Relevant smart contracts:
The Shutdown Module is in charge with winding down the system and returning all collateral back to users in case of a serious threat, such as long-term market irrationality, a hack, or a security breach.
Settlement can be triggered by the
ESM (Emergency Shutdown Module) where governance needs to deposit (and burn) a specific amount of protocol tokens OR if governance has direct access to
GlobalSettlement, they can bypass the
ESM and settle the system.
GlobalSettlement - this contract shuts down GEB and ensures that both SAFE and system coin users receive the net value of assets they are entitled to. The value of collateral that coin holders can redeem will vary depending on the system surplus or deficit at the time of settlement. It is possible that coin holders will receive less or more than
OracleRelayer.redemptionPrice worth of collateral for one coin.
ESM - this contract can trigger global settlement if enough tokens are deposited (and subsequently burned) in it.
ESM may be unable to trigger shutdown (even if sufficient protocol tokens have been committed to the contract) if
GlobalSettlement did not authorize it.
GlobalSettlement reads collateral prices from
FSMs it is susceptible to reading bad data in case the oracles get attacked. Governance is not advised to use settlement as a solution to oracle attacks because the prices get added in the system too quickly in order for shutdown to help.
GlobalSettlement.shutdownCooldown is set too high, it can result in the shutdown not being able to proceed.
GlobalSettlement.shutdownCooldown is too low, it can result in
setOutstandingCoinSupply being called before all auctions have finished, resulting in debt being calculated incorrectly and setting wrong collateral prices.
GlobalSettlement.shutdownSystem is called all system coin holders may be left holding an unstable asset. This could result in a market price crash across all collateral types due to liquidations and sell-offs.
StabilityFeeTreasury - if they are set to malicious contracts (inside
GlobalSettlement) they may cause shutdown to fail.
In the long run, governance can completely remove control over the shutdown module.