Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add priority emergency spells #1

Merged
merged 38 commits into from
Oct 18, 2024
Merged

Add priority emergency spells #1

merged 38 commits into from
Oct 18, 2024

Conversation

amusingaxl
Copy link
Contributor

@amusingaxl amusingaxl commented May 7, 2024

src/DssEmergencySpell.sol Outdated Show resolved Hide resolved
amusingaxl added 23 commits May 8, 2024 19:50
Make sure the spell does not revert if any of the `Clip` contracts has not relied on `ClipperMom`.
Make sure the spell does not revert if any of the `Clip` contracts has not relied on `ClipperMom`.
Define the expiration as `type(uint26).max`, meaning the emergency spells should never expire.
The new name conveys the meaning better.
In the unlikely case the spell emergency actions would revert due to block gas limit, there is an escape hatch through a custom method that would allow users to split the execution into batches.
In the unlikely case the spell emergency actions would revert due to block gas limit, there is an escape hatch through a custom method that would allow users to split the execution into batches.
Add config to run tests automatically on pull requests
@amusingaxl amusingaxl marked this pull request as ready for review May 24, 2024 14:27
src/DssEmergencySpell.sol Show resolved Hide resolved
src/DssEmergencySpell.sol Outdated Show resolved Hide resolved
src/DssEmergencySpell.sol Outdated Show resolved Hide resolved
src/DssEmergencySpell.sol Outdated Show resolved Hide resolved
src/auto-line-wipe/MultiAutoLineWipeSpell.sol Show resolved Hide resolved
src/osm-stop/MultiOsmStopSpell.sol Outdated Show resolved Hide resolved
src/osm-stop/MultiOsmStopSpell.sol Outdated Show resolved Hide resolved
src/osm-stop/MultiOsmStopSpell.sol Outdated Show resolved Hide resolved
src/osm-stop/SingleOsmStopSpell.sol Show resolved Hide resolved
src/osm-stop/SingleOsmStopSpell.sol Outdated Show resolved Hide resolved
@oddaf oddaf self-requested a review July 22, 2024 23:16
oddaf
oddaf previously approved these changes Jul 22, 2024
0xdecr1pto
0xdecr1pto previously approved these changes Jul 30, 2024
0xp3th1um
0xp3th1um previously approved these changes Jul 31, 2024
Comment on lines +93 to +95
function schedule() external {
_emergencyActions();
}

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the chief-keeper block-scheme, I understand that it will try to call spell.schedule() in the loop, until "it is scheduled". On the technical level, "scheduled" is checked via spell.eta != 0. In case we don't modify eta, the keeper will call emergency spell in the loop in every single block and the whole interface "compliancy" wouldn't make much sense.

To solve this loop, we can either:

  • A. Always use factories and require deployment, even for multi-variations. Have fully compliment eta logic, expiration and one-time usage logic. I hardly can see when emergency spell with the same hat will need to be executed more than once
  • B. Set eta inside spell.schedule to non zero
    • Additional complexity: Setting eta will prevent spell from being directly reusable. We can potentially circumvent this by modifying it back to 0 either via cast or manually/permissionlessly via some other, e.g. reset() method
  • C. Modify keeper logic to determine that spell was already scheduled
    • Additional complexity: there no cross-compatible event or state variable that can be used for checking if "a spell" was scheduled. For example, if plot would've been called via emergency spell, keeper can check pause.plans[hash] != true instead of spell.eta != 0

All in all, I would recommend to make some changes to the base contract to prevent keeper loop.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at that line we have:
if spell.done() == False

Notice that all emergency spells have meaningful done() implementations, meaning that right after schedule() is called, it should return true, which would prevent the loop in the keeper.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hardly can see when emergency spell with the same hat will need to be executed more than once

  • Governance might be required to disable a specific DDM more than once during its lifespan
  • Oracle malfunctioning might happen more than once during its lifespan
  • Temporarily disabling new collateral intake through auto-line might happen more than once for the same ilk

Copy link
Contributor Author

@amusingaxl amusingaxl Sep 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A. Always use factories and require deployment, even for multi-variations. Have fully compliment eta logic, expiration and one-time usage logic. I hardly can see when emergency spell with the same hat will need to be executed more than once

The idea of having pre-deployed spells is to not require any non-engineer to ever provide inputs manually. Even in the cases where there are factories, they would be used by engineers to deploy the contracts and hand over only the addresses to other stakeholders.

Comment on lines +106 to +108
function nextCastTime() external view returns (uint256 castTime) {
return _nextCastTime;
}

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: if we don't need nor expect cast to be triggered, would it make more sense to return type(uint256).max? It shouldn't make a difference in practice, since it will never be planned into pause contract (unless we change this logic based on the previous comment)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't take a deep dive into the chief keeper, just looked at the most important aspects of it.
If any cleanup logic depends on the spell cast() being called, we don't want to clean it.
However, looking again, since cast() is permissionless, it's not guaranteed that the keeper is the one to call it every time, so it would make little sense to have such dependency, so your suggestion makes sense.

