This pillar addresses the risks introduced by reliance on external systems: oracles, bridges, keeper networks, other programs invoked via CPI, and off-chain data sources. Controls focus on mapping dependencies, ensuring oracle resilience, handling staleness, and containing the blast radius of any single dependency failure.
All external dependencies (oracles, bridges, keeper networks, other programs invoked via CPI, including transitive CPI targets and Token-2022 transfer hook programs or authorities, and off-chain data sources) are enumerated, with explicit trust assumptions documented for each. For every dependency, the failure mode is specified: what happens if it lies, goes stale, or disappears. Trust boundaries are clearly drawn, distinguishing what the protocol verifies from what it assumes correct.
Price feeds use multiple independent sources where feasible. Aggregation method is documented (median, TWAP, weighted). Confidence intervals or deviation thresholds are enforced on-chain. Known threat vectors for the specific oracle setup (e.g., low-liquidity Pyth feeds, Switchboard permissioned feeds, slot vs. timestamp on validator outage, pull-oracle failures during congestion) are identified and mitigated. Oracle selection rationale is documented: why this provider, for this asset, at this update frequency.
Maximum acceptable age for every external input is defined and enforced on-chain. Fallback behavior when inputs are stale or unavailable is specified. Liveness monitoring is in place for all critical feeds.
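The oracle-resilience and staleness controls above, as an added example (not code from this framework or any oracle SDK): plain Rust in the style of a Solana program that rejects stale or future-dated inputs, enforces a confidence-interval ceiling, takes the median of independent sources, and fails closed on divergence. The fixed-point scale, the basis-point thresholds, and the struct and policy names are assumptions.

```rust
// Added example: oracle input checks in the style of a Solana program (plain Rust,
// no oracle SDK). Units, thresholds and the fixed-point scale are assumptions.
#[derive(Clone, Copy, Debug)]
pub struct PriceObservation {
    pub price: i64,        // fixed-point price, assumed 1e-6 USD per unit
    pub conf: u64,         // publisher confidence interval, same units
    pub publish_time: i64, // unix time the feed was last updated
}

#[derive(Debug, PartialEq)]
pub enum OracleError { NonPositivePrice, Stale, ConfidenceTooWide, SourcesDiverge, NoLiveSource }

pub struct OraclePolicy {
    pub max_age_secs: i64,      // maximum acceptable age of an input
    pub max_conf_bps: u64,      // conf / price ceiling, in basis points
    pub max_deviation_bps: u64, // per-source deviation from the median, in basis points
}

/// Per-feed checks: positive price, not stale (future timestamps are rejected too), tight confidence.
pub fn validate_observation(o: &PriceObservation, now: i64, p: &OraclePolicy) -> Result<i64, OracleError> {
    if o.price <= 0 { return Err(OracleError::NonPositivePrice); }
    let age = now.checked_sub(o.publish_time).ok_or(OracleError::Stale)?;
    if age < 0 || age > p.max_age_secs { return Err(OracleError::Stale); }
    // widen to u128 so conf * 10_000 cannot overflow
    let conf_bps = (o.conf as u128 * 10_000) / (o.price as u128);
    if conf_bps > p.max_conf_bps as u128 { return Err(OracleError::ConfidenceTooWide); }
    Ok(o.price)
}

/// Median of the sources that pass per-feed checks. Fails closed when fewer than
/// `min_live` sources are usable or when any live source strays too far from the
/// median; the caller then applies the documented fallback (e.g. pause new borrows)
/// rather than reusing a last-known price.
pub fn aggregate_price(sources: &[PriceObservation], now: i64, p: &OraclePolicy, min_live: usize) -> Result<i64, OracleError> {
    let mut live: Vec<i64> = sources.iter().filter_map(|o| validate_observation(o, now, p).ok()).collect();
    if live.is_empty() || live.len() < min_live { return Err(OracleError::NoLiveSource); }
    live.sort_unstable();
    let n = live.len();
    let median = if n % 2 == 1 { live[n / 2] } else { ((live[n / 2 - 1] as i128 + live[n / 2] as i128) / 2) as i64 };
    for price in &live {
        let dev_bps = ((price - median).unsigned_abs() as u128 * 10_000) / (median as u128);
        if dev_bps > p.max_deviation_bps as u128 { return Err(OracleError::SourcesDiverge); }
    }
    Ok(median)
}
```

In a real program `now` would come from the Clock sysvar and the liveness monitor described above would alert whenever `aggregate_price` starts returning `NoLiveSource` for a critical feed.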
Impact of a single compromised dependency (program, oracle, token, etc.) is bounded. No single failure can unnecessarily drain the protocol. Exposure per external dependency is capped or isolated, e.g., per-market oracle assignment, bridge deposit limits, maximum exposure per collateral type.