Research · Mechanism Design

The Verifiable Quant Layer

On-chain protocols make quantitative decisions they cannot compute. This is about what they must import — and the trust each import requires.

Abstract An on-chain protocol makes quantitative decisions — a loan-to-value ratio, a liquidation price, a margin requirement — but it cannot compute them. The Ethereum Virtual Machine cannot run the volatility, correlation, and liquidity estimates that mature finance uses to price risk,1 and even where it could, the inputs are exogenous and adversarially supplied. Every protocol therefore already imports its intelligence — from governance votes, from risk curators, from oracles — but does so without a theory of trust. That gap, not exotic cleverness, is what the large credit losses of this cycle actually were: a high-value decision riding on a cheaply-corrupted input. I name the object being imported — the map from market state to risk decision, the quant layer — and give a taxonomy of the trust regimes under which it can cross the chain boundary, from discretionary governance to cryptographic proof. These regimes trace a frontier: sophistication, trustlessness, and low latency cannot be had at once. The design rule that follows is sharp, and today absent — assign each decision to the cheapest regime whose cost-to-corrupt exceeds the value a corrupted decision would leak.

1.The heuristic ceiling

Open the risk configuration of any on-chain lending market and you find constants. A collateral factor of 0.8. A liquidation threshold of 0.85. An interest rate that is a piecewise-linear function of utilization with a kink set by a vote. An oracle whose manipulation resistance is a time-averaging window chosen by feel. Each of these is a number a human picked and a human revises. In an options clearing house none of them would be a constant; each would be the output of a model fed by live volatility, correlation, and liquidity, revised continuously as the market moves.

Two facts keep the constants in place. The first is mechanical: the virtual machine cannot run the models. Computation on-chain is metered and capped by the block gas limit, there is no native floating point, and long price histories cannot be held or replayed cheaply — so a covariance estimate, an implied-volatility surface, or a market-impact model is simply infeasible to evaluate in a transaction. This is not a contested claim; it is the standard justification for oracles in the first place, which exist precisely to “perform a computationally intensive… calculation [that] may have been infeasible to calculate on-chain.”1

The second fact is deeper, and survives even if the first is someday engineered away. A protocol that could run the model still could not trust its inputs. Volatility, correlation, order-book depth, the price itself — all are exogenous to the chain, produced somewhere else, and delivered by a party who may profit from lying. A model is only ever as trustworthy as the state it is fed.

So every protocol already outsources its intelligence. It is the one question the design never asks out loud: under what trust regime? The thesis of this essay is that the answer is usually implicit, usually the same for every decision regardless of stakes, and that this is exactly why things break.

The large credit failures of this cycle were not clever exploits of sound systems. They were the predictable cost of importing a high-stakes computation under a trust regime too cheap to corrupt.

Fix the object first. A protocol decision is a map

D = f(θ)

where f is a policy — the LTV rule, the liquidation trigger, the margin formula — and θ is the market state it consumes: prices, volatilities, correlations, liquidity. The chain is very good at one half of this. It can enforce f cheaply and trustlessly: hold the collateral, run the arithmetic of the rule, move the funds if the condition trips. What it cannot do is produce a trustworthy θ, or evaluate a sophisticated f, without importing it from outside. The scarce and dangerous component is therefore neither the enforcement nor the policy in the abstract, but a trustworthy (f, θ) crossing the boundary. Call whatever supplies that crossing the quant layer, and the design question becomes: how do you verify it?

2.The intelligence a protocol needs — and cannot produce

It helps to see how much of real credit underwriting lives on the wrong side of the boundary. Four computations do most of the work in any serious risk engine, and each one fails on-chain for the same three reasons at once — it is compute-heavy, it is hungry for off-chain data, and it is manipulable exactly where it enters.

