By design, Solidity smart contracts have no access to the outside world. No file uploads, no API calls, no database queries. A huge limitation, known to every Solidity developer.
Fortunately, the web3 space has come up with a remedy. Oracles allow smart contracts to access external data. Recently, there has been a lot of hype around the new kid on the block - Web Proofs (also known as zkTLS). How do the two solutions differ? Could Web Proofs replace Oracles?
The two approaches are quite different, so let's first explore how each works before comparing them in detail.
Most Oracles, like those from Chainlink or Redstone, provide price feeds for DeFi protocols. Decentralized lending platforms like Aave wouldn't be possible without them. While pricing feeds are their main use case, it's not the only one. Other popular uses include verifiable random number generators and APIs for proving reserves, ETF prices, and even meteorological data. The common thread across all Oracles is their ability to access public data.
A sample flow for getting access to public data from a smart contract looks something like this:
The steps above seem simple, but there is more to it than meets the eye. Developers must ask themselves what would happen if a single Oracle or its data source were compromised? Such attacks are inevitable - when real money is involved, bad actors will always try to break the bank. Imagine the damage that can be done if an oracle provides false or manipulated data to smart contracts that cannot be stopped or easily replaced.
Any failure or fraudulent behavior by the oracle can result in significant financial loss to the DeFi protocols and the customers who use them. That's why Oracle operators run a network of nodes that retrieve redundant data. The final feed is based on a consensus of multiple inputs. Statistical methods, such as finding the median or average, can be used to ensure that no single data provider can manipulate the data feed.
In addition, operators can be required to deposit tokens as collateral. If an oracle provides incorrect data, it can be penalized by slashing its stake, providing a strong incentive to act with honesty.
Web Proofs are a lot like oracles, but they enable access to private data, while preserving privacy of security sensitive parts of data.
For example, we can make a call to GitHub.com and retrieve the list of starred repositories for a specific user. This information is private and only accessible to the account owner. With Web Proofs, the account owner can generate a cryptographic proof of the HTTP request that lists the starred repositories.
Once the proof is generated, the client can call a Solidity contract, which can verify the proof's correctness without exposing any personal or session-related secrets.
In a nutshell, here's what a simplified Web Proof scenario looks like:
Note that the Notary blindly attests to the data, ensuring that sensitive information like credentials and session keys are redacted. Similar to Oracles, the Notary must be a trusted party. A malicious Notary could generate a fake proof, which is why, as with Oracles, we expect notaries’ commissions to emerge.
Generating the proof in this scenario is time-consuming for two main reasons. Firstly, a trusted party must notarize the contents of the secure session between the client and server, and this communication adds significant overhead. Secondly, the web page needs to be reduced to a claim, which must also be proven. This step is computationally intensive and adds to the time required.
Long story short, oracles are great for publicly available data, such as price feeds. This is the main use case and revenue stream for oracles right now. It’s hard to imagine this changing in the near future.
But how do oracles get your recent Github activity, Uber rides, bank account balance, or Twitter earnings? Even if we assume there is an API for all of this, oracles would have to authenticate the calls with your credentials to make them on your behalf - obviously not a good idea. Sharing session IDs or API keys with unknown oracle operators is unacceptable from the security perspective.
That's where Web Proofs come in.
Web Proofs allow you to access private data without sharing secrets with third parties. Developers can use them to build decentralized applications that leverage Web2 data, even if public APIs aren’t officially available. This opens up a whole range of new applications that can be built on top of this concept.
Neither is better as Oracles and Web Proofs serve different purposes.
Oracles will continue to lead in providing price feeds to the DeFi protocols as this solution is optimized for security and reliability.
Web Proofs, on the other hand, will be essential for building new digital services and bringing private Web2 data on-chain. They are the missing piece that makes possible the creation of fair airdrops and peer-to-peer marketplaces that were previously impossible to build.
Examples of dApps that can be built with Web Proofs:
The full potential of Web Proofs is yet to be realized. Just as Oracles sparked the DeFi Summer in 2020, it will be exciting to see what practical use cases emerge from the Web Proof concept.
Do you have some thoughts to share on the Oracles vs Web Proofs debate? Get in touch with Artur on X - we would love to hear from you.
For those interested in diving deeper into this topic, check out Verifiable Data Report: Web Proofs here.