Slashing Event Handling

Exchange Rate During Major Slashing Event

Description

If a major slashing event occurs for the protocol's validators, which causes a large loss of ETH controlled by the protocol, the exchange rate will not reflect this slashing until the next Oracle update. As the Oracle is configured to run every 8 hours, it is possible for another party to detect the slashing event, and request an unstake of all of their ETH at an elevated exchange rate before the oracle data "catches up" and the correct rate is quoted.

This leads to a loss of ETH for all remaining stakers, and would cause a rush to exit the protocol.

Mitigation

All unstake requests have a property called "finalization" which determines whether or not they can be claimed by the user. Requests will only finalize when an Oracle update has been posted which covers the block in which they were requested, plus some buffer.

This means that it is not possible to claim an unstake request if the Oracle has not posted up to date information.

The Oracle smart contracts also contain a check to determine if ETH was lost in the report window. If more than 0.1% (configurable) of the protocol's ETH was lost, the Oracle will automatically pause, and the report will not be accepted without human intervention.

This guarantees that all unstakes which happened before this point will not be finalized — and therefore are not claimable — until the Oracle report has been accepted by the security council.

While the unstake requests are not finalized, the Mantle LSP system has the ability to cancel them by removing them from the queue. This ensures that nobody can take advantage of the delay in the exchange rate updating.

References

Node Operator slashing is a low frequency event, see: https://www.rated.network/

Scenario Example

Setup

Starting State: 10000 mETH, 11500 ETH, Exchange rate 1.150

Event: Mass slashing, 3000 ETH slashed

Handling

Action: Pause

Guardians

[Realtime] Detect mass slashing, pause the protocol (no stake or unstake requests allowed)

This allows the Oracle to send the updated report, which contains the slashing details, but stops new unstake claims which may need cancelling.

Oracles

[Within 8 hours] Detects consensus layer balance 8500 ETH

  • Submits Oracle Report, with effective exchange rate 0.850.

  • Oracle contract will consider this outside of Sanity Bounds and pause, see Oracle Sanity Checks

Action: Manual Review

Assess feasibility of Slashing Insurance or compensation, if any:

Assess the cause of out-of-bound Oracle Report:

Determine which unstakeRequest exchange rates are valid (requested before the slashing happened), and which ones need to be cancelled, with users needing to issue a new unstakeRequest:

  • Run Oracle script: estimate-total-controlled <slashing-block> to determine what the new real totalControlled value is after the slashing.

  • Run Allocator script: requests-to-cancel <total-controlled> <slashing-block> - this shows the breakdown of requests that happened after the slashing block but before the pause, and what the effect on the protocol would be if they were not canceled.

Action: Unpause

Unpauser Role (Security Council)

  • Verify actions above, escalate to Mantle Governance where required.

Result (assuming no Topups)

  • New Stakers will receive an exchange rate of 0.850

    • For example, staking 1000 ETH receives 1176.48 mETH

      • Total ETH in system = 8500 + 1000 = 9500

      • Total mETH in system = 10000 + 1176.48 = 11176.48

      • Fair exchange rate = 9500/11176.48 = 0.850

  • All slashing losses will be shared by old stakers (when the slashing happened)

    • New stakers will not incur loss
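The controls described above (the Oracle sanity bound, request finalization, and selecting requests to cancel) can be modelled in a few lines. This is an added example, not the Mantle LSP contracts or the Oracle and Allocator scripts themselves. The ETH and mETH figures come from the scenario; the block numbers, the buffer length, the queued requests and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

# Figures from the scenario above; block numbers, buffer and requests are constructed.
METH_SUPPLY, ETH_BEFORE, ETH_AFTER = 10_000, 11_500, 8_500
MAX_LOSS = Fraction(1, 1000)      # 0.1% sanity bound (configurable per the page)
FINALIZATION_BUFFER = 10          # assumed value, in blocks
SLASHING_BLOCK, PAUSE_BLOCK = 100, 110

@dataclass
class UnstakeRequest:
    req_id: int
    block: int             # block in which the request was made
    meth: int              # mETH being unstaked
    eth_quoted: Fraction   # ETH owed at the rate quoted at request time

def report_within_bounds(prev_eth, new_eth, max_loss=MAX_LOSS):
    """Sanity check: False (oracle pauses) if more than max_loss of ETH was lost."""
    loss = max(prev_eth - new_eth, 0)
    return Fraction(loss, prev_eth) <= max_loss

def is_finalized(req, accepted_report_block, buffer=FINALIZATION_BUFFER):
    """Claimable only once an accepted report covers the request block plus buffer."""
    return accepted_report_block >= req.block + buffer

def requests_to_cancel(requests, slashing_block, pause_block, fair_rate):
    """Requests made after the slashing block but before the pause, each with the
    ETH overpayment remaining stakers would bear if it were left in the queue."""
    return [(r.req_id, r.eth_quoted - r.meth * fair_rate)
            for r in requests if slashing_block < r.block < pause_block]

STALE_RATE = Fraction(ETH_BEFORE, METH_SUPPLY)   # 1.150, quoted until the oracle updates
FAIR_RATE = Fraction(ETH_AFTER, METH_SUPPLY)     # 0.850, the rate after the slashing
QUEUE = [
    UnstakeRequest(1, 90, 100, 100 * STALE_RATE),     # before slashing: rate valid
    UnstakeRequest(2, 105, 2000, 2000 * STALE_RATE),  # after slashing, before pause
]

if __name__ == "__main__":
    print("report accepted automatically:", report_within_bounds(ETH_BEFORE, ETH_AFTER))
    # The paused report is not accepted, so the last accepted one (block 50) still applies.
    print("request 2 claimable:", is_finalized(QUEUE[1], 50))
    for req_id, excess in requests_to_cancel(QUEUE, SLASHING_BLOCK, PAUSE_BLOCK, FAIR_RATE):
        print(f"cancel request {req_id}: would overpay {float(excess)} ETH")
```

In this model request 2 would become claimable as soon as a report covering block 115 is accepted, which is why the cancellation step has to happen during manual review, before the paused report is accepted.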
