Lesson 26 · Oracle / NAV Discovery · Discovery Internals

How a token learns its price feed

The upstream L20 left open: where value_defining_oracle comes from. ~13 min.

Builds on: L20 · L25 · L24 Anchor: Chainlink feeds, RWA treasuries New: registry symbol-binding New: cross-source safety net

L20 hinged on a node attribute: T.attrs.value_defining_oracle. "If this marker is set," we said, "a bad NAV drains the whole supply." But we never asked the obvious question: how does the system know USTBL's price is set by a particular Chainlink feed in the first place? Nothing on-chain says "this token trusts that oracle." This lesson is the subsystem that figures it out — binds the token to its feed, prices it, and stamps the marker L20 depends on.

Your anchor: tokenized treasuries & Chainlink NAV feeds

RWA tokens — BUIDL, USTBL, WTGXX, ACRED, mTBILL — aren't priced by a market. Their price is a net asset value published by an off-chain administrator to a Chainlink feed (a "NAVLink" feed). The token contract reads that feed to value itself. You already know the Chainlink shape: a stable proxy in front of a swappable aggregator, exposing latestRoundData(). Discovery's job is to connect "this token" ↔ "that feed" with zero on-chain link to follow.

1 · The binding problem

There's no oracle() getter on these tokens pointing at the feed. So the NAVLinkRefresher (navlink_refresher.go) bridges the gap the same way a human would — by symbol:

Chainlink registryCDN feed list, symbol-keyed

∩

focus tokensby symbol (Memgraph)

→

candidate binding(token, feed)

→

read + validatelatestRoundData()

→

stampprice + oracle + edge

It fetches Chainlink's published feed registry, loads focus tokens keyed by symbol from the graph, and intersects them (matchBindings — a pure function). A feed whose Symbol matches a focus token's symbol becomes a candidate binding. If a symbol matches several feeds (or vice versa), all combinations are produced — the binding isn't trusted yet.

2 · From whitelist to cross-source — a design evolution worth studying

Symbol-matching is fuzzy: a registry update adding a wrong-symbol feed could auto-bind and stamp a wrong price. How do you trust a binding? The answer changed, and the why is instructive:

	Old: Redis whitelist gate	New: cross-source check (`validateCrossSource`)
How	An operator manually confirms each (token, feed) binding in Redis before it stamps.	If an independent price (`defillama` / `known_peg`) exists and diverges past tolerance, reject the stamp. Else accept.
Cost	Manual curation per binding — onboarding an RWA needs a human.	Zero curation — onboarding is just registering the focus token.
Failure	—	Fail-open on read error or no independent signal (the steady state for most RWAs) — trust NAVLink.

The trade-off, named explicitly

Dropping the whitelist trades guaranteed correctness for zero-touch onboarding. The residual risk — a plausible-but-wrong binding with no independent price to catch it — isn't ignored; it's pushed to a separate verifier (NavlinkFreshnessVerifier, part of the chainref quality harness from L23) that alarms when an ORACLE_DEP edge exists but the bound token's price is missing/stale. This is the system's recurring shape: move the check out of the hot path and into an independent monitor. Every discovered binding is also SADD'd to navlink-bindings:{chain} as a durable operator audit trail.

3 · Reading the feed (the EVM details that matter)

For each confirmed binding, three RPCs read the feed (navlink_chain.go): aggregator(), latestRoundData(), decimals(). Three decisions are worth your attention:

Bind to the PROXY, not the aggregator. Chainlink admin can repoint the aggregator behind the proxy; the proxy is the stable identity, so the oracle node and ORACLE_DEP reference it.
Staleness gate. If updatedAt is older than the threshold, skip the stamp and count it (navlink.feeds.stale) — a stale NAV is worse than no NAV. Defensive decoding even handles a (hypothetical) negative answer rather than silently mangling it.
decimals() is 8 for NAVLink feeds; NavlinkPriceUSD(answer, decimals) scales the raw int256 to USD.

The admin angle — closing the loop with L25

// ReadNavlinkProxyOwner — the on-chain admin who can publish arbitrary NAV
owner := callOwner(proxy)   // owner(), NOT accessController()

Why owner() and not accessController()

An empirical investigation (the pre-deploy verification step) found the Chainlink accessController gates reads — and NAVLink feeds are designed to be publicly readable, so that gate is wide open and useless as an admin signal. The real power — publishing the NAV — lives at owner() on the proxy (often a Chainlink ops multisig). That one key is the admin that L20's value-defining oracle cells attribute the whole supply to, and (per L25) if it's a Safe, L22 fans it out to signers. Discovery here feeds admin discovery there.

