Shared Safety Module Functionality

A Shared Safety Module is an external module that allows many individual Safety Modules to coordinate, so they can share risk by pooling reserve assets.

When a Safety Module is part of a Shared Safety Module, its ISharedSafetyModule sharedSafetyModule storage variable will be a non-zero address that is the associated SharedSafetyModule contract. If sharedSafetyModule == address(0), the Safety Module is not part of a Shared Safety Module.

Specifying A Shared Safety Module

Setting a Shared Safety Module follows a three-step process, where the last two steps are similar to configuration changes (see Manage a Safety Module):

  1. The Safety Module owner first sets a proposedSharedSafetyModule by calling:

/// @notice Used to set the proposed SharedSafetyModule.
/// @param proposedSharedSafetyModule_ The new proposed SharedSafetyModule.
/// @dev Only the owner can call this function.
function setProposedSharedSafetyModule(ISharedSafetyModule proposedSharedSafetyModule_) external onlyOwner;

  2. The proposedSharedSafetyModule is allowed to queue itself by calling:

/// @notice Used to queue an update to this SafetyModule's SharedSafetyModule.
/// @dev Only the proposed SharedSafetyModule can call this function.
function queueSharedSafetyModule() external onlyProposedSharedSafetyModule;

  3. Once the config update delay has elapsed, and while the config update grace period is still open, the proposedSharedSafetyModule applies the queued sharedSafetyModule by calling SafetyModule.finalizeSharedSafetyModule:

/// @notice Finalizes an update to the SharedSafetyModule for the SafetyModule.
/// @dev Only the proposed SharedSafetyModule can call this function.
function finalizeSharedSafetyModule() external onlyProposedSharedSafetyModule;

The delay period allows Safety Module depositors to withdraw in case they do not wish to be part of the specified Shared Safety Module.
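
The three-step process described above, as a minimal Solidity sketch (an added example, not the project's SafetyModule code). The function names and who may call them come from this page; the storage variables, custom errors, constructor-supplied delay and grace period, and the use of address in place of ISharedSafetyModule are assumptions made to keep it self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added sketch, not the project's SafetyModule. Storage names, errors and the use of
// `address` instead of ISharedSafetyModule are assumptions.
contract SharedSafetyModuleHandshakeSketch {
  address public immutable owner;
  uint64 public immutable configUpdateDelay;       // assumed: fixed at deployment
  uint64 public immutable configUpdateGracePeriod; // assumed: fixed at deployment
  address public sharedSafetyModule;         // address(0) => not part of a Shared Safety Module
  address public proposedSharedSafetyModule; // written by the owner in step 1
  uint64 public queuedAt;                    // 0 => nothing queued

  error Unauthorized();
  error NothingQueued();
  error DelayNotElapsed();
  error GracePeriodExpired();
  modifier onlyOwner() {
    if (msg.sender != owner) revert Unauthorized();
    _;
  }
  modifier onlyProposedSharedSafetyModule() {
    if (msg.sender != proposedSharedSafetyModule) revert Unauthorized();
    _;
  }
  constructor(uint64 delay_, uint64 gracePeriod_) {
    owner = msg.sender;
    configUpdateDelay = delay_;
    configUpdateGracePeriod = gracePeriod_;
  }
  // Step 1: a new proposal also clears anything queued by the previous proposee (assumption).
  function setProposedSharedSafetyModule(address proposed_) external onlyOwner {
    proposedSharedSafetyModule = proposed_;
    queuedAt = 0;
  }
  // Step 2: starts the clock that gives depositors time to withdraw.
  function queueSharedSafetyModule() external onlyProposedSharedSafetyModule {
    queuedAt = uint64(block.timestamp);
  }
  // Step 3: valid only inside [queuedAt + delay, queuedAt + delay + gracePeriod].
  function finalizeSharedSafetyModule() external onlyProposedSharedSafetyModule {
    if (queuedAt == 0) revert NothingQueued();
    uint256 earliest = uint256(queuedAt) + configUpdateDelay;
    if (block.timestamp < earliest) revert DelayNotElapsed();
    if (block.timestamp > earliest + configUpdateGracePeriod) revert GracePeriodExpired();
    sharedSafetyModule = msg.sender;
    proposedSharedSafetyModule = address(0);
    queuedAt = 0;
  }
}
```

In this sketch a finalize call that misses the grace period reverts, and the proposed module has to queue again, which restarts the depositors' withdrawal window.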

Shared Safety Module Privileges

A Shared Safety Module is given certain privileges with respect to the Safety Module, explained below.

Triggering the Safety Module

A Shared Safety Module is triggered indirectly via one of its child SafetyModule contracts. When a child SafetyModule’s trigger() function is called, it forwards the trigger to its parent SharedSafetyModule if one is configured. This is done by invoking SharedSafetyModule.propagateTrigger().

Note: The snippet below only shows the relevant portion of the child module’s trigger() function. It is not the complete implementation of the trigger flow.

function trigger(bytes32 triggerEventId_) external {
  if (address(sharedSafetyModule) != address(0)) {
    numPendingSsmRaises += 1;
    sharedSafetyModule.propagateTrigger(controller_, triggerEventId_);
  }
}

propagateTrigger() then calls sharedSafetyModuleTrigger on all of the sibling Safety Modules:

function sharedSafetyModuleTrigger(
  bytes32 triggerEventId_,
  ISafetyModule originSafetyModule_,
  ISafetyModuleController originController_
) external onlySharedSafetyModule;

Updating Safety Module Configurations

The Shared Safety Module assumes the traditional role of the owner in Safety Module update configurations. Specifically, it is authorized to call SafetyModule.updateConfigs:

/// @notice Signal an update to the safety module configs. Existing queued updates are overwritten.
/// @param configUpdates_ The new configs. Includes:
/// - reservePoolConfigs: The array of new reserve pool configs, sorted by associated ID. The array may also
/// include config for new reserve pools.
/// - controllerConfigUpdates: The array of controller config updates. It only needs to include configs for updates to
/// existing controllers or new controllers.
/// - delaysConfig: The new delays config.
/// @dev Only the SharedSafetyModule can call this function, if it is set. Else, only the owner can call this
/// function.
function updateConfigs(ConfigUpdateCalldataParams calldata configUpdates_)
    external
    onlySharedSafetyModuleIfSetElseOwner;

Configuration updates that occur while a Safety Module is part of a Shared Safety Module have two unique features:

  • The Shared Safety Module's config update delay and config update grace period are used.

  • Only the sharedSafetyModule is authorized to call SafetyModule.finalizeUpdateConfigs, instead of anyone being able to call it.

Resetting The Shared Safety Module

The Shared Safety Module is the only address authorized to reset the sharedSafetyModule to address(0):

/// @notice Used to reset the SafetyModule's sharedSafetyModule to address(0).
/// @dev Only the SharedSafetyModule can call this function.
function resetSharedSafetyModule() external onlySharedSafetyModule;

This is intended to be used when the Safety Module leaves the Shared Safety Module.
