9.3 Emergency Response Protocol (ERP)
Although OmniPact has undergone rigorous audits and formal verification, the protocol must still be able to fail safe against unknown zero-day exploits. The ERP aims to limit the losses caused by an attack to a controllable range and to prevent systemic collapse.
9.3.1 Circuit Breakers & Rate Limiting
To prevent large-scale theft of funds in a short period of time, we have built Algorithmic Circuit Breakers into the OmniVault core contract. This is a set of passive defense logic that triggers automatically, without manual intervention.
1. Outflow Rate Limiting
We have set a time-window-based withdrawal limit for OmniVault.
Mechanism: If the net outflow of funds exceeds 10% of TVL (the safety threshold) within a specific time window (such as 1 hour), the contract automatically enters SuspensionStatus.
Effect: This ensures that even if an attacker gains control, they cannot drain all the funds at once, giving the team and community valuable response time.
2. Price Deviation Breaker
When the price feed from the oracle (Chainlink) fluctuates sharply (such as a 99% drop within 1 hour), or when the price difference from the backup oracle (such as Uniswap TWAP) exceeds 5%, all liquidation and exchange operations involving that asset will be automatically suspended.
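The two breakers above, written out as an added Solidity example (this is illustrative code, not OmniVault's contract). The contract name, the ETH-denominated vault and the function names are assumptions; the thresholds follow the text (10% of TVL net outflow per 1-hour window, 5% primary/backup oracle disagreement, 99% drop within 1 hour). It shows one design detail the prose leaves open: a breaker that latches into SuspensionStatus must reject the tripping withdrawal without reverting, because a revert would also undo the status change.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example (not OmniPact's code): a minimal ETH vault carrying the two
/// passive breakers of 9.3.1. All names are hypothetical; thresholds follow the text.
contract OmniVaultBreakerExample {
    uint256 public constant WINDOW = 1 hours;
    uint256 public constant MAX_NET_OUTFLOW_BPS = 1_000;     // 10% of TVL
    uint256 public constant MAX_ORACLE_DEVIATION_BPS = 500;  // 5% primary vs backup
    uint256 private constant BPS = 10_000;

    enum Status { Active, Suspended }
    Status public status;

    mapping(address => uint256) public balances;

    // Rolling-window accounting. TVL is snapshotted when the window opens, so draining
    // early in the window cannot shrink the limit that applies to the rest of it.
    uint256 public windowStart;
    uint256 public windowTvlSnapshot;
    uint256 public windowWithdrawn;
    uint256 public windowDeposited;

    event BreakerTripped(uint256 attemptedNetOutflow, uint256 limit);

    modifier whenActive() {
        require(status == Status.Active, "ERP: suspended");
        _;
    }

    function deposit() external payable whenActive {
        _rollWindow();
        balances[msg.sender] += msg.value;
        windowDeposited += msg.value;
    }

    /// The withdrawal that would push net outflow over the limit is rejected WITHOUT
    /// reverting, so the latch into Suspended persists on-chain. A plain revert would
    /// roll the status change back and leave only a per-call rate limit.
    function withdraw(uint256 amount) external whenActive returns (bool executed) {
        _rollWindow();
        require(balances[msg.sender] >= amount, "insufficient balance");

        uint256 projectedNet = windowWithdrawn + amount > windowDeposited
            ? windowWithdrawn + amount - windowDeposited
            : 0;
        uint256 limit = (windowTvlSnapshot * MAX_NET_OUTFLOW_BPS) / BPS;
        if (projectedNet > limit) {
            status = Status.Suspended;            // latch; cleared only by governance
            emit BreakerTripped(projectedNet, limit);
            return false;                          // funds stay in the vault
        }

        balances[msg.sender] -= amount;            // effects before interaction
        windowWithdrawn += amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        return true;
    }

    function _rollWindow() internal {
        if (block.timestamp >= windowStart + WINDOW) {
            windowStart = block.timestamp;
            windowTvlSnapshot = address(this).balance;  // TVL at window open
            windowWithdrawn = 0;
            windowDeposited = 0;
        }
    }

    /// Price deviation breaker, part 1: primary (e.g. Chainlink) vs backup (e.g. Uniswap
    /// TWAP), both scaled to the same decimals. Liquidation and swap paths should
    /// require(!priceDeviates(p, b)) before touching the asset.
    function priceDeviates(uint256 primaryPrice, uint256 backupPrice) public pure returns (bool) {
        if (primaryPrice == 0 || backupPrice == 0) return true;  // a dead feed counts as deviation
        uint256 diff = primaryPrice > backupPrice ? primaryPrice - backupPrice : backupPrice - primaryPrice;
        // Measured against the backup so a manipulated primary cannot also shrink the denominator.
        return diff * BPS > backupPrice * MAX_ORACLE_DEVIATION_BPS;
    }

    /// Price deviation breaker, part 2: a drop of 99% or more against the price one
    /// window ago on the primary feed itself.
    function priceCrashed(uint256 priceOneHourAgo, uint256 priceNow) public pure returns (bool) {
        return priceNow * 100 <= priceOneHourAgo;
    }
}
```

Anything that integrates with this vault must check `withdraw()`'s return value rather than assume a non-reverting call moved funds; that is the cost of making the breaker latch on-chain. Unlatching `status` is intentionally absent from this contract: the text routes recovery through the pause/unpause governance path described in the next section.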
9.3.2 Pausable Interfaces
Based on the OpenZeppelin Pausable standard, we divide the protocol's functions into different security levels and implement fine-grained pause control.
1. Implementation
The core contract inherits from PausableUpgradeable. Key state-changing functions are protected by the whenNotPaused modifier.
2. Trigger Authority
Guardian Multisig (6-of-9): To allow a response within seconds, a multi-signature wallet composed of core developers and trusted community leaders has the authority to pause the protocol instantly (Instant Pause).
Note: To prevent abuse of power, the Guardian only has the right to pause, not the right to unpause. Unpausing must be approved by a DAO vote executed through a timelock proposal. This ensures that ending a state of emergency undergoes careful evaluation by the community.
3. The ERP Workflow
Once the Forta monitoring bot detects attack signatures:
1. Freeze: The circuit breaker triggers automatically, or the Guardian manually calls pause(). At this point all deposits, transaction creation, and fund withdrawals are frozen.
2. Diagnose: The security team and auditing firms (such as Trail of Bits) step in to analyze the attack vector and determine the scope of the damage.
3. Patch: The development team writes a fix and deploys a new logic contract implementation through the UUPS proxy pattern.
4. Vote & Restart: The repair plan is submitted to the DAO for a vote. After the community verifies that it is correct, the vote is executed, calling upgradeTo() and unpause(), and the protocol resumes normal operation.
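The following added Solidity example covers both the 9.3.2 implementation (PausableUpgradeable, whenNotPaused, Guardian pause-only, timelock unpause) and the upgradeTo()/unpause() step that closes the workflow above. It is illustrative code, not OmniVault's contract: the contract name, the plain `guardian`/`timelock` address roles and the ETH-denominated balances are assumptions, and the import paths assume OpenZeppelin Contracts Upgradeable v4.9 (in v5, PausableUpgradeable lives under `utils/` and `upgradeTo()` was folded into `upgradeToAndCall()`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example (not OmniPact's code). Import paths assume OpenZeppelin Contracts
// Upgradeable v4.9; adjust for v5 as noted in the lead-in.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/security/PausableUpgradeable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

/// Hypothetical vault core showing the pause-only Guardian / timelock-only unpause split.
contract OmniVaultCoreExample is Initializable, PausableUpgradeable, UUPSUpgradeable {
    /// Guardian multisig (6-of-9 in the text): may pause, may never unpause.
    address public guardian;
    /// DAO timelock executor: the only address allowed to unpause or upgrade.
    address public timelock;

    mapping(address => uint256) public balances;

    event GuardianPause(address indexed caller);
    event TimelockUnpause(address indexed caller);

    error NotGuardian();
    error NotTimelock();

    modifier onlyGuardian() { if (msg.sender != guardian) revert NotGuardian(); _; }
    modifier onlyTimelock() { if (msg.sender != timelock) revert NotTimelock(); _; }

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() { _disableInitializers(); }

    function initialize(address guardian_, address timelock_) external initializer {
        __Pausable_init();
        __UUPSUpgradeable_init();
        guardian = guardian_;
        timelock = timelock_;
    }

    // --- user-facing state changes: all frozen while paused ---
    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external whenNotPaused {
        balances[msg.sender] -= amount;  // reverts on underflow under 0.8 checked math
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // --- emergency controls ---
    /// Instant Pause: Guardian only, no timelock, because seconds matter during an exploit.
    /// OpenZeppelin's _pause() itself reverts if the contract is already paused.
    function pause() external onlyGuardian {
        _pause();
        emit GuardianPause(msg.sender);
    }

    /// Unpause is deliberately routed through the DAO timelock and never the Guardian.
    function unpause() external onlyTimelock {
        _unpause();
        emit TimelockUnpause(msg.sender);
    }

    /// UUPS hook: only the timelock may point the proxy at a new implementation, so the
    /// workflow's upgradeTo() and unpause() are both executed by the passed proposal.
    function _authorizeUpgrade(address) internal override onlyTimelock {}

    /// Rotating the Guardian is itself a governance action, not a Guardian action.
    function setGuardian(address newGuardian) external onlyTimelock {
        guardian = newGuardian;
    }
}
```

The asymmetry is the whole point of the design: `pause()` has no delay and a small quorum, `unpause()` and `_authorizeUpgrade()` share the same timelock gate, so the cheapest path to end an emergency is the same slow, public path required to ship the fix. When reviewing a deployment, verify that `timelock` really is the DAO's timelock contract and that no other address (including the Guardian) holds an unpause or upgrade path through a different module.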