Adding a parameter to limit variation to the median price

packages/protocol/contracts/common/FixidityLib.sol

@@ -119,7 +119,7 @@ library FixidityLib {
    * Test newFixed(maxNewFixed()+1) fails
    */
   function newFixed(uint256 x) internal pure returns (Fraction memory) {
-    require(x <= maxNewFixed());
+    require(x <= maxNewFixed(), "newFixed overflow");
     return Fraction(x * FIXED1_UINT);
   }
 
@@ -148,9 +148,9 @@ library FixidityLib {
     pure
     returns (Fraction memory)
   {
-    require(numerator <= maxNewFixed());
-    require(denominator <= maxNewFixed());
-    require(denominator != 0);
+    require(numerator <= maxNewFixed(), "numerator too large");
+    require(denominator <= maxNewFixed(), "denominator too large");
+    require(denominator != 0, "denominator zero");
     Fraction memory convertedNumerator = newFixed(numerator);
     Fraction memory convertedDenominator = newFixed(denominator);
     return divide(convertedNumerator, convertedDenominator);
@@ -189,7 +189,7 @@ library FixidityLib {
    */
   function add(Fraction memory x, Fraction memory y) internal pure returns (Fraction memory) {
     uint256 z = x.value + y.value;
-    require(z >= x.value);
+    require(z >= x.value, "addition overflow");
     return Fraction(z);
   }
 
@@ -199,7 +199,7 @@ library FixidityLib {
    * Test subtract(6, 10) fails
    */
   function subtract(Fraction memory x, Fraction memory y) internal pure returns (Fraction memory) {
-    require(x.value >= y.value);
+    require(x.value >= y.value, "subtract");
     return Fraction(x.value - y.value);
   }
 
@@ -228,24 +228,24 @@ library FixidityLib {
 
     // (x1 + x2) * (y1 + y2) = (x1 * y1) + (x1 * y2) + (x2 * y1) + (x2 * y2)
     uint256 x1y1 = x1 * y1;
-    if (x1 != 0) require(x1y1 / x1 == y1); // Overflow x1y1
+    if (x1 != 0) require(x1y1 / x1 == y1, "Overflow x1y1");
 
     // x1y1 needs to be multiplied back by fixed1
     // solium-disable-next-line mixedcase
     uint256 fixed_x1y1 = x1y1 * FIXED1_UINT;
-    if (x1y1 != 0) require(fixed_x1y1 / x1y1 == FIXED1_UINT); // Overflow x1y1 * fixed1
+    if (x1y1 != 0) require(fixed_x1y1 / x1y1 == FIXED1_UINT, "Overflow x1y1 * fixed1");
     x1y1 = fixed_x1y1;
 
     uint256 x2y1 = x2 * y1;
-    if (x2 != 0) require(x2y1 / x2 == y1); // Overflow x2y1
+    if (x2 != 0) require(x2y1 / x2 == y1, "Overflow x2y1");
 
     uint256 x1y2 = x1 * y2;
-    if (x1 != 0) require(x1y2 / x1 == y2); // Overflow x1y2
+    if (x1 != 0) require(x1y2 / x1 == y2, "Overflow x1y2");
 
     x2 = x2 / mulPrecision();
     y2 = y2 / mulPrecision();
     uint256 x2y2 = x2 * y2;
-    if (x2 != 0) require(x2y2 / x2 == y2); // Overflow x2y2
+    if (x2 != 0) require(x2y2 / x2 == y2, "Overflow x2y2");
 
     // result = fixed1() * x1 * y1 + x1 * y2 + x2 * y1 + x2 * y2 / fixed1();
     Fraction memory result = Fraction(x1y1);
@@ -264,7 +264,7 @@ library FixidityLib {
    * Test reciprocal(1+fixed1()*fixed1()) returns 0 // Testing how the fractional is truncated
    */
   function reciprocal(Fraction memory x) internal pure returns (Fraction memory) {
-    require(x.value != 0);
+    require(x.value != 0, "reciprocal of zero");
     return Fraction((FIXED1_UINT * FIXED1_UINT) / x.value); // Can't overflow
   }
 
