Eight lines. Five guards. Zero exploits.

Trust the oracle.Verify the integrator.

Five mathematically-verified guardrails between your protocol and the next oracle manipulation attack.

src/lib.rs

use safe_oracle::{lastprice, SafeOracleConfig};
 
let price = lastprice(
    &env, &asset,
    &reflector, &registry,
    &SafeOracleConfig::default(),
)?;
// 5 guards validated before this line.

View on GitHub →Read the docs

$0.0M

Drained

YieldBlox

0

Tests

Passing

0

Critical

Findings

0

Guards

Active

DEVIATION·

STALENESS·

CROSS-SOURCE·

LIQUIDITY·

THIN SAMPLING·

CIRCUIT BREAKER·

ED25519·

SOROBAN·

STELLAR SDEX·

AUDITED·

OPEN SOURCE·

310 TESTS PASSING·

DEVIATION·

STALENESS·

CROSS-SOURCE·

LIQUIDITY·

THIN SAMPLING·

CIRCUIT BREAKER·

ED25519·

SOROBAN·

STELLAR SDEX·

AUDITED·

OPEN SOURCE·

310 TESTS PASSING·

The Attack

One $5 trade

$10.2Mdrained.

On February 22, 2026, an attacker manipulated a thin SDEX market with a single $5 trade to inflate collateral valuation on a Stellar lending protocol. They walked away with $10.2 million.

Reflector worked. Stellar worked. Blend V2 worked. The oracle reported the price it observed. The protocol trusted it.

The gap was integrator-side. safe-oracle closes that gap.

What was missing

Thin LiquidityNo Deviation GuardNo Volume Check

Sources: Rekt News · Halborn analysis · Script3 official statement

The Solution

Five guards.
Defense in depth.

Each guardrail closes a specific attack vector observed in real DeFi exploits. Mathematically validated, empirically tested.

Layer 1

Deviation

Sudden price spikes

Layer 1

Staleness

Outdated feeds

Layer 1

Cross-Source

Oracle disagreement

Layer 2

Liquidity

Thin SDEX volume

Layer 2

Thin Sampling

Low trader count

Plus: Circuit Breaker — auto-halt on first violation

How It Works

Five steps. One result.

01

Reflector Call

Your contract calls safe_oracle::lastprice() instead of Reflector directly.

02

Layer 1 — Oracle Checks

Deviation, staleness and cross-source disagreement validated against feed mechanics.

03

Layer 2 — Market Checks

SDEX 30-minute volume and unique-trader count validated against on-chain liquidity.

04

Circuit Breaker

Auto-halt after the first violation. Governance manual override available.

05

Result

Validated price returned — or Err with the specific violation type.

Architecture

Purely defensive.

Run a scenario and watch a borrow request flow through five guards — validated before it ever reaches your business logic.

Request flow

idleactivepassfail

USER

borrow()

mock-lending

safe_oracle::lastprice()

safe-oracle

Layer 1

Oracle

Layer 2

Market

Breaker

Auto-halt

awaiting result

Run scenario

IdlePick a scenario to run the guards

Mechanism

Mathematically validated.

Every threshold below is calibrated for production deployment. Each is configurable per-integrator. Defaults reflect mainnet-grade security margins observed against real attack patterns.

max_deviation_bps

2000

Max price change between updates (20%)

max_staleness_seconds

300

Max oracle data age (5 min)

previous_max_staleness_seconds

900

Max prev price age (15 min)

min_liquidity_usd

$10k

Min 30m SDEX volume threshold

min_trade_count_1h

5

Min unique trader count

circuit_breaker_halt_ledgers

720

Halt window on violation (~1h)

Infrastructure

Modular by design.

Six independent components. Adopt the whole stack or only the guard you need — each is a clean, isolated boundary.

01On-chain

Layer 1 Guardrails

Deviation, staleness, cross-source. Validates oracle output before it reaches your logic.

02On-chain

Layer 2 Guardrails

Liquidity volume + thin sampling. Validates market microstructure on-chain.

03On-chain

Circuit Breaker

Auto-halt on first violation. Per-asset isolation. Manual governance override.

04On-chain

Liquidity Registry

Signed snapshots from off-chain attesters. Authoritative source for Layer 2 checks.

05Off-chain

oracle-watch

Rust service. Monitors SDEX, signs snapshots, dispatches Slack / PagerDuty / webhook alerts.

06Platform

Soroban-Native

Built for Stellar Soroban 25. WASM contract + reqwest off-chain. No bridges.

Operator

Plug in your stack.

oracle-watch dispatches the same alert to every configured sink. Add a webhook URL, deploy. Five shipped — more easily added.

Discord

Incoming webhook to any channel. Bold, alert-prefixed body.

ORACLE_WATCH_DISCORD_WEBHOOK_URL

Telegram

Bot sendMessage to a channel or group. Plain-text body.

ORACLE_WATCH_TELEGRAM_BOT_TOKEN

Slack

Block Kit message — header + code-blocked body, amber accent.

ORACLE_WATCH_SLACK_WEBHOOK_URL

PagerDuty

Events API v2 incident. Dedup-key hash collapses repeats.

ORACLE_WATCH_PAGERDUTY_INTEGRATION_KEY

Generic

POST { message, source } JSON to any URL. Custom headers.

ORACLE_WATCH_GENERIC_WEBHOOK_URL

Custom sink

Implement WebhookSink (kind() + send()), register in build_sinks().

impl WebhookSink for MySink { … }

Live on Stellar

Testnet · operational

Proven on-chain.

Three contracts deployed. 17 oracle-watch attestations. The first adversarial replay rejected at the protocol layer — every hash public and verifiable.