[VPD-349] PriceDeviationSentinel Contract

[web3rover]

Summary

• Add DeviationSentinel contract that monitors price deviations between ResilientOracle and SentinelOracle, automatically pausing borrow/supply and zeroing collateral factors when large
  deviations are detected, and restoring them when prices normalize
• Add SentinelOracle, PancakeSwapOracle, and UniswapOracle as on-chain price sources for deviation comparison
• Add comprehensive unit tests, fork tests, and deployment scripts for BSC testnet

Problem

Price manipulation or oracle lag can leave markets exposed. The DeviationSentinel provides an automated circuit breaker that a trusted keeper can trigger when oracle prices diverge beyond a
configured threshold.

How It Works

1. Deviation detected → Sentinel stores current CF/LT in marketStates, sets CF to 0, and pauses supply/borrow
2. Deviation resolves → Sentinel restores stored CF/LT and unpauses actions
3. Protection against stale state → If governance creates new e-mode pools or changes CF while the market is paused, the restore logic skips uninitialized pools (storedCF == 0 && currentCF != 0) and avoids restoring LT = 0 to prevent liquidation risk

DeviationSentinel State Conflicts with Governance Actions

A conflict arises when governance (VIP) needs to modify a market's parameters (CF, LT, pause state, or e-mode configuration) while DeviationSentinel has an active deviation state for that market.

Scenario A — Governance changes CF without calling resetMarketState

1. Deviation detected → Sentinel stores CF = 80%, sets CF = 0, pauses supply
2. Governance VIP sets CF = 60% (new risk parameter) directly on the comptroller
3. Deviation resolves → Sentinel restores CF = 80% (the stale stored value)
4. Result: The governance-intended CF = 60% is silently overwritten with the old 80% value — a security risk where the protocol operates with a higher CF than governance approved

Scenario B — Governance calls resetMarketState but doesn't handle pause state

1. Deviation detected → Sentinel stores CF = 80%, sets CF = 0, pauses supply
2. Governance calls resetMarketState → clears all stored state (borrowPaused = false, cfModifiedAndSupplyPaused = false, stored CFs cleared)
3. Governance VIP sets CF = 60%
4. Deviation resolves → Sentinel sees borrowPaused = false and cfModifiedAndSupplyPaused = false, so it does nothing
5. Result: Supply remains paused with no automated recovery path via the Sentinel if governance didn't manually unpause

Scenario C — E-mode changes (add/remove pool or market)

1. Sentinel has stored CFs for pool IDs [1, 2, 3]
2. Governance creates a new e-mode pool (ID 4) or removes market from pool 2
3. On restore, Sentinel iterates corePoolId() to lastPoolId() — it may try to restore a CF for a pool the market is no longer in, or skip a newly added pool, leading to incorrect state

Required Governance Procedure

When governance needs to intervene on a market with an active deviation state, the VIP must follow this exact order:

1. resetMarketState(market) — Clears all stored state (pause flags, stored CFs/LTs). Note: this clears the sentinel's tracking but does not unpause on the comptroller
2. Make all protocol changes (new CF/LT values, e-mode pool changes)
3. Unpause supply/borrow on the comptroller manually — Since resetMarketState only clears sentinel state, governance must explicitly unpause the actions that the sentinel had paused
4. handleDeviation(market) — Re-evaluates the market against the current oracle prices with a clean slate

Why This Procedure Works in Every Scenario

By explicitly unpausing and then calling handleDeviation, the sentinel captures the fresh governance-intended state:

• Deviation still exists at VIP execution → handleDeviation stores the NEW CF values (set by governance in step 3), sets CF to 0, and re-pauses the market. When the deviation resolves later,
  the sentinel restores the correct governance-intended CF. ✓
• Deviation already resolved by VIP execution → handleDeviation is a no-op since no deviation is detected. The market stays unpaused with the new CF values. ✓
• E-mode pool changes (Scenario C) → handleDeviation iterates the updated pool list (corePoolId() to lastPoolId()) and stores the correct new pool configuration. ✓

The market being re-paused when a deviation still exists is the correct behavior — the sentinel should continue protecting the market, just with the updated parameters.

