Mark-to-Truth Auctions

Mark-to-Truth auctions provide a self-correcting, capital-based price discovery mechanism when the pool's spot price is called into question. Instead of relying on external oracles or appraisals, the protocol randomly samples actual assets from the pool and auctions them to discover what the market will actually pay.

Core principle: Truth should cost money. To move the protocol's reference price, participants must put real capital at risk—either through binding bids in auctions or accepting probability of delivery via micro-settlement. Opinions and appraisals don't update marks. Only capital does.

Design philosophy: Match mechanism weight to deviation severity. Small drifts (60-80 bps) get fast, low-friction corrections via informational auctions (RECENTER). Large deviations (200+ bps) get heavyweight proof via real asset sales (WIND-DOWN). Most of the time you're retuning the mark, not liquidating the pool. When things genuinely break, you prove it in cash.

Mark-to-Truth Mental Model

Goal: Oracle-free price discovery that nudges spot toward objective NAV, and proves value in cash when deviations are severe.

How it works:

1. Anyone can challenge the mark by posting a bond.
2. The protocol runs a random-sample, sealed, uniform-price auction of real lots.
3. From the executed book, it computes:
   • Clearing price ($P^*$) and deviation ($\Delta=|P^*-P_0|$)
   • Standard error ($SE=\sqrt{\sigma_b^2+\sigma_{\text{lot}}^2}/\sqrt{k}$)
   • $t$-score ($t=|\Delta|/SE$)
4. Decision:
   • CONFIRM (healthy): $t < t^*$ → keep $P_0$, slash caller.
   • RECENTER (soft reset): $t \ge t^*$ & not extreme → set $P_0 \leftarrow P^*$; informational by default; optional micro-settlement ($f$%) to keep bids honest; protocol LP re-ranges around $P^*$ and adds temporary frictions.
   • WIND-DOWN (severe): $|\Delta| \ge \varepsilon_2$ (confirmed) → execute tranched real sales to cash-prove value until stability returns.

Why it converges: To move the mark you must (i) marshal enough matched notional (scaled with $|\Delta|$), (ii) create a tight book (low $SE$), and (iii) accept a probability of real settlement (micro-fill or full WIND-DOWN). Cheap talk doesn't move price.

Notation / units: Percentages are decimals (10 bps = 0.0010). $P_0$ = current mark, $P^*$ = auction clearing price, $\Delta=|P^*-P_0|$, $k$ = lot count, $SE$ = standard error, $t=|\Delta|/SE$.

---

The problem: when pools lose their anchor

Pool prices can drift from fair value for many reasons. Thin liquidity makes price discovery unreliable. Manipulation pushes prices without fundamental justification. Information goes stale. Death spirals from cascading liquidations create reflexive downward pressure.

TWAP and RWAP provide manipulation resistance for short-term volatility, but they cannot detect sustained mispricings where the pool trades away from what assets are actually worth. When a $100 million pool of luxury watches drifts 120 basis points from fair value and stays there for days, you need something stronger than smoothing functions.

The core challenge: How do you know when the pool is mispriced versus when the market has legitimately re-evaluated the assets? You can't rely on external oracles (subjective, manipulable, stale). You can't trust continuous trading alone (manipulable, thin). You need a mechanism that forces participants to prove their conviction with capital.

Mark-to-Truth auctions are the backstop mechanism that answers this question through actual bids for actual assets. When pool health is questioned, the protocol runs a capital-based price discovery event. Most of the time this just validates the current mark (CONFIRM) or makes a small adjustment (RECENTER). Rarely, it discovers something is fundamentally broken (WIND-DOWN).

The key insight: Not all price movements are created equal. A 60 basis point drift needs different treatment than a 220 basis point crater. The mechanism matches response severity to deviation magnitude, proven through statistical confidence.

---

How it works: auction-driven price discovery

The mechanism works in three phases: first it checks whether an auction is even worth running, then it runs a sealed uniform-price auction on randomly sampled assets, and finally it uses statistical analysis to decide what action to take. Think of it as a forensic investigation where the evidence is capital—not opinions, not appraisals, but actual bids from people willing to put money on the table.

The beauty is in the progression. Pre-flight checks prevent spam and ensure minimal credibility. The auction itself forces price discovery through sealed bids on random samples—no cherry-picking, no gaming the selection. And the outcome rule is mechanical, driven by a single number (the $t$-score) that captures both the size of the deviation and how confident we are about it.

