Recently there was an update to Emergency Shutdown Module (ESM) and End. In the OP of the thread linked, it is mentioned that a dual-ESM system may be considered at some point: one for critical bugs ("BugESM") in which governance retains control after ES, and one for governance attacks ("GovESM") in which it does not. To secure this Multi-ESM system it was also suggested that a gobetween permissions module ("VatMom") be deployed; this would, in theory, keep an attacker from using the BugESM to hack the system to prevent the GovESM from being used.

Granted, it may be way early to discuss it, but I’d like to discuss in this here thread the two models, Monolithic (single many-purpose ESM) and Polylithic (many single-purpose ESM, overseen by the VatMom), and the benefits and drawbacks of each.




  • Currently in active use.
  • Less code to maintain.
  • Fewer "moving parts".
  • One-stop-shop for all your Emergency Shutdown needs at everyday high gas prices.


  • Doesn't necessarily give us information about what exactly went wrong, in case off-chain information proves insufficient.
  • One-size-fits-all solution which must be tailored to the worst-case scenario, meaning certain traits that are desirable under certain ES circumstances (and strictly undesirable in others) cannot be included without compromising security.



  • Allows us to tailor an ES contract to the specific scenario it is designed to be used in.
  • Gives us more on-chain information about why an ES happened by effectively segregating ES scenarios by contract address.
  • It can be made much clearer what the ES system is supposed to be used for by dividing ESM by use case.


  • More code to maintain.
  • A more complex system means it's that much harder to bring new people up to speed on how things are put together and for them to maintain a working model of the system in their heads as they use it. (I try to do the latter as much as possible, I don't know about anyone else; I find it helps me optimize usage)
  • More moving parts, meaning more can go wrong. ("The more you overthink the plumbing, the easier it is to stop up the drain.")


"Single/multiple attack vector(s)" was considered as a pro/con. However, there can only be one ES at a time, so if I'm not misunderstanding, by design of the ES system there is always exactly one vector an ES-related attack can take at a time regardless of the model chosen thus rendering the point moot; an attacker that flooded all available ESM with MKR in a Polylithic model would therefore just be wasting resources.

I would imaging in the long-run the Community should push for a “Polylithic” mechanism but at the moment we don’t have the bandwidth. Assuming there is an attack and we don’t have as you said, “enough information about what exactly went wrong” – should the approach then be similar to what large corporations go thru when they (Equifax, Adult Friend Finder, Ebay, etc.) publish a report and ask for forgiveness? Just wondering what the thought process will be if such occurred…