Contracts Added

Contract	Description
DeviationSentinel	Core sentinel logic — deviation detection, pause/unpause, CF store/restore
SentinelOracle	Aggregates multiple oracle sources for sentinel price comparison
PancakeSwapOracle	TWAP oracle using PancakeSwap V3 pools
UniswapOracle	TWAP oracle using Uniswap V3 pools

Test Plan

• Unit tests for DeviationSentinel (deviation handling, CF restore, new pool protection, LT=0 edge case)
• Unit tests for PancakeSwapOracle, UniswapOracle, SentinelOracle
• Fork tests for DeviationSentinel on BSC
• Deployed and verified on BSC testnet

NOTE: As discussed with @fred-venus Will work on this comment in future versions.

[fred-venus]

I am thinking should we put it governance repo like https://github.com/VenusProtocol/governance-contracts/pull/163/files

[Debugger022]

Both the PancakeSwapOracle and UniswapOracle contracts share the same core logic, so we could consolidate them into a single common oracle contract instead of maintaining two separate ones.

Additionally, we could further improve security by aggregating and comparing price data from multiple DEXs, rather than relying on a single source.

[fred-venus]

Yeah, i agree both points. That's for sure something we could do, together with what u mentioned TokenConfig has only one field, i am thinking we can have more fields:

we could support amm pools array for one asset and each pool attached with a weight, and get price can simply return:
price1 * weight1 + price2 * weight2 etc..

wdty ?

[Debugger022]

yeah it's sounds good

[GitGuru7]

implementation LGTM, left few nitpicks

[GitGuru7]

we can consider reverting when isTrusted is unchanged to avoid unnecessary storage writes and also emit the previous value for better tracking.

[GitGuru7]

applicable to other similar setters

[Debugger022]

The current implementation is correct and functional. Your suggestions are valid optimizations:

1. Reverting on unchanged value saves gas by avoiding redundant SSTORE operations
2. Emitting previous value improves off-chain tracking and event indexing

However, the current simpler approach has benefits:

• Idempotent behavior (no unexpected reverts)
• Less code complexity
• Callers don't need to check current state before calling

Since the setter will primarily be called by a whitelisted address, we can assume incorrect parameters won’t be sent. Given that the code is already deployed on mainnet, I’d suggest skipping this. @fred-venus WDYT?T?

[fred-venus]

i am open, can skip

[GitGuru7]

Can we consider avoiding the storedCF == 0 check and rely only on currentCF != 0 when restoring values? If a CF is updated via a VIP during the pause, should the sentinel still reset it, or is the current behavior intentional ?

[Debugger022]

The check is correct and intentional. It distinguishes between:

1. storedCF == 0 because never stored (new pool created during pause) → skip if currentCF != 0 to preserve governance's new pool config
2. storedCF == 0 because original CF was 0 → restore allowed if currentCF is also 0

See line 475-477 comments:

If storedCF is 0 and currentCF != 0, this pool was added after _setCollateralFactorToZero, so we skip restoring to avoid overwriting new pool config with zero values.

[GitGuru7]

Suggested change

/// @notice Emitted when collateral factor is updated

[Debugger022]

As the code is already deployed on mainnet, I would suggest to skip this @fred-venus WDYT?

[fred-venus]

yeah, can skip

[GitGuru7]

On restore, the event assumes currentCF is always 0, but if governance updates the CF during the pause, this may not hold. Should we consider emitting the actual previous value instead (from currentCF) for better accuracy and traceability?

[Debugger022]

The current behavior is intentional. The event tracks DeviationSentinel's state transitions:

• On pause: oldCF = original CF → newCF = 0 (sentinel zeroing)
• On restore: oldCF = 0 → newCF = storedCF (sentinel restoring from what it set)

If governance modifies CF during the pause, that's a separate action outside the sentinel's scope. The sentinel's event accurately reflects: "I'm restoring from 0 (what I set) to the stored value.

Does this make sense?

[github-actions]

Package	Line Rate	Branch Rate	Health
DeviationSentinel	88%	86%	✔
DeviationSentinel.Oracles	93%	90%	✔
Interfaces	100%	100%	✔
LeverageManager	94%	80%	✔
Libraries	29%	33%	❌
PositionSwapper	12%	10%	❌
SwapHelper	100%	100%	✔
Summary	74% (487 / 661)	60% (227 / 376)	➖

[fred-venus]

merge as vip has will be proposed soon

[fred-venus]

cc @Debugger022 , once the audit report is available, feel free to create a new pr