Let's walk through each phase.

Pre-flight checks: can you even run an auction?

Running an auction costs gas, coordinator time, and participant attention. You don't want someone triggering auctions frivolously just to grief the system or farm rebates. So before anything happens, the protocol checks: Is this caller serious? Has enough time passed since the last auction? Can we actually draw a meaningful sample?

Before triggering an auction, basic anti-spam guards must pass:

• Cooldown elapsed: Minimum time since last auction (typically 48 hours)
• Caller bond posted: $B_{\text{call}} = \max(B_{\min}, \alpha \cdot V) \cdot m_{\text{risk}}$ where $V$ is pool TVL, $\alpha \approx 1$ bp, and $m_{\text{risk}} \in \{1,2,5,10\}$ rises with thin depth, order-book imbalance, or cross-product risk
• Sampling target: Draw $k \geq k_{\min}$ random lots (typically 3-6) via PPS within strata

If these pass, the auction runs. After clearing, we check post-clearing validity to decide if the result is informative. See Trigger Conditions for complete rules.

The auction: sealed, uniform-price, random sample

Here's where capital meets truth. The protocol randomly selects a few assets from the pool—you don't know which ones until after bidding closes—and runs a sealed auction. Everyone submits their bids privately, committed on-chain so they can't be changed. Once bidding closes, all bids become visible, and the auction clears at a single uniform price where supply meets demand. Winners are randomly assigned to lots, so you can't cherry-pick the best items.

Why this structure? Because it eliminates every common manipulation vector. Sealed bidding prevents last-second sniping and front-running. Random sampling prevents cherry-picking (bidders can't avoid the scratched-up Rolex and only bid on the mint-condition Patek). Uniform pricing means everyone pays what they bid—no weird auction dynamics where the winner overpaid. And random allocation means you're bidding on "any sampled lot," not specific items, which keeps pricing honest across the pool.

The protocol runs a sealed, uniform-price auction on randomly sampled lots:

1. Stratify the pool by acquisition ratio or quality band
2. Draw $k$ lots using VRF seed (PPS within strata, anti-cherry-pick)
3. Sealed bidding: Bidders submit price-per-$ for "any sampled lot"
4. Clear at $P^*$: Uniform clearing price where demand meets supply
5. Random allocation: Winners get lots randomly, no cherry-picking

From the executed book, the protocol computes:

• Clearing price $P^*$ and deviation $\Delta = |P^*-P_0|$
• Bid dispersion $\sigma_b^2$ (from executed fills within ±25 bps band)
• Standard error $SE = \sqrt{\sigma_b^2 + \sigma_{\text{lot}}^2}/\sqrt{k}$
• $t$-score $t = |\Delta|/SE$ (signal-to-noise ratio)

Post-clearing validity checks must all pass:

• Matched-notional floor (scaled with claim): matched $\ge \max\{1\% \cdot \text{TVL}, c \cdot |\Delta| \cdot \text{TVL}\}$ where $c \in [0.5,1.0]$. Big claimed moves require deeper books.
• Diversity: $M \ge M_{\min}$ distinct counterparties with fills (e.g., $M_{\min}=3$)
• Concentration: $H \le H_{\max}$ (e.g., 0.45)
• Confidence bound: $SE \le SE_{\max}$ (e.g., 25 bps)

If any validity check fails → INCONCLUSIVE (no mark change; light fixed penalty to cover ops).

See Auction Mechanics for sampling details, Statistical Confidence for formulas, and Kernel Rebates for bidder incentives.

---

The decision: four possible outcomes

Now comes the moment of truth: what do we do with this information? The auction discovered a clearing price $P^*$ that might differ from the current mark $P_0$. It also gave us a measure of confidence—how tight were the bids, how many participants, how dispersed were the results? From these two pieces of data, the protocol needs to make a decision that could be anywhere from "pool is fine, penalize the caller" to "something is catastrophically broken, start selling assets."

The elegance is that one number captures it all. The $t$-score combines the size of the deviation (how far $P^*$ is from $P_0$) with our confidence in that measurement (the standard error $SE$). High $t$-score means the deviation is real and provable. Low $t$-score means it's probably just noise. Combined with hard thresholds on deviation magnitude, this gives us four clean outcomes that handle everything from false alarms to existential crises.

After the auction clears and validity checks pass, the protocol uses a single statistic—the $t$-score $t = |\Delta|/SE$—combined with hard thresholds to pick one of four outcomes.

Outcome rule (binding and mechanical)

IF  t < t* (default 2.0):
    → CONFIRM (pool healthy; slash caller)

ELSE IF  t ≥ t*  AND  |Δ| < ε₂ (default 150-250 bps):
    → RECENTER (update mark to P*; informational or micro-settlement)

ELSE IF  |Δ| ≥ ε₂:
    → WIND-DOWN SIGNAL (requires confirmation; then progressive real sales)

If validity checks fail (high $SE$, high $H$, low $M$) → INCONCLUSIVE regardless of $t$ or $\Delta$.

Let's break down what each outcome means.

---

CONFIRM: pool was healthy all along

Sometimes someone triggers an auction because they think the pool is mispriced, but the auction proves them wrong. The clearing price comes back within spitting distance of the current mark—maybe 10 or 20 basis points off, maybe even closer. The $t$-score is low, meaning the apparent deviation could easily be explained by random bid dispersion rather than genuine mispricing. The pool was fine. The caller wasted everyone's time.

This isn't just "do nothing." The protocol needs to make frivolous calls expensive, otherwise people will spam auctions hoping to get lucky or farm rebates. So when the pool turns out healthy, the caller loses their bond. And not just a fixed fee—the penalty is convex, scaling with how obviously wrong they were. The closer the auction cleared to the current mark, the more the caller pays. This makes noise-trading or speculative calls economically suicidal.

Trigger: $t < t^*$ (typically $t^* = 2.0$), meaning the deviation $\Delta$ is small relative to the noise $SE$. The auction failed to prove the pool was mispriced.

What happens:

• Keep current mark $P_0$ (no change)
• No asset transfers (auction was informational only)
• Slash caller bond via convex penalty: closer the auction was to current mark, higher the penalty
• No rebates paid (pot rolls to risk fund)

Caller penalty (convex schedule):

$$\text{Loss}_{\text{call}} = F_0 + \lambda_V \cdot \left(\frac{\varepsilon_1 - \Delta}{30 \text{ bps}}\right)^2 \cdot V$$

where F_0 = \7,500$(fixed),$\lambda_V \approx 0.5$bps of pool value$V$, and$\varepsilon_1 = 40$ bps is the healthy band.

Example: $100M pool, auction clears 10 bps from current mark → caller loses $7,500 + $5,000 = $12,500. Frivolous calls are expensive.

Why this works: Negative expected value unless the pool is genuinely mispriced. Callers must believe the deviation is real and provable through capital.

See Trigger Conditions for penalty formulas.

---

RECENTER: soft reset for moderate mispricings

This is the sweet spot—the pool drifted from fair value, but it's not a crisis. Maybe thin liquidity let prices wander, maybe there was stale information, maybe a large trade pushed things around. The auction proves the deviation is real (high $t$-score), but the magnitude isn't so large that it questions the entire pool premise. You need to adjust the mark to reflect new information, but you don't need to start liquidating assets.

The key insight: most corrections should be informational, not executional. Update the reference price, reposition the AMM, add some temporary friction to prevent immediate gaming, and let trading resume. You're not forcing asset sales—you're acknowledging that the market's collective assessment is different from where the pool was priced, and updating accordingly. In V2+, a small fraction of bids might settle randomly (micro-settlement) to keep participants honest, but the default is "price discovery only."

Trigger: $t \ge t^*$ AND $|\Delta| < \varepsilon_2$ (typically 150-250 bps). The auction proved a statistically significant deviation that isn't catastrophic.

What happens:

• Update mark from $P_0$ to $P^*$ (new reference price)
• Informational by default: No asset transfers in V1; bids were escrowed for price discovery
• Optional micro-settlement ($f$%): V2+ enables small fraction (5-10%) of matched notional to settle randomly, adding skin-in-the-game without heavy ops burden
• Protocol LP repositions around new mark (burn old positions, mint new positions ±200 bps around $P^*$)
• Temporary frictions: Flow caps (2-3% TVL/day), entry/exit fees (10-20 bps decaying over 24-72h)
• Refund caller (maybe small bounty)
• Pay kernel rebates to tight filled bids near $P^*$

Micro-settlement formula (V2+):

$$f = \min\Big\{f_{\max}, \kappa \cdot \max(0, t-t^*)\Big\}, \quad \kappa \approx 2\%\text{ per unit }t, \quad f_{\max} \in [5\%, 10\%]$$

Higher $t$-score (stronger signal) → more settlement. Keeps bids honest without forcing large-scale asset transfers.

