Development of DeFi Circuit Breaker System
Named from traditional finance: NYSE and Nasdaq auto-halt trading at index drops 7%, 13%, 20%. Prevents panic spiral, gives market time to cool. DeFi needs equivalent—smart contracts execute without pause, exploits drain protocol in seconds.
Euler Finance ($197M), Compound ($90M), Mango Markets ($117M)—all damaged by losses that could have been minimized with circuit breaker activation at first anomaly signs.
Circuit breaker—automatic triggers stopping or limiting key protocol functions on anomalies. Goal—minimize attack damage, allow quick recovery.
Trigger Classification
Group 1: Withdrawal Volume Triggers
contract WithdrawalCircuitBreaker {
uint256 public constant WINDOW_DURATION = 1 hours;
uint256 public constant MAX_WITHDRAWAL_PERCENT_BPS = 1500; // 15% TVL per window
function processWithdrawal(address user, uint256 amount) external {
currentWindow.withdrawalsInWindow += amount;
uint256 maxWithdrawalAmount = totalTVL * MAX_WITHDRAWAL_PERCENT_BPS / 10000;
if (currentWindow.withdrawalsInWindow > maxWithdrawalAmount) {
withdrawalsPaused = true;
emit CircuitBreakerTriggered("withdrawal_volume_exceeded");
revert("Circuit breaker: withdrawal limit exceeded");
}
_executeWithdrawal(user, amount);
}
}
Set limits at 2-3x typical volume. Doesn't block normal work but stops drain-attacks.
Group 2: Oracle Price Anomalies
contract OracleCircuitBreaker {
uint256 public constant MAX_PRICE_DEVIATION_BPS = 500; // 5% from TWAP
function checkOracleHealth(address token, uint256 currentPrice) external returns (bool) {
_recordSnapshot(token, currentPrice);
uint256 twap = _calculateTWAP(token);
if (twap == 0) return true;
uint256 deviation = (currentPrice > twap)
? (currentPrice - twap) * 10000 / twap
: (twap - currentPrice) * 10000 / twap;
if (deviation > MAX_PRICE_DEVIATION_BPS) {
oraclePaused[token] = true;
return false;
}
return true;
}
}
Group 3: Protocol Invariant Violations
Invariants always hold. For lending: total_borrows <= total_deposits * (1 - reserve_factor).
Violation = something wrong. Immediate stop.
Gradual vs Hard Circuit Breaker
Binary approach too crude. Multiple reaction levels:
Level 0—Normal: Works fine.
Level 1—Monitoring: Anomalies detected, increased checks, team notified. No user impact.
Level 2—Throttling: Limits reduced, cooldown between large operations.
Level 3—Partial Pause: Freeze specific function (e.g., only new borrows). Deposits/withdrawals continue.
Level 4—Full Pause: Critical anomaly. Everything stopped except emergency withdraw.
enum CircuitBreakerLevel { Normal, Monitoring, Throttling, PartialPause, FullPause }
contract GradualCircuitBreaker {
mapping(CircuitBreakerLevel => LevelConfig) public levelConfigs;
function escalateLevel(CircuitBreakerLevel newLevel) external onlyRiskManager {
require(uint8(newLevel) > uint8(currentLevel), "Can only escalate");
currentLevel = newLevel;
}
}
Management: Who Can Stop
Automatic triggers cover predictable anomalies. Real attacks often new and unexpected. Need humans with emergency stop rights.
Conflict of interest: one person/team stopping protocol = centralization risk. Could abuse for market manipulation.
Solution: Security Council
Separate multisig with N signers (often independent security experts). Can:
- Pause immediately
- Execute emergency patches with short timelock (24-72 hours vs 7+ days)
Cannot: access treasury, change tokenomics, normal governance decisions.
contract SecurityCouncil {
address[] public members;
uint256 public constant REQUIRED_SIGNATURES = 5; // out of 9
function emergencyPause(address protocol) external onlyMember {
IProtocol(protocol).emergencyPause();
}
function proposeEmergencyFix(address target, bytes calldata data) external onlyMember {
// Propose, sign, execute if signatures >= threshold
}
}
Off-Chain Monitoring Integration
class DeFiMonitoringService {
async monitorBlock(blockNumber) {
const [tvl, borrows, deposits, prices] = await Promise.all([
this.protocol.getTotalTVL(),
this.protocol.getTotalBorrows(),
this.protocol.getTotalDeposits(),
this.getPricesSnapshot(blockNumber)
]);
const tvlChangePct = Math.abs(tvl - prevMetrics.tvl) / prevMetrics.tvl;
if (tvlChangePct > 0.05) { // 5% per block
await this.alertService.sendCritical({ type: 'tvl_spike' });
if (this.hasEmergencyRole) {
await this.protocol.triggerCircuitBreaker();
}
}
}
}
Parameter Tuning
Historical analysis to find optimal thresholds. P99 metric × 1.5 for throttle, P99 × 2.5 for pause.
Need periodic review—what was anomaly at $10M TVL becomes normal at $1B.
Timeline
Full development: 4–6 months for production-grade system.