Backup oracles (Chainlink + Tellor)

Backup Oracles

Following up on the discussion started on Discord, this proposal will update RAI’s ETH Oracle with a new implementation.

Currently the system relies on Chainlink for ETH prices. All contracts that rely on the ETH oracle have at least this parameter still governed.

The new implementation aims to retain the ability to quickly swap oracles in case of a problem (~5 day governance process), but mitigates the introduction of a malicious implementation, enforcing a delay to entrust it and therefore allowing more time for the community to notice and cancel the change before it occurs.

Prices will now be reported through an overlay. It includes a list of trusted implementations and governance can swap in between them at the same speed an oracle swap can be done right now.

For new implementations to be trusted, an initial governance vote is required. A 60 day delay is then enforced before the implementation is included in the trusted implementation list. During the delay, governance can cancel the process through a vote, and after the delay anyone can call a function that executes the change. In order for the system to use the new implementation, another vote is required.

Summing up, swaps between trusted oracles can be done through a single vote, new oracles can be included with a 60 day delay.

For a start we will have two trusted implementations, the currently used Chainlink oracle (that will keep on being the active system oracle) and a Tellor oracle implementation.

New Contracts

Overlay: 0xBf26309B0BA639ABE651dd1e1042Eb3C57c3e100
Chainlink: 0xE2e1Cf7C3A3959157A9b64cAF9675114396d451c
Tellor: 0x2c88408E036B7d0B015B92862c9D93197C72775C

The contracts above are setup fully, with the Chainlink and Tellor contracts fully ungoverned, and the overlay owned only by GEB_PAUSE_PROXY (governance timelock).

Both the Tellor oracle and the overlay implementations were audited by Solidified (report).

Contracts affected

All contracts that rely on the ETH price feed:

  • FEED_SECURITY_MODULE_ETH
  • GEB_DEBT_FLOOR_ADJUSTER
  • GEB_FIXED_REWARDS_ADJUSTER
  • GEB_MINMAX_REWARDS_ADJUSTER

From the above, GEB_DEBT_FLOOR_ADJUSTER is partially ungoverned, and the rest are still fully governed.

In this proposal we change the ETH oracle on all of them to the new overlay.

Along this change I propose we fully ungovern the OSM (FEED_SECURITY_MODULE_ETH), using the opportunity to further ungovern the system.

The remainder periphery adjuster contracts still have several parameters that could change, so they can be ungoverned at a later date.

RAI Oracle

The proposal will not touch the RAI oracle nor the contracts that use it. Tellor does not provide a RAI feed at the moment, so setting it up is needed before the change. Additionally, the only core contract that relies on it is the PID Controller, still fully governed. Before ungoverning it a similar overlay should be put in place.