Example: Auction clears at $P^* = P_0 - 85$ bps with $t=3.2$. Mark updates to $P^*$, protocol LP re-ranges, 8% of matched notional settles randomly (winners take delivery), trading reopens with flow caps.

See RECENTER for complete mechanics and Settlement Models for why hybrid informational/executional design was chosen.

---

WIND-DOWN: prove it in cash

Now we're in crisis territory. The auction didn't just find a moderate mispricing—it discovered a chasm between what the pool thinks assets are worth and what the market will actually pay. A 200+ basis point deviation that persists across multiple auctions isn't noise or temporary illiquidity. It's a fundamental question: are these assets actually worth what we thought?

When opinions diverge this much, there's only one way to find truth: force actual sales and see what real buyers pay with real cash. WIND-DOWN is the mechanism's heavyweight artillery—progressive, tranched liquidation that proves value through binding transactions. Sell 10% of assets. See what price they clear at. Recenter the pool to that price. Wait and see if the market accepts it or if another auction triggers. Repeat until either prices stabilize (proving the new mark is right) or you've liquidated the entire pool (proving the original valuation was wrong). Capital, not opinions, determines truth.

Trigger: $|\Delta| \ge \varepsilon_2$ (typically 150-250 bps), confirmed by second auction or governance. The deviation is so large it questions the entire premise of the pool.

What it does: Progressive, tranched liquidation to prove value through real sales, not opinions. Sell 5-10% of assets per tranche, recenter AMM to clearing price, reopen trading under flow caps, test if market accepts the new mark. Repeat until convergence or full liquidation.

The wind-down loop (deterministic):

1. Auction tranche: Sell 5-10% of pool assets; assets transfer to winners (real purchases)
2. Recenter AMM: Update mark to $P^*_i$, reposition protocol LP
3. Reopen trading: 48-72h observation window under flow caps and temporary fees
4. Check stop criteria: Price convergence (<3-5% drift)? Liquidity restored? Cash buffer adequate (20-30%)?
   • YES → Stop wind-down, return to normal ops (75-90% of assets remain)
   • NO → Next tranche

Stop criteria (halt if ANY met):

• Convergence: Last 2-3 tranches' prices differ by <3-5%
• Liquidity: On-chain depth/volume restored
• Cash buffer: USDC reserves ≥20-30% of remaining pool value
• Governance affirmation

Key distinctions:

• Assets transfer: Unlike CONFIRM/RECENTER, winners' bids become binding purchases
• High fees: 5-10% (custody, logistics, legal) apply only to wind-down sales
• Most stop early: Typically 10-25% sold over 2-4 tranches proves price, remaining 75-90% stays in pool
• Full liquidation rare: Only if no convergence after extended tranching

Example: First auction shows $\Delta = 220$ bps. Second auction 72h later confirms. Sell 10% tranche → prices stabilize at $P^*_1 = P_0 - 180$ bps. Second tranche clears at $P^*_2 = P_0 - 175$ bps (3% convergence). Stop criteria met. Pool continues with 80% of assets + $18M USDC reserves.

See WIND-DOWN for complete mechanics.

---

INCONCLUSIVE: auction wasn't credible

Sometimes an auction runs and clears with what looks like a significant deviation, but when you examine the details, there's no there there. Maybe bids were wildly dispersed—nobody agreed on what price made sense. Maybe one whale dominated the entire book, making it less "price discovery" and more "one entity's opinion with capital." Maybe only one or two bidders showed up, so you don't have competitive consensus.

These validity checks exist because an auction can produce a number without producing truth. If the standard error is too high, the confidence is too low, or the participation is too thin, we can't trust the result—even if the clearing price looks dramatically different from the current mark. Better to say "this auction was inconclusive, try again with better participation" than to move the mark based on unreliable data. The caller pays a light penalty to cover operational costs, but doesn't get fully slashed like they would for a false CONFIRM.

