Intention does not use an external oracle committee. The validator set is the oracle. Every validator that participates in consensus also runs a price observation pipeline, and prices are certified in the same consensus round that commits the transactions that consume them. This is the mechanism behind Price-Transaction Atomicity.

Observation

Each validator subscribes to a set of external venues for each tracked instrument, drawn from a governance-maintained allowlist. A venue on the list may produce prices that count toward validator observations; a venue off the list may not. A venue-diversity requirement at the protocol level obliges each validator to draw observations for a given instrument from multiple independent venues. No single upstream failure can corrupt a validator’s local observation. When preparing to vote on or propose a block, a validator produces a signed observation record carrying its identity, the current round, its observed prices, and its signature.

Stake-weighted median with MAD outlier rejection

Intention aggregates validator price observations using a stake-weighted median with median-absolute-deviation (MAD) outlier rejection. The aggregation is deterministic, verifiable, and produces a single canonical value per instrument per round. The procedure:
  1. Collect observations from at least $2f+1$ stake-weighted validators.
  2. Compute the stake-weighted median to obtain an initial estimate.
  3. Compute the median absolute deviation from that estimate as a robust scale measure.
  4. Reject observations whose deviation exceeds a protocol-fixed multiple of the MAD.
  5. Recompute the stake-weighted median on the retained observations.
The result is the canonical price for that instrument in that block.
MAD is a robust statistic: it tolerates a large fraction of outliers without being pulled by them. Combined with the stake-weighted median — which tolerates up to $f$ of the total stake being Byzantine — this gives the aggregation a well-understood robustness profile.

The error bound

Under the $3f < S$ fault threshold, honest stake strictly exceeds $2S/3$ and therefore dominates any stake-weighted median. A Byzantine coalition holding up to $f$ stake cannot move the stake-weighted median outside the range of honest validator observations. The MAD filter cannot be manipulated to eject honest minorities while the honest majority holds more than $2S/3$. The precise statement: assuming honest observations lie within a band of half-width $\varepsilon$ around the true price, the adversarial post-MAD aggregate lies within a band of half-width $\varepsilon' \leq c \cdot \varepsilon$ for a protocol-bounded constant $c$ that depends on the MAD multiplier. The error is bounded by construction, not by good-faith operator behavior.
The bound is conditional on uncorrelated adversarial behavior. The common-mode failure case — in which many validators independently produce the same wrong answer because they all observe the same upstream venue that published a bad tick — is not covered by the analysis, because MAD filters variance and common-mode error has no variance to filter. The venue-diversity requirement above is the mechanism that defends against this case at the observation layer, upstream of aggregation. The two mechanisms are complementary, not redundant.
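
The five-step procedure and the two cases this section distinguishes (a Byzantine minority versus a common-mode bad tick), as an added Python example that is not Intention's implementation. The MAD multiplier of 3, the lower-median tie rule, the stake-weighted MAD and integer tick prices are assumptions, and the sample observations are constructed.

```python
# Added example, not Intention's code. Prices are integer ticks so every
# validator computes a bit-identical result.
MAD_MULTIPLIER = 3  # assumed; the page only says "protocol-fixed multiple"

def weighted_median(pairs):
    """Lower stake-weighted median of (value, stake) pairs (tie rule assumed)."""
    pairs = sorted(pairs)
    total = sum(stake for _, stake in pairs)
    cumulative = 0
    for value, stake in pairs:
        cumulative += stake
        if 2 * cumulative >= total:
            return value
    raise ValueError("no observations")

def aggregate(observations, total_stake, k=MAD_MULTIPLIER):
    """observations: list of (price_ticks, stake); returns the canonical price."""
    present = sum(stake for _, stake in observations)
    if 3 * present <= 2 * total_stake:          # step 1: need more than 2S/3
        raise ValueError("contributing stake does not exceed 2S/3")
    estimate = weighted_median(observations)    # step 2
    deviations = [(abs(p - estimate), s) for p, s in observations]
    mad = weighted_median(deviations)           # step 3 (stake-weighted, assumed)
    kept = [(p, s) for p, s in observations
            if abs(p - estimate) <= k * mad]    # step 4
    return weighted_median(kept)                # step 5

# Constructed samples, total stake S = 100.
HONEST = [(99_990, 20), (100_000, 25), (100_010, 22)]   # 67 stake
BYZANTINE_HIGH = HONEST + [(150_000, 33)]               # 33 stake lies high
BYZANTINE_LOW = HONEST + [(1, 33)]                      # 33 stake lies low
# 60 stake of honest validators all relay one venue's bad tick.
COMMON_MODE = [(120_000, 60), (100_000, 20), (100_010, 20)]

if __name__ == "__main__":
    for name, obs in [("high", BYZANTINE_HIGH), ("low", BYZANTINE_LOW),
                      ("common-mode", COMMON_MODE)]:
        print(name, aggregate(obs, total_stake=100))
```

With 33 of 100 stake lying high or low, the result stays at 100000, inside the honest range. In the common-mode sample the bad tick carries 60 stake, the MAD collapses to 0, and the two correct observations are the ones rejected.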

In-consensus certification

After computing the aggregate, the block leader combines it with an aggregate signature over the contributing validators’ observations to form a price quorum certificate, identifying which validators contributed via a stake bitmap. The price quorum is embedded in the block proposal so that it is covered by the block hash and, therefore, by the $2f+1$ signatures that commit the block. When validators verify a block proposal in the prepare phase, they check:
  • The aggregate signature is valid for the claimed contributors.
  • The combined stake of contributors strictly exceeds $2S/3$.
  • The aggregate is the correct output of the aggregation rule applied to the contained observations.
  • The observations are recent within a protocol-defined staleness bound.
  • The leader’s own observations are consistent (within MAD bounds) with the aggregate — a sanity check that prevents a faulty leader from fabricating contributions.
If any check fails, the validator withholds its vote, and the pacemaker eventually triggers a round change. The price quorum is therefore a precondition for block commitment, not an optional attachment.
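
The stake, staleness and recomputation checks from the list above, as an added Python example that is not Intention's code. The certificate layout, the `aggregate_fn` parameter, the `middle_price` stand-in and the rule that the bitmap must match the embedded observations are assumptions; signature verification and the leader-consistency check are not modelled, and the sample data is constructed.

```python
# Added example, not Intention's code; all field and function names are assumed.
from collections import namedtuple

# bitmap: bit i set => validator i contributed
# observations: validator index -> (price_ticks, observed_round)
# aggregate: price claimed by the leader
PriceQuorum = namedtuple("PriceQuorum", "bitmap observations aggregate")

def check_price_quorum(qc, stakes, current_round, max_age, aggregate_fn):
    """Return the list of failed checks; an empty list means "may vote".
    aggregate_fn stands for the protocol's aggregation rule over
    (price, stake) pairs."""
    contributors = [i for i in range(len(stakes)) if (qc.bitmap >> i) & 1]
    # The bitmap must name exactly the validators whose observations are embedded.
    if qc.bitmap >> len(stakes) or set(contributors) != set(qc.observations):
        return ["bitmap/observation mismatch"]
    failures = []
    present = sum(stakes[i] for i in contributors)
    if 3 * present <= 2 * sum(stakes):   # integer form of "strictly exceeds 2S/3"
        failures.append("insufficient stake")
    rounds = [r for _, r in qc.observations.values()]
    if any(r > current_round or current_round - r > max_age for r in rounds):
        failures.append("stale observation")
    # Recompute from the embedded observations; never trust the claimed value.
    pairs = [(qc.observations[i][0], stakes[i]) for i in contributors]
    if not pairs or aggregate_fn(pairs) != qc.aggregate:
        failures.append("aggregate mismatch")
    return failures

def middle_price(pairs):
    """Stand-in rule for the demo only: unweighted middle element."""
    return sorted(p for p, _ in pairs)[len(pairs) // 2]

# Constructed data: four validators, S = 100, observations from rounds 41-42.
STAKES = [30, 30, 30, 10]
GOOD = PriceQuorum(0b0111,
                   {0: (100_000, 42), 1: (100_010, 42), 2: (99_990, 41)},
                   100_000)

if __name__ == "__main__":
    print(check_price_quorum(GOOD, STAKES, 42, 2, middle_price))
    print(check_price_quorum(GOOD._replace(aggregate=100_010), STAKES, 42, 2,
                             middle_price))
```

The threshold is compared in integers so that a contribution of exactly two thirds of the stake fails, as the strict inequality requires.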

Price-aware leader eligibility

A validator is eligible to propose a block only if it can demonstrate valid price observations for the current round. PTA is therefore not merely an execution-layer property — it is a precondition of block production. Over time this could concentrate leadership toward validators with premium market-data feeds. Intention mitigates that concentration through three mechanisms: robust aggregation bounds the influence of any single venue on the certified price, venue diversity at the protocol level closes the concentration path, and graceful-degradation mode — with staleness bounds surfaced on the Verifiable Execution Stream — lets the chain continue producing blocks when fresh observations from enough validators are unavailable, while risk operations widen their thresholds in proportion.

Index vs mark price

The certified aggregate from this pipeline is the index price — the canonical external observation. The mark price used by the risk engine is derived from the index via a median-based combination of the index, EMA-smoothed candidates, and the on-chain book mid. See Risk-Native Semantics for the construction. Both prices are protocol state; neither is an external oracle read.