SIP-230: Universal Circuit Breaker

Author
Status: Implemented
Type: Governance
Network: Ethereum & Optimism
Implementor: MEB (@barrasso)
Release: Muhlifain v2.76 release
Created: 2022-04-07

Simple Summary

Update the ExchangeCircuitBreaker contract to support oracles outside the regular price system.

Abstract

Implementation of SIP-165 and, to some extent, futures has revealed that a more generic system for Chainlink oracle validation is required. To solve this problem, an update to the existing circuit breaker contract will allow tracking for any oracle. In addition, the circuit breaker system is designed to be more self-contained, so that arbitrary oracles can be supported without needing to integrate with SystemStatus directly.

Motivation

This is a technical debt item which will improve the maintainability and security of the protocol.

Additionally, this will make it significantly easier to have full coverage of all oracles in use in our system. Currently, the SNX price oracle and the IssuedSynths oracle are not covered by any validation. We can now close the holes for those oracles with this.

Technical Specification

CircuitBreaker

A new copy of ExchangeCircuitBreaker which is specifically designed to handle any type of oracle value, not just the ones used by exchange rates. Broadly speaking, the contract will be changed to 1) store internal values for broken circuit status rather than updating SystemStatus, 2) accept address oracleAddress rather than bytes32 currencyKey in order to allow for any oracle to be submitted, and 3) integrate these checks into ExchangeRates rather than the other way around (ExchangeCircuitBreaker calls ExchangeRates).

The rest of the functionality will remain largely the same, including the calculation of the circuit breaker threshold and the general reporting pattern for values.

The circuit breaker will be created as a copy in order to manage the dependency on ExchangeCircuitBreaker by FuturesMarkets which are not upgradable for the time being, and to change the name to better reflect the actual function of the contract.

Circuit Breaker Functionality

Our goal with this system is to prevent large, impossible swings in Chainlink price from causing widespread damage to the system, while still not triggering unnecessarily when business is as usual.

To accomplish this, a simple threshold comparison function is proposed

Migration

It will be necessary to migrate the aggregators from the current ExchangeRates contract to the new OracleManager. Some portions of the deployment process will need to be updated to add aggregators to the new manager as well.

Aggregators for DebtRatio and IssuedSynths will need to be updated to be provisioned to the new OracleManager as well.

Simplified Example Workflows

Exchanger.getAmountsForExchange
  • Exchanger.getAmountsForExchange
    • ExchangeRates.rateAndInvalid
      • CircuitBreaker.isInvalid -- returns whether the circuit would be broken in the case of this being executed
Exchanger.exchange
  • Exchanger.exchange
    • ExchangeRates.effectiveValueAndRatesAtRound
      • CircuitBreaker.probeCircuitBreaker -- get range of rates for advanced exchange rate calculations
    • ExchangeRates.effectiveValueAndRatesAtRound
      • CircuitBreaker.probeCircuitBreaker
Issuer.issueMaxSynths
  • Issuer.issueMaxSynths
    • Issuer._debtBalanceOfAndTotalDebt
      • Issuer.allNetworksDebtInfo
        • CircuitBreaker.probeCircuitBreaker -- get issued synths oracle
        • CircuitBreaker.probeCircuitBreaker -- get issued synth
      • ExchangeRates.rateAndInvalid -- SNX price request
        • CircuitBreaker.probeCircuitBreaker -- get SNX price (previously was not under the protection of a circuit breaker btw)
    • ...

Similar for Issuer. By doing this, we can mostly remove code for circuit breaking from Issuer and take appropriate actions to protect from oracle accidents by default.

Configurable Values (Via SCCP)

  • breakerThreshold(bytes32 id): defines the factor of change required for the breaker to trip for a given aggregator. If unset, this defaults to 2.
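
The following Python model is an added illustration, not code from the SIP or the Synthetix contracts. It shows how a per-oracle factor threshold, internally stored broken status, and the read-only `isInvalid` versus state-changing `probeCircuitBreaker` split described above can fit together. The class and method names, the zero-value and first-reading rules, the inclusive comparison, and the baseline update rule are assumptions, and the oracle ids and readings are constructed.

```python
from fractions import Fraction

DEFAULT_THRESHOLD = Fraction(2)  # the SIP's default for breakerThreshold


class CircuitBreakerModel:
    """Simplified model (not Synthetix contract code); state is keyed by oracle address."""

    def __init__(self):
        self.last_value = {}  # oracle -> last accepted reading (integer, fixed-point units)
        self.broken = {}      # oracle -> True once tripped; held here, not in SystemStatus
        self.threshold = {}   # oracle -> per-oracle override of DEFAULT_THRESHOLD

    def _out_of_bounds(self, oracle, value):
        if value == 0:  # assumption: a zero reading is never acceptable
            return True
        last = self.last_value.get(oracle)
        if last is None:  # assumption: the first reading has no baseline to compare with
            return False
        hi, lo = max(last, value), min(last, value)
        # Symmetric test, so a crash and a spike are treated alike:
        # hi / lo >= threshold, written without division. Inclusive bound is an assumption.
        return hi >= self.threshold.get(oracle, DEFAULT_THRESHOLD) * lo

    def is_invalid(self, oracle, value):
        """Read-only check: would this reading leave the circuit broken?"""
        return self.broken.get(oracle, False) or self._out_of_bounds(oracle, value)

    def probe(self, oracle, value):
        """State-changing check: latches the breaker on a bad reading."""
        if self.is_invalid(oracle, value):
            self.broken[oracle] = True
            return True
        self.last_value[oracle] = value  # assumption: only accepted readings move the baseline
        return False


def demo():
    cb = CircuitBreakerModel()
    snx, issued = "snx-oracle", "issued-synths-oracle"  # constructed placeholder ids
    # Constructed readings: below-threshold moves, then a halving, then a normal value.
    snx_results = [cb.probe(snx, v) for v in (300, 310, 590, 295, 300)]
    return snx_results, cb.probe(issued, 1000)


if __name__ == "__main__":
    print(demo())
```

In the demo the halving from 590 to 295 trips the breaker, the following normal reading is still rejected because the status is latched, and the second oracle is unaffected because state is held per oracle.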

Copyright and related rights waived via CC0.