Relevant smart contracts: StabilityFeeTreasury
The Sustainability Module provides funds to critical system components, such as the Oracle Network Medianizer, so that they can function properly even in the absence of governance power over the protocol.
StabilityFeeTreasury - this contract tries to keep an "optimum" amount of stability fees for itself in order to make sure it can provide funds to other contracts (or in some cases, people) that maintain the protocol's well-being. Anyone can periodically call a function to recalculate the optimum amount of funds to keep in the treasury. Any surplus above optimum values is transferred to the AccountingEngine.
A bug in the StabilityFeeTreasury would potentially block other contracts from pulling funds or would incorrectly calculate the optimum amount of funds to keep in the contract (CDPEngine.coinBalance[stabilityFeeTreasury]).
A bug could also prevent the treasury from sending extra unused resources to another address using transferSurplusFunds().
Governance might set an incorrect address as the AccountingEngine or could maliciously withdraw the permission of core contracts to pull funds. Governance could also allow malicious contracts to drain the treasury.
Governance can withdraw their power over this module if two conditions are satisfied:
All treasury-dependent contracts were set up correctly (can withdraw enough funds to function properly).
All external actors (if any) have the necessary permissions to pull funds from the treasury.
The StabilityFeeTreasury is part of the Level 2 Gov Minimization. That being said, governance should maintain control only over setting total allowances to their initial values for every address that's currently authorized to pullFunds from the treasury.
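As an added illustration (not code from the protocol or from this documentation), the two conditions above and the governance risks they guard against can be checked against a state snapshot before governance gives up control. The snapshot layout, the placeholder addresses, the required budgets and the audit_treasury helper are all assumptions constructed for this example.

```python
# Added example: audit a treasury state snapshot before governance is removed.
# Snapshot layout, addresses and budgets are constructed, not read from a chain.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" or "warning"
    subject: str   # address the finding is about
    reason: str

def audit_treasury(snapshot, expected_engine, required):
    """Return findings that should block removing governance.

    snapshot: {"accounting_engine": address, "allowances": {address: total}}
    required: {address: minimum total allowance that caller needs}
    """
    findings = []
    engine = snapshot["accounting_engine"].lower()
    if engine != expected_engine.lower():
        findings.append(Finding("critical", engine,
                                "surplus would go to an unexpected AccountingEngine"))
    allowances = {a.lower(): v for a, v in snapshot["allowances"].items()}
    needed = {a.lower(): v for a, v in required.items()}
    for addr, minimum in sorted(needed.items()):
        have = allowances.get(addr, 0)
        if have == 0:  # permission missing or withdrawn
            findings.append(Finding("critical", addr, "cannot pullFunds at all"))
        elif have < minimum:
            findings.append(Finding("warning", addr,
                                    f"total allowance {have} < required {minimum}"))
    for addr, have in sorted(allowances.items()):
        if have > 0 and addr not in needed:  # possible drain path
            findings.append(Finding("critical", addr,
                                    "unreviewed address can pull from the treasury"))
    return findings

# Constructed sample data (placeholder addresses, arbitrary amounts).
ENGINE, WRONG_ENGINE = "0x" + "ae" * 20, "0x" + "ee" * 20
ORACLE, KEEPER, UNKNOWN = "0x" + "0a" * 20, "0x" + "0b" * 20, "0x" + "ff" * 20
REQUIRED = {ORACLE: 1000, KEEPER: 200}
BAD_SNAPSHOT = {"accounting_engine": WRONG_ENGINE,
                "allowances": {ORACLE: 500, UNKNOWN: 10**6}}

if __name__ == "__main__":
    for f in audit_treasury(BAD_SNAPSHOT, ENGINE, REQUIRED):
        print(f"[{f.severity}] {f.subject}: {f.reason}")
```

An empty result is the precondition for the handover; any critical finding corresponds to one of the governance attack vectors listed above.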
Keeping Governance over takeFunds
Given that takeFunds has very simple and clearly defined behavior where governance cannot harm the treasury, it can be governed in the long run.