@@ -277,9 +277,9 @@ library FixidityLib {
    * Test divide(maxFixedDividend()+1,1) throws
    */
   function divide(Fraction memory x, Fraction memory y) internal pure returns (Fraction memory) {
-    require(y.value != 0);
+    require(y.value != 0, "division by zero");
     uint256 X = x.value * FIXED1_UINT;
-    require(X / FIXED1_UINT == x.value);
+    require(X / FIXED1_UINT == x.value, "division overflow");
     return Fraction(X / y.value);
   }
 

packages/protocol/contracts/stability/SortedOracles.sol

@@ -6,14 +6,20 @@ import "./interfaces/ISortedOracles.sol";
 import "../common/Initializable.sol";
 import "../common/linkedlists/AddressSortedLinkedListWithMedian.sol";
 import "../common/linkedlists/SortedLinkedListWithMedian.sol";
+import "../common/FractionUtil.sol";
+import "../common/FixidityLib.sol";
+import "../common/UsingPrecompiles.sol";
 
 // TODO: Move SortedOracles to Fixidity
 /**
  * @title Maintains a sorted list of oracle exchange rates between Celo Gold and other currencies.
  */
-contract SortedOracles is ISortedOracles, Ownable, Initializable {
+contract SortedOracles is ISortedOracles, Ownable, Initializable, UsingPrecompiles {
   using SafeMath for uint256;
   using AddressSortedLinkedListWithMedian for SortedLinkedListWithMedian.List;
+  using FractionUtil for FractionUtil.Fraction;
+  using FixidityLib for FixidityLib.Fraction;
+
   // All oracle rates are assumed to have a denominator of 2 ^ 64.
   uint256 public constant DENOMINATOR = 0x10000000000000000;
 
@@ -23,8 +29,11 @@ contract SortedOracles is ISortedOracles, Ownable, Initializable {
   mapping(address => SortedLinkedListWithMedian.List) private timestamps;
   mapping(address => mapping(address => bool)) public isOracle;
   mapping(address => address[]) public oracles;
+  mapping(address => uint256) private limitedMedianRate;
+  mapping(address => uint256) private limitedMedianRateTimestamp;
 
   uint256 public reportExpirySeconds;
+  FixidityLib.Fraction public maxMedianChangeRatePerSecond;
 
   event OracleAdded(address indexed token, address indexed oracleAddress);
 
@@ -44,14 +53,17 @@ contract SortedOracles is ISortedOracles, Ownable, Initializable {
 
   event ReportExpirySet(uint256 reportExpiry);
 
+  event MaxMedianChangeRatePerSecondSet(uint256 rate);
+
   modifier onlyOracle(address token) {
     require(isOracle[token][msg.sender], "sender was not an oracle for token addr");
     _;
   }
 
-  function initialize(uint256 _reportExpirySeconds) external initializer {
+  function initialize(uint256 _reportExpirySeconds, uint256 _maxChangeRate) external initializer {
     _transferOwnership(msg.sender);
     reportExpirySeconds = _reportExpirySeconds;
+    setMaxMedianChangeRatePerSecond(_maxChangeRate);
   }
 
   /**
@@ -63,6 +75,26 @@ contract SortedOracles is ISortedOracles, Ownable, Initializable {
     emit ReportExpirySet(_reportExpirySeconds);
   }
 