Trigger: Validity checks fail even if $t$ or $\Delta$ look significant. Specifically:

• $SE > SE_{\max}$ (dispersion too high, no consensus)
• $H > H_{\max}$ (concentration too high, sybil/collusion risk)
• $M < M_{\min}$ (too few distinct counterparties)

What happens:

• Keep current mark $P_0$ (no change)
• No asset transfers
• Light caller penalty: Fixed fee $F_0$ only ($7,500) to cover ops
• No rebates paid
• Cooldown before next auction attempt

Why this exists: An auction can clear with large $\Delta$ but still be uninformative if:

• Bids are too dispersed (market has no consensus)
• One whale dominates (no competitive price discovery)
• Only 1-2 bidders filled (thin participation)

Example: Auction clears 180 bps below current mark, but $SE = 45$ bps (threshold is 25 bps) and one entity filled 70% of notional. Result: INCONCLUSIVE. Caller pays $7,500, mark unchanged, try again with better participation.

See Statistical Confidence for threshold calibration.

---

Outcome summary table

Quick reference for all four outcomes:

Outcome	Trigger	Mark Change	Assets Transfer	Caller Bond	Rebates	Next Steps
CONFIRM	$t < t^*$ (healthy)	None	❌ No	Slashed (convex)	❌ None	Pool continues normally
RECENTER	$t \ge t^*$ AND $\|\Delta\| < \varepsilon_2$ (moderate)	→ $P^*$	❌ No (V1)	Refunded	✅ Yes ($R$ distributed)	Mark reset, flow caps, temporary fees
WIND-DOWN	$\|\Delta\| \ge \varepsilon_2$ (severe, confirmed)	→ Progressive liquidation	✅ Yes (tranches)	Refunded	Varies	Sell tranches until stable or full exit
INCONCLUSIVE	Validity checks fail ($SE$, $H$, $M$ thresholds)	None	❌ No	Light penalty ($F_0$ only)	❌ None	Cooldown, try again

Critical distinction: CONFIRM, RECENTER, and INCONCLUSIVE are informational (price discovery only) in V1. WIND-DOWN is executional (assets actually sold). V2+ adds micro-settlement to RECENTER for stronger skin-in-the-game.

---

Why this works: three layers of defense

At this point you might be thinking: "Okay, this is a clever mechanism, but what actually stops someone from gaming it?" It's a fair question. Any pricing system that can move multi-million dollar marks becomes a target for manipulation. Derivatives traders who'd profit from moving the reference price, short sellers who want to trigger death spirals, or just opportunists looking to exploit edge cases.

The answer is that the mechanism doesn't rely on one clever trick—it relies on three interlocking properties that make manipulation expensive, detectable, and ultimately self-defeating. Capital-based truth means attackers can't just spam fake signals—they have to put real money at risk. Statistical robustness means random noise doesn't trigger action—you need signal strength. And the manipulation detection layer means even if you somehow bypass the first two, the cost of persistent manipulation is prohibitive.

Let's break down each layer.

The mechanism achieves capital-based truth through three interlocking properties.

1. Capital-based truth, not opinions

No cheap talk: Oracles, appraisals, and external feeds don't move the mark. Only actual capital deployed to buy actual assets (or credible commitment via micro-settlement in V2+) creates price discovery.

Skin in the game: In WIND-DOWN, bidders receive real assets at their bid price. If they overpay to manipulate, they own overpriced assets. In RECENTER with micro-settlement, bidders face 5-10% probability of taking delivery—enough to make fake bids costly.

Capital-based truth is objective: If bidders put $10M on the table for an asset at price $P^*$, that's what it's worth—not what someone's spreadsheet says.

2. Statistical robustness prevents noise from moving marks

Confidence-driven decisions: High standard error $SE$ prevents action when market has no consensus. The auction itself provides both the estimate ($P^*$) and its confidence ($SE$)—no second verification needed.

Scaled matched-notional floor: Big claimed moves require deeper books. If you claim the pool is off by 200 bps, you need to marshal proportionally more capital than a 40 bps claim.

Concentration guards: Counterparty aggregation and Herfindahl checks prevent one whale or small cabal from dominating. $M \ge 3$ distinct entities and $H \le 0.45$ ensure competitive price discovery.

3. Manipulation is expensive and detectable

Caller penalty is convex: Triggering auctions when the pool is healthy costs $7.5k-$30k depending on how wrong you were. Repeated frivolous calls burn capital fast.

Double attack surface: To move the mark persistently, you must manipulate both auction bids AND on-chain spot liquidity. Spot trading continues between auctions and immediately tests whether the new mark is credible. If spot drifts away from $P^*$, the next auction will catch it.

