Oracle Risk
Oracle risk measures the reliability of the price feeds used to value vault collateral. A weak oracle doesn't just affect one metric — it can cascade into a mispriced liquidation or an inaccurate composite Ozone Score. Ozone evaluates oracle risk at three levels and surfaces it alongside market and protocol risk for every monitored vault.
Why oracle risk matters
DeFi lending protocols rely on oracles to determine whether a borrower's collateral covers their loan. If an oracle feed is:
- Accounting-derived (not market-discovered), it may diverge from the real liquidation price under stress
- Upgradeable, its logic can change without its address changing — silently altering how prices are computed
- Multi-hop, a single weak feed in a chain of dependencies degrades the entire price path
Oracle failures have historically preceded the largest DeFi bad-debt events. Ozone makes this risk explicit and quantified.
Three scoring levels
Oracle scores are built bottom-up across three levels:
Level 1: Oracle contract score (per feed address, 0.0–1.0)
↓ geometric mean
Level 2: Market oracle score (per lending market)
↓ allocation-weighted average
Level 3: Vault oracle score (per vault, shown in Ozone UI)
Level 1 — Oracle contract score
Each price feed address is scored 0.0–1.0 based on its architecture, governance surface, and dependency risk. Scores are deterministic: the same architecture always produces the same score.
| Source type | Score range | What drives the score |
|---|---|---|
| Chainlink V2 (major pairs, e.g. ETH/USD) | 0.9–1.0 | Decentralized node network, wide coverage, proven track record, tight deviation threshold |
| Chainlink V2 (thinner coverage) | 0.6–0.7 | Lower/inconsistent liquidity, spread risk, shorter operational history |
| Lido Wrapper + Chainlink | 0.5–0.6 | Two-hop derivation: wstETH → stETH via Lido wrapper, then stETH → ETH via Chainlink. Each extra contract in the path adds failure surface. |
| ERC-4626 Vault Rate | 0.3–0.4 | Price is totalAssets / totalSupply — accounting-derived, not market-discovered. No independent price aggregation. |
| Upgradeable Proxy | 0.1–0.2 | Logic can change without address change (ERC1967/UUPS). Admin surface can alter price derivation silently. |
| Permissioned ERC-4626 | 0.1–0.2 | Manager-gated vault with redemption queues, exit windows, and transfer restrictions. Price may not reflect realizable value. |
Any feed with upgradeability, admin controls, or permissioned access is capped and can never reach the reference-grade tier (0.9–1.0). Documentation quality or claimed monitoring does not raise this cap.
Level 2 — Market oracle score
A lending market typically uses multiple feeds in its price path (e.g. collateral feed × collateral wrapper / loan feed). The market-level oracle score is the geometric mean of all individual feed scores.
Why geometric mean, not arithmetic mean?
Feeds in a price path are chained — if one fails, the entire price is unreliable. Geometric mean penalizes weak links in a way arithmetic mean does not:
| Feeds | Geometric mean | Arithmetic mean |
|---|---|---|
| 1.0, 0.7 | 0.837 | 0.850 |
| 1.0, 0.4, 0.7 | 0.654 | 0.700 |
| 1.0, 0.2, 0.7 | 0.519 | 0.633 |
| 1.0, 0.0, 0.7 | 0.000 | 0.567 |
The last row illustrates the zero-out property: a single hardcoded-price feed (score 0.0) makes the entire market oracle score zero, regardless of how strong the other feeds are. This is the correct behavior — a fixed-price adapter provides no price discovery.
Real examples from Morpho PYUSD markets:
| Market | Weakest feed | Market oracle score |
|---|---|---|
| PYUSD/cbBTC | Chainlink PYUSD/USD (0.7) | 0.837 |
| PYUSD/wstETH | Lido wrapper (0.6) | 0.749 |
| PYUSD/sUSDe | ERC-4626 vault rate (0.4) | 0.654 |
| PYUSD/syrupUSDC | Permissioned vault (0.2) | 0.519 |
| PYUSD/sUSDS | Upgradeable proxy (0.2) | 0.461 |
Level 3 — Vault oracle score
For vaults that allocate across multiple markets (e.g. MetaMorpho vaults), the vault-level oracle score is the allocation-weighted average of market oracle scores. Markets with higher capital allocation carry more weight.
Vault oracle scores are computed at query time and displayed directly in the Ozone dashboard.
Oracle tiers
| Score range | Tier | What it means |
|---|---|---|
| 0.9–1.0 | Reference-grade | Decentralized oracle network, multiple independent data sources, high volume, market-discovered prices. Trusted baseline. |
| 0.7–0.8 | Moderate risk | Reliable feed but with concentration risk, spread risk, or cross-rate derivation. Functional under normal conditions; weaker under stress. |
| 0.5–0.6 | Elevated risk | Multi-hop price derivation (wrappers, adapters). Additional failure surfaces beyond the base feed. |
| 0.3–0.4 | High risk | Accounting-derived price (totalAssets/totalSupply). No market price discovery — price reflects protocol accounting state, not trading activity. |
| 0.1–0.2 | Very high risk | Upgradeable proxy, permissioned vault, or feeds with an opaque control path. Logic or parameters can change without on-chain visibility. |
| 0.0 | No oracle value | Fixed price adapter (hardcoded $1). No price discovery of any kind. |
How oracle risk affects the Ozone Score
Oracle risk is one of three dimensions in the composite Ozone Score alongside market risk and protocol risk. The three dimensions are combined using geometric mean at the composite level, which means a critically weak oracle score can significantly pull down the composite — even if market and protocol risk are strong.
Example — AAVE FRAX:
| Dimension | Score |
|---|---|
| Market risk | 0.820 |
| Oracle risk | 0.200 |
| Protocol risk | 0.931 |
| Ozone Score (geometric mean) | 0.535 |
| Arithmetic mean (for comparison) | 0.650 |
The oracle score of 0.2 alone accounts for an 18% penalty versus what a simple average would produce. This is intentional: oracle failure is a tail risk that correlates with market stress — oracles are most likely to fail exactly when accurate pricing matters most.
See How Ozone Scores Work for the full score composition methodology.
Oracle deep-dives
For contract-level analysis of specific oracle architectures, see the Oracle Deep-Dives in the Risk Engine Validation Report: