Introduction to Oracles
Blockchains are based on virtual machines - closed environments where smart contracts are securely and deterministically executed. While great for security, virtual machines introduce huge limitations to how blockchain programs operate - they can only consume information created, or passed within, the virtual machine.
This fundamentally puts constraints on what use-cases can or cannot be put onchain. Since the majority of financial operations require some kind of input from the outside world (for example, the price of an asset aggregated across all chains and markets), DeFi developers came up with the concept of oracles.
Oracles are simple 'bridges' that allow authorized entities to stream state updates from the outside world onto a blockchain. Funny enough, oracles are the same smart contracts executed in the virtual machine - updates are simply passed as inputs to the smart contract execution, which saves them in an on-chain account for other smart contracts to consume.
Most oracles operate on trust and/or verifiability. First, maintainers of the oracle (data feed) must find a trusted data provider. The assumption is that providers will not provide malformed data. Secondly, consumers of the oracle are assuming the maintainer of the data feed is honest (and hierarchically, they also have to trust the data provider). The assumption is that the maintainer is not performing any changes to the data received from the data provider.
The trust assumptions between consumers and data feed can be avoided by using simple digital signatures. Data providers holding a private key can sign the state update and publish it. Then, consumers, knowing the provider's public key, can easily verify the signature. If the signature is invalid, they can simply reject the update and halt the execution.
The trust assumption between data provider and data feed can also be avoided by decentralizing the set of data providers and enforcing some kind of consensus (adding latency) or by using more sophisticated algorithms to determine the fair price (like TWAP, preventing single state updates from influencing the fair price). Most data providers use these two features simultaneously, and it seemingly works.
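To make the TWAP point concrete, here is an added example (not code from Totem or from any oracle project) that computes a time-weighted average over a window and shows how little a single short-lived outlier update moves it. The `Update` struct, the 6-decimal fixed-point prices and the sample feed are assumptions constructed for illustration.

```rust
/// One oracle update: `price` (fixed-point, 6 decimals, assumed) became current at `ts` (seconds).
#[derive(Clone, Copy)]
pub struct Update { pub ts: u64, pub price: u64 }

/// Time-weighted average price over [now - window, now].
/// Each price is weighted by how long it was the current value inside the window.
/// `updates` must be sorted by `ts`. Returns None when the window is empty, starts
/// before time zero, or is not fully covered by known prices.
pub fn twap(updates: &[Update], now: u64, window: u64) -> Option<u64> {
    let start = now.checked_sub(window)?;
    if window == 0 { return None; }
    let mut weighted: u128 = 0;
    let mut covered: u64 = 0;
    for (i, u) in updates.iter().enumerate() {
        // A price is current from its own timestamp until the next update (or `now`).
        let end = updates.get(i + 1).map_or(now, |n| n.ts).min(now);
        let begin = u.ts.max(start);
        if end > begin {
            weighted += u.price as u128 * (end - begin) as u128;
            covered += end - begin;
        }
    }
    // Refuse to answer rather than average over a gap in the feed.
    if covered != window { return None; }
    Some((weighted / window as u128) as u64)
}

/// Constructed sample feed: a steady price of 100.0 with one outlier of 500.0
/// that is the current value for only 12 seconds.
pub fn sample_feed() -> Vec<Update> {
    vec![
        Update { ts: 0, price: 100_000_000 },
        Update { ts: 3_540, price: 500_000_000 },
        Update { ts: 3_552, price: 100_000_000 },
    ]
}

fn main() {
    // A consumer reading the latest value at ts 3_550 would see 500.0;
    // the one-hour TWAP at ts 3_600 stays close to 100.0.
    println!("{:?}", twap(&sample_feed(), 3_600, 3_600));
}
```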
The model of data feeds I just described works great for simple, hard-schemed data - like prices which are always decimal-point numerical values. However, the problems start to grow when a smart contract needs to consume more sophisticated data. A known use case for this is prediction markets. Prediction markets are smart contracts that enable participants to bet on a future statement being true or false.
There are at least two problems associated with settlement of prediction markets:
Unstructured data - most prediction markets are simply bets on a statement being true or false. Sentences are unstructured data, so it's hard to build an effective data pipeline for their settlement.
Lack of trusted data providers - in most cases, there's no objective source of truth for arbitrary statements. One would argue media is a trusted data provider, but it's prone to political and economic manipulation.
Introduction to Totem
Totem is a decentralized protocol designed to fix these issues. By taking a governance-driven approach, Totem is building a system allowing for determining the validity of arbitrary statements and providing a simple data pipeline that allows for consumption of the result.
Design
Totem is made of two components - the protocol, in the form of smart contracts deployed on the Solana mainnet, and the DAO - a decentralized organization governed by futarchy, providing security to the system and acting as the objective arbiter of truth.
The Totem protocol is a smart contract allowing any party to submit a data request. The data requested must be a statement with a binary outcome - it has to turn out either true or false in the future. Again, examples of such statements could be prediction markets, like 'Kamala Harris won the 2024 presidential elections in the USA'. The request for such a statement would be 'Who won the 2024 presidential elections in the USA?'
The data request is publicly visible. To the request, the requesting party must attach a fee. The only requirement for the fee is that it's nonzero, but no exact value is enforced. Totem protocol is market-driven, and the assumption is the market will determine a fair price for truth.
The fee acts as an incentive for the DAO to provide a valid response to the request as fast and as honestly as possible. The full mechanism behind the incentive will be explained later in this paper, but for now assume it to be true.
Since the data request is publicly visible, anyone is allowed to submit a statement as a response to that request. Due to that, multiple statements can be submitted for one request.
After a statement is submitted, it is publicly visible on-chain & announced in the DAO's communication channels, for all members to acknowledge. By design, the protocol optimistically assumes all submitted statements to be true. This is a design choice derived from the game theory assumption that most submitted statements will be true, since it's not economically viable to submit false statements.
While the protocol assumes a statement to be true, the statement undergoes a 24-hour challenge period. During this time, any DAO participant is allowed to submit a dispute against a submitted statement. Like data requests and statements, disputes are public. Unlike the many-to-one relationship between statements and a request, only one dispute per statement is allowed. This design is a logical result of the fact that all statements submitted to the protocol must have binary outcomes. Only one dispute is necessary to flag a true statement as false and vice versa. Even though a statement could theoretically contain multiple sub-statements, only some of which are false, the protocol only focuses on the total outcome.
Totem protocol takes a governance-driven approach to dispute settlement. Whenever a statement is disputed, the protocol initializes a new futarchic market using the MetaDAO smart contract. The market is live for 24 hours, and all TotemDAO members are allowed to trade their conditional $TTM tokens on the platform. If the dispute market passes, the dispute is settled as true (statement is settled as false). If the dispute market fails, the dispute is settled as false, settling the statement as true. In total, the challenge period and the dispute market (if live) should settle any arbitrary statement under 24 hours.
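The request, statement and dispute rules described above can be modelled as a small state machine. This is an added sketch, not Totem's on-chain program: the type and function names are hypothetical, the dispute market's result is passed in as a plain boolean, and it assumes the market's 24 hours start when the dispute is filed.

```rust
pub const CHALLENGE_SECS: u64 = 24 * 3600; // challenge period stated on the page
pub const MARKET_SECS: u64 = 24 * 3600; // dispute market lifetime stated on the page

#[derive(Debug, PartialEq)]
pub enum Error { ZeroFee, AlreadyDisputed, ChallengeClosed }

pub struct Statement { pub submitted_at: u64, pub disputed_at: Option<u64> }
pub struct Request { pub fee: u64, pub statements: Vec<Statement> }

impl Request {
    /// The only rule on the fee is that it is nonzero.
    pub fn new(fee: u64) -> Result<Self, Error> {
        if fee == 0 { return Err(Error::ZeroFee); }
        Ok(Request { fee, statements: Vec::new() })
    }
    /// Anyone may answer, so one request holds many statements. Returns the index.
    pub fn submit(&mut self, now: u64) -> usize {
        self.statements.push(Statement { submitted_at: now, disputed_at: None });
        self.statements.len() - 1
    }
}

impl Statement {
    /// At most one dispute per statement, and only inside the challenge period.
    pub fn dispute(&mut self, now: u64) -> Result<(), Error> {
        if self.disputed_at.is_some() { return Err(Error::AlreadyDisputed); }
        if now >= self.submitted_at + CHALLENGE_SECS { return Err(Error::ChallengeClosed); }
        self.disputed_at = Some(now);
        Ok(())
    }
    /// Some(true) / Some(false) once the statement is final, None while pending.
    /// `market_passed` is the dispute market result, None while the market is live.
    pub fn settled(&self, now: u64, market_passed: Option<bool>) -> Option<bool> {
        match self.disputed_at {
            // Undisputed: the optimistic assumption becomes final.
            None if now >= self.submitted_at + CHALLENGE_SECS => Some(true),
            // Disputed: market passes -> statement false; market fails -> statement true.
            Some(t) if now >= t + MARKET_SECS => market_passed.map(|passed| !passed),
            _ => None,
        }
    }
}

fn main() {
    let mut req = Request::new(1).unwrap();
    let i = req.submit(0);
    req.statements[i].dispute(23 * 3600).unwrap();
    println!("{:?}", req.statements[i].settled(47 * 3600, Some(true)));
}
```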
Security
The security of the system is driven by game theory. Totem DAO allows markets to determine the fair fee that data requesters are willing to pay to the DAO. It's important to acknowledge that the payment they make is not just for the statement, but primarily for the guarantees of the statement being settled honestly. DAO members voting in the futarchic markets have an incentive to dispute and vote on disputes truthfully, since it builds trust for the DAO and increases future DAO cashflows.
Security of the TotemDAO works in a closed loop. Statements being settled honestly build the trust in the DAO, which drives more requests and more fees to the system. More fees to the system increases the DAO's cashflow, driving the growth of DAO valuation. Growth of the DAO valuation (simply: governance token price) makes the cost of a governance attack higher.
The cost of a governance attack increases for two reasons:
It becomes gradually more expensive to purchase enough governance tokens to imbalance the dispute market over a set threshold.
Participants of the TotemDAO are financially incentivized to be active and honest in the DAO, since the system is now worth more.
It is important to mention that oracles are infrastructure with a critical impact on the systems they secure. If TotemDAO allowed a false statement to be settled as true, it would likely break the trust and bring future protocol cashflows to zero, and the governance token valuation would follow. One could say TotemDAO is always one bad statement away from collapse.
The biggest vulnerability, not only in Totem but in oracles in general, is the fact that they secure more value than they are worth themselves. For example, the Pyth Network - one of the biggest oracle infrastructures in all of crypto - is only worth $1.36 billion as of the day of writing this piece, while it secures $4.740 billion of value according to VanEck. If Pyth were decentralized, this 3.5x gap in valuation would create a space for relatively easy economic attacks on Pyth systems.
This raises a question - how much value can TotemDAO secure for it not to be an easy target for economic attacks? This is very hard to estimate and heavily depends on the DAO participants. We could copy the model from traditional stock markets and assume that TotemDAO valuation is 10 years' worth of its current cashflows. Since DAO cashflows are dependent on the fees paid by requesters of the data, this acts as an incentive for requesters to pay higher fees, as it increases the valuation of Totem and therefore increases security of the settlement of the requested statement.
Conclusion
Totem is exploring a market governance-driven approach to building an objective source of truth on-chain. While still in development, we are actively looking for feedback and contributions. If you're interested in exploring Totem, feel free to reach out.
We are building in public and Totem code is fully open source. You can explore the repository at GitHub. The web app is currently in development. You can see the draft on totem.wtf.
We're planning to launch on Solana Mainnet in Q2, 2025. Stay tuned for more announcements.