GEB Docs
  • Introduction to GEB
  • Community Resources
  • FLX Mechanics
  • FAQ
  • RAI
    • RAI Use-Cases
    • Multi-chain RAI
    • RAI Integrations
  • The Money God League
    • Intro to The League
  • Ungovernance
    • Governance Minimization Guide
  • Risk
    • GEB Risks
    • PID Failure Modes & Responses
  • Incentives
    • RAI Uniswap V2 Mint + LP Incentives Program
    • RAI Uniswap V3 Mint + LP Incentives Program (Inactive)
    • FLX Staking
    • RAI / ETH Uniswap V3 Oracle LP Incentives Program
  • Contract Variables Translation
    • Core Contracts Naming Transition
    • Governance Contracts Naming Transition
    • SAFE Management Contract Naming Transition
  • System Contracts
    • Core Module
      • SAFE Engine
      • Liquidation Engine
      • Accounting Engine
    • Auction Module
      • English Collateral Auction House
      • Fixed Discount Collateral Auction House
      • Increasing Discount Collateral Auction House
      • Debt Auction House
      • Surplus Auction House
    • Oracle Module
      • Oracle Relayer
      • Medianizer
        • DSValue
        • Governance Led Median
        • Chainlink Median
        • Uniswap V2 Median
      • FSM
        • Oracle Security Module
        • Dampened Security Module
        • FSM Governance Interface
    • Token Module
      • Token Adapters
      • System Coin
      • Protocol Token
      • Protocol Token Authority
      • Protocol Token Printing Permissions
    • Money Market Module
      • Tax Collector
    • Sustainability Module
      • Stability Fee Treasury
      • FSM Wrapper
      • Increasing Treasury Reimbursement
      • Mandatory Fixed Treasury Reimbursement
      • Increasing Reward Relayer
    • Automation Module
      • Collateral Auction Throttler
      • Single Spot Debt Ceiling Setter
      • ESM Threshold Setter
    • Governance Module
      • DSPause
    • Shutdown Module
      • Global Settlement
      • ESM
  • Proxy Infrastructure
    • DSProxy
    • Proxy Registry
  • Helper Contracts
    • SAFE Manager
  • GEB.js
    • Getting Started
    • Global Settlement Guide
    • API Reference
      • Geb
      • Safe
      • Proxy Actions
      • Geb Admin
  • APIs
    • API Endpoints
  • Pyflex
    • Getting Started
      • Configuration
      • GEB Basics
    • SAFE Management
      • Opening a SAFE
      • Closing a SAFE
    • Numerics
  • Keepers
    • Keeper Overview
    • Collateral Auction Keeper
      • Running in Docker
      • Running on a Host
      • Liquidations & Collateral Auctions
      • Collateral Auction Flash Swaps
    • Debt Auction Keeper
      • Running in Docker
      • Running on a Host
    • Staked Token Auction Keeper
      • Running in Docker
      • Running on a Host
    • Surplus Auction Keeper
      • Running in Docker
      • Running on a Host
    • Bidding Models
  • Liquidation Protection
    • SAFE Protection
    • Liquidation Protection Guide
    • Uni-V2 RAI/ETH Savior Details
    • Curve V1 Savior Details
Powered by GitBook
On this page
  • 1. Overview
  • 2. Component Descriptions
  • 3. Risks
  • Misconfigurations
  • Settlement Edge Cases
  • 4. Governance Minimization

Was this helpful?

  1. System Contracts

Shutdown Module

Winding down system operations

PreviousDSPauseNextGlobal Settlement

Last updated 3 years ago

Was this helpful?

Relevant smart contracts:

1. Overview

The Shutdown Module is in charge with winding down the system and returning all collateral back to users in case of a serious threat, such as long-term market irrationality, a hack, or a security breach.

Settlement can be triggered by the ESM (Emergency Shutdown Module) where governance needs to deposit (and burn) a specific amount of protocol tokens OR if governance has direct access to GlobalSettlement, they can bypass the ESM and settle the system.

2. Component Descriptions

  • GlobalSettlement - this contract shuts down GEB and ensures that both SAFE and system coin users receive the net value of assets they are entitled to. The value of collateral that coin holders can redeem will vary depending on the system surplus or deficit at the time of settlement. It is possible that coin holders will receive less or more than worth of collateral for one coin.

  • ESM - this contract can trigger global settlement if enough tokens are deposited (and subsequently burned) in it.

3. Risks

Misconfigurations

The ESM may be unable to trigger shutdown (even if sufficient protocol tokens have been committed to the contract) if GlobalSettlement did not authorize it.

Settlement Edge Cases

Oracle Attack

Since GlobalSettlement reads collateral prices from FSMs it is susceptible to reading bad data in case the oracles get attacked. Governance is not advised to use settlement as a solution to oracle attacks because the prices get added in the system too quickly in order for shutdown to help.

Other Failure Modes

  • If GlobalSettlement.shutdownCooldown is set too high, it can result in the shutdown not being able to proceed.

  • If GlobalSettlement.shutdownCooldown is too low, it can result in setOutstandingCoinSupply being called before all auctions have finished, resulting in debt being calculated incorrectly and setting wrong collateral prices.

  • When GlobalSettlement.shutdownSystem is called all system coin holders may be left holding an unstable asset. This could result in a market price crash across all collateral types due to liquidations and sell-offs.

  • SAFEEngine / AccountingEngine / LiquidationEngine / OracleRelayer / StabilityFeeTreasury - if they are set to malicious contracts (inside GlobalSettlement) they may cause shutdown to fail.

4. Governance Minimization

GlobalSettlement is part of Level 2 Gov Minimization. ESM is part of Level 1 Gov Minimization.

The ESMThresholdSetter

Before removing control from the ESM, governance should deploy a contract called ESMThresholdSetter that automatically sets the ESM.triggerThreshold according to the current outstanding supply of protocol tokens.

GlobalSettlement
ESM
OracleRelayer.redemptionPrice