Summary
The current oracle accepts prices from a single signer. A compromised or manipulated keeper can submit any price they want. Using multiple independent price sources with median selection significantly raises the attack cost.
Proposed Design
- Allow up to N (configurable, default 3) trusted signer addresses per token
- Each execution call includes a price submission from each registered signer
- The oracle computes the median of submitted min prices and median of max prices
- A minimum quorum (e.g., 2-of-3) must submit for the price to be valid
Keeper Protocol Change
Keepers must collect signed prices from all registered signers before calling any execution function.
Acceptance Criteria
Affected Contracts
oracle, all handler contracts
Summary
The current oracle accepts prices from a single signer. A compromised or manipulated keeper can submit any price they want. Using multiple independent price sources with median selection significantly raises the attack cost.
Proposed Design
Keeper Protocol Change
Keepers must collect signed prices from all registered signers before calling any execution function.
Acceptance Criteria
Affected Contracts
oracle, all handler contracts