Oracle Tier Evidence
Evidence document for oracle risk classification. Covers per-feed scoring, tier definitions, geometric mean aggregation, and source tiering. Supports Tests 1.1, 4.1, and 5. For term definitions, see the Glossary. For data sources, see Data Provenance.
Per-Feed Oracle Scores
Each oracle contract is scored 0.0-1.0 based on architecture, governance surface, and dependency risk. Scores are deterministic and grid-based — the same architecture always produces the same score. For source queries, see Data Provenance — Per-Feed Scores.
Evidence Table
| Network | Address | Source Type | Pair | Score | Tier |
|---|---|---|---|---|---|
| eth | 0x5f4ec3df9cbd43714fe2740f5e3616155c5b8419 | Chainlink V2 | ETH/USD | 1.00 | Reference-grade |
| eth | 0x8fffffd4afb6115b954bd326cbe7b4ba576818f6 | Chainlink V2 | USDC/USD | 1.00 | Reference-grade |
| eth | 0x2665701293fcbeb223d11a08d826563edcce423a | Chainlink V2 | cbBTC/USD | 1.00 | Reference-grade |
| eth | 0xa569d910839ae8865da8f8e70fffb0cba869f961 | Chainlink V2 | USDe/USD | 1.00 | Reference-grade |
| eth | 0x8f1df6d7f2db73eece86a18b4381f4707b918fb1 | Chainlink V2 | PYUSD/USD | 0.70 | Moderate risk |
| eth | 0x4f67e4d9bd67efa28236013288737d39aef48e79 | Lido Wrapper + Chainlink | wstETH/ETH | 0.60 | Elevated risk |
| eth | 0x9d39a5de30e57443bff2a8307a4256c8797a3497 | ERC-4626 Vault Rate | sUSDe/USDe | 0.40 | High risk |
| eth | 0xa3931d71877c0e7a3148cb7eb4463524fec27fbd | Upgradeable Proxy (ERC1967) | sUSDS/USDS | 0.20 | Very high risk |
| eth | 0x80ac24aa929eaf5013f6436cda2a7ba190f5cc0b | ERC-4626 Vault (Permissioned) | SyrupUSDC/USDC | 0.20 | Very high risk |
Chainlink Feed Classification
138 Ethereum mainnet feeds classified by Chainlink's own risk categories, mapped to our scoring tiers:
| Chainlink Category | Feed Count | Score | Tier |
|---|---|---|---|
| Low | 29 | 1.00 | Reference-grade |
| Medium | 69 | 0.70 | Moderate risk |
| High | 18 | 0.40 | High risk |
| Very High / New | 22 | 0.20 | Very high risk |
Tier Definitions
| Score Range | Tier | What It Means |
|---|---|---|
| 0.9-1.0 | Reference-grade | Decentralized oracle network, multiple data sources, high volume, market-discovered prices. Trusted baseline. |
| 0.7-0.8 | Moderate risk | Reliable feed but with concentration risk, spread risk, or cross-rate derivation. Functional under normal conditions, weaker under stress. |
| 0.5-0.6 | Elevated risk | Multi-hop price derivation (wrappers, adapters) or overridden Medium feeds with thin liquidity. Additional failure surfaces beyond the base feed. |
| 0.3-0.4 | High risk | Accounting-derived prices (ERC-4626 totalAssets/totalSupply), deprecating feeds, or heightened volatility assets. No market price discovery — price reflects protocol state, not trading activity. |
| 0.1-0.2 | Very high risk | Upgradeable proxy contracts, permissioned vaults, near-zero volume assets, or feeds with hack/bridge-failure history. Logic can change without notice; redemption is mediated. |
Source Tiering Verification (Test 5)
| Source Type | Score | Client Expected Range | Match |
|---|---|---|---|
| Upgradeable proxies | 0.20 | 0.1-0.2 | Yes |
| Accounting-derived (ERC-4626) | 0.40 | 0.3-0.4 | Yes |
| Permissioned vault (MaplePool) | 0.20 | N/A (should never be reference-grade) | Confirmed: capped at 0.20 |
Hard rule: Any feed with an admin surface, upgradeability, or permissioned access is capped and can never achieve reference-grade (0.9-1.0).
Deep-Dive Analysis References
Each oracle score is backed by a contract-level analysis that walks the full chain (read path, write path, control path), evaluates risk dimensions, and documents incident analogs. These analyses are the proof artifacts behind the scores.
| Oracle | Score | Deep-Dive |
|---|---|---|
| sUSDe / USDe (ERC-4626 vault rate) | 0.40 | sUSDe analysis |
| sUSDS / USDS (upgradeable proxy) | 0.20 | sUSDS analysis |
| SyrupUSDC / USDC (permissioned vault) | 0.20 | MaplePool analysis |
| wstETH / ETH (Lido wrapper + Chainlink) | 0.60 | Lido wrapper analysis |
Each deep-dive contains:
- Contract architecture: how the price path works, including proxy/implementation relationships
- Risk dimension assessment: upgradeability, admin surface, price derivation, external dependencies, staleness, manipulation surface, complexity
- Incident analogs: relevant historical failures from similar architectures
- Why this score: explicit "why not higher" and "why not lower" reasoning
ERC-4626 Tiering Rationale (Test 4.1)
Score: 0.40 (High risk)
Example: sUSDe (0x9d39a5de30e57443bff2a8307a4256c8797a3497) — full analysis
Price derivation: share_price = totalAssets / totalSupply
Why High risk (not Moderate or Reference):
- Price is accounting-derived, not market-discovered
- Protocol-dependent: Ethena mechanics, reward vesting, admin controls
- Balance-based sensitivity: direct transfers alter the exchange rate
- No independent price aggregation from trading venues
Why not Very high risk (0.2):
- Underlying asset (USDe) is liquid with Chainlink feed
- Deterministic ERC-4626 accounting
- No thin-DEX TWAP manipulation vector
- No upgradeability or permissioning
Composite Score Aggregation (Test 1.1)
The final risk score combines three dimensions (Market Risk, Oracle Risk, and Protocol Risk) using the geometric mean. A catastrophic weakness in any single dimension drags the entire composite down. For source queries and timestamps, see Data Provenance — Composite Aggregation.
Three-Dimension Composite: Production Examples
| Pool | Market | Oracle | Protocol | Geo Mean | Arith Mean | Penalty |
|---|---|---|---|---|---|---|
| AAVE WBTC | 0.996 | 0.85 | 0.931 | 0.924 | 0.926 | -0.2% |
| AAVE LINK | 0.975 | 0.90 | 0.931 | 0.935 | 0.936 | -0.1% |
| AAVE wstETH | 0.928 | 0.70 | 0.931 | 0.846 | 0.853 | -0.9% |
| AAVE BAL | 0.851 | 0.20 | 0.931 | 0.541 | 0.661 | -18.1% |
| AAVE FRAX | 0.820 | 0.20 | 0.931 | 0.535 | 0.650 | -17.8% |
| AAVE GHO | 0.750 | 0.00 | 0.931 | 0.000 | 0.560 | -100% |
| Morpho PYUSD/cbBTC | 0.707 | 0.837 | 0.926 | 0.818 | 0.823 | -0.6% |
| Morpho PYUSD/sUSDS | 0.615 | 0.461 | 0.926 | 0.640 | 0.667 | -4.0% |
Key observations:
- BAL and FRAX match the client's test case directly: Market and Protocol are strong (~0.85, ~0.93), but Oracle is Very High Risk (0.20). Geometric mean drops to ~0.54, an 18% penalty vs arithmetic mean.
- GHO with a fixed-price oracle (0.00) produces a composite of 0.00 regardless of Market and Protocol scores. This is the geometric mean's zero-out property — one catastrophic dimension eliminates the entire score.
- High-quality pools (WBTC, LINK) where all three dimensions are strong show <1% difference between geometric and arithmetic mean.
Geometric Mean Aggregation (Test 1.1)
When a lending market depends on multiple oracle feeds in its price path, the market-level oracle score is the geometric mean of the feed scores, not the arithmetic mean.
Why Geometric Mean
A weak oracle feed drags the entire price path. If one feed is unreliable, the market's price reliability is fundamentally compromised, regardless of how strong the other feeds are.
geometric_mean(1.0, 0.2) = 0.447 vs arithmetic_mean(1.0, 0.2) = 0.600
geometric_mean(1.0, 0.7) = 0.837 vs arithmetic_mean(1.0, 0.7) = 0.850
geometric_mean(0.7, 0.4) = 0.529 vs arithmetic_mean(0.7, 0.4) = 0.550
The geometric mean ensures that a single catastrophic weakness cannot be masked by strength elsewhere in the price chain.
Market-Level Evidence
Real Morpho Blue markets with computed oracle scores:
| Market | Feeds | Individual Scores | Geometric Mean | Arithmetic Mean | Difference |
|---|---|---|---|---|---|
| PYUSD/cbBTC | cbBTC/USD, PYUSD/USD | 1.0, 0.7 | 0.837 | 0.850 | -1.5% |
| PYUSD/wstETH | wstETH/ETH (Lido+CL), ETH/USD, PYUSD/USD | 0.6, 1.0, 0.7 | 0.749 | 0.767 | -2.3% |
| PYUSD/sUSDe | USDe/USD, sUSDe vault rate, PYUSD/USD | 1.0, 0.4, 0.7 | 0.654 | 0.700 | -6.6% |
| PYUSD/syrupUSDC | USDC/USD, SyrupUSDC vault, PYUSD/USD | 1.0, 0.2, 0.7 | 0.519 | 0.633 | -18.0% |
| PYUSD/sUSDS | USDS/USD, sUSDS proxy, PYUSD/USD | 0.6, 0.2, 0.7 | 0.461 | 0.500 | -7.8% |
All geometric mean values verified against production (see Data Provenance — Oracle Scores for queries).
Key observation: The geometric mean penalty grows sharply as the weakest feed deteriorates. In PYUSD/syrupUSDC, the permissioned vault feed (0.2) drags the geometric mean 18% below the arithmetic mean. This is the correct behavior — a chain is only as strong as its weakest link.
Three-Level Architecture
| Level | Scope | Aggregation Method | Rationale |
|---|---|---|---|
| 1 | Individual oracle contract | Deterministic scoring | Each feed assessed independently |
| 2 | Market (all feeds in price path) | Geometric mean | Chained dependencies — weak link dominates |
| 3 | Vault (across allocated markets) | Weighted average by allocation USD | Not directly related markets — diversification matters |
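The following sketch is an added example, not code from the scoring system this document describes. It works through the three levels together with the hard-rule cap and the zero-out property. Feed scores come from the tables above; the surface tags, the `constructed-proxy-feed` row, and the USD allocations are constructed assumptions.

```python
import math

REFERENCE_FLOOR = 0.9  # lower bound of the Reference-grade band
CAPPED_SURFACES = {"admin", "upgradeable", "permissioned"}  # hard-rule triggers

def geometric_mean(scores):
    """Level 2 and composite aggregation: n-th root of the product."""
    if not scores or any(not 0.0 <= s <= 1.0 for s in scores):
        raise ValueError("need a non-empty list of scores in [0, 1]")
    # Direct product rather than exp(mean(log)), so a 0.00 score zeroes the
    # result instead of raising a math domain error.
    return math.prod(scores) ** (1.0 / len(scores))

def penalty_pct(scores):
    """Percent gap of geometric vs arithmetic mean (negative = penalty)."""
    arith = sum(scores) / len(scores)
    return 0.0 if arith == 0 else (geometric_mean(scores) - arith) / arith * 100.0

def hard_rule_violations(feeds):
    """Names of feeds scored reference-grade despite a capped surface."""
    return [f["name"] for f in feeds
            if f["score"] >= REFERENCE_FLOOR and f["surfaces"] & CAPPED_SURFACES]

def vault_score(markets):
    """Level 3: market scores weighted by allocation in USD."""
    total = sum(usd for _, usd in markets)
    if total <= 0:
        raise ValueError("vault has no allocation")
    return sum(score * usd for score, usd in markets) / total

# Feed scores per market, copied from the Market-Level Evidence table.
MARKET_FEEDS = {
    "PYUSD/cbBTC": [1.0, 0.7],
    "PYUSD/sUSDe": [1.0, 0.4, 0.7],
    "PYUSD/syrupUSDC": [1.0, 0.2, 0.7],
}
# Constructed: surface tags, the mis-scored proxy row and the allocations
# below are illustrative assumptions, not data from this document.
FEEDS = [
    {"name": "sUSDS/USDS", "score": 0.20, "surfaces": {"upgradeable"}},
    {"name": "SyrupUSDC/USDC", "score": 0.20, "surfaces": {"permissioned"}},
    {"name": "ETH/USD", "score": 1.00, "surfaces": set()},
    {"name": "constructed-proxy-feed", "score": 0.95, "surfaces": {"upgradeable"}},
]
ALLOCATIONS_USD = {"PYUSD/cbBTC": 6_000_000, "PYUSD/sUSDe": 3_000_000,
                   "PYUSD/syrupUSDC": 1_000_000}

if __name__ == "__main__":
    for name, scores in MARKET_FEEDS.items():
        print(name, round(geometric_mean(scores), 3), f"{penalty_pct(scores):.1f}%")
    print("hard-rule violations:", hard_rule_violations(FEEDS))
    print("vault:", round(vault_score(
        [(geometric_mean(MARKET_FEEDS[m]), usd) for m, usd in ALLOCATIONS_USD.items()]), 3))
```

Running `hard_rule_violations` over the full feed inventory after each scoring change catches any proxy or permissioned feed that has drifted into the 0.9-1.0 band.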