SIP-316: Core System Precautionary Security Features
| Field | Value |
|---|---|
| Network | Ethereum & Optimism |
| Implementor | Daniel Beal (@dbeal-eth) |
Protect the protocol from loss by adding an "interaction timeout" to Accounts which prevents withdrawals for a period after the account was last modified. Additionally, add checks which allow for disabling of most system functions in emergency situations, similar to `SystemStatus` in v2x.
Synthetix v3 introduces revolutionary mechanisms which will change the way that DeFi looks at composable protocol design. However, perhaps the biggest threat to Synthetix is a cataclysmic protocol failure or smart contract hack which leads to loss of user funds (think about just about any bridge hack over 2022). New systems come with inherent risks, and certain functions, such as `delegateCollateral`, will likely be a massive target for potential attackers. Adding certain restrictions to deter these attackers, such as an interaction timeout and easy CC disabling paths, will both reduce the risk of these endpoints and limit the potential damages if such an attack were to occur.

These solutions were chosen because they closely align with the successful `SystemStatus` mechanism, which has been used in v2x to great effect.
A `lastInteraction` field will be added to the `Account` storage object, storing the unix timestamp of the last time a user interacted with their account. This timestamp will be updated every time a user performs a write-action on their account, such as delegation, `mintUsd`, or `deposit`.
The `withdraw` function, which allows for removal of collateral from the system, is an endpoint of perhaps catastrophic concern if it were to be exploited during an attack. Therefore, an interaction timeout is added (e.g. 8 hours) which completely disables an attacker's ability to withdraw collateral from the system by means of a flash loan attack, and gives ample time for internet sleuths or other interested parties to identify the issue before it can result in loss of protocol collateral.

The withdrawal function is the primary target for protection because every other function in v3 more or less just alters the internal accounting of the system, so in the case of an attack we could hypothetically recover through a system update without loss of funds.
An SCCP-configurable parameter, `withdrawTimeout`, will be added to the system to configure the wait time between account interaction and first allowed
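The following contract is an added illustration of the interaction timeout described above; it is not Synthetix code. The `lastInteraction` stamp, the `withdrawalTimeout` parameter and the "0 disables the check" rule follow the SIP text, while the contract name, the `governance` address, the `_touch` and `_onlyAccountOwner` helpers and the use of native-token collateral are assumptions made to keep the example self-contained. The point to notice is in `withdraw`: `block.timestamp` does not advance inside a transaction, so a deposit (or any other write-action) followed by a withdrawal in the same flash-loan transaction always fails the check while the timeout is non-zero.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Synthetix code. Contract name, `governance`,
// `_touch` and `_onlyAccountOwner` are assumptions; `lastInteraction`
// and `withdrawalTimeout` follow SIP-316.
contract InteractionTimeoutExample {
    struct Account {
        address owner;
        uint64 lastInteraction; // unix timestamp of the last write-action
        uint256 collateral;     // native-token collateral, for simplicity
    }

    mapping(uint128 => Account) private _accounts;

    // SCCP-configurable wait, in seconds; 0 disables the check entirely.
    uint256 public withdrawalTimeout;
    address public immutable governance;

    error Unauthorized(address caller);
    error InteractionTimeoutActive(uint128 accountId, uint256 allowedAt);

    constructor(uint256 initialTimeout) {
        governance = msg.sender;
        withdrawalTimeout = initialTimeout; // e.g. 8 hours = 28800 seconds
    }

    function setWithdrawalTimeout(uint256 newTimeout) external {
        if (msg.sender != governance) revert Unauthorized(msg.sender);
        withdrawalTimeout = newTimeout;
    }

    function createAccount(uint128 accountId) external {
        require(_accounts[accountId].owner == address(0), "account exists");
        _accounts[accountId].owner = msg.sender;
        _touch(accountId);
    }

    // A write-action: refreshes the stamp. Delegation and mintUsd would
    // call _touch in the same way.
    function deposit(uint128 accountId) external payable {
        _onlyAccountOwner(accountId);
        _accounts[accountId].collateral += msg.value;
        _touch(accountId);
    }

    // The protected endpoint. Within one transaction block.timestamp is
    // constant, so any write-action earlier in the same transaction leaves
    // lastInteraction == block.timestamp and the check below reverts.
    function withdraw(uint128 accountId, uint256 amount) external {
        _onlyAccountOwner(accountId);
        Account storage acct = _accounts[accountId];
        uint256 allowedAt = uint256(acct.lastInteraction) + withdrawalTimeout;
        if (withdrawalTimeout != 0 && block.timestamp < allowedAt) {
            revert InteractionTimeoutActive(accountId, allowedAt);
        }
        acct.collateral -= amount; // checked arithmetic: reverts on underflow
        _touch(accountId);         // withdraw is itself a write-action
        // State is fully updated before the external call (checks-effects-interactions).
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Convenience view so front-ends can tell users how long they must wait.
    function secondsUntilWithdrawAllowed(uint128 accountId) external view returns (uint256) {
        uint256 allowedAt = uint256(_accounts[accountId].lastInteraction) + withdrawalTimeout;
        return block.timestamp >= allowedAt ? 0 : allowedAt - block.timestamp;
    }

    function _touch(uint128 accountId) internal {
        _accounts[accountId].lastInteraction = uint64(block.timestamp);
    }

    function _onlyAccountOwner(uint128 accountId) internal view {
        if (_accounts[accountId].owner != msg.sender) revert Unauthorized(msg.sender);
    }
}
```

Whether `withdraw` itself should refresh `lastInteraction` is not spelled out in the SIP; the example treats it as a write-action like any other, which means two withdrawals must also be separated by the timeout.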
A function is added to
`setDeniers`, which permits specification of a list of Ethereum addresses which may issue a call to disable
each function on the system. The list of deniers will be coded in the
`synthetix-deployments` repo and approved by SC, and most likely be a set of trusted
deniers are not permitted to re-allow any features without owner approval.
The list of deniers is an SCCP configurable value. If the owner of the system is the pdao or another address outside the SC, an SC vote is required to re-allow any disabled feature.
New feature flags will be introduced to protect the following functions:
All these flags will be set to `allowAll` automatically by a cannonfile step to allow for the usual system operation on initial deployment.
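The contract below is an added illustration of the feature-flag and denier scheme described above; it is not Synthetix code. `setDeniers`, `allowAll` and `delegateCollateral` come from the SIP text, whereas the contract name, the `denyAll` field, the `setFeatureFlagAllowAll`, `setFeatureFlagDenyAll` and `ensureAccessToFeature` function names, the `whenEnabled` modifier and the `owner` address are assumptions. The asymmetry the SIP asks for lives entirely in `setFeatureFlagDenyAll`: any listed denier may turn a feature off, but only the owner may turn it back on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Synthetix code. `setDeniers`, `allowAll` and
// `delegateCollateral` follow SIP-316; all other names are assumptions.
contract FeatureFlagExample {
    struct Flag {
        bool allowAll;       // set by the deployment step for normal operation
        bool denyAll;        // emergency switch: any denier may set it
        address[] deniers;   // SCCP-configured list per feature
    }

    mapping(bytes32 => Flag) private _flags;
    address public immutable owner;

    uint256 public delegated; // stand-in for real protocol state

    event FeatureFlagAllowAllSet(bytes32 indexed feature, bool allowAll);
    event FeatureFlagDenyAllSet(bytes32 indexed feature, bool denyAll, address by);
    event FeatureFlagDeniersReset(bytes32 indexed feature, address[] deniers);

    error Unauthorized(address caller);
    error FeatureUnavailable(bytes32 feature);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        _;
    }

    // Reverts unless the feature is enabled; used to guard protected endpoints.
    modifier whenEnabled(bytes32 feature) {
        ensureAccessToFeature(feature);
        _;
    }

    // Owner (via SCCP) replaces the list of addresses allowed to disable `feature`.
    function setDeniers(bytes32 feature, address[] calldata deniers) external onlyOwner {
        _flags[feature].deniers = deniers;
        emit FeatureFlagDeniersReset(feature, deniers);
    }

    // Deployment step: the cannonfile would call this with `true` for each flag.
    function setFeatureFlagAllowAll(bytes32 feature, bool allowAll) external onlyOwner {
        _flags[feature].allowAll = allowAll;
        emit FeatureFlagAllowAllSet(feature, allowAll);
    }

    // Asymmetric permission: deniers (and the owner) may set denyAll = true,
    // but only the owner may clear it again.
    function setFeatureFlagDenyAll(bytes32 feature, bool denyAll) external {
        bool isOwner = msg.sender == owner;
        if (!denyAll && !isOwner) revert Unauthorized(msg.sender);
        if (denyAll && !isOwner && !_isDenier(feature, msg.sender)) {
            revert Unauthorized(msg.sender);
        }
        _flags[feature].denyAll = denyAll;
        emit FeatureFlagDenyAllSet(feature, denyAll, msg.sender);
    }

    // A feature is usable only when allowAll is on and denyAll is off.
    function ensureAccessToFeature(bytes32 feature) public view {
        Flag storage f = _flags[feature];
        if (f.denyAll || !f.allowAll) revert FeatureUnavailable(feature);
    }

    function isDenier(bytes32 feature, address who) external view returns (bool) {
        return _isDenier(feature, who);
    }

    // Example protected endpoint: disabled as soon as a denier flips the flag.
    function delegateCollateral(uint256 amount) external whenEnabled("delegateCollateral") {
        delegated += amount;
    }

    function _isDenier(bytes32 feature, address who) internal view returns (bool) {
        address[] storage list = _flags[feature].deniers;
        for (uint256 i = 0; i < list.length; i++) {
            if (list[i] == who) return true;
        }
        return false;
    }
}
```

Keeping the denier list short and fixed (as the SIP proposes, via the deployments repo) also keeps the linear scan in `_isDenier` cheap; a large or user-controlled list would be better served by a mapping.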
Relevant tests will be developed during implementation.
Configurable Values (Via SCCP)
In `CollateralConfiguration`, the following parameters are added:

- `withdrawalTimeout`: the minimum number of seconds which should have elapsed since the last account interaction before withdrawal of collateral from an account is allowed. Can be set to `0` to completely disable the timeout.
- `deniers`: for each feature listed above, the list of deniers who have permission to disable the given feature.
Copyright and related rights waived via CC0.