Define Safety Module Configuration

Configuration for a Safety Module consists of ReservePoolConfig[], TriggerConfig[], and DelaysConfig. These configs are passed to CozySafetyModuleManager.createSafetyModule to deploy a new Safety Module.

/// @notice Parameters for configuration updates.
struct UpdateConfigsCalldataParams {
  // The new reserve pool configs.
  ReservePoolConfig[] reservePoolConfigs;
  // The new trigger configs.
  TriggerConfig[] triggerConfigUpdates;
  // The new delays config.
  Delays delaysConfig;

/// @notice Deploys a new SafetyModule with the provided parameters.
/// @param owner_ The owner of the SafetyModule.
/// @param pauser_ The pauser of the SafetyModule.
/// @param configs_ The configuration for the SafetyModule.
/// @param salt_ Used to compute the resulting address of the SafetyModule.
function createSafetyModule(
    address owner_,
    address pauser_,
    UpdateConfigsCalldataParams calldata configs_,
    bytes32 salt_
) external returns (ISafetyModule safetyModule_);

Reserve Pool Config

struct ReservePoolConfig {
  // The maximum percentage of the reserve pool assets that can be slashed in a single transaction, represented as a
  // ZOC. If multiple slashes occur, they compound, and the final reserve pool amount can be less than
  // (1 - maxSlashPercentage)% following all the slashes.
  uint256 maxSlashPercentage;
  // The underlying asset of the reserve pool.
  IERC20 asset;

Note: The order of the reserve pool configs in the ReservePoolConfig[] array passed to CozySafetyModuleManager.createSafetyModule are used to determine the resulting reserve pool IDs in the deployed Safety Module.

Reserve Pool Maximum Slash Percentages

The maxSlashPercentage configured for a reserve pool allows Safety Module owners to specify the maximum allowed amount of assets that are allowed to be slashed in a single transaction (see Safety Module Slashing). Note, if multiple slashes occur on a reserve pool, they compound and the maxSlashPercentage is checked pro-actively.

Reserve Pool Assets

Each reserve pool must have an underlying asset. Assets used by the Safety Module must follow the Token Integration Guidelines to avoid any unexpected behaviour.

Trigger Config

struct TriggerConfig {
  // The trigger that is being configured.
  ITrigger trigger;
  // The address that is authorized to slash assets when the trigger is triggered.
  address payoutHandler;
  // Whether the trigger is used by the SafetyModule.
  bool exists;

Safety Modules contain a list of triggers which are allowed to be used to "trigger" the Safety Module using SafetyModule.trigger(ITrigger trigger_), allowing assets from the reserve pools to be slashed (see Safety Module Slashing).


The trigger to add to the Safety Module (see Creating a Trigger).

Payout Handler

Each trigger configured for a Safety Module has an assigned payoutHandler address which is allowed to slash assets from each reserve pool in the case that the trigger is used to trigger the Safety Module. Note, payout handlers do not need to be unique for each trigger.


A boolean which specifies whether or not the trigger is used by the Safety Module. This is helpful for configuration updates to remove triggers from the list of triggers that are allowed to trigger the Safety Module.

Delays Config

struct Delays {
  // Duration between when SafetyModule updates are queued and when they can be executed.
  uint64 configUpdateDelay;
  // Defines how long the owner has to execute a configuration change, once it can be executed.
  uint64 configUpdateGracePeriod;
  // Delay for two-step withdraw process (for deposited reserve assets).
  uint64 withdrawDelay;

The Delays config is for Safety Module-level delays.

Config Update Delay

The config update delay is the duration between when Safety Module updates are queued and when they can be applied / executed (see Manage a Safety Module). This delay should be longer than the withdraw delay to allow Safety Module depositors to respond to queued config updates before they are applied.

Config Update Grace Period

The config update grace period is the duration after the config update delay that the Safety Module owner is allowed to apply / execute the queued config changes (see Manage a Safety Module). If the owner does not apply the updates by the end of this period, they cannot be applied.

Withdraw Delay

The withdraw delay is for the two-step withdraw process (see Safety Module Deposits). This delay should be shorter than the config update delay to allow Safety Module depositors to respond to queued config updates before they are applied.

Last updated