Some updates and new results since the original post.
Mechanism refresher
An openOracle report is two limit orders, a buy and a sell, at the same price. The orders are locked until either the timer runs out or one is taken. To take one of the limit orders, you must replace them with larger ones at a new price. When the timer runs out without a dispute, the price is settled. Any disputes reset the timer.
Censorship defense
We’ve refined the censorship model since the original post. FOCIL doesn’t change things much at the adversarial limit given the block stuffing angle. The defense is simpler: to settle a mispriced oracle report, the attacker must bribe out every dispute opportunity for the entire settlement window. Very roughly, for a linear external notional N with initial oracle liquidity L, price error R > \kappa (otherwise disputes are unprofitable and censorship is unnecessary), cost to report \kappa, and assuming the attacker’s counterparty is totally passive, the required settlement time for a grief ratio G is:
The definition of T depends on bribery context: under per-block bribery (e.g. ePBS), each block is an independent bribe event. Without strong commitment infrastructure, each non-contiguous streak of the same producer is an independent event. Under credible long-horizon commitments, each unique economic entity as a producer is an independent event. The settlement window must contain enough independent events to satisfy the grief ratio. If the attacker is themselves a block producer for some fraction of blocks, they don’t need to bribe themselves, so T should be scaled up to account for their expected concentration.
Parasitic open interest (external notional latching onto an oracle report without paying for it) drives N up and L/N down, weakening the grief ratio. However, this seems unstable, since the original attacker can add their own notional to the same report, exploiting anyone who latched on. Alternatively, contrived oracle games can be constructed to exploit parasitic OI directly. Standing parasitic liquidity seems to get selected out of existence before the paying oracle user submits a price request.
Oracle accuracy
The disputer’s EV for taking a mispriced limit order at distance D from true price against an adversary who counter-disputes at distance A is:
where Q(A) is the double-no-touch probability (price stays within \pm A for the settlement time) and M is the multiplier. If the disputer calibrates against the worst-case adversarial counter-dispute, we see
Under a normal distribution, this maximizes at A \approx 0.84 \cdot \sigma(T) with C \approx 0.65 \cdot \sigma(T). Disputes are profitable when D > C \cdot M, giving honest dispute barriers at approximately \pm\, 0.65 \cdot M \cdot \sigma(T).
Including swap fees F_s and protocol fees F_p, the disputer’s EV becomes:
As a conservative threshold, fees are purely additive to required edge, so the dispute distance shifts from D > 0.65 \cdot M \cdot \sigma(T) to roughly D > 0.65 \cdot M \cdot \sigma(T) + F_s + F_p. In practice, the swap fee reduces the loss to an adversary on a counter-dispute (the (A - F_s) term), so the actual barrier can be tighter.
Settlement probability inequality
Dispute frequency is governed by a more fundamental condition than the swap fee. With multiplier M, per-round settlement probability Q, and dispute probability P = 1 - Q, with any per-round proportional cost c > 0, the total expected cost of the oracle game is a geometric series:
which converges only when:
This is what actually governs dispute frequency, not the swap fee. The swap fee shifts the dispute barriers (adding ~F_s to the required edge), which widens the no-dispute band and pushes Q higher, but the fundamental constraint is the Q inequality above. The escalation halt caps the oracle game size, breaking the divergence, but as long as it’s high enough relative to external notional, a manipulator still faces extreme costs when adding too many disputes.
Manipulation bounds
We now have a fuller analysis of manipulation strategies for linear notionals, where a manipulator wants to bias the settled oracle price in their favor as much as possible, and has a completely passive counterparty. We assume smaller multipliers and none to very small F_s and F_p in the oracle game, since this maximizes oracle accuracy for linear notionals.
The strongest manipulation strategy in the absence of censorship seems to be selective delay: the manipulator only reports the true price, but decides whether to delay or settle based on which has higher utility. A very rough way to think about this attack is to delay when the price is against you, and let it settle when it’s in your favor.
Under a normal distribution, using backward induction over the oracle game rounds, the expected bias from this strategy is approximately (0.15\text{–}0.20) \cdot \sigma(T) under reasonable parameterizations (L/N \approx 10\%, M \approx 1.20). This is much smaller than the dispute barriers themselves. Higher initial liquidity fractions reduce bias further at the tradeoff of more initial reporter cost.
Wrong-price strategies (reporting a deliberately incorrect price) come in two flavors. In the first, the manipulator places a wrong price and continuously updates it to stay just inside the dispute barriers. This has positive extraction but requires many rounds with very low per-round survival probability which is impractical with exponential game growth. In the second, the manipulator reports a wrong price and lets the honest network dispute at standard barriers. Here, the conditional survival bias under reasonably low multipliers nearly exactly offsets the placement advantage, yielding close to zero extraction.
Oracle game fee routing
The prior contract had a single hardcoded address accruing all oracle game protocol fees. The current contract lets the oracle game creator specify a protocolFeeRecipient at creation time. Fees can be routed to the parties who paid for the oracle game (e.g. split between lender and borrower in a lending setup), burned by setting the recipient to address(0), or directed anywhere else.
Initial reporter bounty
The initial reporter bears risk from being disputed, losing in expectation unless compensated. To find the market-clearing compensation for this, we use a bounty contract that starts small and escalates exponentially each round (e.g. 1.5x per round). The first reporter to submit claims whatever the bounty has grown to. If conditions are unfavorable (high volatility, high gas), no one reports until the bounty grows enough. The realized payout reveals the true cost of initial reporting under those conditions.
Open work
The goal is a unified DP formulation where the external notional payoff can be any function (linear, binary, convex, etc.) and the manipulator has access to the full strategy space: delay, wrong-price reporting, ePBS censorship bribery, and settlement, all in a single backward induction. Sweep across oracle game parameterizations (L/N, M, T, fee schedules) and distribution families to map out expected extraction across the full space. Right now the linear and binary notional analyses are separate, the linear analysis assumes a normal distribution, there is an assumption of no censorship (e.g. a cooperative L2 sequencer), and the price process is continuous rather than discrete block times. Unifying these under arbitrary payoffs, distributions, inclusion models, and discrete-time dynamics is the main thing left to do.
In conclusion
The oracle problem is hard and the math is non-trivial. We could easily have made mistakes (as there were in the original writeup) or missed attack vectors. It’s been difficult to get substantive feedback on this approach so far, so if you see holes in the analysis or have constructive criticism, we’d genuinely appreciate it.
Full writeups and derivations at Oracle Accuracy & Cost - openOracle and Economic Bounds - openOracle and Attack Vectors - openOracle.
The contract has no privileged access, no admin keys, and no upgradeability. MIT licensed.
Current oracle contract: openOracle/src/OpenOracle.sol at bab490aeeae992c8ae28fb2286dff96d393c96b2 · openOracleProject/openOracle · GitHub