+  /**
+   * @notice Sets the maximum change rate for median.
+   * @param rate Maximum median change rate as unwrapped Fraction.
+   * @return True upon success.
+   */
+  function setMaxMedianChangeRatePerSecond(uint256 rate) public onlyOwner returns (bool) {
+    maxMedianChangeRatePerSecond = FixidityLib.wrap(rate);
+    require(rate < 500000000000000000000, "Rate must be smaller than 0.0005");
+    emit MaxMedianChangeRatePerSecondSet(rate);
+    return true;
+  }
+
+  /**
+   * @notice Get maximum median change rate.
+   * @return Max median change rate as unwrapped fraction.
+   */
+  function getMaxMedianChangeRatePerSecond() public view returns (uint256) {
+    return maxMedianChangeRatePerSecond.unwrap();
+  }
+
   /**
    * @notice Adds a new Oracle.
    * @param token The address of the token.
@@ -137,7 +169,6 @@ contract SortedOracles is ISortedOracles, Ownable, Initializable {
     address lesserKey,
     address greaterKey
   ) external onlyOracle(token) {
-    uint256 originalMedian = rates[token].getMedianValue();
     uint256 value = numerator.mul(DENOMINATOR).div(denominator);
     if (rates[token].contains(msg.sender)) {
       rates[token].update(msg.sender, value, lesserKey, greaterKey);
@@ -164,9 +195,68 @@ contract SortedOracles is ISortedOracles, Ownable, Initializable {
       address(0)
     );
     emit OracleReported(token, msg.sender, now, value, DENOMINATOR);
+    recomputeRate(token);
+  }
+
+  /**
+   * @notice a * b^exp
+   */
+  function fractionMulExp(FixidityLib.Fraction memory a, FixidityLib.Fraction memory b, uint256 exp)
+    internal
+    view
+    returns (FixidityLib.Fraction memory)
+  {
+    uint256 numerator;
+    uint256 denominator;
+    (numerator, denominator) = fractionMulExp(
+      a.unwrap(),
+      FixidityLib.fixed1().unwrap(),
+      b.unwrap(),
+      FixidityLib.fixed1().unwrap(),
+      exp,
+      18
+    );
+    return FixidityLib.newFixedFraction(numerator, denominator);
+  }
+
+  function recomputeRate(address token) internal {
+    uint256 originalMedian = limitedMedianRate[token];
     uint256 newMedian = rates[token].getMedianValue();
+    uint256 td = now.sub(limitedMedianRateTimestamp[token]);
+    if (
+      limitedMedianRateTimestamp[token] != 0 &&
+      maxMedianChangeRatePerSecond.unwrap() != 0 &&
+      td < 1 days
+    ) {
+      FixidityLib.Fraction memory maxChangeRate = fractionMulExp(
+        FixidityLib.fixed1(),
+        maxMedianChangeRatePerSecond.add(FixidityLib.fixed1()),
+        td
+      )
+        .subtract(FixidityLib.fixed1());
+      // Check if it is safe to multiply
+      if (maxChangeRate.unwrap() < FixidityLib.maxFixedMul() * FixidityLib.fixed1().unwrap()) {
+        uint256 maxChange = maxChangeRate.multiply(FixidityLib.wrap(originalMedian)).unwrap();
+        if (newMedian > originalMedian) {
+          if (maxChange < newMedian.sub(originalMedian)) {
+            newMedian = originalMedian.add(maxChange);
+          }
+        } else {
+          if (maxChange < originalMedian.sub(newMedian)) {
+            newMedian = originalMedian.sub(maxChange);
+          }
+        }
+      }
+    }
+    // Cannot become too large, or might overflow multiplications
+    require(
+      newMedian < FixidityLib.maxFixedMul() * FixidityLib.fixed1().unwrap(),
+      "Median rate exceeds limit"
+    );
+    limitedMedianRateTimestamp[token] = now;
+    limitedMedianRate[token] = newMedian;
     if (newMedian != originalMedian) {
-      emit MedianUpdated(token, newMedian, DENOMINATOR);
+      emit MedianUpdated(token, newMedian, numRates(token) == 0 ? 0 : DENOMINATOR);
     }
   }
 
@@ -185,7 +275,7 @@ contract SortedOracles is ISortedOracles, Ownable, Initializable {
    * @return The median exchange rate for `token`.
    */
   function medianRate(address token) external view returns (uint256, uint256) {
-    return (rates[token].getMedianValue(), numRates(token) == 0 ? 0 : DENOMINATOR);
+    return (limitedMedianRate[token], numRates(token) == 0 ? 0 : DENOMINATOR);
   }
 
   /**
@@ -250,13 +340,9 @@ contract SortedOracles is ISortedOracles, Ownable, Initializable {
    */
   function removeReport(address token, address oracle) private {
     if (numTimestamps(token) == 1 && reportExists(token, oracle)) return;
-    uint256 originalMedian = rates[token].getMedianValue();
     rates[token].remove(oracle);
     timestamps[token].remove(oracle);
     emit OracleReportRemoved(token, oracle);
-    uint256 newMedian = rates[token].getMedianValue();
-    if (newMedian != originalMedian) {
-      emit MedianUpdated(token, newMedian, numRates(token) == 0 ? 0 : DENOMINATOR);
-    }
+    recomputeRate(token);
   }
 }

packages/protocol/migrations/05_sortedoracles.ts

@@ -8,5 +8,5 @@ module.exports = deploymentForCoreContract<SortedOraclesInstance>(
   web3,
   artifacts,
   CeloContractName.SortedOracles,
-  async () => [config.oracles.reportExpiry]
+  async () => [config.oracles.reportExpiry, config.oracles.maxChangeRatePerSecond]
 )

