Skip to content

Introduce Predict oracle lifecycle cap#1068

Open
pei-mysten wants to merge 1 commit into
pei/predict-oracle-admin-cap-renamefrom
pei/predict-oracle-lifecycle-cap
Open

Introduce Predict oracle lifecycle cap#1068
pei-mysten wants to merge 1 commit into
pei/predict-oracle-admin-cap-renamefrom
pei/predict-oracle-lifecycle-cap

Conversation

@pei-mysten

@pei-mysten pei-mysten commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Summary

  • Add MarketOracleLifecycleCap for lifecycle-only operations: expiry creation, explicit settlement, and settled-market compaction.
  • Move registry::create_expiry_market, market_oracle::settle_if_possible, and expiry_market::compact_storage to require the lifecycle cap instead of the high-privilege writer cap.
  • Bind lifecycle caps to both a writer cap ID and a Pyth Lazer feed ID, so lifecycle-created markets authorize the intended writer cap and reject use with the wrong feed.
  • Update the Predict gas benchmark setup to create both the writer cap and lifecycle cap.

Stack

Security rationale

Before this PR, a service holding the oracle cap for lifecycle work also had price-writing and oracle-config authority. That made a compromised lifecycle/market-management pod much more dangerous than its job required.

This split narrows the blast radius:

  • HFT and quoter services hold MarketOracleWriterCap and can continue to update prices, SVI, and oracle config for authorized markets.
  • Lifecycle services hold MarketOracleLifecycleCap and can create future expiries, explicitly settle from already-valid oracle data, and compact settled markets, but cannot write prices or tune oracle bounds.
  • Lifecycle caps are feed-bound via pyth_lazer_feed_id, preventing a lifecycle cap for one asset/feed from creating markets for another.
  • Newly-created markets seed their authorized writer-cap set from the lifecycle cap stored writer_cap_id, so lifecycle can provision markets for HFT without holding the writer cap object.

Tests

  • sui move test -p packages/predict -i 100000000 oracle_cap_tests
  • sui move test -p packages/predict -i 100000000 registry_create_tests
  • sui move test -p packages/predict -i 100000000 market_oracle_settlement_tests
  • sui move test -p packages/predict -i 100000000 compact_storage
  • sui move test -p packages/predict -i 100000000 market_oracle_update_prices_tests
  • sui move test -p packages/predict -i 100000000 market_oracle_update_svi_tests
  • sui move test -p packages/predict -i 100000000 market_oracle_set_bounds_tests
  • npx --yes --package @mysten/prettier-plugin-move prettier-move -c $PWD/packages/predict/**/*.move
  • git diff --check
  • ./packages/predict/simulations/node_modules/.bin/tsc -p packages/predict/simulations/tsconfig.json --noEmit --types node

@pei-mysten pei-mysten mentioned this pull request Jun 10, 2026
Open
@pei-mysten pei-mysten force-pushed the pei/predict-oracle-lifecycle-cap branch from 3c4277b to bc67a56 Compare June 10, 2026 21:15
@pei-mysten pei-mysten changed the title Split Predict oracle admin and lifecycle caps Introduce Predict oracle lifecycle cap Jun 10, 2026
@pei-mysten pei-mysten changed the base branch from main to pei/predict-oracle-admin-cap-rename June 10, 2026 21:16
@pei-mysten pei-mysten force-pushed the pei/predict-oracle-admin-cap-rename branch from 4b3bd9a to 07944bd Compare June 10, 2026 21:31
@pei-mysten pei-mysten force-pushed the pei/predict-oracle-lifecycle-cap branch from bc67a56 to a79d571 Compare June 10, 2026 21:35
@pei-mysten pei-mysten force-pushed the pei/predict-oracle-lifecycle-cap branch from a79d571 to 13d17bc Compare June 10, 2026 21:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pei-mysten