Settlement risk: In V2+ micro-settlement and WIND-DOWN, attackers face real inventory risk. Push the price down to hurt shorts? You might have to buy assets you don't want. Push it up to pump derivatives? You're paying above fair value and getting randomly selected for delivery.

Dispersion backstop: Manipulated auctions typically show high $SE$ (you can't coordinate many bidders tightly without raising red flags). Result: INCONCLUSIVE, no mark change, attacker wasted gas and bonds.

---

Default parameters

Mechanism design is useless without concrete numbers. You can have the most elegant incentive structure in theory, but if you set the caller bond too low, you get spammed with frivolous auctions. Set it too high, and nobody can afford to trigger legitimate challenges. Same with every threshold—too tight and the system becomes overly sensitive to noise, too loose and it can't catch genuine mispricings.

These parameters are the protocol's immune system calibration: sensitive enough to detect real problems, robust enough not to overreact to every market fluctuation. The values below are starting points for a $100M pool, scaled and adjusted based on asset class volatility, liquidity depth, and operational constraints. They're not magic numbers—they're educated guesses that get refined as real data rolls in. But they need to start somewhere, and these are defensible defaults based on what we know about RWA market microstructure and auction dynamics.

Reasonable starting values for a $100m pool:

Parameter	Value	Purpose
Sampling
Min sample size $k_{\min}$	3 lots	Minimum statistical validity
Typical sample size $k$	3-6 lots (adaptive)	Balance statistics with operational feasibility
Min matched notional	1% of pool value	Total $ value of filled bids (prevents tiny auctions)
Stratification parameter $\beta$	0.5-1.0	Lot heterogeneity scaling
Anti-sybil
Min counterparties $M$	3	Prevent single-entity dominance
Single-entity fill cap	40-50%	Cap per-counterparty share
Max Herfindahl $H_{\max}$	0.4-0.5	Concentration threshold
Outcome thresholds
Healthy band $\varepsilon_1$	40 bps	Tolerance for "no change"
Wind-down band $\varepsilon_2$	150-250 bps	Systemic mispricing threshold
Max standard error $SE_{\max}$	25 bps	Required confidence for action
Caller economics
Min caller bond $B_{\min}$	$25,000	Minimum skin in game
Bond coefficient $\alpha$	1 bp of $V$	Pool-scaled bond
Fixed penalty $F_0$	$7,500	Base nuisance fee
Penalty coefficient $\lambda_V$	0.5 bps of $V$ per (30 bps)²	Scaled false-alarm fee
Maker rebates
Rebate pool $R$	0.5-1.0 bp of matched notional	Incentivize tight bidding
Rebate kernel $\delta$	15-25 bps	Width of rebate window
Per-entity rebate cap	25%	Anti-gaming limit
Post-recenter
Flow caps	2-3% of pool per period	Post-recenter flow limits
Cooldown (auction)	48 hours	Time between auctions
Cooldown (recenter)	24-72 hours	Post-recenter settlement period
Entry/exit fee $\xi$	10-20 bps decaying to 0	Temporary post-recenter friction
Wind-down confirmation time $T$	48-72 hours	Time for second auction or governance

---

Comparison to alternatives

Every design choice exists in context. Mark-to-truth auctions aren't the only way to price assets—they're just one approach in a design space with trade-offs. To understand why this mechanism works for RWAs, it helps to see what it's solving against. External oracles are the default answer in DeFi, and continuous spot markets are how most liquid assets get priced. Both have strengths. Both break down for illiquid, unique, real-world assets.

The comparison isn't academic. When you're building a protocol, you need to justify why you're adding operational complexity (running auctions, coordinating bids, managing settlement) instead of just using an oracle feed or trusting spot prices. The answer is that oracles are opinions dressed up as data, and spot markets can stay wrong for extended periods when liquidity is thin. For RWAs, capital-based truth isn't optional—it's the only path to credible pricing.

vs. External oracles

Mark-to-Truth Auctions	External Oracles
Capital-based (actual bids)	Opinion-based (reported prices)
Manipulation requires owning mispriced assets	Manipulation only requires corrupting feed
Works for illiquid/unique assets	Struggles with thin markets
No oracle dependency or attack surface	Trust/centralization assumptions
Self-contained confidence (SE from auction)	No measure of feed reliability
Economic truth (provable on-chain)	Legal truth (trust external source)

Why oracle-free wins for RWAs:

1. Appraisals are subjective: Two experts can value the same rare asset 30% apart. Oracles just pick one opinion.
2. Stale data: Appraisals are done once, maybe annually. Markets move daily.
3. Manipulation surface: Corrupting a feed operator is cheaper than buying actual mispriced assets.
4. Legal complexity: Licensed appraisers, regulatory compliance, jurisdictional issues.
5. Bootstrap problem: How do you price something that rarely trades? Oracles have no answer; auctions discover it.

