Pessimistic Price Oracle
Grace Pessimistic Price Oracle (PPO) improves upon the previous generation of FiRM’s PPO design. This new iteration of PPO renders most flashloan, multi-block and even multi-day collateral inflation and debt deflation attacks ineffective. This allows Grace to dramatically reduce the risk of on-boarding new collateral types and on-chain price feeds that were previously considered too risky.
Collateral PPO
The PPO prevents the borrowing power of each collateral from exceeding the lowest recorded price of the collateral over the past 2 weeks based on the collateral factor. This removes the incentive of single and multi block attacks because a collateral price inflation attack cannot be profitable regardless of the oracle price originating from the potentially vulnerable price feed.
For example, let's say the current ETH collateral 2-week low was $1000. Say ETH has a 50% collateral factor, meaning that you can only borrow 50% of its value. A few days later, ETH oracle price suddenly rises to $3000. Normally you would be able to borrow $1500 (50%). However, this is a problem. Because your collateral's entire value was $1000 only a few days ago, and now you're able to borrow more than its previous value. Therefore, there is a potential for a profitable manipulation here.
In this case, the PPO will temporarily reprice ETH down to $2000. Because at $2000 and 50% collateral factor, you are only able to borrow the lowest value of your collateral, which is $1000, but not more. At $2000 ETH, there is no incentivize to manipulate the oracle. At the same time, ETH is still priced much higher than the low ($2000 instead of $1000).
Most times, the PPO will continue to price collateral based on the live oracle price. However, based on the rule outlined above, if the collateral price makes any dangerous swings, the PPO makes sure that these swings are capped to eliminate incentive for manipulation.
Debt PPO
Grace PPO also adds a similar mechanism for pricing debt tokens, where the highest recorded price over the past 2 weeks is used. This prevents a another class of manipulation attacks where an attacker may try to artificially reduce the price of borrowed tokens in order to increase the amount of tokens that can be borrowed per collateral.
Unlike the collateral PPO above, debt PPO does not take collateral factor into consideration. It is a simpler mechanism that simply uses the highest 2-week debt price.
Last updated