[PIP-036] Unpausing Prisma Protocol - re-enable borrowing post-security incident

Summary

The majority of the addresses affected by the recent incident have revoked access to the contract containing the vulnerability.

The following proposal aims to safely unpause Prisma and re-enable borrowing.

Note that unpausing can only be enacted via governance.

Warning to users with open positions

We would like to remind our users who have open positions with delegate approval still enabled that this proposal will impact them. The absolute priority is for these users to revoke the approval as soon as possible (here) to avoid any impact on their position.

Once enacted, this proposal will affect these users in the manner described below under Net Effect in the Specification section. If you are one of these users, simply revoke your approval to avoid any issues.

Not sure if you are affected? Check here

Motivation

Unpausing the protocol is a critical part of the path to recovery and it will reestablish normal functionality, including complete Vault management and deposits into the Stability Pool.

Nothing has changed in the market demand for stablecoins overcollateralized by LSTs and LRTs. After undertaking the safety precautions outlined below and enacting this proposal, the Prisma DAO can continue to drive demand for mkUSD and ULTRA and work with other protocols to further the DeFi space.

Safety precautions

Before unpausing we will ensure that the protocol is safe for all users.

  • Accounts with no open vaults that have yet to revoke access to the contract with the vulnerability are still at risk and therefore will not have access to borrowing until they revoke access. This is only enforceable on the UI level.

  • Accounts with open Vaults that did not revoke access before the unpausing will be closed (see below) and will not have access to borrowing until they revoke access to the contract with the vulnerability.

Migration Process

The incident happened in the middle of our migration process to the new V2 vaults and this migration is still necessary.

Concerning LRTs, users need to migrate from old vaults that are being sunsetted to V2 ones as soon as possible after unpausing.

Concerning LSTs, the timing on the sunsetting of the LST vaults will be adjusted to give enough time for users to migrate before sunsetting the old vaults. It will be proposed as an on-chain vote 7 days after the protocol unpausing.

The Zap contract will be undergoing an audit by MixBytes and will be ready for the unpausing.

Specification

  1. Approve VulnerableTroveRedeemer to transfer mkUSD out of the fee receiver.
  2. Unpause the protocol.
  3. Execute VulnerableTroveRedeemer.redeemVulnerableTroves to close all vulnerable troves via redemption:
    a. Use the old zap to close each vulnerable trove, and then reopen it with the minimum collateral ratio.
    b. Recover the remaining collateral from the zap, and transfer it to the owner of the vulnerable trove.
    c. Redeem each of the vulnerable troves.
    d. Transfer enough mkUSD from the fee receiver to perform the necessary redemptions.
    e. Redeem all of the vulnerable troves.
    f. Transfer the collateral from the redemption back to the fee receiver.
    g. Return the mkUSD received as gas compensation back to the owners of the redeemed troves.
  4. Revoke VulnerableTroveRedeemer’s approval to transfer mkUSD from the fee receiver.

Net effect

  • Vulnerable troves will be redeemed, lowering their exposure to their collateral. They will retain all of their mkUSD. Some collateral will be sent to their address; the remaining collateral will be claimable in the Trove Manager.
  • The DAO fee receiver will be down in mkUSD due to the redemptions, but up the same amount in collateral. This collateral should be swapped back to mkUSD fairly quickly by an MEV searcher.

Timeline

Depending on this temperature check and how the Snapshot will be received, an on-chain vote could be live in 2 to 6 days. Like every proposal, your feedback will be essential for the success of these actions.

To the Community

We know the last several days have been difficult for everyone and we appreciate the support shown by the community. The team is currently in discussions with MixBytes regarding a contract for continuous auditing services for future development. We are also collaborating with some of our close partners to create a new bug bounty program for the protocol. Additionally, discussions are ongoing with several security professionals to advise the Prisma DAO to further improve the security of its system.

5 Likes

great plan. fully support.

5 Likes

On-chain proposal is live… time to get this show back on the road, folks

3 Likes