4 · The write-back — and what it sets in motion

writeStamps emits one idempotent graphwrite per cycle:

MATCH (t:Entity {id:$tok, graph_id:$g})        // MATCH not MERGE — never stub a delisted token
MERGE (o:Entity {id:$proxy, graph_id:$g})       // the oracle node = the feed PROXY
SET t.usd_price=$p, t.usd_price_source='navlink', t.price_updated_at=$ts
MERGE (t)-[:ORACLE_DEP]->(o)                    // the dependency edge L20's eligibility reads

Two things follow, and both connect to lessons you've done:

The marker L20 needs. This binding + the ORACLE_DEP edge + the stamped price are exactly what make a token a value-defining-oracle target — the trigger emitValueDefiningOracleCells fires on.
A price-dirty ripple (L24). After publishing, it SADDs the token to price-dirty:{chain}, so the PriceDirtyDrainer recomputes every HOLDS edge's USD value at the new price — the refresher pattern from L24, feeding the dollars L19–L21 consume.

L20's one unexplained input is now explained

The chain is whole: registry symbol-match → cross-source-validated binding → read the NAV off the proxy → stamp usd_price + ORACLE_DEP + discover the proxy owner() as admin → that's the value_defining_oracle L20 attacks, priced by a feed whose owner L25 attributes, refreshing USD values per L24. Idempotent MERGE+SET write-back, replay-safe — the L9 discipline again.

Check yourself

1. How does the NAVLinkRefresher connect a focus token to its Chainlink NAV feed, given no on-chain link exists?

2. Why was the Redis whitelist gate replaced by the cross-source check?

3. validateCrossSource finds NO independent price (defillama/known_peg) for a token. It…

4. Why does the oracle node reference the feed PROXY rather than the underlying aggregator?

5. A feed's updatedAt is older than the staleness threshold. The refresher…

6. The on-chain admin of a NAVLink feed is read via owner(), not accessController(). Why?

7. The discovered proxy owner() matters downstream because…

8. After stamping the price, the refresher SADDs the token to price-dirty:{chain}. What does that trigger?

↳ Ask your teacher

Try: "Show me NavlinkPriceUSD and how int256 + 8 decimals becomes USD." · "What exactly does the NavlinkFreshnessVerifier alarm on?" · "How does the Oracle Bridger turn this ORACLE_DEP into per-market eligibility (L20)?" · "Walk the source-priority race between navlink and defillama stamps." · "What's the registry CDN, and what happens when it's down?"

What you can now do

Explain the binding problem: no on-chain link from RWA token to NAV feed, solved by registry symbol-matching.
Contrast the old whitelist gate with the cross-source check, and articulate the curation-vs-correctness trade-off + the verifier safety net.
State why discovery binds the proxy (not the aggregator), how the staleness gate works, and why owner() (not accessController()) is the admin selector.
Describe the idempotent write-back (MATCH token, MERGE oracle + ORACLE_DEP, SET price) and the price-dirty ripple.
Connect this to L20 (it stamps value_defining_oracle), L25 (the owner becomes the attributed admin), L24 (price refresh), and L23 (the verifier).

Discovery subsystem — three lessons deep, and it now wraps around the risk engine

L24 (flywheel) → L25 (who controls a token) → L26 (how a token is priced & bound to its oracle). Between them, you can trace every input the at_risk engine consumes — addresses, admins, severities, prices, oracle edges — back to the on-chain probe that produced it.

← PreviousLesson 25 · Admin-Role Discovery · Discovery Internals Next →Lesson 27 · The Oracle Bridger · Discovery Internals

Grounded in: pkg/enrichment/navlink_refresher.go (NAVLinkRefresher registry symbol-binding, matchBindings, validateCrossSource + the whitelist→cross-source pivot, readAllFeeds staleness gate, writeStamps MATCH-token/MERGE-oracle/ORACLE_DEP/price + price-dirty SADD, recordDiscoveredBindings audit trail), pkg/enrichment/navlink_chain.go (ReadNavlinkLatestRound/ReadNavlinkDecimals/ReadNavlinkProxyOwner = owner() not accessController, proxy-not-aggregator). Verify against source — the code is the truth.