I wanted to weigh in with some thoughts from the @Risk side. Also worth mentioning that the emergency shutdown mechanism is interrelated with technical, oracle, and governance matters. Emergency shutdown is both a source of risk to the protocol and a key risk mitigation mechanism, so any changes need to be carefully balanced.
Emergency shutdown can become necessary in response to auction issues, critical technical faults, oracle issues, or governance attacks (among other things). The response timelines needed and alternative options vary based on the circumstance:
- For critical oracle faults where a bad OSM price was queued, MKR holders would need to muster a response within 1 hour. If it was not possible to sufficiently mitigate losses via other means (e.g. by deactivating liquidations on affected collaterals), holders would need to trigger shutdown.
- For technical issues, it may be possible to organize a fix via the Dark Spell Mechanism. If it was not possible to issue a fix safely, or if the system was being actively exploited or drained, it would be necessary to trigger emergency shutdown to limit damage.
- For governance attacks, MKR holders could first attempt to pass a further vote to cancel the malicious pending executive. This requires surpassing the MKR balance on the current executive within the governance delay period (currently 2 days). If it’s not possible to meet this higher token threshold, MKR holders would need to trigger emergency shutdown.
- For auction issues, MKR holders may be able to avoid losses by deactivating liquidations (which is not behind the GSM delay). If this does not sufficiently mitigate the issue, it would be necessary to pass an executive and wait for the GSM delay, or trigger shutdown.
If emergency shutdown was triggered in a case where it was not necessary, this would cause substantial disruption to Maker and the wider defi ecosystem. DAI would cease to function as a stablecoin, instead tracking its underlying basket of collateral. While impact on DAI holders would vary depending on market conditions, it seems likely there would be a rush to dispose of unstable collateral in exchange for an alternative stablecoin, likely leading to losses at least in the short term. Integrated lending or derivatives products collateralized in DAI would also become unstable.
While this would be extremely problematic, an alternative case where emergency shutdown was unable to be triggered when necessary would be even more disastrous. In a worst case scenario, all system collateral could be lost which would result in total losses for both vault owners and DAI holders.
DAI holders don’t necessarily benefit from the aggregate system collateral levels, as vault owners are able to receive excess collateral first before DAI holders can redeem during emergency shutdown. It’s possible for DAI to become underfunded well before system collateralization reaches 100%.
While mitigating governance attacks is one important use case for emergency shutdown, the window of opportunity for triggering ES is relatively long. Increasing the GSM delay could impede responses to oracle, auction, or technical issues, in addition to slowing down non-emergency governance action.
Malicious Shutdown Threat
To trigger emergency shutdown, users must burn their MKR tokens. In most cases this would impose a substantial financial cost upon an attacker, but there may be certain hedging mechanisms available that would make the process less costly. For example, an attacker could borrow tokens from Aave v1 or v2 and use them to trigger shutdown, on the assumption that they’d be able to repurchase at low prices in the ensuing market turmoil. It may also be possible to open short positions via futures or perpetual contracts to offset the cost of the MKR tokens burned. These strategies assume MKR tokens would substantially fall in value during an emergency shutdown attack.
Certain competing protocols or hostile organizations may also have a vested interest in MakerDAO’s failure, with financial stakes that outweigh the cost of acquiring and burning 50,000 MKR.
We can help mitigate risk of emergency shutdown through a holistic approach to operational readiness and governance security.
First, we should adopt and implement a protocol continuity plan. Continuity planning is a standard practice (often required by regulators) for mission critical businesses like financial institutions. Testing response plans for various emergencies will give us a better idea of the appropriate token requirement for triggering shutdown and minimum response times required to take action.
We can also engage with parties offering short interest on MKR to see if we can encourage them to curtail these products. Without borrowing or derivatives liquidity, it will be much more difficult for potential attackers to avoid the financial cost of triggering emergency shutdown. Aave is a primary source of MKR borrowing liquidity and would be a good target for DAO engagement. MKR is also listed on several centralized derivatives and lending venues, which may be more difficult to curtail.
Offering additional utility for keeping MKR tokens within the Maker system is another strategy to help mitigate the issue. The governance rewards mechanism would make holding long MKR positions through derivatives or lending platforms less competitive, which would increase the cost of financing short positions. Offering MKR holders an opportunity to borrow through Maker may also incentivize users against supplying assets to external platforms.
Finally, a continuous monitoring program for MKR tokens could help MakerDAO understand governance risk conditions and set relevant parameters. This could include review of MKR liquidity and availability on spot, lending, and derivatives platforms, as well as ownership changes and concentration.
With respect to the emergency shutdown threshold, I propose an increase to 75,000 MKR. This is comfortably above the MKR liquidity on Aave v2 (35,000), Aave v1 (7,000), and reported open interest on perpetual swaps on Binance and FTX (roughly 5,000), which helps reduce attack risk. On the other hand, the threshold would remain low enough to be confident in voters’ ability to respond in an emergency: MKR holders were able to activate nearly 75,000 votes within a few hours to pass last week’s executive vote.