README.md: 7 additions & 20 deletions
@@ -35,25 +35,12 @@ The diagram below provides and example of calling to mint USDS using the Sky all
35
35
All contracts in this repo inherit and implement the AccessControl contract from OpenZeppelin to manage permissions. The following roles are defined:
36
36
-`DEFAULT_ADMIN_ROLE`: The admin role is the role that can grant and revoke roles. Also used for general admin functions in all contracts.
37
37
-`RELAYER`: Used for the ALM Planner offchain system. This address can call functions on `controller` contracts to perform actions on behalf of the `ALMProxy` contract.
38
-
-`FREEZER`: Allows an address with this role to freeze all actions on the `controller` contracts. This role is intended to be used in emergency situations.
38
+
-`FREEZER`: Allows an address with this role to remove a `RELAYER` that has been compromised. The intention of this is to have a backup `RELAYER` that the system can fall back to when the main one is removed.
39
39
-`CONTROLLER`: Used for the `ALMProxy` contract. Only contracts with this role can call the `call` functions on the `ALMProxy` contract. Also used in the RateLimits contract, only this role can update rate limits.
40
40
41
41
## Controller Functionality
42
-
All functions below change the balance of funds in the ALMProxy contract and are only callable by the `RELAYER` role.
43
-
44
-
-`ForeignController`: This contract currently implements logic to:
45
-
- Deposit and withdraw on EVM compliant L2 PSM3 contracts (see [spark-psm](https://github.com/marsfoundation/spark-psm) for implementation).
46
-
- Initiate a transfer of USDC to other domains using CCTP.
47
-
- Deposit, withdraw, and redeem from ERC4626 contracts.
48
-
- Deposit and withdraw from AAVE.
49
-
-`MainnetController`: This contract currently implements logic to:
50
-
- Mint and burn USDS.
51
-
- Deposit, withdraw, redeem from ERC4626 contracts.
52
-
- Deposit and withdraw from AAVE.
53
-
- Mint and burn USDe.
54
-
- Cooldown and unstake from sUSDe.
55
-
- Swap USDS to USDC and vice versa using the mainnet PSM.
56
-
- Transfer USDC to other domains using CCTP.
42
+
The `MainnetController` contains all logic necessary to interact with the Sky allocation system to mint and burn USDS, swap USDS to USDC in the PSM, as well as interact with mainnet external protocols and CCTP for bridging USDC.
43
+
The `ForeignController` contains all logic necessary to deposit, withdraw, and swap assets in L2 PSMs as well as interact with external protocols on L2s and CCTP for bridging USDC.
57
44
58
45
## Rate Limits
59
46
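Review bot: The new `FREEZER` line says the role removes a compromised `RELAYER` and falls back to a backup, but it does not say how the backup obtains its role, and nothing in the roles list now describes a way to halt the controllers outright. The `DEFAULT_ADMIN_ROLE` line is the only one that mentions granting roles, so state explicitly whether the backup `RELAYER` must already hold the role before the primary is removed, or who grants it afterwards. In the Controller Functionality rewrite, the removed sentence "only callable by the `RELAYER` role" has no replacement, and "external protocols" stands in for the explicit ERC4626, AAVE, USDe and sUSDe entries. Suggest keeping the access-control sentence and naming the integrations, since that list is what an auditor scopes against. Also confirm that "swap assets in L2 PSMs" is intended for `ForeignController`, because the removed list only mentioned deposit and withdraw for PSM3.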
@@ -79,8 +66,8 @@ Below are all stated trust assumptions for using this contract in production:
79
66
- The `RELAYER` role is assumed to be able to be fully compromised by a malicious actor. **This should be a major consideration during auditing engagements.**
80
67
- The logic in the smart contracts must prevent the movement of value anywhere outside of the ALM system of contracts.
81
68
- Any action must be limited to "reasonable" slippage/losses/opportunity cost by rate limits.
82
-
- The `FREEZER` must be able to stop the compromised `RELAYER` from performing more harmful actions within the max rate limits by using the `freeze()` function.
83
-
- A compromised `RELAYER` can DOS Ethena unstaking, but this can be mitigated by freezing the Controller and reassigning the `RELAYER`. This is outlined in a test `test_compromisedRelayer_lockingFundsInEthenaSilo`.
69
+
- The `FREEZER` must be able to stop the compromised `RELAYER` from performing more harmful actions within the max rate limits by using the `removeRelayer` function.
70
+
- A compromised `RELAYER` can perform DOS attacks. These attacks along with their respective recovery procedures are outlined in the `Attacks.t.sol`test files.
84
71
- Ethena USDe Mint/Burn is trusted to not honor requests with over 50bps slippage from a delegated signer.
85
72
86
73
## Operational Requirements
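Review bot: The replacement DOS bullet drops the concrete Ethena unstaking case and the named test `test_compromisedRelayer_lockingFundsInEthenaSilo` in favour of "DOS attacks" and `Attacks.t.sol`, so a reader of the trust assumptions can no longer tell which attacks are known and covered. Suggest keeping the Ethena case as an example or listing the attacks the test files cover, and adding the space missing in "`Attacks.t.sol`test files". The `FREEZER` bullet now rests on `removeRelayer`; it should say what the assumption is when the remaining (backup) `RELAYER` is compromised as well, since the bullet above it assumes a `RELAYER` can be fully compromised.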
@@ -100,9 +87,9 @@ forge test
100
87
```
101
88
102
89
## Deployments
103
-
All commands to deploy:
90
+
All commands to deploy:
104
91
- Either the full system or just the controller
105
-
- To mainnet or base
92
+
- To mainnet or base
106
93
- For staging or production
107
94
108
95
Can be found in the Makefile, with the nomenclature `make deploy-<domain>-<env>-<type>`.
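Review bot: The two changed lines in Deployments ("All commands to deploy:" and "- To mainnet or base") read identically before and after, so this looks like a whitespace-only change; confirm it is intended and mention it in the commit description so it is not mistaken for a content change. While this section is being touched, the sentence is split around the bullet list ("All commands to deploy: ... Can be found in the Makefile"), and the valid values for `<domain>`, `<env>` and `<type>` are only implied by the bullets. Suggest one complete sentence followed by the list of accepted values.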