Protocol Guard Rails

Oracle Validity

Drift Protocol's dependence on external oracle accounts requires careful consideration of each data point received from those oracle streams.

In the program [code], this is encoded as a spectrum from Valid to Invalid, with a few different categories of questionability that depend on the action taken (ordered by severity):

  • Invalid

  • TooVolatile

  • TooUncertain

  • InsufficientDataPoints

  • StaleForMargin

  • StaleForAMM

  • Valid

The processing of new data is as follows:

  1. Retrieve new data point: Obtain the latest oracle data point.

  2. Sanitize new data point: Sanitize the retrieved data before using it in calculations.

  3. Update state variables: Update the relevant on-chain state (e.g., TWAP-related state) with sanitized inputs.

  4. Check validity of unsanitized new data point vs updated state: Validate the unsanitized new data point against the updated state to determine its validity category.

Processing data this way is meant to prevent a single new data point from creating a shock to the state variables (i.e., TWAP). A complete list of block conditions for actions is described in the code.

  • The on-chain oracle TWAP calculation will also be shrunk proportional to the duration of the invalid period to avoid erroneous funding payment magnitudes.

  • Blocking on InsufficientDataPoints can help improve resiliency against oracle manipulation.

Oracle Divergence

For perpetuals markets, the validate_market_within_price_band check runs for the following actions:

  • fill_order

  • settle_pnl

  • resolve_perp_pnl_deficit

The check validates that the 5-minute oracle TWAP and the AMM reserve price are within approximately 10% of each other (see PriceDivergenceGuardRails in the code for exact parameters).

It's important to note that:

  1. AMM reserve price always updates with valid oracle data for the AMM.

  2. New data points for the 5-minute oracle TWAP are sanitized to be within 10%, 20%, or 50% of the last TWAP value depending on the ContractTier.

Thus, it may take multiple intervals to bypass these circuit breakers for sufficiently large price moves.
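
The following Rust sketch is an added example, not code from the Drift program. It walks a data point through the sanitize, update and validate steps listed under "The processing of new data" and counts how many updates a sustained move needs before the raw price falls back inside the band. Function names, the fixed-point scale, the 300-second TWAP weighting and the 60-second update cadence are assumptions; the 10% clamp and 10% band follow the text above.

```rust
// Added illustration, not Drift's code. Function names, the fixed-point scale and
// the TWAP weighting are assumptions; the 10% limits follow the text above.
const PRICE_PRECISION: i64 = 1_000_000;

/// Step 2: clamp the new data point to within `max_pct`% of the last TWAP.
fn sanitize(raw: i64, last_twap: i64, max_pct: i64) -> i64 {
    let band = last_twap * max_pct / 100;
    raw.clamp(last_twap - band, last_twap + band)
}

/// Step 3: blend the sanitized point into the TWAP, weighted by elapsed time.
fn update_twap(last_twap: i64, sanitized: i64, elapsed: i64, period: i64) -> i64 {
    let dt = elapsed.clamp(1, period);
    (last_twap * (period - dt) + sanitized * dt) / period
}

/// Step 4: compare the UNSANITIZED point with the already-updated TWAP.
fn within_band(raw: i64, twap: i64, max_pct: i64) -> bool {
    (raw - twap).abs() * 100 <= twap * max_pct
}

/// One full pass over steps 2-4; returns (new TWAP, raw point accepted?).
fn process(raw: i64, twap: i64, elapsed: i64) -> (i64, bool) {
    let new_twap = update_twap(twap, sanitize(raw, twap, 10), elapsed, 300);
    (new_twap, within_band(raw, new_twap, 10))
}

/// Updates needed before a sustained raw price stops tripping the band check.
fn intervals_until_valid(mut twap: i64, raw: i64, elapsed: i64, max_iters: u32) -> Option<u32> {
    for n in 1..=max_iters {
        let (next, ok) = process(raw, twap, elapsed);
        twap = next;
        if ok {
            return Some(n);
        }
    }
    None
}

fn main() {
    let start = 100 * PRICE_PRECISION;
    // Constructed input: oracle jumps 50% and stays there, one update per 60 s.
    println!("{:?}", process(150 * PRICE_PRECISION, start, 60));
    println!("{:?}", intervals_until_valid(start, 150 * PRICE_PRECISION, 60, 100));
}
```

Under these assumed parameters, a single 50% spike moves the TWAP by only 2% and is itself rejected, and a sustained 50% move needs 16 one-minute updates before the raw price is accepted.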

For spot markets, there are safety initial margin requirement checks for the following actions:

  • place_order

  • withdraw

When calculating total collateral for initial margin checks (for withdraws and placing orders), a user's assets are valued at the lesser, and liabilities at the greater, of the 5-minute oracle TWAP and the current oracle price. This lowers leverage extended by the protocol to users with positions in volatile markets.

Exchange & Market Status

ExchangeStatus and MarketStatus can be updated to prevent certain actions when specific issues are identified (see state definitions in the code: https://github.com/drift-labs/protocol-v2/blob/8b46cfc628f317e4f07cd62f111dd73fabff8a96/programs/clearing_house/src/state/state.rs#L35). These actions can include:

  • funding rate updates

  • liquidations

  • AMM fills

  • any fills

  • withdraws