Capital-based truth is objective: If bidders put $10M on the table for an asset, that's what it's worth—not what someone's spreadsheet says.

vs. Continuous spot market

Mark-to-Truth Auctions	Spot Market Only
Infrequent (only when questioned)	Continuous
Forces price discovery through capital	Can remain mispriced if no arbitrage
Statistical confidence from sample	Single marginal trade sets price
Expensive to trigger frivolously	Can be manipulated cheaply
Random sample (anti-cherry-picking)	Traders may avoid bad lots

The combination: Spot markets provide day-to-day pricing with minimal friction; mark-to-truth auctions are the backstop when spot price loses credibility. Together they form a complete oracle-free pricing system.

---

Implementation priorities

Building this mechanism is like building a bridge: you can't skip the foundation and add decorative railings later if the whole thing collapses under its own weight. Some features are non-negotiable—without them, the mechanism is trivially exploitable or economically meaningless. Others are valuable but can wait—they improve robustness or user experience without fundamentally changing whether the system works.

The key is knowing which is which. Ship too much in V1 and you'll never launch (analysis paralysis, testing complexity, edge cases multiply). Ship too little and you'll get exploited day one, burning reputation and capital. The staged approach below separates "must have for security" from "nice to have for optimization" from "maybe later if anyone cares." Start with the minimum viable defense against gaming, validate the model with real participants, then layer on sophistication as data proves what actually matters.

The mechanism can be deployed in stages, prioritizing non-negotiable features while deferring nice-to-haves:

V1 non-negotiables (must ship)

These are required to prevent gaming:

1. Bond-only trigger + cooldown - Anyone can trigger with flat pool-scaled bond; cooldown between auctions
2. Random PPS sampling - No cherry-picking; VRF-drawn lots within strata
3. Uniform-price sealed auction - Commit-reveal or frozen orders
4. Outcome rule with hard penalties - CONFIRM slashes caller convexly; RECENTER refunds; INCONCLUSIVE light penalty
5. Deterministic recenter hook - Mechanical AMM migration with timelock authorization

V1 strongly recommended (low-medium lift)

Easy wins that significantly improve robustness:

6. Minimum sample/matched size - Enforce $k \geq k_{\min}$ and matched $\geq 1\%$ of pool
7. Min distinct counterparties - Require $M \geq 3$ filled entities
8. Rebates only on RECENTER - No rebate farming in healthy states
9. Simple concentration cap - Single counterparty $\leq 40-50\%$ of fills

Advanced features (nice-to-have)

Can be added in later versions:

10. Counterparty-aggregated SE + entropy check - Full Herfindahl concentration analysis
11. Stratified sampling by acquisition ratio - Improves representativeness for heterogeneous lots
12. Commit-reveal with time-decay - Clean sealed bidding and anti-snipe protection
13. Two-step wind-down - Requires confirmation before full liquidation

External-trust substitutions

If speed is critical, these reduce complexity at the cost of operational trust:

• Allowlist/KYC bidders - Treat each legal entity as one counterparty; simplifies anti-sybil
• Broker RFQ desk - Ensures delivery and best-execution attestations
• Custodian attestation - Confirms sampled lots are deliverable
• Backstop market makers - Contracted participants guarantee minimum liquidity

Important: If using trust substitutions, keep the penalty schedule unchanged (healthy calls still lose money).

---

Open risks and mitigations

No mechanism is bulletproof, and pretending otherwise just means you'll be blindsided when reality deviates from your model. Mark-to-truth auctions are robust under normal conditions—thin liquidity, moderate mispricings, honest but self-interested participants. But there are edge cases and attack vectors where things could break. Some of these are unlikely but catastrophic if they happen. Others are minor annoyances that limit effectiveness without destroying the system.

The responsible thing is to name them explicitly, explain why they matter, and document how the protocol mitigates each risk. None of these are showstoppers—they're manageable with proper parameter tuning, fail-safes, and progressive rollout. But ignoring them would be naive. Real-world mechanisms face real-world adversaries, and the only way to build robustly is to think like an attacker before attackers do it for you.

