Oracle-manipulation-proof borrow cap
Save (formerly Solend)'s assessment for RD-F-073 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The November 2022 USDH oracle exploit demonstrates that isolated-pool borrow caps were insufficient against oracle manipulation: the attacker spent $113K USDC to pump the USDH price 10x via a single-source Switchboard/Saber oracle, then borrowed $1.26M against the inflated collateral value. After the exploit, the protocol added multi-source oracle requirements and restored funds. Whether current borrow caps are adequate relative to oracle pool depth cannot be verified for all reserves without on-chain reads. The historical failure pattern is documented.
Sources
- Solend Isolated Pools Exploitation Nov 2022 — ImmuneByte. ImmuneByte detailed analysis: attack mechanics — write-lock Saber account, predict oracle slot update, $113K cost for $1.26M yield. Retrieved 2026-05-17.
- DeFi Protocol Solend Struck by $1.26M Oracle Exploit — CoinDesk. CoinDesk: USDH oracle exploit Nov 2022; single Switchboard source from Saber pool manipulated; $1.26M drained from Stable, Coin98, Kamino isolated pools. Retrieved 2026-05-17.
Methodology
Determine whether the per-asset borrow cap is ≤ (oracle pool depth × manipulation-resistance multiplier).