Volatility and covariance. Sizing a haircut needs an estimate of how violently collateral moves and how it co-moves with the debt. That is history plus floating-point linear algebra: unavailable on-chain, and drawn from price series a manipulator can bend. — Portfolio and tail risk. A protocol’s book is a portfolio, but its parameters are set per asset, in isolation, as if correlations were zero. Real economic capital is a tail measure — a CVaR over the joint distribution, with wrong-way risk — and it is not computable one silo at a time. — Liquidity and market impact. The safe size of a liquidation depends on how much depth exists to absorb it; dumping collateral at an oracle mid-price assumes a liquidity that is not there. That depth lives in off-chain order books and obeys a square-root law of impact that the chain cannot see.12Forward-looking calibration. The information that matters is implied, not realized: the option surface prices the market’s view of future risk, and it is quoted on venues the protocol has no native access to.

The pattern is total. Everything required to price risk well is heavy, external, and corruptible at the input; everything the chain does natively — enforce the rule, move the asset — is light, internal, and trustless. Finance’s intelligence and crypto’s trust sit on opposite sides of a single boundary. The interesting engineering is not on either side. It is the boundary itself.

3.Five ways to cross the boundary

There is no single way to bring (f, θ) on-chain; there are several, and they differ in the one variable that matters — what, exactly, gets verified — and therefore in cost, latency, and how they fail. Ordered from the weakest guarantee to the strongest, there are five regimes.

R0 — Discretionary. Humans compute f(θ) off-chain and push the result through a privileged transaction. This is the status quo for risk parameters: a quantitative firm such as Gauntlet or Chaos Labs simulates the book and recommends collateral factors, caps, and curves, which a DAO then enacts by vote.11 Nothing is verified — you trust the actor’s competence and honesty. The sophistication is unbounded (it is just people with models), but the latency is days and the failure mode is staleness and capture.

R1 — Attested. A named party signs (f, θ) off-chain and the chain checks a signature. Pyth works this way: 90-plus first-party publishers submit their own prices, an aggregate is formed, and the consumer pulls a signed update into its own transaction, where the contract verifies the signatures before use — a feed that refreshes every 400 milliseconds.2 RedStone and Chronicle place signed payloads in calldata and verify them on demand; zkTLS notarizes that a datum genuinely came from a given web source. Verification is a signature check — fast and cheap — and the sophistication is unbounded, because a signer can compute anything. You trust that the signer does not lie and is not compromised.

R2 — Aggregated. A committee computes independently and a threshold signature attests the aggregate. Chainlink’s off-chain reporting has the nodes agree on a single report, a quorum sign it, and one transaction carry the median on-chain, so cost is amortized across the whole committee.3 You no longer trust one signer, but an honest majority; the failure mode is collusion, or a data source all of them share.

R3 — Optimistic. A value is asserted with a bond, a challenge window opens, and anyone may dispute by posting their own bond; undisputed assertions settle as true, and disputes escalate to a staked-token vote. This is UMA’s optimistic oracle, and its trust is purely economic — the bond makes honesty the profitable strategy, provided at least one rational watcher exists.4 Any assertion is expressible, and the happy path is cheap; you pay in latency (the challenge window) and in the assumption that someone is watching.

R4 — Proven. The computation itself is proven correct. A zero-knowledge machine-learning system such as EZKL compiles a model into a circuit and emits a validity proof, checkable by an on-chain verifier, that the output really is f applied to the committed inputs.5 Here you trust mathematics rather than any party. The price is severe: proving cost climbs with model size, inputs must be quantized, and anything approaching a large model is infeasible to prove on-chain today — so R4 buys its trustlessness by capping how sophisticated f can be.

RegimeYou trustVerified byLatencyFails when
R0 Discretionaryan actornothingdaysstale / captured
R1 Attesteda signera signaturesub-secondsigner lies
R2 Aggregateda majoritya threshold sigseconds–minmajority colludes
R3 Optimistica watcher existssilencechallenge windowno one watches
R4 Provenmathematicsa proofproving timebad input / bug

The five regimes for importing (f, θ), ordered by strength of guarantee. Sophistication runs the other way: R0 and R1 impose no limit on the model, R4 imposes the tightest.

