Credibly Neutral AI Oracles

A credibly neutral AI report layer allows dispute mechanisms to use a higher voting threshold without sacrificing accurate resolution. The result is a system that is harder to manipulate and easier to verify.

Credibly Neutral AI Oracles

In Ancient Greece, the Oracle of Delphi resided on Mount Parnassus and delivered prophecies regarded as ground truth from the gods. Blockchain borrowed the word "oracle" for an (arguably) smaller job: input real-world information onto a chain so a smart contract knows what action to take next. Did the flight get delayed? Did it rain? Did the S&P close above 5,000? An oracle answers, and the smart contract acts automatically and irreversibly on downstream dependencies: e.g. making insurance payouts, settling a prediction market, or pricing an option.

The main tension here is that a centralized, single data source reduces the blockchain to a single point of failure and removes the intended notion of decentralization. Thus many blockchains use a decentralized oracle that resolves disputes by a token-weighted vote. But now the people voting on the oracle's output may also have a stake in the downstream outcome, meaning the system is vulnerable to a different kind of manipulation. For example, someone could bet lots of money on the event of rain tomorrow on Polymarket and force the oracle to agree by bribing other voters or amassing enough tokens.

Centralize the oracle and you've reintroduced a single point of failure to the blockchain; decentralize the oracle and you've opened up the system to adversarial manipulation. Existing oracle mechanisms typically inherit at least one of these vulnerabilities, leading to a growing list of real-world failures. And as decision-making stake and monetary volume continues to grow in blockchain environments, the effects of these failures are beginning to make news.

Failures in practice

As prediction markets like Kalshi and Polymarket clear billions in volume, and DeFi applications involve high-value assets and collateral, the incentive to manipulate outcomes has also scaled up. We highlight several recent oracle failures across these applications:

  • A $114 million price manipulation. In October 2022, an attacker pumped the price of MANGO tokens on a thin spot market, then borrowed against the inflated collateral and walked away with roughly $114 million.
  • A governance takeover for $7 million in bets. A Polymarket contract asked whether Ukraine would sign a rare-earth minerals deal with the U.S. before April 2025. A single holder controlling more than 25% of UMA's governance token forced a "yes" resolution with zero evidence a deal existed. $7 million in bets settled on "yes".
  • A $240 million wardrobe dispute [2]. Polymarket asked whether Zelenskyy would wear a suit before July 2025. After news sources provided images of him in formal attire on July 24, the oracle initially resolved to "yes". Then a UMA token-holder vote overturned it to "no," arguing a similar outfit had once been ruled "not a suit." The market generated over $240 million in total trading volume.
  • A $21,000 sensor. In April 2026, a Paris-temperature market settled off a single airport sensor. That sensor reported numbers that contradicted every other weather source in the city, one trader won over $21,000, and authorities are now looking into whether it was physically tampered with using a tool like a hairdryer.
  • A centralized failure. In 2019, a Chainlink node supplying the KRW/USD exchange rate to the Synthetix protocol reported an incorrect value due to an upstream data-feed error. This enabled traders to exploit the discrepancy before the issue was detected and trades were reversed.

These examples illustrate three broad failure modes: semantic ambiguity in event specifications, mechanism manipulation where concentrated token holdings allow profitable misreporting, and data source manipulation or failure where the underlying signal itself is compromised. We argue that semantic ambiguity issues are best resolved by using more precise, objective language in smart contracts, rather than adjusting the oracle itself. Meanwhile, the other two failure types can be addressed with more careful mechanism design.

UMA: a case study

UMA's oracle is currently used to resolve markets on Polymarket. The oracle can be broken down in two parts, the report layer and the dispute layer:

  1. In the report layer, which is referred to as the "Optimistic Oracle," anyone can propose a resolution with a corresponding posted bond. For example, I can post a bond and claim it rained on Tuesday.
  2. In the dispute layer, anyone can then post a bond to initiate a dispute, e.g. propose an alternative outcome (it didn't rain). This dispute is settled by UMA token-holders: each voter submits both a token amount $w_i$ and their vote to either (1) uphold the initial proposal or (2) overturn it for the disputed outcome. Whichever outcome receives the majority of token-weighted votes wins; that is, writing $M = \sum_{i} w_i$ for the total weight, the report is overturned if and only if the overturning weight share reaches 0.5:

$$
\frac{1}{M} \sum_{i} w_i \, \mathbf{1}\{\text{$i$ votes to overturn}\} \;\geq\; 0.5.
$$

The motivation behind this design is that when the ground truth is obvious or easily observable, the report layer is a cheap, efficient, and decentralized way to settle the market. In settings where the outcome is less clear, or manipulation is suspected, human judgement can correct the report layer through a vote. And unless someone holds more than 50% of the total token share in the vote, they cannot force an outcome.

