Research: BTC/USD Price Oracle on Stellar
Author: Research Date: 2026-06-22 Status: CompleteOverview
PrivateLend requires a reliable, manipulation-resistant BTC/USD price feed to:- Calculate collateral ratios (how much USDC a user can borrow against their BTC)
- Determine when a position is liquidatable (BTC value dropped below liquidation threshold)
- Compute fair liquidation prices
Available Oracles on Stellar (2026)
1. RedStone — RECOMMENDED PRIMARY
Live on Stellar mainnet since: March 4, 2026 BTC/USD feed: Available Standard: SEP-40 (Stellar oracle standard) Architecture: RedStone uses a “pull oracle” model — price data is published off-chain and pulled on-chain only when needed (at transaction time), rather than being pushed on-chain continuously. This is more gas-efficient and avoids stale data. Key metrics:- $8.5B+ Total Value Secured across 70+ blockchains
- 180+ protocols using RedStone
- Zero mispricing events in production
- Sub-second latency price updates
- Deviation-based updates: new price pushed when market moves >threshold
- Time-based updates: daily minimum refresh during low volatility
- SEP-40 compliant: standardized interface for Stellar protocols
2. Pyth Network
Status on Stellar: Available (price feeds live) BTC/USD feed: Available, 30–60 publishers Architecture: Pull oracle. Pyth publishes prices off-chain through a Wormhole-based price service; contracts pull the price on-demand during transaction execution. Key metrics:- Large publisher network for BTC/USD (30–60 institutional publishers)
- Sub-second latency
- Proven across 60+ blockchains
- Core upgrade scheduled July 31, 2026 (requires API key for users)
3. SEP-40 Standard
SEP-40 is Stellar’s native oracle interface standard. RedStone adopted it in June 2026 for RWA assets. Any SEP-40-compatible oracle can be swapped in without contract changes — Writz should build against the SEP-40 interface, not against a specific oracle provider. SEP-40 assets live (June 2026): USDC, EURC, XLM, PYUSD, and several tokenized instruments. BTC/USD via RedStone is available.Oracle Manipulation Attack Vectors
1. Flash loan oracle manipulation
An attacker takes a large flash loan, moves the price of BTC on a DEX (if the oracle reads from a DEX), liquidates an undercollateralized position at the manipulated price, repays the flash loan. Writz exposure: LOW — Writz uses off-chain institutional price feeds (RedStone, Pyth), not on-chain DEX prices. Off-chain feeds cannot be manipulated by on-chain flash loans.2. Single oracle failure / manipulation
A single oracle source fails, is manipulated, or goes stale. All lending decisions are made on bad data. Mitigation: Use multiple independent oracles and take the median price. A median of 3 sources requires 2 to be simultaneously wrong to affect the result.3. Oracle front-running
An attacker observes a large price update in the mempool (or before it’s applied) and liquidates positions milliseconds before the update executes. Writz exposure: MEDIUM — On Stellar, front-running is harder than on Ethereum (no public mempool in the same way), but not impossible. Mitigation: require a price confirmation delay of 1–2 ledgers (~5–10 seconds) before acting on a new price for liquidations.4. Stale price data
The oracle hasn’t updated in a long time. The contract uses an outdated price that doesn’t reflect current market conditions. Mitigation: Reject any price older than X minutes (e.g., 60 minutes for BTC/USD). If no fresh price is available, the protocol enters a “price paused” state — no new borrows or liquidations until a fresh price is available. Existing positions are safe.Recommended Oracle Architecture for Writz
Multi-oracle median design
Implementation path
Build against the SEP-40 interface for all oracle calls. This abstracts the specific oracle provider and allows swapping RedStone for another SEP-40-compatible provider without contract changes.Liquidation price safety
For liquidations specifically, use a conservative price (slightly lower than current) to avoid liquidating based on a momentary price spike:Key Decisions
| Decision | Choice | Rationale |
|---|---|---|
| Primary oracle | RedStone (SEP-40) | Live on Stellar, Blend-compatible, zero mispricing history |
| Secondary oracle | Pyth | Large publisher network, independent source |
| Aggregation | Median of 2–3 sources | Resistant to single-source manipulation |
| Staleness threshold | 60 minutes | BTC/USD volatile — stale data is dangerous |
| Liquidation smoothing | min(current, 5-min lookback) | Prevents front-running and price spike exploits |
| Interface standard | SEP-40 | Provider-agnostic, future-proof |
Last updated: 2026-06-22 Sources: RedStone Oracle on Stellar · RedStone SEP-40 Standard · Pyth BTC/USD Feed · Soroban Bitcoin Price Oracle Demo