Lesson 5 — Oracle design: Chainlink, TWAP, Pyth
Every DeFi exploit involving a price is, at some level, an oracle exploit. Today: how each oracle design works, where each fails, and how to read an oracle's risk surface.
DeFi protocols cannot natively access off-chain data. Every price they use — for lending, derivatives, options, automated rebalancing — comes from an oracle. The oracle's design decides whether a protocol survives a market move or gets drained. Most users never think about oracles; most major DeFi exploits, when you trace them carefully, are oracle exploits in some form. This lesson is about reading an oracle the same way you read an AMM.
**Chainlink** is the dominant off-chain oracle network. A set of geographically-distributed node operators each pull prices from many CEX and DEX venues, sign their reports, and a Chainlink contract on-chain aggregates them (typically by taking the median). The on-chain price updates when either time has elapsed (heartbeat) or the off-chain price has moved beyond a threshold (deviation). For ETH/USD, the heartbeat is around an hour and the deviation threshold is 0.5 percent — meaning the on-chain price never lags reality by more than that. Chainlink's security model rests on the node-operator set being honest in the majority and on the aggregation being correctly implemented. It is the most-used and most-battle-tested oracle in DeFi; the operating record is strong, with no major losses traceable to Chainlink itself.
**TWAP (Time-Weighted Average Price).** An on-chain oracle that computes the price as an average over a recent time window — typically 10 minutes to several hours. Uniswap V3 publishes TWAPs natively; any protocol can read the time-weighted price for any pool over any window. The security property: to manipulate a TWAP, an attacker must sustain the manipulation across the entire window, which usually requires much more capital and exposes them to arbitrage from third parties. The trade-off: TWAPs lag real prices in legitimate market moves, sometimes by minutes. A protocol that prices liquidations off a 60-minute TWAP will see liquidations triggered up to an hour after the actual price would justify them — fine in normal markets, problematic in fast crashes.
**TWAP manipulation vectors.** Three. First, **shallow-pool manipulation**: if the underlying pool's liquidity is small, even a TWAP across an hour can be moved by sustained trading. Second, **multi-block manipulation**: an attacker who controls block production (or has a strong relationship with builders) can include trades across many consecutive blocks to push the TWAP. Third, **time-window selection**: if a protocol uses a TWAP with too short a window (say, 5 minutes), the manipulation cost is low. The Inverse Finance INV exploit ($15.6M, April 2022) succeeded against a too-short TWAP on a shallow pool.
**Pyth Network.** A first-party oracle: market makers and exchanges publish their prices directly to the Pyth network, which aggregates them. Pyth's security model is different from Chainlink's — Pyth publishers are accountable through staking and slashing, and the network can update prices much more frequently (sub-second). The trade-off: Pyth is newer (mainnet 2021), the publisher set is smaller, and its on-chain footprint requires the consumer protocol to actively pull prices rather than read a continuously-updated feed. Pyth is dominant on Solana and has been growing on EVM chains.
**Off-chain oracle types worth knowing.** RedStone (similar to Chainlink architecturally but more flexible feed creation), Tellor (decentralized but slow), API3 (first-party with a different staking model), Switchboard (Solana-native). Each has its own threat model. The diversity is useful — protocols using a single oracle have a single point of failure; protocols using multiple oracles or requiring agreement between two are more robust.
**The protocol's choice and the user's question.** When a DeFi protocol prices a position, ask: which oracle, on which feed, with what update frequency, on which underlying source? An Aave position priced by Chainlink ETH/USD with median aggregation across many CEX/DEX prices is robustly priced. A small lending protocol pricing collateral off a Uniswap V2 spot price of a $50K-liquidity pool is exposed to flash-loan manipulation. Both market themselves as 'priced fairly.' The mechanism is the difference.
**Composability risk.** Many oracle exploits involve a chain of dependencies. A token's price is reported by an oracle that pulls from a DEX whose price comes from an AMM whose liquidity comes from a lending position. The Mango exploit walked through several of these layers. When evaluating an oracle, follow the chain: where does the price actually come from? What manipulates that? Repeat until you reach a layer whose manipulation cost would exceed the exploit value.
Example
Compare three lending-protocol oracle designs through the same lens. **Protocol A** prices ETH collateral using Chainlink ETH/USD, which aggregates median prices across ~20 CEX/DEX venues with hourly heartbeat and 0.5 percent deviation. Manipulation cost: tens of millions to move the global ETH price by 0.5 percent for an hour, far above any feasible attack. **Protocol B** prices a small-cap token using Chainlink's smaller-cap feed (more limited venue aggregation) with longer heartbeat. Manipulation cost: meaningful but generally above the protocol's TVL. **Protocol C** prices the same small-cap token using a single Uniswap V2 pool's spot price with $50K liquidity. Manipulation cost: a few thousand dollars and a flash loan. Same nominal 'oracle' label; three completely different risk surfaces. The protocol's choice of oracle is one of the load-bearing design decisions; reading the choice critically is one of the highest-leverage things you can do as a DeFi user.
Common mistakes
- Treating 'has an oracle' as 'is safe.' The oracle's design is what matters.
- Assuming all Chainlink feeds are equivalent. Major feeds (ETH/USD, BTC/USD, major stables) are robust; smaller-cap and newer feeds have less venue aggregation and update less frequently.
- Believing TWAPs are immune to manipulation. They raise the cost; they don't eliminate it.
- Forgetting to follow the dependency chain. If oracle A pulls from venue B which pulls from AMM C, your real exposure is to AMM C's manipulability.
- Underestimating the importance of update frequency in fast markets. A heartbeat-only oracle (no deviation trigger) can lag real prices by minutes — sometimes by hours — in stressed conditions.
Check your understanding
A new DeFi options protocol uses a Uniswap V3 30-minute TWAP on a $200K-liquidity pool as its sole price source for settlement. An options expiry is approaching. What is the protocol's primary risk?
Key terms covered
Sources & further reading
- Primary
- Primary
- Primary
- Primary
We prioritise primary sources. Where a topic moves quickly (regulation, security incidents), we re-check sources on the cadence shown by the page's "Next review" date.