Introduction to Emergency Shutdown in Multi-Collateral Dai

August 12, 2019

In June, the Maker Foundation published Multi-Collateral Dai (MCD): Milestones Roadmap, in which we not only listed the milestones that must be achieved before MCD goes live, but also promised to provide materials that will help everyone in the Maker community better understand MCD system operations. Today, we provide users of the Maker Protocol with an overview of the Emergency Shutdown process, including what Emergency Shutdown is, how it is initiated, and when. We also provide information regarding how CDP owners and Dai holders can withdraw collateral from the system after shutdown.

What is Emergency Shutdown?

The Maker Protocol, which powers MCD, is a smart-contract system that backs and stabilizes the value of Dai through a dynamic combination of Collateralized Debt Positions (CDPs), an autonomous system of smart contracts, and appropriately incentivized external actors. The Dai Target Price is 1 US Dollar, translating to a 1:1 US Dollar soft peg.

Emergency Shutdown is a process that can be used as a last resort to directly enforce the Target Price to holders of Dai and CDPs, and protect the Maker Protocol against attacks on its infrastructure.



Emergency Shutdown stops and gracefully settles the Maker Protocol while ensuring that all users, both Dai holders and CDP holders, receive the net value of assets they are entitled to.


Effectively, it allows Dai holders to directly redeem Dai for collateral after an Emergency Shutdown processing period. 

What Can Cause Emergency Shutdown?

Emergency Shutdown is the last resort to protect the system against a serious threat, such as long-term market irrationality, hacks, and security breaches.  

Security is the first priority for the Maker Foundation, and the robustness of the CDP liquidation mechanism to keep the system solvent has been battle-tested with Single-Collateral Dai. We anticipate that the likelihood of a serious threat is low; nonetheless, should an emergency occur, the system is designed to handle it. The Foundation plans to build on current processes and develop tools to not only facilitate the shutdown of the system, but also to quickly relaunch Multi-Collateral Dai with a new set of smart contracts after an Emergency Shutdown event.

An Emergency Shutdown can also occur when the core smart contracts underpinning the Maker Protocol need to be upgraded. In such instances, it’s necessary to migrate the assets from the old system to a new system before the shutdown. Because a system upgrade isn’t an emergency event, it can be planned and users of the Maker Protocol notified in advance.

Who Can Initiate Emergency Shutdown?

In Multi-Collateral Dai, the process of initiating Emergency Shutdown is decentralized, and MKR holders (voters) can trigger it by depositing MKR in the Emergency Shutdown Module (ESM). Emergency Shutdown is triggered when a quorum of the deposited MKR has been reached. The quorum is not meant to be a majority of the MKR in circulation, but it shall still be significant. MKR voters determine the quorum, which is initially proposed to be 50,000 MKR.

For additional security, MKR voters will be able to select Emergency Oracles with the power to unilaterally trigger an Emergency Shutdown. These Oracles can, for example, monitor the system for security breaches via smart-contract vulnerabilities and for governance attacks. In MCD, the delay period between a system change proposal and execution of the change provides time to detect a governance attack and subsequently initiate Emergency Shutdown. Likewise, the delay period before collateral prices are applied in the system allows for the detection of a Price-Oracles attack.

What Happens When Emergency Shutdown Is Initiated?

When Emergency Shutdown is initiated, the normal function of the Maker Protocol ceases. Users will no longer be able to deposit collateral and draw Dai from CDPs.

Additionally, the settlement of the system assures that any Dai holder receives the same relative amount of collateral from the system, whether a holder is the first or last to process a claim. To make sure the settlement can run its course, there is a waiting period before Dai holders can swap their Dai for collateral. MKR voters will determine this waiting period, but it is fair to expect it to be closer to 48 hours rather than many days or weeks.

Meanwhile, once Emergency Shutdown is initiated, the prices for all collateral types in the system are immediately “frozen” (registered). This allows for calculation of how much collateral must stay in each CDP to cover the outstanding Dai generated for each. Outstanding Dai is valued at par (i.e., $1 US per Dai). Subsequently, CDP owners are allowed to withdraw all excess collateral from the CDP. They can do this immediately via CDP frontends, such as the CDP Portal, as well as via command-line tools.

During this period, the system is checked to determine if there are any under-collateralized CDPs that haven't been liquidated due to an edge-case situation. Initially, the Maker Foundation will ensure that this check is performed. In the longer term, it will be up to MKR voters to ensure that actors are prepared to perform the check. Any unaccounted debt from such CDPs must be transferred to the overall system balance, and existing collateral auctions must have time to complete or be canceled. This waiting period can equal the time of the longest-running collateral auction or it can be shorter, provided auctions that are set to run beyond the defined waiting period are canceled by an external actor. 

In general terms, Dai holders receive collateral worth $1 US for 1 Dai according to what the collateral price was when Emergency Shutdown was initiated. Just like Dai under normal circumstances has a soft peg to the US Dollar, the value of the collateral Dai holders will receive for 1 Dai may not be exactly $1 US. Accordingly, Dai holders may receive more than $1 of collateral per Dai they hold if, at the time Emergency Shutdown is initiated, there is a net surplus in the system from stability fees collected. If, on the other hand, there are more under-collateralized CDPs at that time than a surplus from stability fees can cover, then the value of the collateral a Dai holder receives for 1 Dai will be less than $1 US. Under normal operation of the Maker Protocol, CDPs with a collateralization ratio below the liquidation ratio will be liquidated and their collateral auctioned off (as described in our Introduction to Auctions and Keepers in Multi-Collateral Dai) well before the CDP enters a state of under-collateralization. Based on our experience with Single-Collateral Dai and the generally historical over-collateralization of CDPs, the Maker Foundation believes there is a low probability that a material number of under-collateralized CDPs will be in the system at the time of an Emergency Shutdown scenario.
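
The settlement arithmetic described above, as an added example that is not part of the original post and is not the END contract's code. It is a simplified model: the collateral types, prices and CDPs are constructed sample values, and treating a surplus as Dai that cancels against the outstanding debt is an assumption of the model.

```python
from fractions import Fraction

# Constructed sample data (not from the original post): frozen USD prices and
# three CDPs as (collateral type, collateral units locked, Dai debt).
FROZEN_PRICE = {"ETH": Fraction(200), "BAT": Fraction(1, 4)}
CDPS = [
    ("ETH", Fraction(10), Fraction(1000)),    # over-collateralized
    ("ETH", Fraction(2), Fraction(500)),      # under-collateralized: worth $400
    ("BAT", Fraction(8000), Fraction(1000)),  # over-collateralized
]

def settle(cdps, frozen_price, surplus=Fraction(0)):
    """Return (collateral per Dai by type, excess collateral per CDP).

    Assumption of this model: a system surplus is Dai held by the system
    that cancels against the Dai debt before claims are computed.
    """
    reserved, excess, total_debt = {}, [], Fraction(0)
    for ctype, locked, debt in cdps:
        owed = debt / frozen_price[ctype]   # units covering the debt at $1 per Dai
        kept = min(locked, owed)            # a short CDP can only give what it holds
        reserved[ctype] = reserved.get(ctype, Fraction(0)) + kept
        excess.append(locked - kept)        # withdrawable by the CDP owner
        total_debt += debt
    outstanding = total_debt - surplus
    if outstanding <= 0:
        raise ValueError("no outstanding Dai to settle")
    per_dai = {c: units / outstanding for c, units in reserved.items()}
    return per_dai, excess

def redeem(per_dai, dai_amount):
    """Collateral basket for a claim; depends only on the amount, not on order."""
    return {c: rate * dai_amount for c, rate in per_dai.items()}

def usd_value(basket, frozen_price):
    """Value of a basket at the frozen prices."""
    return sum(units * frozen_price[c] for c, units in basket.items())

if __name__ == "__main__":
    per_dai, excess = settle(CDPS, FROZEN_PRICE)
    print("excess per CDP:", [str(x) for x in excess])
    print("value of 1 Dai:", float(usd_value(redeem(per_dai, 1), FROZEN_PRICE)))
```

With the sample data, the $100 shortfall of the second CDP is spread over all 2,500 Dai, so every Dai redeems for $0.96 of collateral at the frozen prices; a surplus of 100 Dai would bring the payout back to par.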

A High-Level Look at the Emergency Shutdown Process 

The illustration below offers a high-level look at the Emergency Shutdown process. To initiate Emergency Shutdown, the ESM emergency shutdown contract or an authorized Emergency Oracle sends the cage message to the contract named END in the Maker Protocol. 

If you look at the code in the END contract, you will find details as to what happens during the process. 

Going forward, the Maker Foundation will provide additional information to bridge the gap between this high-level view and what occurs in the contracts.

Facilitating Emergency Shutdown Processing for Dai holders

At the time of Emergency Shutdown, a Dai holder is entitled to receive a certain share of all collateral in the system relative to the amount of Dai being held, as explained above. For each type of collateral, the Dai holder must transact with the Maker Protocol to claim his/her share of that collateral type.

Dai holders will incur transaction expenses when claiming each collateral type. As the number of collateral types in the system grows, expenses can increase and become at least noticeable for holders of small amounts of Dai. Additionally, if a Dai holder wants to consolidate the broad portfolio of collateral types offered into a manageable few, fees will be associated with those consolidations. However, to keep transaction costs low for Dai holders, ecosystem actors called Keepers are expected to buy Dai and claim collateral in bulk on behalf of the holders. By buying Dai from individual Dai holders, Keepers can accumulate larger volumes, making it more economical to claim the different collateral types and subsequently benefit from economy of scale when trading these collateral types.

Given the Maker Protocol is decentralized, it is up to a Keeper to decide which business model to pursue. The model for Keepers could be that they buy Dai at a slight rebate from individual Dai holders or that they offer the service as a value-add with other services (for example from an exchange, a wallet provider, or a similar service provider).

Regardless of whether ecosystem actors will provide these services, the Maker Foundation will initially offer a web page from which Dai holders can swap their Dai for collateral in the case of Emergency Shutdown. In the longer term, it is expected that the ecosystem will provide a broad range of services, making the web page unnecessary.

Relaunching the System

Minimizing the disruption to service during Emergency Shutdown, and then relaunching MCD with the deployment of new smart contracts as soon as possible is critical. How quickly the relaunch happens will depend on how much time it takes to identify and remove or isolate the cause of the shutdown. 

For example, in the case of an Oracle attack on the system or an attack on the Oracles, the compromised Oracles must be removed and other Oracles may have to be deployed. The full set of smart contracts that comprise the Maker Protocol, and the scripts needed to deploy the system, will be available as open-source software. Therefore, it will be possible to deploy a new set of smart contracts at the same time the existing system is going through the Emergency Shutdown waiting period. Once Emergency Shutdown has completed, MKR voters can switch authority to the new set of smart contracts.

In general, those who owned CDPs in the old system of smart contracts must open new CDPs using collateral they claimed from the system that was shut down. Dai holders can trade the collateral claimed from the old system on a marketplace for new Dai, or, if there are providers offering this service, Dai holders may swap old Dai for new Dai at a Keeper service. The Keepers noted above would claim collateral in the shut-down system for the old Dai received, and open a CDP in the new system of smart contracts to generate new Dai.

To reiterate, although the Maker Foundation anticipates that the likelihood for Emergency Shutdown is low, we clearly understand the need to minimize the risk of disruption of service for users of the Maker Protocol under all circumstances. Tools to facilitate a relaunch will be developed, and testing the relaunch of MCD with the deployment of new smart contracts will be done on a regular basis by the Maker Foundation until the task can be assigned to actors appointed by MKR voters.

Summing It All Up

To discourage trolls and others that might be tempted to attack the system, it is important to have a well-defined Emergency Shutdown process. Let’s review:

  • The process of initiating Emergency Shutdown is decentralized and controlled by MKR voters, who can trigger it by depositing MKR into the Emergency Shutdown Module.
  • Emergency Shutdown is triggered in the case of serious emergencies, such as long-term market irrationality, hacks, or security breaches.
  • Emergency Shutdown stops and gracefully settles the Maker Protocol while ensuring that all users, both Dai holders and CDP users, receive the net value of assets they are entitled to.
  • CDP owners can retrieve excess collateral from their CDPs immediately after initialization of Emergency Shutdown. They can do this via CDP frontends, such as the CDP Portal, that have Emergency Shutdown support implemented, as well as via command-line tools.
  • Dai holders can, after a waiting period determined by MKR voters, swap their Dai for a relative share of all types of collateral in the system. The Maker Foundation will initially offer a web page for this purpose.
  • Dai holders always receive the same relative amount of collateral from the system, whether they are among the first or last people to process their claims.
  • Dai holders may also sell their Dai to Keepers (if available) to avoid self-management of the different collateral types in the system.

As we move forward, the Maker Foundation will provide additional documentation regarding the sequence and flow of transactions in the smart contracts should Emergency Shutdown be triggered. 

In the meantime, if you have questions or are curious as to what others in the community think, join the dialogue in the MakerDAO Forum.
