of TEE security and stringent validation ensure the safety and integrity of prices even when configured for a single source.