… But unfortunately, as we saw in the Ukraine minerals-deal above, it appears that as volume continues to increase in markets and other applications, whales are increasingly willing to clear the majority threshold of vote shares to manipulate the outcome and make money.

In fact, a Wall Street Journal investigation published in May 2026 found that just nine wallets control nearly half of all UMA voting power on Polymarket disputes. Moreover, these same wallets have landed on the winning side of nearly every dispute they've weighed in on. At least 60% of active UMA voters could be linked to Polymarket trading accounts, and in more than 300 disputes over the past year a voter held an open position in the same market they were adjudicating. In April 2026 alone, roughly $1 billion in Polymarket contracts were settled by UMA votes. A 50% threshold was meant to require broad consensus to override a proposal; in practice, it requires convincing, or being part of, an identifiable and concentrated group.

As a thought experiment, one could instead consider a potato as our report layer. The potato is far from accurate; it has no ability to predict whether it will rain. But the potato’s output is completely independent of the prediction market’s strategic state, e.g. participant stakes, the volume, or the current prices. Already, then, the potato achieves a robustness to manipulation that UMA’s report layer lacks, as we never have to worry about guarding against a malicious initial output. Of course, it’s missing other crucial properties captured by more intelligent systems, leading to our next section.

Our proposal

In response to UMA's failures, we introduce several desirable properties of the report layer in a two-layer dispute oracle, give theoretical results showing that they are less vulnerable to manipulation, and conclude that these properties are approximated well by the use of an LLM.

The design itself follows the same two-layer structure: the report layer produces an initial answer, and a dispute layer lets token holders overturn it. But in our proposal, overturning requires a supermajority $\alpha > 0.5$, not a simple majority. Everything below is about what has to be true of the report layer for that supermajority requirement to actually buy us anything.

Figure 1: a schematic of the two-layer oracle. The report layer outputs \hat Y; anyone can then escalate to a staked \alpha-majority vote.

Notation

To illustrate these properties and our results, we start with some notation. Call the true answer to the question $Y$, in some finite space $\mathcal{Y}$, and call the report layer's answer $\hat Y$. Two states can shape the report layer's answer: $\theta$, the mechanism state, i.e. who's holding which position, how much money is riding on which side; and $W$, the world state, i.e. the news, the weather, everything happening outside the contract entirely. $X$ is the specific slice of the world the report is actually allowed to look at: e.g. a prompt, a website, or a retrieval corpus. $P$ is shorthand for the report's full probability distribution over possible answers given the truth and world state, and $\epsilon = \Pr[ \hat Y \neq y \mid Y = y, W = w]$ represents how often $\hat Y$ misses the realization of $Y$ (conditioned on the ground truth and world state realizations). Throughout we condition on $Y$ and $W=w$.

Concretely, for the rain market above: $\mathcal{Y} = \{ \text{rain, no rain} \}$ with $Y$ the true outcome; $\theta$ is who bet how much on rain versus no rain; $W$ is the actual atmospheric conditions plus every trace of evidence about them out in the world; and $X$ is whichever slice of that evidence the report layer is actually built to consult, e.g. a prompt instructing it to check three named weather services, rather than the full, unbounded space of everything anyone could possibly know about Tuesday's weather.

Vulnerability

Suppose an adversary controls a vote share q of the dispute layer, and every other voter votes honestly: upholding $\hat Y$ when it's correct, overturning it to the truth when it isn't. Two branches follow, depending on whether the report layer happened to get it right:

  • If $\hat Y = y$ (probability $1 - \epsilon$), the adversary's only path to a wrong outcome is overturning a correct report, which costs at least $\alpha$ of the vote.
  • If $\hat Y \neq y$ (probability $\epsilon$), the adversary's path is instead to block the correction of an already-wrong report, which only costs $1 - \alpha$, since honest voters alone can only supply an overturning share of 1−q.
Figure 2: two branches of required adversarial stake, depending on if the report layer is correct or not.

So the "price" of forcing a wrong resolution is $\alpha$ when the report layer happens to be right, and only $1 - \alpha$ when it happens to be wrong. We define the vulnerability $\delta(P, \alpha)$ as the worst-case, probability-weighted ease of mounting either attack:

$$
\delta(P, \alpha) = \max \{ (1 - \epsilon)(1 - \alpha), \epsilon \alpha\}.
$$

So setting the threshold $\alpha$ is really just choosing how to trade one branch's exposure against the other's.

Desirable properties

Now we define the properties of the report layer which allow for a better oracle stack.

