
Core Module

Handling SAFE state, liquidations and accounting (surplus & bad debt)


Last updated 3 years ago


Relevant smart contracts:

1. Overview

The Core Module stores all SAFE data, allows external actors to trigger liquidations when SAFEs are underwater, and handles debt and surplus auctions.

2. Component Descriptions

  • The SAFEEngine stores all SAFEs' states and system coin balances, as well as the amount of collateral and debt each address has. This contract is self-contained and has no external dependencies.

  • The LiquidationEngine is meant to check if a SAFE is unsafe (the value of the issued debt is too high compared to the collateral value) and start a collateral auction that sells a portion of the SAFE's collateral in order to cover a share of its debt.

  • The AccountingEngine stores the overall system surplus and debt data. It is meant to settle deficit via debt auctions and dispose of surplus via surplus auctions or basic transfers.

3. Risks

Smart Contract Bugs

  • SAFEEngine - A bug in the SAFEEngine could be fatal and would lead to collateral or debt being stuck in the system.

  • LiquidationEngine - A bug in the LiquidationEngine could lead to debt or collateral being assigned to addresses from which they cannot be recovered. Compared to MCD, the LiquidationEngine can call external contracts that are meant to save SAFEs by adding more collateral to the system. These "insurance" contracts, if coded incorrectly, can change system state without actually adding any collateral and thus block the engine from starting new auctions. The liquidateSAFE(bytes32 collateralType, address cdp) function also uses mutexes to prevent re-entrancy. If a mutex is not unassigned at the end of the call, it can prevent the LiquidationEngine from liquidating a specific SAFE in the future.

  • AccountingEngine - A bug in the AccountingEngine would prevent the system from reaching equilibrium (by auctioning debt or disposing of surplus).
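
The two LiquidationEngine failure modes above (a saviour that reports success without adding collateral, and a mutex left set on one exit path) can be reproduced in a small Python model. This is an added example, not GEB code: `EngineModel`, `MutexHeld`, both `liquidate_*` methods and the two saviour functions are hypothetical names, and the balances are constructed.

```python
class MutexHeld(Exception):
    """The per-SAFE mutex is already set, so the call is rejected."""


class EngineModel:
    """Toy liquidation engine with a per-SAFE mutex (constructed, not GEB code)."""

    def __init__(self, collateral):
        self.collateral = dict(collateral)  # (collateral_type, safe) -> amount
        self.mutex = {}                     # (collateral_type, safe) -> 0 or 1
        self.auctions = []                  # SAFEs sent to collateral auction

    def _enter(self, key):
        if self.mutex.get(key, 0) == 1:
            raise MutexHeld(key)
        self.mutex[key] = 1

    def liquidate_buggy(self, key, saviour):
        self._enter(key)
        if saviour(self, key):       # trusts the saviour's own return value
            return "saved"           # early return: the mutex is never reset
        self.auctions.append(key)
        self.mutex[key] = 0
        return "auction"

    def liquidate_hardened(self, key, saviour):
        self._enter(key)
        try:
            before = self.collateral[key]
            saviour(self, key)
            # Believe the balance delta, not what the saviour reports.
            if self.collateral[key] > before:
                return "saved"
            self.auctions.append(key)
            return "auction"
        finally:
            # Single release point. Solidity has no finally; the equivalent
            # is one exit path or a modifier that resets after the body.
            self.mutex[key] = 0


def honest_saviour(engine, key):
    engine.collateral[key] += 5      # really adds collateral
    return True


def lying_saviour(engine, key):
    return True                      # reports success, adds nothing
```

With `liquidate_buggy`, one call through `lying_saviour` starts no auction and leaves the mutex set, so every later call for that SAFE raises `MutexHeld`; `liquidate_hardened` starts the auction and releases the mutex on every path.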

Price Feeds

Both the SAFEEngine and the LiquidationEngine rely (directly or indirectly) on the OracleRelayer which in turn receives price data from multiple trusted sources. If the price feed oracles fail, it's possible that SAFEs will be unfairly liquidated or that users will generate unbacked debt.

All-Powerful Governance

  • SAFEEngine - Malicious governance can steal collateral (modifyCollateralBalance) or mint unbacked debt for no apparent reason (createUnbackedDebt/addition of worthless collateral types).

  • LiquidationEngine - Governance could misconfigure liquidation parameters (e.g. an extremely low or high liquidationPenalty).

  • AccountingEngine - Malicious governance can set null addresses as the debtAuctionHouse or the surplusAuctionHouse and thus not allow the system to reach equilibrium or even trigger settlement. They can also set a faulty AccountingEngine.systemStakingPool, which can prevent the engine from starting new debt auctions and thus leave deficit in the system.

4. Governance Minimization

  • SAFEEngine (Level 2 Gov Minimization) - the SAFEEngine will need an external contract to automatically set the globalDebtCeiling and each collateral's individual debtCeilings. Apart from this, governance can remove control from the SAFEEngine.

  • LiquidationEngine (Level 1 Gov Minimization) - the LiquidationEngine may have an external contract authorized to periodically set onAuctionSystemCoinLimit depending on the current outstanding amount of system coins generated. Governance will also need to have control over connecting and disconnecting saviour contracts because they are external dependencies connected to other protocols/3rd parties. Apart from these, governance can remove control over this contract.

  • AccountingEngine (Level 2 Gov Minimization) - the AccountingEngine must authorize an external contract to automatically set initialDebtAuctionMintedTokens and debtAuctionBidSize according to the protocol token and system coin market prices. Governance may also keep control over setting systemStakingPool in case the staking pool still needs to be upgraded and may cause problems in the engine.

SAFEEngine
LiquidationEngine
AccountingEngine