SIP-44: Synthetix & Synth Disabling

Author
StatusImplemented
TypeGovernance
NetworkEthereum
ImplementorTBD
ReleaseTBD
Created2020-02-28

Simple Summary

Add a new SystemStatus contract to allow both synth pausing and system upgrades, as well as other security measures.

Abstract

A SystemStatus contract can hold various types of state for system events. These include: system upgrades, issuance and exchange controls, and synths disabled due to security concerns, or in the short term, suspended during out-of-trading hours for the underlying asset.

Motivation

There are a number of conditions where the Synthetix system needs to be able to pause. These are as follows:

  1. During upgrades: Currently we have a workaround to disable the entire protocol by setting ExchangeRates.rateIsStale period to 1. This is fairly rudimentary and needs improvement. Moreover a better reject reason will go a ways towards helping users address concerns during these windows.
  2. Security meaures: There have been occasions where synths have needed to be disabled immediately, such as during the attack on sMKR and iMKR (see SIP-34). This gives the team and community time to investigate the situation and determine the next steps with minimal impact to the rest of the system. Moreover, we're continuing to build live monitoring software that can detect and disable synths whenever an attack is launched.

Specification

The following areas can be suspended:

  1. System: All synth and SNX transfers disabled. All exchange, issue, burn, claim, loan and mint functionality disabled. This is both for system upgrades and under possible emergency situations.
  2. Issuance: All sUSD issuance, burning and claiming disabled, along with any loan actions.
  3. Exchange: All synth exchanges.
  4. Synth: For the synth in question, all transfers of, settlement of, and exchanges into or out of disabled.

Access to the above controls will be restricted to an accessControlList, a whitelist of addresses that for each section above, can suspend and/or resume. This whitelist will be managed by the owner.

Furthermore, each suspension must include a uint reason. Apart from the single reason 1 for SYSTEM_UPGRADE, these reasons are purely for dApps and scripts to indicate to users why certain parts of the system are unavailable.

Note: Exchange suspension will remove Exchange.exchangeEnabled functionality and this SIP will remove it.

Rationale

The Access Control allows the owner to configure the right kind of emergency system pause access to a range of manual and automated protection mechanism if anomalies or exploits are detected.

Test Cases

https://github.com/Synthetixio/synthetix/pull/476

Implementation

https://github.com/Synthetixio/synthetix/pull/476

Copyright and related rights waived via CC0.