  1. Credible neutrality. A report is credibly neutral if $\hat Y$ depends only on $Y$ and $W$ and never on $\theta$. E.g., the answer can't move just because someone bet on it. Formally, $\hat Y$ is credibly neutral if there is a kernel $\kappa$ with $\Pr[\hat Y \in \cdot \mid Y, W, \theta] = \kappa(\cdot \mid Y, W)$ for every $\theta$; equivalently, $\hat Y \perp \theta \mid (Y, W)$. An UMA report-layer proposer fails this outright, since they see $\theta$ (the market positions) before answering.
  2. Accuracy. Neutrality alone isn't enough. For example, a fair coin flip (or a potato) is credibly neutral, but it has no meaningful connection to the actual ground truth $Y$. Low $\epsilon$ is what lets you push the threshold up in the first place: the more often $\hat Y$ agrees with $Y$, the higher a supermajority you can demand without making an already-correct report too easy to overturn by accident. We discuss two refinements of this point, diffusion and calibration, below.
  3. Data source robustness. (We're saving the full treatment of this one for a future blog post.) $X$ represents a set of sensors feeding into the report layer. If the report leans hard on one of them, corrupting that one source (like the Paris temperature sensor) corrupts the report. Thus there is a tradeoff between the cost of ingesting multiple sources and remaining manipulation-robust. The report layer should also be adaptable to last-minute failures or changes in the sensors.

Main result

We can prove that without credible neutrality, no matter where you set the overturn threshold, an adversary can always engineer a $P$ that makes your worst case vulnerability at least a coin flip. Meanwhile, with credible neutrality, the optimal threshold is exactly $1 - \epsilon$, and the worst-case vulnerability collapses to $\epsilon(1 - \epsilon)$. At $\epsilon = 5\%$, that's a required 95% supermajority to overturn a correct call, and under 5% worst-case exposure.

Formally: without credible neutrality, the report layer's distribution can be shaped by $\theta$, so the designer must guard against every feasible $P$. For any threshold $\alpha$, the worst case over all such $P$ is

$$
\sup_P \delta(P, \alpha) = \max \{ \alpha, 1 - \alpha \},
$$

and therefore the best any threshold can do against that worst case is

$$
\inf_{\alpha} \sup_P \delta(P, \alpha) = 1/2,
$$

attained only at $\alpha = 1/2$. This vulnerability is equivalent to that of a coin flip, and it is provably the best achievable value if the report layer can be shifted adversarially.

With credible neutrality, $P$ (and hence $\epsilon$) no longer responds to $\theta$, so it can be treated as fixed while we optimize $\alpha$ directly. The two terms of $\delta(P, \alpha) = \max \{ (1 - \epsilon)(1 - \alpha), \epsilon \alpha\}$ cross exactly once, at

$$
\alpha^* = 1 - \epsilon, \; \delta(P, \alpha^*) = \epsilon(1 - \epsilon).
$$

Refining the threshold: diffusion and calibration

The result above treats the report layer's error profile as a single number, $\epsilon$. Two refinements sharpen that, and both fall out of the same vulnerability formula.

Error diffusion, and ex-ante vs. ex-post attacks. Let us remove the assumption that every wrong answer is equally useful to an adversary. Define $\epsilon^{\ast}$ as the largest probability mass the report can put on any single adversary-relevant set of wrong answers: $\epsilon^{\ast} = \max_A \Pr[\hat Y \in A \mid Y = y]$, where A ranges over the wrong outcomes some adversary could profit from. The general vulnerability is $\delta(P, \alpha) = \max { (1 - \epsilon)(1 - \alpha), \epsilon^{\ast} \alpha}$, and optimizing over $\alpha$ gives

$$
\alpha^{\ast} = \frac{1 - \epsilon}{1 - \epsilon + \epsilon^{\ast}}, \qquad \delta(P, \alpha^{\ast}) = \frac{\epsilon^{\ast}(1 - \epsilon)}{1 - \epsilon + \epsilon^{\ast}}.
$$

The gap between $\epsilon$ and $\epsilon^{\ast}$ is exactly the gap between two threat models. An ex-post-aligned adversary is someone who only discovers which side they're defending after seeing the report, because they already hold a position that happens to pay off under whatever $\hat Y$ turns out to be. For example, I put good-faith money on the event of rain on Tuesday, and $\hat Y$ happens to be incorrect and agrees with me. Then every wrong outcome is equally exploitable, so $\epsilon^{\ast} = \epsilon$ and we're back to $\alpha^{\ast} = 1 - \epsilon$. Meanwhile, an ex-ante-targeted adversary is someone who plans to commit to a specific wrong outcome (or a narrow set of them) before seeing the report. Then only the probability mass on that specific target counts, and $\epsilon^{\ast}$ can be far smaller than $\epsilon$, which lowers the vulnerability. In the best case, the report layer spreads errors evenly across the m-1 outcomes, leading to $\epsilon^{\ast} = \epsilon / (m-1)$.