One subtlety is worth stating because it dissolves a common hope. Only R4 verifies the computation; R1, R2, and R3 verify a proxy for it — a signer, a majority, a silence. And even R4 does not verify that θ was true: a proof establishes that f was correctly applied to the input you were handed, not that the input described the world. The oracle problem — is the input real? — is never dissolved by cryptography. It is only ever pushed to the edge of the system, where it becomes the irreducible question of who is trusted to sign the world.

4.The trilemma, and the one rule that follows

Lay the regimes against three properties a designer wants — the sophistication of the model that crosses, the trustlessness of the crossing, and its latency and cost — and no regime holds all three. R4 buys trustlessness by surrendering sophistication and speed. R1 buys sophistication and speed by surrendering trustlessness. R3 buys sophistication cheaply by surrendering latency. R0 buys sophistication alone and pays with everything else. None dominates; each is a corner of a frontier. It follows that the perennial question — which oracle, which risk system, is best? — is a category error. There is no best. There is only a match between a decision and a regime.

What supplies the match is the observation that a decision and a regime can be measured in the same unit: money. Every decision has an exploitable value-at-risk VD — the profit an attacker extracts by corrupting it once. Every regime has a cost-to-corrupt CR — the price of bribing the signer, buying the majority, out-bonding the disputers, or moving the manipulable input beneath it. A decision is safe under a regime precisely when corrupting it costs more than it pays:

assign D to the cheapest R such that CR > VD

That is the whole design rule, and it is almost never followed. Protocols route every decision — the slow parameter on a deep, hard-to-move asset and the live liquidation price on a thin, trivially-moved one — through the same regime, usually one oracle and one governance process. The rule says this is wrong in both directions at once: it over-pays for security on the decisions that never needed it, and, fatally, it under-secures the decisions where VD is large and the input beneath the regime is cheap to move.

5.The ledger: mismatch versus bug

Read the incident record through the rule and it sorts into two piles. Either a loss was a regime mismatch — a decision whose cost-to-corrupt fell below its exploitable value — or it was something the quant layer was never going to fix.

~$116MMango Markets — MNGO perp mark manipulated ~1,000% with ~$5M, then borrowed against6
~$45MPancakeBunny — AMM spot used to size mint rewards, bent by a flash loan10
~$34MHarvest Finance — vault share priced off a Curve pool ratio, cycled 32×10

Mango Markets is the pure case. In October 2022 an attacker used about five million dollars to inflate a thinly-traded perpetual roughly tenfold in an hour, drove the oracle that marked it as collateral, and borrowed some hundred million against the inflated mark.6 A decision with an enormous VD — mark-to-borrow — was riding on an input whose CR was five million dollars in a market no one else was defending. The rule states the outcome in advance: that mark needed a regime whose cost-to-corrupt exceeded the borrow it enabled, or a liquidity-conditioned floor on how far it could move; it had neither. The same shape recurs across the ledger — bZx (2020), Harvest (2020), Cheese Bank (2020), PancakeBunny (2021) all read the spot price of a shallow pool as truth, and all were corrected by a flash loan cheaper than the reserves it unlocked.810

A different mismatch is latency, not price. When an attacker built an outsized illiquid position against Aave in November 2022, the collateral could not be sold to cover the debt when the trade unwound, leaving the protocol with roughly $1.6M of bad debt.9 No oracle was fooled; the risk parameter was simply set in R0, where the latency is days, and days is far too slow to reprice a concentration that moves in minutes. The rule says a fast-moving, high-VD parameter cannot live in the slowest regime — which is now, tellingly, exactly the migration underway: firms like Chaos Labs increasingly push parameter updates through automated risk oracles that act within DAO-approved bounds, dragging that decision out of R0 toward a faster regime.11

And then the honest column. Euler Finance lost about $197M in March 2023 — the largest of them all — and it was not a mismatch.7 A donation function omitted a solvency check, letting the attacker force his own account into a bad state and self-liquidate at a discount; the imported θ was perfectly fine, and the fault lay in the on-chain f. A verified quant layer, however sophisticated, would not have prevented it. (The funds were later returned in full.) It has to be said plainly, because the value of the framework is exactly its ability to exclude: separating the regime mismatches, which the taxonomy fixes, from the code bugs, which it does not, is itself the discipline. When you do the sort, most of the large credit losses fall in the first pile — the predictable consequence of importing a high-stakes computation under a regime too cheap to corrupt.

