★ Oracle source = spot DEX pool (no TWAP)
Midas's assessment for RD-F-053 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
[★ CRITICAL — GREEN] mToken NAV pricing uses MTBillCustomAggregatorFeed, an issuer-push oracle where prices are submitted by a permissioned admin role (M_TBILL_CUSTOM_AGGREGATOR_FEED_ADMIN_ROLE) via setRoundData(). No DEX spot price manipulation surface exists. The underlying IB01/USD Chainlink feed uses 16 oracle nodes with 2% deviation threshold — not a DEX pool. The 244-transaction history on the oracle proxy (Set Round Data pattern) confirms the push-model operation. F053 does not fire: oracle source is not a spot DEX pool, TWAP is not needed in this architecture.
Sources #
- URLChainlink IB01/USD Price FeedChainlink IB01/USD — 0x32d1463EB53b73C095625719Afa544D5426354cB, 16 oracle operators, 2% deviation, Ethereum Mainnet (not a DEX pool)retrieved 2026-05-16
- Sherlock 2024-08 — CustomAggregatorFeed sourcesherlock-audit/2024-08-midas-minter-redeemer CustomAggregatorV3CompatibleFeed.sol: setRoundData() admin-only; prices manually submitted; no DEX pool dependencyretrieved 2026-05-16
- MTBillCustomAggregatorFeed Proxy — EtherscanMTBillCustomAggregatorFeed proxy 0x056339C044055819E8Db84E71f5f2E1F536b2E5b — 244 txs of 'Set Round Data' from single admin address, confirms issuer-push modelretrieved 2026-05-16
Methodology #
Determine whether the primary oracle for any asset/market reads spot price from a single DEX pool without a TWAP window or secondary source.
See the full factor methodology and distribution across all protocols →