What about Emergency Shutdown - Why Have we Ignored This Mechanism?

Heeding @cyrus's and @MakerMan's words, we need to be prepared for possible scenarios.

Everyone sees ES as catastrophic, but we need to engage with that mechanism to understand our options.

Potentially it will be much less catastrophic if initiated before losses get extreme and while the system is still collateralized. Determining what is extreme is the question. Aka COST BENEFIT ANALYSIS of ES. Without ES as an option we risk really destroying dai holders, vault owners and/or mkr holders. It is clear that this could occur quite rapidly if eth drops again (based on global markets this is more likely than not). This is well outside my domain of understanding, but I don’t see a thread discussing this very possible reality.

A few topics which input into analysis

  1. Cyrus showed three scenarios in https://www.youtube.com/watch?v=AIW7lFg6gBI.

  2. Discussion of USDC parameter adjustments to promote keeper liquidity vs dai peg here: USDC: Peg Arbitrage vs. Auction Liquidity

  3. There are also potential issues in the SCD situation: Signal Thread: SCD Shutdown. Cyrus pointed out in the meeting the risk PETH holders face if keepers stop biting in SCD. SCD is also

  4. Liquidation freeze is not audited afaik. Also requires two executives, unclear how fast mkr holders will respond, it certainly depends on many different factors, from Cyrus:

“As a result of this proposal, the MakerDAO governance community, by full executive vote, will have the ability to temporarily disable Vaults from being sent to the auction liquidation module. To re-enable liquidations, MKR Holders would have to pass a subsequent executive vote. Critically, this proposed module lives outside of the GSM and is not subject to any delay.”

The concept makes sense. Having a rate limiting mechanism intuitively helps liquidity risk. However this is a completely novel tool and new code (unless I am corrected on the new code part), which in highly volatile/congested times injects a ton of uncertainty/risk. We also need to monitor signals from keepers. Since the auctions occur concurrently we can't rely on simply viewing the discount from the market price. In the call Cyrus mentions we can estimate Keeper liquidity to guess when to trigger the circuit breaker. Governance does not want to be trigger happy since the circuit breaker could potentially hurt the protocol in highly volatile market conditions.

So the important thing for governance tomorrow to decide is agreeing on estimations for keeper liquidity. I am sure @cyrus and co are working on this. This obviously depends on USDC adjustments as well, further complicating the estimations.

Otherwise we need to be asking as many questions about https://docs.makerdao.com/smart-contract-modules/shutdown/end-detailed-documentation as possible. Who is the authority on ES? Elucidation of that process should really be a higher priority that has not gotten attention.

  5. Future development

My perspective is maybe guessable at this point, but preemptive ES while the market isn't melting down might not be the worst option. We are approaching highly uncertain market conditions and already hold a deficit. From what I understand an issue with ES right now is the 5 mil deficit encapsulated by sin. I am confused who sin would be passed to if ES occurred before the flop auction happens (or if the flop auction can even be canceled after cage is called). Unless the technical specifics of ES are completely untenable even right now, unwinding the system would give us time to develop answers to several big issues that have cropped up post MCD launch.

One is the auction system. Cyrus basically admitted that it needs to be overhauled eventually https://youtu.be/AIW7lFg6gBI?t=2407. What happens if we keep adding patchwork solution after patchwork solution on a weak foundation?

Another is governance, governance has been flying at the seat of its pants, without the foundation's support of ALL domain experts (cyrus/rich/mariano/so many other badasses) I highly doubt this method would last long. MIPs have plenty of big questions and from what I have seen are not ready at all. “Scientific governance” does not exist in the governance design itself, I have not seen a single citation and many decisions clearly were rushed or reactive to outstanding circumstances. Governance design cannot be rushed if we want to achieve self reliance.

A third is emergency response tools. Considering the last minute nature of the circuit breaker and desperate addition of USDC, our emergency tools appear underdeveloped (in hindsight easier to say obviously). The catastrophic aura around ES and its uncertain/highly complex dynamics have basically precluded it from all discussions. As noted by others that is very dangerous. Testing emergency solutions in the wild seems vital for confidence. No test of ES had ever occurred.

Okay I’m sorry for maybe the least comprehensive post by someone in a while. Basically all I am trying to do is express the info I have gathered and follow up on the call to discuss exit strategies. This was rushed since time is an issue. I hope the smarter/more conceptually organized people in the community can engage and help develop a clearer picture of what we need to consider with ES. It takes the community to deal with this outstanding complexity. Even then the complexity still appears pretty dominant.


Wouldn’t the ES possibly destroy all faith in DAI/MKR so when revived - no one will use it anymore? The value of MKR might be close to zero.

I’m 90% sure this lands on Dai holders. They receive less than $1 worth of collateral at ES if the system has bad debt.


Not necessarily, my take:

  • users need to be informed that ES is part of the protocol and could happen at any time. And by informed, I do not mean only its existence, but also how it’s triggered and all the consequences for all the actors (dai holders, Vault owners, keepers, MKR holders)
  • visual representation of the shutdown process and up-to-date visual representation of the state of the system (blockchain) is extremely important
  • user interfaces for Vault owners and Dai holders
  • automatic detection of the event and reliable automatic notifications
  • prepared public announcements, also for crypto news sites.
  • (possible) redeployment protocol
  • etc.

I think a lot of trust is based on how ES would be handled.


I believe that users are already informed that ES is reserved for catastrophic events and is not a part of the measures to control the peg when ETH drops xx% and recovers within weeks.

Such catastrophic events IMO include:

  • MakerDAO bugs that cannot be fixed in a timely manner which could wipe most of collateral
  • serious ETH protocol bugs
  • persecution of devs / legal issues / bans that make it dangerous to hold stablecoins and hard to maintain the protocol
  • DAI off the peg for months (±2% ??) despite trying all the existing and new weapons to control it

Yeah, think you’re right. Current implementation favors vault holders according to the docs. They can retrieve excess collateral immediately in ES.

I wonder how many Vault owners are aware of this…

In regards to ES tooling, I wasn’t able to find much about how exactly Dai holders would redeem their Dai aside from the migration portal. Since users are holding Dai, I assume that many of them would not want exposure to the underlying volatile collateral, so I created this tool to automate the process of redeeming Dai for the underlying collateral, and swapping all the collateral for USDC.

I wasn’t able to get a test environment setup to fully test the pack and cash calls, but otherwise the rest of it should be good. Part of the complexity of developing tooling is figuring out how to get the Maker system in your test environment into the right state to test what you are trying to test. There’s some documentation on how to do that, but it doesn’t cover many things, such as how to test a shutdown.

Another thought is that I have not seen a list of all available tooling in the event of an ES, but something like that would be useful to track what is available and what is needed.


Oh this is awesome. Your thought process that DAI holders wouldn’t want exposure to the underlying collateral makes total sense to me. Looks like this is your first time posting; if you don’t already know, you could probably find help with setting up the testing environment at https://chat.makerdao.com/channel/help. Devs usually are around and probably love to see this type of work.


I did get some help in the dev channel—Kurt and Brian were super helpful—though I never was able to get the full test environment set up. Figured I’d circle back and ask again in a few days once things were a little calmer.

God thanks for doing the initial work on this mds1.

You are completely correct DAI holders will not want to have underlying collateral pricing risk so they will convert to USDC or other stablecoins. At least a start on this work is needed and great you worked on that.

I think we also need to put together ES scenarios and look at exposure to stakeholders so we understand better risks to all players. I have that as a todo on my list at the moment.

BTW: Welcome to the forums! @mds1


I am pretty sure that during ES the deficits in the system are passed off exclusively to DAI holders. Vault owners get immediate access to collateral at the OSM price. They were already exposed to collateral pricing risks via their deposited collateral and loan liquidation risks.

MKR holders after ES basically get to choose their exposure by subsequent governance actions. Which usually will be to make up any deficit to make DAI holders ‘whole’. But this is a choice not a requirement.

Note to us all. Is there anything in docs that say Maker will make up any discrepancies on DAI collateral value change after ES? I mean it could be possible after shutdown collateral price rises and DAI is >1 - if MKR is on hook for losses do we then also get gains? I can’t remember what docs say on this point and we better be clear on it to DAI and MKR holders.
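
A simplified model of the settlement arithmetic the posts above describe, added here as an illustration; it is not part of any post and not MakerDAO's contract code. It assumes one collateral type, a stability-fee rate of 1 and a fixed shutdown price; `Vault`, `settle` and `unbacked_dai` are hypothetical names, the other variable names follow the End module documentation linked in the thread, and all numbers are constructed.

```python
from dataclasses import dataclass

@dataclass
class Vault:
    ink: float  # collateral locked, in collateral units
    art: float  # Dai debt drawn against it (rate assumed to be 1)

def settle(vaults, price, unbacked_dai=0.0):
    """Settle every vault at one shutdown price (USD per collateral unit).

    unbacked_dai: Dai in circulation with no vault debt behind it,
    i.e. bad debt the system already carries (assumption of this model).
    Returns (usd_value_per_dai, [collateral left to each vault owner]).
    """
    gap = 0.0        # collateral shortfall from underwater vaults
    returned = []    # what each owner can withdraw after settlement
    for v in vaults:
        owed = v.art / price          # collateral needed to cover the debt
        taken = min(v.ink, owed)      # cannot take more than is locked
        gap += owed - taken
        returned.append(v.ink - taken)
    vault_debt = sum(v.art for v in vaults)
    total_dai = vault_debt + unbacked_dai
    # Collateral each Dai can claim: the pool actually collected,
    # spread over all Dai outstanding.
    fix = (vault_debt / price - gap) / total_dai
    return fix * price, returned

if __name__ == "__main__":
    healthy = [Vault(ink=3, art=150), Vault(ink=2, art=100)]
    underwater = [Vault(ink=3, art=150), Vault(ink=1, art=150)]
    for label, args in [
        ("fully collateralized", (healthy, 100.0, 0.0)),
        ("existing bad debt of 50 Dai", (healthy, 100.0, 50.0)),
        ("one underwater vault", (underwater, 100.0, 0.0)),
    ]:
        usd_per_dai, returned = settle(*args)
        print(f"{label}: 1 Dai -> ${usd_per_dai:.4f}, owners keep {returned}")
```

In both shortfall cases the healthy vault owner still withdraws the same excess collateral, while the value redeemable per Dai drops below $1.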