Comment on lines +92 to +94
1. No `MCD_PAUSE` interaction: as its name might suggest, the main goal of `MCD_PAUSE` is to introduce a _pause_ (GSM
delay) between the approval of a spell and its execution. Emergency spells by definition bypass the GSM delay, so
there is no strong reason to `plan` them in `MCD_PAUSE` as regular spells.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unrelated to this code review, I wonder how current "whitelisting"-based monitoring implemented by techops works and if it detects votes on a random non-whitelisted contract before it's been too late / spell is already scheduled or if they even depend on the event emitted by plan to detect that something is off

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me raise that question to them.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From Techops:

We're "whitelisting" the spells in advance before they are voted through and get the hat. Otherwise any spell that is not whitelisted and that gets the hat, will trigger a P1 alert saying that aunothorized spell has the hat. Where we'll have to react by involving stakeholders and doing necessary actions required for blocking it from being cast.
Idea is that if that happens and malicious spell is scheduled, we can quickly get all the people online and put "concurrent" spell that would be executed before the malicious one and will cancel it. Or start marketing and informational campaign notifying the users about it. Or preparing some press-release and informing about our next actions. So whitelist is mainly to not any unauthorized spells be executed silently and notifying us about it.

README.md Outdated
Comment on lines 43 to 48
| Description | Single ilk | Universal |
| :---------- | :--------: | :-------: |
| Wipe `AutoLine` | :white_check_mark: | :white_check_mark: |
| Set `Clip` breaker | :white_check_mark: | :white_check_mark: |
| Disable `DDM` | :white_check_mark: | :x: |
| Stop `OSM` | :white_check_mark: | :white_check_mark: |
Copy link

@SidestreamColdMelon SidestreamColdMelon Sep 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think that if we aim to allow potential usage of emergency spells without involvement of engineers, we might want to use less technical, more general terms in describing them? Also, we might want to describe not what they actually do, but when to use each of them.
Anyway, I guess this will be addressed in the place where the deployed contracts will be listed in the end – with some kind of guide on how to use them.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Anyway, I guess this will be addressed in the place where the deployed contracts will be listed in the end – with some kind of guide on how to use them.

That's the intention. This repo's docs are more useful to a technical audience.

README.md Outdated
Comment on lines 52 to 53
No further debt can be generated from an ilk which is wiped from `AutoLine`. It also prevents the debt ceiling
(`line`) for the affected ilk from being changed without Governance interference.
Copy link

@SidestreamColdMelon SidestreamColdMelon Sep 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: I think it would be great to link 1) contract you're talking about 2) mom contract

(here, but also in every other section)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it be better to maybe reference the chainlog key instead?
Contracts can be updated, making this document stale.

src/DssEmergencySpell.sol Outdated Show resolved Hide resolved
IlkRegistryLike public immutable ilkReg = IlkRegistryLike(_log.getAddress("ILK_REGISTRY"));
LineMomLike public immutable lineMom = LineMomLike(_log.getAddress("LINE_MOM"));

event Wipe(bytes32 indexed ilk);
Copy link

@SidestreamColdMelon SidestreamColdMelon Sep 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: I would recommend to emit uniform event from all emergency contracts, e.g.: EmergencyAction(bytes32 indexed type, bytes32 indexed what)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you believe this would be beneficial?

@amusingaxl amusingaxl dismissed stale reviews from 0xp3th1um and 0xdecr1pto via 04fe1d7 September 19, 2024 13:29
@amusingaxl amusingaxl self-assigned this Sep 21, 2024
@DaiFoundation-DevOps
Copy link

DaiFoundation-DevOps commented Oct 8, 2024

CLA assistant check
All committers have signed the CLA.

src/auto-line-wipe/MultiAutoLineWipeSpell.sol Outdated Show resolved Hide resolved
src/auto-line-wipe/MultiAutoLineWipeSpell.sol Outdated Show resolved Hide resolved
src/auto-line-wipe/SingleAutoLineWipeSpell.sol Outdated Show resolved Hide resolved
src/osm-stop/MultiOsmStopSpell.t.integration.sol Outdated Show resolved Hide resolved
src/osm-stop/SingleOsmStopSpell.sol Outdated Show resolved Hide resolved
src/osm-stop/SingleOsmStopSpell.sol Outdated Show resolved Hide resolved
src/osm-stop/SingleOsmStopSpell.t.integration.sol Outdated Show resolved Hide resolved
src/DssEmergencySpell.sol Outdated Show resolved Hide resolved
Copy link
Member

@oddaf oddaf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@amusingaxl amusingaxl merged commit 4825bfb into master Oct 18, 2024
1 check passed
@amusingaxl amusingaxl deleted the feat/add-spells branch October 18, 2024 14:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants