Pausing

Background

In the event of instability or unintended performance by the exchange rate Oracle, node operators, and Ethereum, various components of the system can be paused to prevent exploitation or unintended consequences. In particular, the staking contract can be paused to preserve the integrity of the mETH : ETH exchange rate and supply balances.

Example Scenario

  • A mass slashing event occurs due to an Ethereum or Node Operator upgrade.

  • If the Oracle fails to promptly update the exchange rate, there may be a window where the accurate mETH : ETH exchange rate will be lower than the one quoted by the Oracle. For example: accurate = 0.8 : 1; quoted = 0.9 : 1.

  • If the staking contract is not paused, new stakers will receive less mETH than fair value, and unstakers will receive more ETH than fair value.

Impact on User Experience

  • Pausing is an extremely unlikely scenario.

  • Pausing means that Staking and Unstaking temporarily cannot be executed by users. There is no impact on the underlying ETH or mETH. If there have been any losses due to Slashing, these losses have already occurred and are not impacted by pausing.

  • Staking and Unstaking services will return to normal after unpausing; this is expected to take 12 to 36 hours after incident review.

  • Pausing only affects the Primary Market (similar to USDC-USD fiat, and WBTC-BTC subscriptions and redemptions). It does not impact Secondary Market mETH trading on exchanges.

Pausing Mechanics

This section contains key points only. For more details, please refer to the Pausing contract 0x29Ab878aEd032e2e2c86FF4A9a9B05e3276cf1f8 or GitHub.

  • Pauser role permission will be granted to Guardians who will monitor the protocol in real time for anomalies and extraordinary events (such as mass slashing).

  • Any Guardian may unilaterally pause. A compromised or malicious Guardian may only temporarily grief (by pausing services), until they are removed by the Security Council. Guardians cannot access ETH, mETH, or perform any other function besides pausing.

  • The protocol smart contracts may also automatically pause if there are events outside of the configured sanity bounds.

  • Not all pauses will affect the primary market user experience. Individual functions can be paused, such as: AllocateETH, InitiateValidators, Staking, Unstaking, and SubmitOracleRecords.

  • Only the Unpauser role may unpause.
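
The mechanics listed above, as a small Python model added here for illustration. It is not the protocol's contract code. The class, method and account names, the 5% sanity bound, and the choice to pause every function and reject the out-of-bounds record are all assumptions.

```python
# Added illustrative model, not the protocol's contract code.
# All names and the 5% bound below are hypothetical.
from dataclasses import dataclass, field

FUNCTIONS = ("AllocateETH", "InitiateValidators", "Staking",
             "Unstaking", "SubmitOracleRecords")

class Paused(Exception): pass
class Unauthorized(Exception): pass

@dataclass
class Protocol:
    pausers: set                  # Guardians holding the Pauser role
    unpausers: set                # holders of the Unpauser role
    rate: float = 1.0             # ETH per mETH, as last accepted from the Oracle
    max_rate_move: float = 0.05   # hypothetical sanity bound on one update
    paused: dict = field(default_factory=lambda: dict.fromkeys(FUNCTIONS, False))

    def _set(self, fn, value):
        # fn=None means "all functions"; otherwise flip a single flag.
        for name in ([fn] if fn else FUNCTIONS):
            self.paused[name] = value

    def _guard(self, fn):
        if self.paused[fn]:
            raise Paused(fn)

    def pause(self, caller, fn=None):
        if caller not in self.pausers:      # any single Guardian is enough
            raise Unauthorized(caller)
        self._set(fn, True)

    def unpause(self, caller, fn=None):
        if caller not in self.unpausers:    # Pauser role alone cannot unpause
            raise Unauthorized(caller)
        self._set(fn, False)

    def submit_oracle_record(self, new_rate):
        self._guard("SubmitOracleRecords")
        if abs(new_rate - self.rate) / self.rate > self.max_rate_move:
            self._set(None, True)           # automatic pause, record not applied
            return False
        self.rate = new_rate
        return True

    def stake(self, eth):
        self._guard("Staking")
        return eth / self.rate              # mETH minted at the quoted rate

    def unstake(self, meth):
        self._guard("Unstaking")
        return meth * self.rate             # ETH owed at the quoted rate
```

In this model a Guardian can stop Staking without touching Unstaking, and an Oracle update from 0.9 to 0.8 (the Example Scenario figures) exceeds the assumed bound and pauses everything until an Unpauser acts.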
