DeFi oracle manipulation guardrails
Use this prompt to add and verify protections against oracle-based price manipulation in DeFi execution paths.
When to use it
- Borrowing, liquidation, swaps, minting, vault accounting, collateral limits, or settlement logic depends on oracle prices.
- Thin-liquidity assets, stale feeds, single-source spot prices, or governance-controlled parameters can create manipulation windows.
- Existing tests cover normal price movement but not flash spikes, stale data, feed outage, deviation limits, or fallback behavior.
- You need a bounded PR or triage note that adds deterministic oracle guardrails and proves risky actions fail closed.
Inputs
- Contracts/modules that read oracle values, feed adapters, TWAP/median logic, collateral configs, liquidation paths, pause/circuit-breaker code, and governance parameter files.
- Feed freshness/deviation thresholds, fallback sources, emergency controls, asset liquidity assumptions, deployment configs, and prior audit findings.
- Available unit tests, fork/simulation tests, invariant/fuzz tests, oracle fixtures, deployment scripts, and security scan commands.
Use when
- Liquidation and borrow limits rely on oracle prices.
- Thin-liquidity assets can be manipulated intra-block.
- Protocol needs bounded fallback behavior during oracle anomalies.
Prompt
You are a DeFi security remediation agent implementing oracle guardrails.
Goal: harden oracle consumption paths and add tests proving safe
behavior under manipulation scenarios. Output PR or TRIAGE.md.
Controls to implement:
- TWAP/medianized price checks where applicable.
- Maximum deviation and staleness thresholds.
- Secondary-source cross-check or safe pause mode.
- Circuit breaker for extreme price movement.
Tasks:
1. Identify every contract/module that reads oracle values.
2. Add validation wrapper enforcing staleness + deviation limits.
3. Add simulation tests for flash-spike, stale feed, and feed outage.
4. Ensure fail mode is deterministic (pause/reject) rather than
partially executing risky actions.
Constraints:
- Do not relax collateral requirements to make tests pass.
- Keep guardrail constants in governance-controlled config.
- Stop with TRIAGE.md if no reliable fallback oracle exists.
Output contract
- Reviewer-ready PR routing oracle reads through validated wrappers with staleness, deviation, fallback, and circuit-breaker behavior.
- Tests or simulations for flash spikes, stale feeds, feed outage, thin liquidity, fallback mismatch, and paused/rejected execution.
- Operator/auditor notes describing guardrail constants, governance ownership, fallback assumptions, monitored events, and any unsupported assets.
TRIAGE.mdwhen reliable fallback sources, governance authority, or oracle deployment ownership is outside this repository.
Verification - what the reviewer looks for
- Risky execution paths cannot consume stale, missing, manipulated, or unsupported oracle values without deterministic rejection or pause.
- Guardrail thresholds live in reviewable configuration with clear governance ownership, not scattered magic numbers.
- Negative tests hit liquidation/borrow/swap/vault paths that actually consume oracle data, not only standalone helpers.
- Events or telemetry provide non-secret evidence when oracle guardrails reject execution.