6.What protocols actually need

The lesson is not “a better oracle,” and it is not “more decentralization” chanted at every layer. It is a typed boundary: each risk decision annotated with the value a lie about it would earn, and assigned the cheapest regime whose cost-to-corrupt clears that value. The oracle for a slow parameter on the deepest collateral on Earth and the oracle for a liquidation trigger on a micro-cap should not be the same object. Today they routinely are.

The endgame is an interface, not a monolith. A protocol would declare, per decision, the regime it requires — this liquidation price needs at least R2; this parameter tolerates R3 — and a competitive market of quant-layer providers, the signers and committees and disputers and provers, would supply verified (f, θ) to that specification. The intelligence gets as sophisticated as finance demands; the trust gets as strong as the stakes require; and the two are decoupled — which is the only arrangement under which a protocol can have both.

The romance of the word “trustless” is what made the boundary invisible. Naming it — and pricing every crossing against what a lie about it would earn — is how on-chain credit finally gets to be quantitative without getting to be fragile.

Methods & sources

This is a mechanism-design argument, not an empirical study; its anchors are the primitives’ own documentation and primary post-mortems of named incidents, dated and linked below. Loss figures are the numbers reported by regulators or first-party analyses, not independent reconstructions. Two deliberate omissions of number: zk-ML proving times, costs, and feasible model sizes are kept qualitative because the official tooling publishes no benchmarks (the circulating figures are secondary); and UMA’s exact vote thresholds and window are described by mechanism, not quoted, for the same reason. The market-impact point is developed in the companion essay.12

  1. EVM compute limits & the rationale for oracles — Antonopoulos & Wood, Mastering Ethereum, Ch. 11 (“Oracles”); no native floating point, gas-metered computation.
  2. Pyth pull oracle — first-party publishers, signed updates verified on submission, 400 ms feeds — docs.pyth.network (official).
  3. Chainlink Off-Chain Reporting — committee agrees a report, quorum threshold-signs, one transaction carries the median — docs.chain.link (official).
  4. UMA Optimistic Oracle — assert-with-bond, challenge window, dispute escalates to a staked-token vote; trust is economic — docs.uma.xyz (official).
  5. zk-ML — EZKL compiles an ONNX model to a Halo2 circuit with an on-chain verifier; proving cost scales with model size, inputs quantized, large models infeasible today — docs.ezkl.xyz (official; performance figures deliberately not quoted).
  6. Incident: Mango Markets, Oct 2022 — ~$116M (SEC; ~$110M taken, ~$67M returned via a governance settlement) — oracle/price manipulation of the MNGO perp — SEC Press Release 2023-13.
  7. Incident: Euler Finance, Mar 2023 — ~$197M, a missing solvency check in donateToReserves plus self-liquidation (a code bug, not oracle manipulation); funds later returned in full — Chainalysis post-mortem; Euler recovery blog.
  8. Incident: bZx, Feb 2020 — ~$1M across two flash-loan attacks using DEX spot as the oracle — samczsun, “So you want to use a price oracle”.
  9. Incident: Aave CRV episode, Nov 2022 — ~$1.6M residual bad debt from illiquid collateral against a static parameter (a parameter/market failure, not a code bug); attempt failed — The Defiant; Blockworks.
  10. Incidents: Harvest Finance, Oct 2020, ~$34M (SlowMist); PancakeBunny, May 2021, ~$45M (Amber Group); Cheese Bank, Nov 2020, ~$3.3M (PeckShield) — all AMM/pool spot used as the price feed.
  11. Risk-parameter management — Gauntlet and Chaos Labs simulate and recommend lending parameters, enacted through DAO governance; Chaos Labs’ on-chain “Risk Oracles” push updates within governance-set bounds — Aave governance forum; Chaos Labs docs.
  12. Market impact & the square-root law — see The Dimensional Shift (this site).