SIP-316: Core System Precautionary Security Features

Author:
Status: Implemented
Type: Governance
Network: Ethereum & Optimism
Implementor: Daniel Beal (@dbeal-eth)
Release: TBD
Created: 2023-02-03

Simple Summary

Protect the protocol from loss by adding an "interaction timeout" to Accounts which prevents withdrawals until the timeout has elapsed.

Additionally, add checks which allow for disabling of most system functions in emergency situations similar to SystemStatus in v2x.

Motivation

Synthetix v3 introduces revolutionary mechanisms which will change the way that DeFi looks at composable protocol design. However, perhaps the biggest threat to Synthetix is a cataclysmic protocol failure or smart contract hack which leads to loss of user funds (consider almost any bridge hack of 2022). New systems come with inherent risks, and certain functions, such as withdraw or delegateCollateral, will likely be a massive target for potential attackers. Adding certain restrictions to deter these attackers, such as an interaction timeout and easy CC disabling paths, will both reduce the risk of these endpoints and limit the potential damage if such an attack were to occur.

Rationale

These solutions were chosen because they closely align with the successful SystemStatus which has been used in v2x to great effect.

Technical Specification

Interaction Timeout

A field, lastInteraction, will be added to the Account storage object which stores the unix timestamp of the last time a user interacted with their account. This timestamp will be updated every time a user performs a write-action on their account, such as delegation, mintUsd, or deposit.

The withdraw function, which allows for removal of collateral from the system, is an endpoint of perhaps catastrophic concern if it were to be exploited during an attack. Therefore, an interaction timeout is added (e.g. 8 hours) which completely disables an attacker's ability to withdraw collateral from the system by means of a flash loan attack, and gives ample time for internet sleuths or other interested parties to identify the issue before it can result in loss of protocol collateral.

The withdrawal function is the primary target for protection because every other function in v3 more or less just alters the internal accounting of the system, so in the case of an attack, we could hypothetically recover through a system update without loss of funds.

A SCCP configurable parameter, withdrawTimeout, will be added to the system to configure the wait time between account interaction and first allowed withdrawal.

Feature Flags

A function is added to FeatureFlagsModule, setDeniers, which permits specification of a list of Ethereum addresses which may issue a call to disable each function on the system. The list of deniers will be coded in the synthetix-deployments repo and approved by SC, and will most likely be a set of trusted CC members. Deniers are not permitted to re-allow any features without owner approval.

The list of deniers is an SCCP configurable value. If the owner of the system is the pdao or another address outside the SC, an SC vote is required to re-allow any disabled feature.

New feature flags will be introduced to protect the following functions:

  • createAccount
  • deposit
  • withdraw
  • mintUsd
  • burnUsd
  • liquidate
  • liquidateVault
  • depositMarketCollateral
  • withdrawMarketCollateral
  • depositMarketUsd
  • withdrawMarketUsd
  • claimRewards
  • delegateCollateral

All these flags will be set to allowAll automatically by a cannonfile step to allow for the usual system operation on initial deployment.
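The following contract is an added illustration of how the interaction timeout and the denier-based feature flags described above fit together; it is not Synthetix v3 code. It assumes a single global withdrawTimeout instead of one per CollateralConfiguration, uint128 account ids, and that only the owner may re-allow a denied feature.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;
// Sketch of SIP-316's two guards; not Synthetix v3 code. Assumes one global withdrawTimeout
// (not one per CollateralConfiguration), uint128 account ids, and owner-only re-allow.
contract PrecautionaryGuards {
    bytes32 public constant DEPOSIT = "deposit";
    bytes32 public constant WITHDRAW = "withdraw";
    address public owner;
    uint64 public withdrawTimeout; // seconds; 0 disables the timeout entirely
    mapping(uint128 => uint64) public lastInteraction; // accountId => unix timestamp
    mapping(bytes32 => bool) public allowAll; // feature => enabled
    mapping(bytes32 => mapping(address => bool)) public isDenier; // feature => address => may deny

    error FeatureUnavailable(bytes32 feature);
    error WithdrawTooSoon(uint64 allowedAt);
    error Unauthorized(address caller);
    modifier onlyOwner() { if (msg.sender != owner) revert Unauthorized(msg.sender); _; }

    constructor(uint64 timeout) {
        owner = msg.sender;
        withdrawTimeout = timeout;
        allowAll[DEPOSIT] = true; // allowAll on initial deployment, as the cannonfile step would set
        allowAll[WITHDRAW] = true;
    }

    // Owner (SC / pDAO) maintains the denier list for each feature.
    function setDeniers(bytes32 feature, address[] calldata deniers, bool enabled) external onlyOwner {
        for (uint256 i = 0; i < deniers.length; i++) isDenier[feature][deniers[i]] = enabled;
    }

    // Deniers can only switch a feature off; re-allowing is owner-only.
    function denyFeature(bytes32 feature) external {
        if (msg.sender != owner && !isDenier[feature][msg.sender]) revert Unauthorized(msg.sender);
        allowAll[feature] = false;
    }
    function allowFeature(bytes32 feature) external onlyOwner { allowAll[feature] = true; }

    // Every write-action stamps lastInteraction; deposit stands in for delegation, mintUsd, etc.
    function deposit(uint128 accountId) external {
        if (!allowAll[DEPOSIT]) revert FeatureUnavailable(DEPOSIT);
        lastInteraction[accountId] = uint64(block.timestamp);
    }

    // withdraw is gated by both the feature flag and the interaction timeout.
    function withdraw(uint128 accountId) external {
        if (!allowAll[WITHDRAW]) revert FeatureUnavailable(WITHDRAW);
        uint64 allowedAt = lastInteraction[accountId] + withdrawTimeout;
        if (block.timestamp < allowedAt) revert WithdrawTooSoon(allowedAt);
    }
}
```

With withdrawTimeout set to 8 hours, a deposit followed by a withdraw in the same transaction reverts with WithdrawTooSoon, which is what removes the flash-loan path the specification is concerned with.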

Test Cases

Relevant tests will be developed during implementation.

Configurable Values (Via SCCP)

For each CollateralConfiguration, the following parameters are added:

  • withdrawalTimeout: the minimum number of seconds which must have elapsed since the last account interaction before withdrawal of collateral from an account is allowed. Can be set to 0 to completely disable the timeout.
  • deniers: for each feature listed above, the list of deniers who have permission to disable the given feature.

Copyright and related rights waived via CC0.