Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add emergency section in the README #380

Merged
merged 9 commits into from
Jan 16, 2024
44 changes: 43 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,6 @@ It is advised to use these canonical configurations for "idle" markets:
- `oracle`: `address(0)` (not necessary since no funds will be borrowed on this market)
- `lltv`: `0` (not necessary since no funds will be borrowed on this market)


Note that to allocate funds to this idle market, it is first required to enable its cap on MetaMorpho.
Enabling an infinite cap (`type(uint184).max`) will always allow users to deposit on the vault.

Expand Down Expand Up @@ -138,6 +137,49 @@ Below is a typical example of how this use case would take place:

- Compute the new root for the vault’s rewards distributor, submit it, wait for the timelock (if any), accept the root, and let vault depositors claim their rewards according to the vault manager’s rewards re-distribution strategy.

## Emergency

### An enabled market is now considered unsafe

If an enabled market is considered unsafe (e.g., risk too high), the curator/owner may want to disable this market in the following way:

- Revoke the pending cap of the market with the `revokePendingCap` function (this can also be done by the guardian).
Jean-Grimal marked this conversation as resolved.
Show resolved Hide resolved
- Set the cap of the market to 0 with the `submitCap` function.
To ensure that submit cap does not revert because of a pending cap, it is recommended to batch the two previous transactions, for example using the multicall function of MetaMorpho.
- Withdraw all the supply of this market with the `reallocate` function.
If there is not enough liquidity on the market, remove the maximum available liquidity with the `reallocate` function, then put the market at the beginning of the withdraw queue (with the `updateWithdrawQueue` function).
- Once all the supply has been removed from the market, the market can be removed from the withdraw queue with the `updateWithdrawQueue` function.

### An enabled market reverts
Jean-Grimal marked this conversation as resolved.
Show resolved Hide resolved

If an enabled market starts reverting, many of the vault functions would revert as well (because of the call to `totalAssets`). To turn the vault back to an operating state, the market must be forced removed by the owner/curator, who should follow these steps:

- Revoke the pending cap of the market with the `revokePendingCap` function (this can also be done by the guardian).
- Set the cap of the market to 0 with the `submitCap` function.
To ensure that submit cap does not revert because of a pending cap, it is recommended to batch the two previous transactions, for example using the multicall function of MetaMorpho.
- Submit a removal of the market with the `submitMarketRemoval` function.
- Wait for the timelock to elapse
- Once the timelock has elapsed, the market can be removed from the withdraw queue with the `updateWithdrawQueue` function.
Jean-Grimal marked this conversation as resolved.
Show resolved Hide resolved

Warning : Funds supplied in forced removed markets will be lost, this why only reverting market should be disabled this way (because funds supplied in such markets can be considered lost anyway).
Jean-Grimal marked this conversation as resolved.
Show resolved Hide resolved

### Curator takeover
Rubilmax marked this conversation as resolved.
Show resolved Hide resolved

If the curator starts to submit positive caps for unsafe markets that are not in line with the vault risk strategy, the owner of the vault can:

- Set a new curator with the `setCurator` function.
- Revoke the pending caps submitted by the curator (this can also be done by the guardian or the new curator).
- If the curator had the time to accept a cap (because `timelock` has elapsed before the guardian or the owner had time to act), the owner (or the new curator) must disable the unsafe market (see [above](#an-enabled-market-is-now-considered-unsafe)).

### Allocator takeover

If one of the allocators starts setting withdraw queue and/or supply queue that are not in line with the vault risk strategy, or incoherently reallocating the funds, the owner of the vault should:
Jean-Grimal marked this conversation as resolved.
Show resolved Hide resolved

- Deprive the faulty allocator from his privileges with the `setIsAllocator` function.
- Reallocate the funds in a way consistent with the vault risk strategy with the `reallocate` function (this can also be done by the curator or the other allocators).
- Set a new withdraw queue that is in line with the vault risk strategy with the `updateWithdrawQueue` function (this can also be done by the curator or the other allocators).
- Set a new supply queue that is in line with the vault risk strategy with the `setSupplyQueue` function (this can also be done by the curator or the other allocators).

## Getting Started

Install dependencies: `yarn`
Expand Down
Loading