Reference Oracle

Oracle price feeds are set in the HOT to give the system a reference source of manipulation-resistant prices. There are two Oracle price feeds, one for token0/USD price and another for token1/USD price. One can then calculate the square-root Oracle price for the HOT, which is implemented in the HOTOracle contract. The current implementation uses Chainlink oracles for both price feeds, but it is possible to replace them with alternative oracles by using wrapper contracts.

Security

The use of oracles is purely a safety measure against a malicious/compromised Liquidity Manager and to protect against certain spot-price manipulation attacks. It achieves this by placing bounds on the price the HOT Signer can quote Solvers. Separately, there are bounds on both the volume a Manager can quote a Solver, and the number of HOT Quotes that can be processed per block.

Critical functions such as Liquidity Deposits, HOT swaps, and AMM spot price updates are checked against the Oracle price.

Max Deviation

We do not assume that the oracle is precise, hence the maxOracleDeviationBips allows for reasonable deviation between the square-root spot price and the square-root oracle price. The deviation protects deposits and swaps against spot price manipulation attacks. We do no check the deviation during withdrawals, to ensure that they remain completely permissionless at all times. This means that LPs can safely withdraw from the pool, even in case of a faulty oracle.

During depositLiquidity, the call will revert with the error HOT__depositLiquidity_spotPriceAndOracleDeviation if the current spot price deviates too far from the reference oracle. This prevents front-running liquidity deposits within certain price manipulation bounds. Additionally, periphery contracts can set even stricter slippage protection conditions on deposits.

During _hotSwap, the call will revert with the error HOTParams__validatePriceConsistency_hotAndSpotPriceNewExcessiveDeviation if the Solver's quoted price deviates more than hotMaxDiscountBips from the new AMM spot price. This prevents a malicious or compromised HOT Signer from giving out exploitative HOT Quotes, beyond these prescribed deviation bounds.

Before updating AMM spot price using setSqrtSpotPriceX96 inside _hotSwap, the call will revert with the error HOTParams__validatePriceConsistency_newSpotAndOraclePricesExcessiveDeviation if the new AMM spot price deviates from the oracle price by more than maxOracleDeviationBips. This prevents a compromised HOT Signer from making malicious AMM spot price shifts, beyond these prescribed deviation bounds.

A low maxOracleDeviationBips gives greater flexibility to the Signer to price HOT Quotes and flexibly update the AMM's spot price, at the cost of placing more trust in the Liquidity Manager. The manager should set this bound appropriately depending on the precision of the oracle and the volatility of the asset. Users who deposit through Liquidity Provider should be aware of all of the above price deviation bounds.

Stale Price

The pool checks that the price feed has been updated recently. The error HOTOracle___getOraclePriceUSD_stalePrice means that it has been a long time since the oracle got updated, hence as a safety measure critical pool operations such as liquidity deposits, HOT swaps, and AMM state updates are closed. Users can still withdraw liquidity and swap via the AMM with constant fees.

The time after which the oracle price is considered stale is set during deployment with the help of these public variables: maxOracleUpdateDurationFeed0 & maxOracleUpdateDurationFeed1