Security Mechanisms

Spells are immutable contracts designed to implement a predefined set of changes to the protocol—such as module authorizations or parameter adjustments—once approved through governance voting on ds-chief. Detailed information on spell crafting, review processes, testing, and a history of previously executed spells can be accessed here.

Various instant access modules have been integrated into the protocol to allow for immediate parameter updates within predefined limits, bypassing the standard governance voting process and its associated security delays. These modules ensure that certain adjustments can be made quickly while still maintaining protocol integrity.

All governance actions must pass through a governance security delay before they can be executed. However, some functions are pre-configured to bypass this delay, either through specific authorized actors or governance itself. For example, the FlapperMom contract allows governance to instantly disable the Flapper instance without waiting for the governance security delay.

Oracle Security Module (OSM) MOM allows the oracle collateral price feed provider (Chronicle) to freeze the current price value, preventing a potentially malicious price—queued within the OSM’s one-hour window—from becoming active.

Minting excessive DAI, even with sufficient collateralization, can introduce significant risk. To mitigate this, the Debt Ceiling defines the maximum amount of DAI that can be minted against a specific collateral type. To provide more flexibility, the AutoLine IAM enables the broader community to adjust the debt ceiling within predefined parameters established by token holders.

Delays are utilized throughout the system to provide actors and users with sufficient time to review and respond to pending changes. This mechanism allows for the opportunity to make adjustments or take necessary actions before the scheduled changes are implemented, ensuring proper oversight and reaction time.

Governance Security Module (GSM) enforces a governance security delay via the Pause Proxy. This ensures that all governance actions executed through the Pause Proxy are subject to a delay, providing the ecosystem with time to observe the upcoming changes and respond accordingly before they go live.

Oracle Security Module (OSM) enforces a delay of one hour on all price value updates to collateral types like ETH. This ensures vault owners have sufficient time to react and adjust their positions by adding more collateral or repaying debt when the new price is lower. It also allows the oracle price feed provider (Chronicle) to freeze the current price value and stop a queued malicious price value from going through.
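The one-hour delay and the freeze described above (and in the earlier OSM MOM paragraph) can be seen in a small simulation. This is an added example, not the protocol's contract code; the class, method and event names are illustrative assumptions, and the prices are constructed sample values.

```python
# Simplified model of a delayed price feed with a freeze switch.
# All names here are illustrative assumptions, not the protocol's contract API.
from dataclasses import dataclass

DELAY = 3600  # one-hour delay stated on the page, in seconds


@dataclass
class DelayedFeed:
    current: float          # price the protocol acts on now
    queued: float           # price waiting out the delay
    last_update: int = 0    # time of the last promotion
    frozen: bool = False

    def update(self, now: int, source_price: float) -> bool:
        """Promote the queued price and queue a new one, if allowed."""
        if self.frozen or now - self.last_update < DELAY:
            return False
        self.current, self.queued = self.queued, source_price
        self.last_update = now
        return True

    def freeze(self) -> None:
        """Keep `current` in force; the queued value can no longer activate."""
        self.frozen = True


def run(events, start_price=2000.0):
    """Replay (time, action, value) events; return the active price after each."""
    feed = DelayedFeed(current=start_price, queued=start_price)
    active = []
    for now, action, value in events:
        if action == "update":
            feed.update(now, value)
        elif action == "freeze":
            feed.freeze()
        active.append(feed.current)
    return active


# Constructed scenario: a bad price of 1.0 is reported at t=3600.
BAD_QUEUED = [(3600, "update", 1.0), (5000, "update", 1.0), (7200, "update", 2010.0)]
WITH_FREEZE = [(3600, "update", 1.0), (5000, "freeze", None), (7200, "update", 2010.0)]

if __name__ == "__main__":
    print("no freeze:  ", run(BAD_QUEUED))
    print("with freeze:", run(WITH_FREEZE))
```

Without the freeze, the bad value sits in the queue for an hour and then becomes the active price; with the freeze issued inside that window, the active price never changes.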

Governance controls a surplus buffer in DAI (or USDS), which serves as reserves fully owned by the protocol.

The ds-chief contract prevents SKY locked for voting from being used in the same block as the deposit. This measure blocks the use of flash loans to temporarily increase voting weight for governance decisions, such as spells. However, this restriction does not affect legitimate borrowers who have obtained SKY through lending protocols like AAVE, allowing them to use their borrowed SKY for voting.

The Hole and ilk.hole parameters set a global limit and a limit per collateral type on the total amount of DAI debt that can be in auction at any given time. These limits are designed to ensure that collateral liquidations do not overwhelm the liquidity available in external markets, helping to maintain stability during liquidation events.

Dutch auctions enable a wide range of participants, including those without direct access to their own capital, to take part in collateral auctions. This open participation mechanism helps ensure broader access and competition during the auction process.

Global Settlement and Emergency Shutdown Module are disabled

Global Settlement is a complex feature from a previous era that is now considered deprecated and not intended for use. Similarly, the Emergency Shutdown mechanism, which can be triggered by a subset of SKY holders, is also considered deprecated. Its trigger threshold has been set to a very high level to reflect this.

Released into the public domain (CC0 1.0 Universal) – trademarks remain with their owners; no warranty. See full license.