OpenZeppelin issues audit report on Compound’s oracle system

What is OpenZeppelin?

They are a team of computer scientists that perform security audits and code reviews for some of the biggest names in the cryptocurrency sector. They have audit most, if not all defi protocols.

What is an oracle?

An oracle is a program/smart-contract that computes prices for cryptocurrency assets. These programs usually source prices from multiple exchanges and have various rules for how "true prices" are arrived at and furnished to other defi projects that rely on accurate market prices to operate safely.

Key takeaways from OpenZeppelin's audit of Compound’s oracle system:

- The oracle’s “official” price for an asset is the median of a set of prices reported by the trusted sources. Therefore, it only takes 50% of the sources to go rogue in order to manipulate the oracle’s price at will.

- It is unclear how many sources the Open Oracle will trust, but the lower the number of sources, the easier it would be to conduct this attack.

- In an scenario of high price volatility, a trusted source may report a sharp variation of an asset’s price. As a consequence, the newly calculated median price may easily fall out of the acceptable range defined by the anchor price.

Right now these sorts of attacks, while possible, are not likely as the "trusted" addresses that feed Compound's oracle are hard-coded into the smart contract itself (before it was deployed on the ethereum main-net) so they can't be swapped out without re-launching the contract again.

The really good thing is that no high severity issues were found in the Compound Oracle, which is really reassuring.