Shutdown Module

Winding down system operations

Relevant smart contracts:

1. Overview

The Shutdown Module is in charge with winding down the system and returning all collateral back to users in case of a serious threat, such as long-term market irrationality, a hack, or a security breach.

Settlement can be triggered by the ESM (Emergency Shutdown Module) where governance needs to deposit (and burn) a specific amount of protocol tokens OR if governance has direct access to GlobalSettlement, they can bypass the ESM and settle the system.

2. Component Descriptions

  • GlobalSettlement - this contract shuts down GEB and ensures that both SAFE and system coin users receive the net value of assets they are entitled to. The value of collateral that coin holders can redeem will vary depending on the system surplus or deficit at the time of settlement. It is possible that coin holders will receive less or more than OracleRelayer.redemptionPrice worth of collateral for one coin.

  • ESM - this contract can trigger global settlement if enough tokens are deposited (and subsequently burned) in it.

3. Risks


The ESM may be unable to trigger shutdown (even if sufficient protocol tokens have been committed to the contract) if GlobalSettlement did not authorize it.

Settlement Edge Cases

Oracle Attack

Since GlobalSettlement reads collateral prices from FSMs it is susceptible to reading bad data in case the oracles get attacked. Governance is not advised to use settlement as a solution to oracle attacks because the prices get added in the system too quickly in order for shutdown to help.

Other Failure Modes

  • If GlobalSettlement.shutdownCooldown is set too high, it can result in the shutdown not being able to proceed.

  • If GlobalSettlement.shutdownCooldown is too low, it can result in setOutstandingCoinSupply being called before all auctions have finished, resulting in debt being calculated incorrectly and setting wrong collateral prices.

  • When GlobalSettlement.shutdownSystem is called all system coin holders may be left holding an unstable asset. This could result in a market price crash across all collateral types due to liquidations and sell-offs.

  • SAFEEngine / AccountingEngine / LiquidationEngine / OracleRelayer / StabilityFeeTreasury - if they are set to malicious contracts (inside GlobalSettlement) they may cause shutdown to fail.

4. Governance Minimization

GlobalSettlement is part of Level 2 Gov Minimization. ESM is part of Level 1 Gov Minimization.

The ESMThresholdSetter

Before removing control from the ESM, governance should deploy a contract called ESMThresholdSetter that automatically sets the ESM.triggerThreshold according to the current outstanding supply of protocol tokens.