# Collateral and Oracle Profile A **Collateral Profile** is the unit of risk configuration. It ties together: * token address + adapter * oracle method * liquidity assumptions * parameter set in RiskRegistry #### Profile IDs Use `bytes32 profileId = keccak256(abi.encode(symbol, token, version))` or explicit constants. #### Liquid collateral eligibility (hard gate) A token may enter the liquid pool only if all are true: 1. **Priceability** * at least two independent pricing sources or a primary + robust sanity check * staleness behavior defined 2. **Liquidation feasibility** * auction can clear meaningful size without relying on multi-day off-chain processes * DEX depth, market-maker commitments, or reliable redemption within short settlement 3. **Transferability** * adapter and auction house can legally/technically hold and transfer the token 4. **Operational transparency** * supply, NAV (if applicable), and key events observable * clear issuer/custodian posture *** ### Oracle and valuation architecture Pricing is the sharp edge of an RWA-collateral protocol. The design must be conservative by default and fail closed. #### 1. Components * **Price Router (`PriceRouter`)** * single read interface for the Ledger: `getPrice(profileId) -> (price, status)` * returns USD price and a status code * **Feed Verifier (`SignedFeedVerifier`)** * accepts signed price messages from authorized signers * verifies quorum and freshness * stores latest accepted value * **Guard Layer (`PriceGuards`)** * sanity checks: max delta, staleness, cross-source divergence, market premium/discount bounds * can place a profile into **restricted mode** #### 2. Price statuses The Ledger must act differently depending on price status: * `OK`: price fresh and within guardrails * `STALE`: too old; issuance disabled; repayments allowed * `DISPUTED`: sources disagree; issuance disabled; may tighten safety checks * `HALTED`: manual stop; only risk-reducing operations allowed #### 3. Pricing methods per asset category **A) Tokenized T‑bills (NAV-based)** **Target behavior:** price increases gradually with accrued yield. **Primary source** * signed NAV/share price from an authorized signer set (issuer admin, fund admin, or designated oracle operators) **Sanity sources** * on-chain market price TWAP (if token trades) * bounded daily drift: NAV should not jump beyond plausible yield + market move bounds **Guardrails** * staleness threshold (tight): if NAV not updated within SLA, set `STALE` * max-change: if NAV changes beyond X bps/day, require multi-signer consensus or halt **B) Tokenized stablecoins** **Target behavior:** price near $1 with depeg detection. **Sources** * external oracle feed (primary) * on-chain DEX TWAP (sanity) * optional: CEX index via signed feed (sanity) **Guardrails** * if price < `0.995` (configurable), issuance disabled automatically * if price < `0.985`, peg rail outflow disabled and safety factor tightened (optional) * staleness triggers restricted mode **C) Tokenized gold** **Target behavior:** price tracks spot gold with token-specific conversion. **Sources** * XAU/USD spot feed (primary) * token market TWAP (sanity) * token-specific ratio (e.g., token represents 1 gram or 1 ounce) **Guardrails** * divergence clamp between spot-implied and market price * staleness and max delta checks #### 4. Oracle message format (signed feed) Use EIP‑712 structured data: * `profileId` * `price` (USD per token unit, AMT precision) * `validAfter`, `validUntil` * `nonce` (optional) * `sourceId` Quorum rules: * N-of-M signers, configurable per profile * reject if less than quorum, stale, or outside bounds