SafetyModule
What is SafetyModule?
SafetyModule is the protocol's circuit breaker. It monitors protocol health indicators and automatically pauses operations when thresholds are breached. It also enforces deposit caps and withdrawal minimums.
SafetyModule is intentionally not upgradeable. As the trust anchor that can halt the entire protocol, its behavior must be verifiable and unchangeable. If it needs to be replaced, governance deploys a new instance and calls OllaCore.setSafetyModule().
It holds no assets and is only referenced by OllaCore and OllaVault.
See Safety Mechanisms for a conceptual overview.
Circuit breakers
Three independent checks that automatically pause the protocol:
Rate drop
Triggers when the exchange rate drops more than minRateDropBps between accounting updates. Indicates possible slashing.
| Parameter | Range |
|---|---|
| minRateDropBps | 1 – 5,000 bps (0.01% – 50%) |
Queue ratio
Triggers when pending withdrawals exceed maxQueueRatioBps of total assets. Indicates potential liquidity stress.
| Parameter | Range |
|---|---|
| maxQueueRatioBps | 100 – 9,000 bps (1% – 90%) |
Accounting staleness
Triggers when time since last accounting update exceeds maxAccountingDelay. Indicates the protocol state may be stale.
| Parameter | Range |
|---|---|
| maxAccountingDelay | 1 hour – 7 days |
When any breaker fires, SafetyModule emits CircuitBreakerTriggered(reason) and sets paused = true. The guardian must manually unpause after investigating.
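The three breaker checks above, modelled off-chain in Python as an added example (not the protocol's own code) of the kind of mirror a monitoring or invariant test would keep. Assumptions: the checks are evaluated in the order the page lists them, ratios use EVM-style integer basis-point arithmetic, an empty vault with pending withdrawals counts as a 100% queue ratio, and the default parameter values are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

BPS = 10_000  # basis-point denominator

class BreakerReason(Enum):
    RATE_DROP = "RateDrop"
    QUEUE_RATIO = "QueueRatio"
    ACCOUNTING_STALE = "AccountingStale"

@dataclass
class SafetyParams:
    # Default values are constructed for this example, not protocol settings.
    min_rate_drop_bps: int = 500        # 5%
    max_queue_ratio_bps: int = 3_000    # 30%
    max_accounting_delay: int = 86_400  # seconds (1 day)

    def __post_init__(self) -> None:
        # Same bounds the governance setters on this page enforce.
        if not 1 <= self.min_rate_drop_bps <= 5_000:
            raise ValueError("minRateDropBps out of range")
        if not 100 <= self.max_queue_ratio_bps <= 9_000:
            raise ValueError("maxQueueRatioBps out of range")
        if not 3_600 <= self.max_accounting_delay <= 7 * 86_400:
            raise ValueError("maxAccountingDelay out of range")

def rate_drop_bps(prev_rate: int, new_rate: int) -> int:
    """Drop in bps with EVM-style integer division; a rise or no prior rate is 0."""
    if prev_rate == 0 or new_rate >= prev_rate:
        return 0
    return (prev_rate - new_rate) * BPS // prev_rate

def queue_ratio_bps(pending: int, total_assets: int) -> int:
    """Pending withdrawals as bps of total assets (assumption: empty vault -> 100%)."""
    if total_assets == 0:
        return BPS if pending > 0 else 0
    return pending * BPS // total_assets

def evaluate_breakers(p: SafetyParams, prev_rate: int, new_rate: int,
                      pending: int, total_assets: int,
                      last_update: int, now: int) -> Optional[BreakerReason]:
    """First tripped breaker in page order (an assumption), or None if all pass."""
    if rate_drop_bps(prev_rate, new_rate) > p.min_rate_drop_bps:
        return BreakerReason.RATE_DROP
    if queue_ratio_bps(pending, total_assets) > p.max_queue_ratio_bps:
        return BreakerReason.QUEUE_RATIO
    if now - last_update > p.max_accounting_delay:
        return BreakerReason.ACCOUNTING_STALE
    return None
```

Note that every threshold is strict ("more than" / "exceeds"), so a drop of exactly minRateDropBps does not trip the breaker.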
Methods
Guardian
Requires GUARDIAN_ROLE.
pause()
Manually pause the protocol. Idempotent.
function pause() external
unpause()
Resume operations after investigation. Idempotent.
function unpause() external
Governance
Requires DEFAULT_ADMIN_ROLE (OllaGovernance).
setDepositCap()
Set the maximum total deposits. Set to type(uint256).max to disable.
function setDepositCap(uint256 cap) external
setWithdrawalMinimum()
Set the minimum shares for withdrawal/redemption requests. Range: 0–1,000e18.
function setWithdrawalMinimum(uint256 minimumShares) external
setMinRateDropBps()
Set the rate drop threshold for the circuit breaker. Range: 1–5,000 bps.
function setMinRateDropBps(uint256 minRateDropBps) external
setMaxQueueRatioBps()
Set the queue ratio threshold for the circuit breaker. Range: 100–9,000 bps.
function setMaxQueueRatioBps(uint256 maxQueueRatioBps) external
setMaxAccountingDelay()
Set the staleness threshold for the circuit breaker. Range: 1 hour–7 days.
function setMaxAccountingDelay(uint256 maxAccountingDelay) external
View methods
isPaused()
Whether the protocol is currently paused.
function isPaused() external view returns (bool pausedState)
checkDepositAllowed()
Whether a deposit of the given size is allowed under the cap.
function checkDepositAllowed(uint256 deposit, uint256 total) external view returns (bool allowed)
checkWithdrawalMinimum()
Whether the share amount meets the withdrawal minimum.
function checkWithdrawalMinimum(uint256 shares) external view
depositCap()
Returns the current deposit cap.
function depositCap() external view returns (uint256)
Events
event CircuitBreakerTriggered(BreakerReason reason)
Automatic pause triggered. Reason: RateDrop, QueueRatio, or AccountingStale.
event Paused()
Protocol paused (manual or automatic).
event Unpaused()
Protocol unpaused.
event DepositCapUpdated(uint256 cap)
event WithdrawalMinimumUpdated(uint256 minimumShares)
event RateDropLimitUpdated(uint256 minRateDropBps)
event QueueRatioLimitUpdated(uint256 maxQueueRatioBps)
event AccountingDelayUpdated(uint256 maxAccountingDelay)
event AccountingTimestampUpdated(uint256 latestAccountingTimestamp)
Parameter change events.