###### tags: `Research`

# Setting the Emergency Shutdown Module (ESM) Threshold

In this document, we investigate how to set the ESM threshold value and the tradeoffs that should be taken into account.

## How does the ESM work?

The Emergency Shutdown Module exists to allow a minority of MKR holders to shut down the protocol by depositing their MKR into the ESM. MKR deposited into the ESM is immediately burned. If the amount of MKR deposited into the ESM exceeds the ESM Threshold, emergency shutdown is activated. Note that delegates cannot deposit MKR delegated to them into the ESM; it must be done by the MKR token owners. More details about the emergency shutdown process can be found [here](https://docs.makerdao.com/smart-contract-modules/shutdown).

## Mode of attack

The ability to shut down the Maker protocol this way represents a possible attack vector. The attack considered here is the "shorting attack". The goal of the attacker in this scenario is to open a short on MKR, trigger the ESM and then close the short when the price of MKR drops. The goal of this document is to recommend an ESM threshold that makes such an attack unprofitable.

## Trade-offs

Since the ESM threshold determines the fixed cost of the shorting attack, setting it too low could result in any entity with access to sufficient funds being able to profit by triggering the ESM. Setting the ESM threshold too high could result in it being unusable in a genuine emergency. In this report, this possibility is not considered since it is currently unclear what circumstances merit a genuine deployment of the ESM.

## Assumptions

### Methodology (Critical)

1. The total amount of MKR that can be borrowed by the attacker is limited by the total amount of MKR available on Compound, Aave and centralized exchanges. An additional safety factor is incorporated since MKR can be resupplied on these platforms after the attacker borrows all available MKR.
2. Leveraged shorts are equivalent to non-leveraged shorts since the attack is constrained by the total amount of MKR available to borrow.
3. Synthetic options to short MKR on DeFi, such as on Synthetix, dydx, gains.trade, etc., are not significant in volume.
4. The attacker's total profit is bounded by the total MKR that can be borrowed multiplied by the price drop suffered by MKR due to the attack, i.e. there are no other correlated assets such as ETH or DAI to short.

### Methodology (Non-critical)

These assumptions benefit the attacker. If they turn out to be false, the attacker's profits only decrease.

1. The attacker performs the shorting attack and incurs no slippage to procure the MKR required to trigger the ESM.
2. MKR is freely available after the ESM has been triggered, allowing the attacker to close the short without slippage.
3. The cost of borrowing MKR (i.e. interest paid) to execute this attack is negligible.
4. All the MKR deposited on Compound is available to borrow. In reality, Compound Governance has restricted the MKR available to borrow to a maximum of 5000 MKR through proposal 97; however, we do not take this into account.
5. The attacker has sufficient collateral to borrow the MKR required for this attack.

### Input values

To estimate the profitability of the attack, we must know how much MKR there is available to borrow (maximum short volume) and how much the price of MKR might drop after the ESM is triggered. These inputs are taken from recommendations of the Risk CU.

1. Price of MKR before attack = 1500 USD
2. Lowest price of MKR during attack = 75 USD
3. MKR available on lending platforms and CEXes = 110,000 MKR
4. Safety factor for MKR availability = 1
   This assumes that MKR holders could resupply lending platforms after the attacker drains them in order to exploit rising interest rates. If the total MKR on CEXes and lending platforms is x and the safety factor is s, we assume there will be s*x MKR available to borrow over the course of the attack.
5. ESM Threshold = 150,000 MKR

## Calculations

The initial cost for the attacker is to deposit 150,000 MKR into the ESM module. The cost of this is 225,000,000 USD. The attacker is able to borrow at most 110,000 × 1 = 110,000 MKR. The collateral required for this is 165,000,000 USD. Thus, the capital required to pull off such an attack is estimated to be 390,000,000 USD.

After opening a short, the attacker closes the short as MKR hits a price low. The profit from the short is 110,000 × 1 × (1500 − 75) = 156,750,000 USD. The net profit from the attack is −68,250,000 USD.

Alternative input values can be entered into [this spreadsheet](https://docs.google.com/spreadsheets/d/15UEqcu0qaBoP-B-KNsPU9xOU_S1f1kllnAGkWPGC69I/edit?usp=sharing) to repeat the above calculation.

## Conclusions

The current ESM threshold of 150,000 MKR is sufficiently large as of the date of this report to deter a shorting attack. A good rule of thumb is to ensure that the ESM threshold significantly exceeds the total amount of MKR available to borrow on lending platforms and centralized exchanges.

## Is the ESM too high?

The situation(s) in which the ESM should be legitimately triggered remain unclear. Commonly cited scenarios are when there is a critical protocol bug or if governance is malicious. If MKR holders became aware of such a scenario, it is likely to be more profitable for them to sell their MKR than to burn it by depositing it into the ESM. For this reason, it is also unclear what negative consequences we may face if the ESM threshold is set too high (or, in the extreme case, if the ESM is disabled).

The analysis here is relatively simplistic. More realistic models of a shorting attack are likely to result in a lower safe ESM threshold. However, since the tradeoff of setting the ESM too high is not clear, such a refined analysis may not be necessary.

## Comments on parameter assumptions made

Thanks to monet_supply for this analysis.

1. **MKR price drop:** Assumptions between 50-95% seem reasonable. Given relatively low MKR liquidity, even a small share of price-insensitive selling during a crisis could reduce the price significantly. See below for an example (collected as of June 7 2022) of a trade through 1inch. Selling as little as 10,000 MKR could cause a 50% price decline based on DEX liquidity. Similar illiquidity exists on CEX markets, e.g. the Binance spot MKRUSDT market has only ~500 MKR in bids down to a 50% decline from the current price.

   ![](https://i.imgur.com/UbUCJQ4.png)

   On the other hand, high volatility tends to increase leveraged trading activity (as seen in the Terra collapse), with short covering and squeezes providing price support that prevents an immediate collapse to 0. This is the reasoning behind the 95% upper bound in price decline after emergency shutdown. Influences on potential drawdown include the degree of continued support from large investors, the solvency position of the protocol at the time of shutdown (DAI holders facing significant losses is negative for MKR price due to lower user trust and/or greater compensation costs), and collateral damage inflicted on other DeFi or CeFi organizations. Greater collateral damage is negative for MKR price due to lower future integration potential and brand value. Coordination and advanced planning should help improve outcomes and market confidence in the event of an ESM attack, and better market confidence should increase an attacker's cost of repurchasing borrowed MKR.

2. **MKR supply safety factor:** We can gather some empirical evidence of this from recent borrowing activity on DeFi lending protocols. It seems that there is very little supply elasticity with respect to deposit rate changes, and in fact there may be a negative relationship between deposit rate and supply due to user fears of governance or ESM attacks. For the purposes of this analysis, it seems reasonable to assume no net increase in borrowable MKR liquidity due to increasing deposit rates. Some users may deposit funds to earn yield, but others may remove liquidity to reduce attack risk.

   ![](https://i.imgur.com/9F80m5l.png)

## Comments on the model

1. Financial incentives are not the only incentives that may be in play when the protocol is attacked. For instance, actors backed by nation states may be able to trigger the ESM without worrying about the financial cost of doing so. How to protect the protocol against such attacks is unclear. A relevant thread on the Maker Forum discussing this is [here](https://forum.makerdao.com/t/risk-what-if-a-powerful-intelligence-agency-attacked-the-emergency-shutdown/7525/1). In general, disabling the ESM entirely may be prudent if such attacks are of concern.
2. The protocol can be restarted after the ESM is triggered. Hence, an attacker triggering the ESM in a shorting attack does not spell the end of the Maker protocol. Moreover, since the MKR deposited to trigger the ESM is immediately burned and it represents over 15% of MKR supply, the effect of such an action may even cause the price of MKR to rise, thereby blunting the shorting attack.
3. The attacker may consider shorting DAI, ETH or other tokens with the expectation that problems with Maker could have wider repercussions across the crypto markets. There may be market volatility which can be profitable. Finally, Maker's competitors may see an increase in usage, and tokens associated with those protocols may go up in value. However, it is worth noting that vault owners will not lose any of their collateral and DAI will remain backed by all the collateral held by the protocol. Over a short period, DAI is likely to remain approximately pegged to USD since it remains backed. While the shorting attack inconveniences DAI holders, users and vault owners, the ESM is specifically designed to allow it to be triggered without causing losses to any of these parties, creating race conditions among them or causing market turmoil. Nevertheless, these possibilities should be considered in a more refined analysis.
4. The current ESM threshold of 150,000 MKR requires 10 unique individual wallets to collude. While some of the top 10 individual wallets may be owned by the same entity, it is unlikely that any single individual has the power to trigger the ESM.
5. Fire drills for the ESM have been suggested as a possibility to ensure that the ESM can be triggered by MKR holders when needed. However, if MKR holders were made aware of a critical bug, it is likely to be more profitable for them to simply sell their MKR and rebuy later than to deposit their MKR into the ESM. While fire drills help, they do not capture this aspect of a real emergency, where the financial incentives are not the same.

## Recommendations

Given the lack of clarity around when the ESM should legitimately be triggered *and* given that in such a situation MKR holders are financially incentivized to sell their tokens rather than deposit them in the ESM, it is worth considering whether the community wants to simply disable the ESM altogether. This can be done with no technical difficulty by increasing the ESM Threshold to beyond the total current supply of MKR.

## Acknowledgements

Many thanks to LongForWisdom, Patrick J., the Data Insights CU and the Risk CU for various comments and feedback. The dataset of MKR holders used here was created by the Data Insights CU.
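The calculation from the Calculations section above, as an added worked example that is not part of the original report: it reproduces the report's USD figures from its input values and also solves for the break-even threshold (the smallest threshold at which the attack stops being profitable), which the report does not compute explicitly. Field and function names are this example's own, and the sensitivity cases at the end reuse the 50% drop bound and a hypothetical safety factor of 2.

```python
from dataclasses import dataclass

@dataclass
class AttackInputs:
    price_before: float    # MKR price before the attack, USD
    price_low: float       # lowest MKR price during the attack, USD
    borrowable_mkr: float  # MKR on lending platforms and CEXes (x in the report)
    safety_factor: float   # resupply safety factor (s in the report)
    esm_threshold: float   # MKR that must be burned to trigger the ESM

def attack_economics(i: AttackInputs) -> dict:
    """Capital required and profit of the shorting attack, in USD."""
    short_size = i.borrowable_mkr * i.safety_factor      # s*x MKR borrowed and shorted
    esm_cost = i.esm_threshold * i.price_before          # MKR burned to trigger the ESM
    collateral = short_size * i.price_before             # collateral to borrow s*x MKR
    short_profit = short_size * (i.price_before - i.price_low)
    return {
        "esm_cost_usd": esm_cost,
        "collateral_usd": collateral,
        "capital_required_usd": esm_cost + collateral,
        "short_profit_usd": short_profit,
        "net_profit_usd": short_profit - esm_cost,
    }

def breakeven_threshold(i: AttackInputs) -> float:
    """Smallest ESM threshold (MKR) for which net profit <= 0:
    T*p0 >= s*x*(p0 - p_low)  <=>  T >= s*x*(p0 - p_low)/p0."""
    short_size = i.borrowable_mkr * i.safety_factor
    return short_size * (i.price_before - i.price_low) / i.price_before

def threshold_deters_attack(i: AttackInputs) -> bool:
    """True when the configured threshold makes the attack unprofitable."""
    return i.esm_threshold >= breakeven_threshold(i)

# The report's input values, re-entered here from its Input values section.
REPORT_INPUTS = AttackInputs(price_before=1500, price_low=75, borrowable_mkr=110_000,
                             safety_factor=1, esm_threshold=150_000)

if __name__ == "__main__":
    print(attack_economics(REPORT_INPUTS))
    print(f"break-even threshold: {breakeven_threshold(REPORT_INPUTS):,.0f} MKR")
    # Sensitivity: the comments' 50% drop bound, and a hypothetical safety factor of 2 at a 95% drop.
    for drop, s in ((0.5, 1), (0.95, 2)):
        i = AttackInputs(1500, 1500 * (1 - drop), 110_000, s, 150_000)
        print(f"drop={drop:.0%} s={s}: break-even {breakeven_threshold(i):,.0f} MKR,"
              f" deters={threshold_deters_attack(i)}")
```

With the report's inputs the break-even threshold is 104,500 MKR, so the rule of thumb in the Conclusions (threshold well above borrowable MKR) is conservative; doubling the safety factor already pushes break-even past the current 150,000 MKR.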