Calibrated confidence. Now suppose the report layer also emits a signal $S$ alongside $\hat Y$ representing its own estimate of its error rate, $S = \epsilon_m$. Suppose the pair $(\hat Y, S)$ is jointly credibly neutral (the confidence can't be moved by $\theta$ any more than the answer can). Call $S$ calibrated if it's right on average: $Pr[Ŷ ≠ y \mid Y = y, S = \epsilon_m] = \epsilon_m$. That is, among all the times the model claims to be wrong 5% of the time, it actually is wrong 5% of the time.

Under those two conditions, the whole analysis above applies conditionally, signal by signal. Fixing $S = s$, the optimal threshold is simply $α^*(s) = 1 − \epsilon(s) = 1 − s$, the model's own calibrated confidence. The catch here is that both conditions have to actually hold. An uncalibrated or mechanism-dependent confidence score cannot be used to set the threshold for our previous vulnerability guarantees.

LLM report layers

None of these properties require AI. But an LLM serves as an efficient, reasonable starting point for approximating them. If we commit its weights and fix its prompt before the market opens, then we can approximate credible neutrality. An LLM is typically capable enough on well-specified questions to push $\epsilon$ to reasonable values. (And one could argue that obscure prediction markets with hard-to-answer questions also correspond to lower trading volume, and thus lower risk of mechanism manipulation.) Moreover, LLMs can provide well-calibrated estimations of their own accuracy which can allow dynamic adjustment of the dispute layer threshold.

Of course, given our discussion on diffusion, the shape of an oracle's errors often matters. That's a real concern for LLMs specifically, because their mistakes are rarely uniform. Models pick up bias from training and prompting. They have a tendency to side with whichever framing sounds more confident, or to be more reliable in some domains, languages, or time periods. Those are exactly the concentrated, learnable error patterns that make an oracle cheap to attack ex-ante. A practical solution is to treat a candidate report layer's error profile as something to be audited on real, resolved historical questions. Concrete tools like bias bounties and secondary markets over the oracle decision could be used in such an audit system.

Takeaways

Our analysis shows that the 50/50 dispute threshold under UMA, which is susceptible to whale attacks in practice, is in fact the best the mechanism can do: non-credible neutrality of the initial resolution report means UMA must guard against attacks in both layers. Our proposal, meanwhile, is to use a credibly neutral and sufficiently accurate report layer through an LLM. This allows a higher vote threshold to be set in the dispute layer because we only have to worry about report layer attacks when the LLM is wrong; and therefore whales must amass a larger amount of tokens in order to carry out the same attack.

We’ve shown that a credibly neutral AI report layer, paired with an asymmetric dispute threshold, provably surpasses the abilities of UMA to guard against manipulation while achieving accurate resolutions. But we believe there are many other considerations to make in building an even stronger mechanism. The Gensyn team aims to continue developing an oracle grounded in strong theoretical foundations — one built for robustness, efficiency, accuracy, and verifiability — rather than iterating by patchwork fixes the way much of the industry has to date. We discuss future directions below.

  • Data source manipulation. As mentioned in our desirable properties, robustness to data source manipulation is also crucial. While depending on a single source may lead to higher accuracy in good-faith cases, this again re-introduces a single point of failure. We would like to design our oracles to take in more data sources in an efficient way to expose itself to less manipulation, as well as adapt to last-minute failures or changes in sensor outputs at resolution time.
  • Applications beyond blockchain. Any automated judgment that sits between a question and a decision, e.g. an LLM-as-a-judge grading a benchmark, screening a resume, or ruling on a content-moderation appeal, faces the same two pressures: can it be fooled by bad inputs, and can it be manipulated by whoever benefits from a particular decision? We expect our investigation into oracle design to apply more generally to such automated systems.
  • Other mechanism structures. The dispute-layer threshold isn't the only design option in the oracle space. A dispute ladder which starts with a cheap model, lets any party pay to escalate to a pricier one, and reserves a token vote for genuine last resorts, could better handle the tradeoffs between decision costs, manipulation, and accuracy. One could also consider aggregating from a panel of LLMs within this ladder.
  • What is "ground truth"? Everything above assumes $Y$ is a fact waiting to be discovered, e.g. it rained, or it didn't. Plenty of real markets aren't like that: "was this a suit" depended on a stylistic judgment call, and many high-value applications we care about (was this X comment objective, was that business decision negligent) are subjective or ambiguous. In these cases, what does the oracle’s target mean, and whose judgement defines it? Moreover, once a target is picked, how do we get people to report their beliefs honestly? Peer prediction mechanisms are the classic answer here, but their guarantees hinge on fragile assumptions: the definition of $\hat Y$ is unclear, reports are submitted simultaneously without communication, and manipulation is not modeled.