Shutdown Module
Winding down system operations
Relevant smart contracts:
1. Overview
The Shutdown Module is in charge with winding down the system and returning all collateral back to users in case of a serious threat, such as long-term market irrationality, a hack, or a security breach.
Settlement can be triggered by the ESM
(Emergency Shutdown Module) where governance needs to deposit (and burn) a specific amount of protocol tokens OR if governance has direct access to GlobalSettlement
, they can bypass the ESM
and settle the system.
2. Component Descriptions
GlobalSettlement
- this contract shuts down GEB and ensures that both SAFE and system coin users receive the net value of assets they are entitled to. The value of collateral that coin holders can redeem will vary depending on the system surplus or deficit at the time of settlement. It is possible that coin holders will receive less or more thanOracleRelayer.redemptionPrice
worth of collateral for one coin.ESM
- this contract can trigger global settlement if enough tokens are deposited (and subsequently burned) in it.
3. Risks
Misconfigurations
The ESM
may be unable to trigger shutdown (even if sufficient protocol tokens have been committed to the contract) if GlobalSettlement
did not authorize it.
Settlement Edge Cases
Oracle Attack
Since GlobalSettlement
reads collateral prices from FSM
s it is susceptible to reading bad data in case the oracles get attacked. Governance is not advised to use settlement as a solution to oracle attacks because the prices get added in the system too quickly in order for shutdown to help.
Other Failure Modes
If
GlobalSettlement.shutdownCooldown
is set too high, it can result in the shutdown not being able to proceed.If
GlobalSettlement.shutdownCooldown
is too low, it can result insetOutstandingCoinSupply
being called before all auctions have finished, resulting in debt being calculated incorrectly and setting wrong collateral prices.When
GlobalSettlement.shutdownSystem
is called all system coin holders may be left holding an unstable asset. This could result in a market price crash across all collateral types due to liquidations and sell-offs.SAFEEngine
/AccountingEngine
/LiquidationEngine
/OracleRelayer
/StabilityFeeTreasury
- if they are set to malicious contracts (insideGlobalSettlement
) they may cause shutdown to fail.
4. Governance Minimization
GlobalSettlement
is part of Level 2 Gov Minimization. ESM
is part of Level 1 Gov Minimization.
The ESMThresholdSetter
Before removing control from the ESM
, governance should deploy a contract called ESMThresholdSetter
that automatically sets the ESM.triggerThreshold
according to the current outstanding supply of protocol tokens.
Last updated