Permissionless-pool lending oracle
Fluid's assessment for RD-F-181 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
F181 concerns whether the lending protocol accepts spot prices from a DEX where any user can permissionlessly create new pools. Fluid's internal DEX (Fluid DEX) does have permissionless pool creation via DexFactory. The DEX oracle variants (dexSmartColCLOracle) can read from specific DEX pool reserves. Whether a newly-created permissionless Fluid DEX pool with a worthless token could become an accepted oracle source for a new vault — and whether that vault could be created permissionlessly — requires direct assessment of VaultFactory pool-listing requirements. The profile notes vault creation via VaultFactory but permissionless listing criteria not confirmed. The profiler flagged F181 as LIVE. Gray due to insufficient evidence to determine if a permissionlessly-created DEX pool with a fake token can feed a vault oracle without a TWAP, liquidity floor, or token-age minimum check. This requires direct VaultFactory source inspection which was not completable within this assessment.
Sources #
- GitHubFluid VaultFactory — permissionless vault creationInstadapp/fluid-contracts-public/contracts/protocols/vault/ — VaultFactory; vault creation and oracle linking require further inspectionretrieved 2026-04-29
- Profile §7 — F181 flag00-profile.md §7 — oracle-dependency-analyst flagged F181 as LIVE; permissionless vault creation confirmedretrieved 2026-04-29
Methodology #
Determine whether the lending protocol accepts spot prices from a DEX where any user can permissionlessly create new pools, without requiring a TWAP window, liquidity floor, or token-age minimum on the venue side.
See the full factor methodology and distribution across all protocols →