Comment on page
Winding down system operations
Relevant smart contracts:
The Shutdown Module is in charge with winding down the system and returning all collateral back to users in case of a serious threat, such as long-term market irrationality, a hack, or a security breach.
Settlement can be triggered by the
ESM(Emergency Shutdown Module) where governance needs to deposit (and burn) a specific amount of protocol tokens OR if governance has direct access to
GlobalSettlement, they can bypass the
ESMand settle the system.
GlobalSettlement- this contract shuts down GEB and ensures that both SAFE and system coin users receive the net value of assets they are entitled to. The value of collateral that coin holders can redeem will vary depending on the system surplus or deficit at the time of settlement. It is possible that coin holders will receive less or more than
OracleRelayer.redemptionPriceworth of collateral for one coin.
ESM- this contract can trigger global settlement if enough tokens are deposited (and subsequently burned) in it.
ESMmay be unable to trigger shutdown (even if sufficient protocol tokens have been committed to the contract) if
GlobalSettlementdid not authorize it.
GlobalSettlementreads collateral prices from
FSMs it is susceptible to reading bad data in case the oracles get attacked. Governance is not advised to use settlement as a solution to oracle attacks because the prices get added in the system too quickly in order for shutdown to help.
GlobalSettlement.shutdownCooldownis set too high, it can result in the shutdown not being able to proceed.
GlobalSettlement.shutdownCooldownis too low, it can result in
setOutstandingCoinSupplybeing called before all auctions have finished, resulting in debt being calculated incorrectly and setting wrong collateral prices.
GlobalSettlement.shutdownSystemis called all system coin holders may be left holding an unstable asset. This could result in a market price crash across all collateral types due to liquidations and sell-offs.
StabilityFeeTreasury- if they are set to malicious contracts (inside
GlobalSettlement) they may cause shutdown to fail.
GlobalSettlementis part of Level 2 Gov Minimization.
ESMis part of Level 1 Gov Minimization.
Before removing control from the
ESM, governance should deploy a contract called
ESMThresholdSetterthat automatically sets the
ESM.triggerThresholdaccording to the current outstanding supply of protocol tokens.