packages/protocol/migrationsConfig.js

@@ -82,6 +82,7 @@ const DefaultConfig = {
   },
   oracles: {
     reportExpiry: 10 * 60, // 10 minutes
+    maxChangeRatePerSecond: 0, // not checked
   },
   random: {
     randomnessBlockRetentionWindow: (60 * 60) / 5, // 1 hour to match attestationExpiryBlocks

packages/protocol/test/stability/sortedoracles.ts

@@ -7,6 +7,7 @@ import {
   NULL_ADDRESS,
   timeTravel,
 } from '@celo/protocol/lib/test-utils'
+import { toFixed } from '@celo/utils/lib/fixidity'
 import BigNumber from 'bignumber.js'
 import * as _ from 'lodash'
 import { SortedOraclesContract, SortedOraclesInstance } from 'types'
@@ -25,7 +26,7 @@ contract('SortedOracles', (accounts: string[]) => {
 
   beforeEach(async () => {
     sortedOracles = await SortedOracles.new()
-    await sortedOracles.initialize(aReportExpiry)
+    await sortedOracles.initialize(aReportExpiry, 0)
   })
 
   describe('#initialize()', () => {
@@ -39,7 +40,63 @@ contract('SortedOracles', (accounts: string[]) => {
     })
 
     it('should not be callable again', async () => {
-      await assertRevert(sortedOracles.initialize(aReportExpiry))
+      await assertRevert(sortedOracles.initialize(aReportExpiry, 0))
+    })
+  })
+
+  describe('#setMaxMedianChangeRatePerSecond', () => {
+    const newMaxMedianChangeRatePerSecond = toFixed(0.000001)
+    const denominator = new BigNumber(2).pow(64)
+    const smallChange = new BigNumber(2).pow(64).plus(1)
+    const largeChange = new BigNumber(2).pow(64).multipliedBy(2)
+    beforeEach(async () => {
+      await sortedOracles.addOracle(aToken, anOracle)
+      await sortedOracles.report(aToken, denominator, denominator, NULL_ADDRESS, NULL_ADDRESS, {
+        from: anOracle,
+      })
+    })
+    it('should update maxMedianChangeRatePerSecond', async () => {
+      await sortedOracles.setMaxMedianChangeRatePerSecond(newMaxMedianChangeRatePerSecond)
+      assertEqualBN(
+        await sortedOracles.getMaxMedianChangeRatePerSecond(),
+        newMaxMedianChangeRatePerSecond
+      )
+    })
+    it('should revert when called by a non-owner', async () => {
+      await assertRevert(
+        sortedOracles.setMaxMedianChangeRatePerSecond(newMaxMedianChangeRatePerSecond, {
+          from: accounts[1],
+        })
+      )
+    })
+    it('should emit the MaxMedianChangeRatePerSecondSet event', async () => {
+      const resp = await sortedOracles.setMaxMedianChangeRatePerSecond(
+        newMaxMedianChangeRatePerSecond
+      )
+      assert.equal(resp.logs.length, 1)
+      const log = resp.logs[0]
+      assertLogMatches2(log, {
+        event: 'MaxMedianChangeRatePerSecondSet',
+        args: {
+          rate: new BigNumber(newMaxMedianChangeRatePerSecond),
+        },
+      })
+    })
+    it('should allow a small change', async () => {
+      await sortedOracles.setMaxMedianChangeRatePerSecond(newMaxMedianChangeRatePerSecond)
+      await timeTravel(10, web3)
+      await sortedOracles.report(aToken, smallChange, denominator, NULL_ADDRESS, NULL_ADDRESS, {
+        from: anOracle,
+      })
+      assertEqualBN((await sortedOracles.medianRate(aToken))[0], smallChange)
+    })
+    it('should limit a large change', async () => {
+      await sortedOracles.setMaxMedianChangeRatePerSecond(newMaxMedianChangeRatePerSecond)
+      await timeTravel(10, web3)
+      await sortedOracles.report(aToken, largeChange, denominator, NULL_ADDRESS, NULL_ADDRESS, {
+        from: anOracle,
+      })
+      assert((await sortedOracles.medianRate(aToken))[0].lt(largeChange))
     })
   })