-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle stop of price submission in the oracle gracefully #851
Comments
This can most be achieved by just removing the error state altogether. That would let everything continue as normal, except that any calls that do a currency conversion to that collateral will fail. We might also want disable rewards for vault with that collateral. However, what would we want to do when an asset is delisted? Would we liquidate all vaults and borrows? There wouldn't be a straightforward exit path |
If we remove the error state, how would the downstream components like the UI or squid know that we stopped submitting that asset? Possibly, we need still some state change but instead of For delisting, what other protocols are doing is setting the ceiling to 0. I'm not sure if that would break our code though. In these other protocols, setting the ceiling to 0 allows vaults/borrowers to withdraw their assets but not deposit more collateral. Likewise, the capacity for borrows/bridging for that asset would be 0. |
For oracle going offline:
Questions:
Plan of action:
|
So let's just make ActiveBlockNumber a map of CurrencyId -> ActiveBlockNumber. In the on_initialize hook, we can just iterate over the currencies and increment those that are still active. The on_initialize hook can return a dynamic weight so that shouldn't be a problem. We could also optimize this in the future by only recording a (ActiveBlockNumber, BlockNumber, IsOnline) tuple when there is a state change between [online, offline]. The client can then add (currentBockNumber - recordedBlockNumber) to ActiveBlockNumber to determine the current value. But that's premature optimization, let's stick with the loop in on_initialize for now. |
Seems like a substantial escalation of complexity but I haven't reviewed the problem in-depth to understand if there is an alternate solution. Which value would you propose we use for issue, redeem and replace requests? |
I was thinking for issue/redeem, the active block number associated with the collateral currency. But actually, now that I think about it.. Do we need the active block number at all? Right now we need it because you can't execute when the oracle is offline. But if we remove that limitation, I think we may actually be able to just execute if the oracle is down. Probably not all codepaths would work - for issue overpayment we need to check vault minting capacity, so we need the oracle to be online.. But it may be acceptable to not mint extra tokens tokens in that case. I'll investigate this idea further |
What should work as normal:
What wouldn't work (or work differently):
All in all, I think this would be acceptable - there is no need to extend the time allocated for execution if the oracle goes down. All actors are able to process open requests as normal, as long as they act correctly. By that I mean that we can't provide some of the mitigations in place for user error (e.g. issue overpayment). But since these mitigations are "best effort" anyway, I think that's acceptable. The only problem is |
@sander2 so the new proposal is to remove the error status and active block handling? For the latter I would assume we would still want to increase the global counter for now pending some future migration to revert back to the system height. I can't recall if there was another reason to extend the time allocated for execution but I'm open to this approach. |
Yea that's right. Basically, we'd allow every function that doesn't fail in the oracle conversion to be callable. Thanks for your reply, I'll discuss with Dom as well when he's back |
Yes, in case we would pause the parachain via However, this is not currency-specific. The So, I'd be in favor of the following change:
|
Describe the bug
When the oracle stops submitting prices for an asset, the parachain goes into an error state
ORACLE_OFFLINE
. However, there is a valid reason to stop submitting prices for an asset: The asset is delisted from the bridge or lending protocol, so the prices are no longer needed.Also, it's possible that a single asset could just be removed from our oracle source. Delisting might happen due to issues with the underlying asset, lack of demand, or more.
Expected behavior
When a single oracle asset is not reported anymore, we should not stop the whole bridge and the whole lending market. Instead, the affected assets should be paused.
Delisting assets requires governance. Within the same governance to delist a market or a collateral asset from the bridge, governance should be able to delist the oracle price reporting of an asset without the parachain entering the
ORACLE_OFFLINE
state.The text was updated successfully, but these errors were encountered: