SIP-44: Synthetix & Synth Disabling
Author | |
---|---|
Status | Implemented |
Type | Governance |
Network | Ethereum |
Implementor | TBD |
Release | TBD |
Created | 2020-02-28 |
Simple Summary
Add a new `SystemStatus` contract to allow both synth pausing and system upgrades, as well as other security measures.
Abstract
A `SystemStatus` contract can hold various types of state for system events. These include: system upgrades, issuance and exchange controls, and synths disabled due to security concerns, or in the short term, suspended during out-of-trading hours for the underlying asset.
Motivation
There are a number of conditions where the Synthetix system needs to be able to pause. These are as follows:
- During upgrades: Currently we have a workaround to disable the entire protocol by setting the `ExchangeRates.rateIsStale` period to `1`. This is fairly rudimentary and needs improvement. Moreover, a better reject reason will go a long way towards helping users address concerns during these windows.
- Security measures: There have been occasions where synths have needed to be disabled immediately, such as during the attack on sMKR and iMKR (see SIP-34). This gives the team and community time to investigate the situation and determine the next steps with minimal impact to the rest of the system. Moreover, we're continuing to build live monitoring software that can detect and disable synths whenever an attack is launched.
Specification
The following areas can be suspended:
- System: All synth and SNX transfers disabled. All exchange, issue, burn, claim, loan and mint functionality disabled. This is both for system upgrades and under possible emergency situations.
- Issuance: All sUSD issuance, burning and claiming disabled, along with any loan actions.
- Exchange: All synth exchanges.
- Synth: For the synth in question, all transfers, settlement, and exchanges into or out of it are disabled.
Access to the above controls will be restricted to an `accessControlList`, a whitelist of addresses that, for each section above, can `suspend` and/or `resume`. This whitelist will be managed by the `owner`.
Furthermore, each suspension must include a `uint reason`. Apart from the single reason `1` for `SYSTEM_UPGRADE`, these reasons are purely for dApps and scripts to indicate to users why certain parts of the system are unavailable.
Note: Exchange suspension will remove `Exchange.exchangeEnabled` functionality and this SIP will remove it.
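A compact sketch of the state and checks this specification describes, added here as an illustration and not the code from the linked pull request. `SystemStatusSketch`, `Section`, `updateAccessControl`, the `require*Active` helpers and the revert messages are assumed names; only `accessControlList`, `suspend`, `resume`, `owner`, `reason` and `SYSTEM_UPGRADE` come from the SIP text.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration of the SIP-44 specification, not the Synthetix implementation.
// Only accessControlList, suspend, resume, owner, reason and SYSTEM_UPGRADE
// come from the SIP text; every other name here is an assumption.
contract SystemStatusSketch {
    enum Section { System, Issuance, Exchange, Synth }
    struct Access { bool canSuspend; bool canResume; }
    struct Suspension { bool suspended; uint reason; }

    uint public constant SYSTEM_UPGRADE = 1; // the only reason with a fixed meaning
    address public owner;
    mapping(Section => mapping(address => Access)) public accessControlList;
    // Section => key => state; key is the synth's currency key, or 0 otherwise.
    mapping(Section => mapping(bytes32 => Suspension)) public status;

    constructor() { owner = msg.sender; }

    // The owner grants suspend and resume rights separately, per section.
    function updateAccessControl(Section s, address who, bool canSuspend, bool canResume) external {
        require(msg.sender == owner, "Only the owner can update access");
        accessControlList[s][who] = Access(canSuspend, canResume);
    }

    function suspend(Section s, bytes32 key, uint reason) external {
        require(accessControlList[s][msg.sender].canSuspend, "Not allowed to suspend");
        status[s][key] = Suspension(true, reason);
    }

    function resume(Section s, bytes32 key) external {
        require(accessControlList[s][msg.sender].canResume, "Not allowed to resume");
        delete status[s][key];
    }

    // A system suspension blocks everything, so narrower checks call this first.
    function requireSystemActive() public view {
        Suspension memory sys = status[Section.System][bytes32(0)];
        require(!(sys.suspended && sys.reason == SYSTEM_UPGRADE), "Upgrade in progress");
        require(!sys.suspended, "System is suspended");
    }

    function requireExchangeActive(bytes32 src, bytes32 dest) external view {
        requireSystemActive();
        require(!status[Section.Exchange][bytes32(0)].suspended, "Exchange is suspended");
        require(!status[Section.Synth][src].suspended, "Source synth is suspended");
        require(!status[Section.Synth][dest].suspended, "Destination synth is suspended");
    }
}
```

Keeping suspend and resume as separate rights lets an automated monitor hold suspend-only access, so a compromised monitor key can pause a section but cannot lift a suspension.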
Rationale
The Access Control allows the `owner` to configure the right kind of emergency system pause access to a range of manual and automated protection mechanisms if anomalies or exploits are detected.
Test Cases
https://github.com/Synthetixio/synthetix/pull/476
Implementation
https://github.com/Synthetixio/synthetix/pull/476
Copyright
Copyright and related rights waived via CC0.