Anemos Blockchain on X Anemos on GitHub

A Consensus-Embedded Price Oracle: Slash Deviation, Never Absence

June 3, 2026
A Consensus-Embedded Price Oracle: Slash Deviation, Never Absence

A USD-pegged stablecoin needs a USD price, and a new chain has no native source. The oracle is the true blocker, so we designed it first. The key constraint: the price must be a pure function of on-chain data, so a node that was offline and re-syncs derives the identical value.

Price rides in the block, not in a transaction

We do not touch the consensus vote or certificate hot path — the riskiest code in the chain. Instead, each block a deterministic ~committee subset (ranked by Hash(seed‖valNum) over the committed H−1 sortition seed, so every node re-derives it with zero storage) signs the canonical message H(height‖valNum‖price) with its validator BLS key and gossips a PriceVote. The proposer aggregates the subset’s votes into one BLS aggregate in a block-body OracleData section, whose hash is folded into Block.Hash(). The existing precommit certificate therefore attests the oracle data with zero certificate-format change.

At commit, every node re-derives the subset, checks the signers are a subset that meets the quorum, verifies the aggregate, takes the median, bounds it to ±10% of the running price, and eases the accepted price toward it with a slow integer EMA — a genuine TWAP that converges over ~1/α blocks, not this block’s median. Below quorum the proposer emits no section, the last price carries forward, and a staleness cap halts mint/redeem after N quorum-less blocks.

Omission vs. commission

  • Absence is never slashed. A node offline for minutes simply didn’t submit; it pays only a soft availability-score dip. This is what makes a flaky or Android node safe to run.
  • Deviation is slashed. A signed price outside the tolerance band forfeits a small fraction of stake per period; the forfeited ANM is moved into the reserve it endangered — a transfer, not a burn. A split-committee guard suppresses slashing when deviators are ≥ half the attesters, so an honestly bimodal committee is never punished.

The trust ceiling

Moving a median requires controlling a majority of that block’s subset, and even a fully captured subset moves the committed price by at most ~0.25% that block (move cap + slow EMA). The EMA’s memory integrates hundreds of attestations across many independent random subsets — effectively the whole committee — so dragging the peg requires a sustained majority over many blocks. Committee seats are stake-weighted VRF sortition, bond-lagged, and rotation-capped, so that reduces to an honest-majority-of-stake assumption — the same one consensus already makes. We are honest that this is the ceiling, and we lead the defense with economic security, source diversity, the TWAP, the move cap, and the quorum floor.