Homogeneity breaks

Risk: Sudden dispersion across lots makes sample unrepresentative.

Mitigation: $SE$ spikes → INCONCLUSIVE (no action). Stratified minimum: each stratum must appear in sample or increase $k$.

Whale collusion

Risk: Two whales coordinate to dominate auction and fake tight dispersion.

Mitigation: Enforce $M \geq 3$ counterparties and $H < H_{\max}$. For very large pools, consider allow-listed RFQ participants.

Governance capture at recenter

Risk: Malicious governance could abuse recenter hook.

Mitigation: Bind recenter hook strictly to auction contract with timelock. Hook can only execute immediately after RECENTER outcome within short window.

VRF manipulation

Risk: Miner/validator manipulates VRF to influence lot selection.

Mitigation: Use commit-eligible-set before VRF draw. Attackers can't cherry-pick without knowing which lots will be selected. For V1, use custodian-signed draw with public seed; upgrade to VRF later.

Sample size gaming

Risk: Caller triggers with tiny sample to get low $SE$ by chance.

Mitigation: Enforce $k \geq k_{\min}$ (3 lots) and minimum matched notional ($\geq 1\%$ of pool). Penalty schedule makes repeated attempts expensive.

---

Beyond the four outcomes: special cases

Most of the time, the four outcomes (CONFIRM, RECENTER, WIND-DOWN, INCONCLUSIVE) cover every scenario. Pool is healthy? CONFIRM. Moderately mispriced? RECENTER. Catastrophically broken? WIND-DOWN. Auction was noisy? INCONCLUSIVE. Clean, mechanical, comprehensive.

Except when they're not. There are edge cases that fall outside this taxonomy—not because the mechanism is incomplete, but because the real world occasionally presents situations where the standard playbook doesn't quite fit. These aren't common. But when they occur, having a plan matters. Ignoring them means either (a) forcing them into an inappropriate outcome bucket, creating weird incentives, or (b) requiring manual governance intervention every time, which breaks the mechanical purity.

The two special cases below are rare enough that they don't deserve equal billing with the core outcomes, but common enough that the protocol needs explicit rules for handling them.

The four main outcomes (CONFIRM, RECENTER, WIND-DOWN, INCONCLUSIVE) handle most scenarios. But two edge cases need special treatment:

Upside calibration: when undervaluation persists

The problem: Pool is proven undervalued (two strong RECENTER↑ events within 14 days, each with $t \geq 3$), but supply can't keep up. Issuer sourcing takes weeks. External onboarding takes time. Buy-side OI sits unfilled.

The solution: Run a tiny executional auction (1-3% of pool) to cash-prove the mark and rebuild ask-side depth. This is not WIND-DOWN (that's for overvaluation/crisis). This is surgical upside validation when supply response is too slow.

When it triggers: Mechanical thresholds only (two RECENTER↑ + OI sufficiency test fails + issuer ETA too long + ask-side depth thin). No caller discretion. No governance votes.

See Upside Calibration for complete mechanics and trigger conditions.

Why oracle-free pricing needs both directions

Traditional oracles update marks symmetrically (price goes up, mark goes up; price goes down, mark goes down). But oracles are opinions, not capital.

Mark-to-truth uses capital to prove marks in both directions:

• Downside: WIND-DOWN forces real sales when overvalued (progressive liquidation)
• Upside: Calibration forces real sales when undervalued (small one-time auction)

Result: Symmetric capital-based truth. Both moves get validated through actual transactions, not just auction bids.

---

Related reading

Core mechanism pages

• Trigger Conditions - Pre-flight checks and post-clearing validity rules
• Auction Mechanics - How auctions discover $P^*$ and $SE$
• Statistical Confidence - Deep dive on standard error calculation
• Kernel Rebates - Incentivizing tight price discovery

Outcome pages

• RECENTER - Soft reset for moderate mispricings
• WIND-DOWN - Progressive liquidation for severe cases
• Upside Calibration - Small executional sale for persistent undervaluation

Design rationale

• Settlement Models - Why hybrid informational/executional design was chosen

Integration with other systems

• Pricing - How mark-to-truth complements spot pricing
• Minting - How new supply creation respects pool marks
• External Asset Onboarding - How external owners provide responsive supply
• Spot Trading - Day-to-day price discovery mechanism