BlackHart
Scores/Circle CCTP/Provenance/Oracle Integrity
D3

Oracle Integrity

Oracle architecture, manipulation resistance, staleness protection, fallback mechanisms, and feed redundancy.

Weight 13% · 78% confidence
55
Moderate

How This Score Is Built


+23 Strong positive
+12 Positive
+5 Slight positive
−15 Strong negative
−8 Negative
−3 Slight negative

Scoring Tree

BRI Formula
300 + 700 × ∏(Dᵢ/100)^wᵢ
680
Current BRI
D3 Oracle Integrity
Weight 13%
55
(55/100)^0.13 = 0.9252
Contributing Factors
+14 CCTP's effective 'oracle' is Circle's OFF-CHAIN attestation service: MessageTransmitterV2.receiveMessage() mints native USDC only if it verifies attester signatures — the attester key set is a de facto mint authority
+14 Live signatureThreshold=2 (TWO attesters must sign) — confirmed on-chain for both V1 and V2; this is the strongest mitigation and is why D3 is scored above the prior combined-baseline assumption of threshold=1
+14 _verifyAttestationSignatures enforces attestation length == signatureLength * threshold, strictly-increasing attester-address ordering (no duplicate-signer replay), and enabled-attester membership
+14 RAISED from combined baseline 60 (single-sig assumption); now scored separately as a bridge property at 55 with HIGHER confidence (78) because the 2-of-2 live config was read directly from chain
-45 Centralized attestor remains a TRUST assumption, not a cryptographic safety guarantee: if 2 attester keys are compromised or the service signs a malicious message, unbacked USDC is minted on the destination chain
Evidence Sources
blackhart_analysis · May 30 · sha256:d4bb2388b5e3....

Score Composition

-45

Centralized attestor remains a TRUST assumption, not a cryptographic safety guarantee: if 2 attester keys are compromised or the service signs a malicious message, unbacked USDC is minted on the destination chain

Strong negative
+14

CCTP's effective 'oracle' is Circle's OFF-CHAIN attestation service: MessageTransmitterV2.receiveMessage() mints native USDC only if it verifies attester signatures — the attester key set is a de facto mint authority

Strong positive
+14

Live signatureThreshold=2 (TWO attesters must sign) — confirmed on-chain for both V1 and V2; this is the strongest mitigation and is why D3 is scored above the prior combined-baseline assumption of threshold=1

Strong positive
+14

_verifyAttestationSignatures enforces attestation length == signatureLength * threshold, strictly-increasing attester-address ordering (no duplicate-signer replay), and enabled-attester membership

Strong positive
+14

RAISED from combined baseline 60 (single-sig assumption); now scored separately as a bridge property at 55 with HIGHER confidence (78) because the 2-of-2 live config was read directly from chain

Strong positive

Evidence Chain (1 file)

BlackHart Analysis · May 30, 2026, 05:10 AM
sha256:d4bb2388b5e3...

Score History

No dimension-level score changes recorded yet.

Methodology: 2.1 · Formula: 1.1 · Weights: 1.1