Skip to main content

Shutdown machinery

A branch can be shut down. The whole system can be shut down by shutting down every branch. Shutdown is a terminal state for a branch, there is no path back to normal operation. This page covers the triggers, the effects, and what stays alive afterward.

Triggers

A branch becomes shutdownable when any of these conditions hold:

  1. Branch TCR has fallen below SCR (typically 110%). The branch is dangerously undercollateralized and continuing to issue debt would be irresponsible. Anyone can call BorrowerOperations.shutdown() to formalize.
  2. Branch oracle is failing. priceFeed.previewWillShutdown(false) == true means the feed is in a fallback state with no path to recovery. Anyone can call BorrowerOperations.shutdownFromOracleFailure().

The Aggregator also exposes:

Aggregator.shutdownBranches()  // attempts shutdown on every branch that reports shutdownable
Aggregator.getShutdownableBranches() returns (address[])

so a keeper can sweep all branches in one tx.

The protocol does not include an admin-only shutdown trigger. Shutdown is permissionless and condition-driven.

What changes on shutdown

When a branch is marked isShutdown[troveManager] = true:

SubsystemBehavior
BorrowerOperationsNew openTrove, withdrawRD, addColl etc. revert. closeTrove, repayRD, claimCollateral still work.
InterestEngineInterest stops accruing on the branch (effective rate set to 0; existing accrued interest is preserved).
StabilityPoolSpIssuance stops emitting FEE for this branch. Existing depositor balances and gains remain claimable.
AggregatorBranch removed from the redemption basket weights (no normal-mode redemption). Branch removed from the cross-branch drip sweep. Branch's debt EMA stops being refreshed.
RedemptionsSwitches to shutdown pricing mode. Both unshielded and shielded sorted lists are reachable.
LiquidationsStill callable. Existing path (offset + redistribute) still works.

In short: no new borrowing, no new SP incentives, but redemption and liquidation continue so the branch can wind down to zero.

Shutdown redemption pricing

In shutdown mode, redemption no longer uses the live oracle price minus a redemption fee. Instead, it applies a discount multiplier to the oracle price (or to a fallback if the oracle failed).

The multiplier depends on why the branch was shut down and how much time has passed:

Trigger                   Initial discount    Max discount             Decay window
------------------- ----------------- -------------------- --------------
TCR < SCR BASE_DISCOUNT = 2% MAX_TCR_BELOW_SCR = 4% MAX_DISCOUNT_TIME_SCR = 1 day
Oracle failure BASE_DISCOUNT = 2% MAX_ORACLE = 99.9999% MAX_DISCOUNT_TIME_FAILURE = 14 days

The discount climbs linearly from BASE_DISCOUNT to the max value over the decay window. After the decay window, it sits at the max.

A redeemer hands the protocol RD and receives collateral × (1 − discount). So at maximum oracle-failure discount, the redeemer effectively pays full par for a fraction of a percent of collateral, the discount has consumed almost the whole leg. That's intentional: it lets the branch fully clear even when its price feed is broken.

For TCR-below-SCR shutdowns, the maximum discount is bounded at 4%, much gentler, because the protocol still trusts the oracle and is just adjusting for the branch being thin on collateral.

Why shielded troves lose their shield

Inside shutdown mode, redemption can walk both books on the same discount schedule. The shield's purpose was to delay redemption while the unshielded book existed, but the branch is being wound down anyway, so that delay would just leave RD holders unable to exit.

The fairness argument: shielded troves paid a premium when the branch was operating. The premium they paid is captured in the branch's fee history. In shutdown, they get the same discount treatment as unshielded, but the protocol is also no longer accruing the premium against them. The deal balances at the moment of shutdown.

Effects across branches

A single-branch shutdown has cross-system consequences via the Aggregator:

  • Basket weights: _basketWeights() checks isShutdown[troveManagers[i]] and sets the shutdown branch's weight to 0. Subsequent Aggregator.redeemCollateral calls route 100% of the requested RD across the remaining active branches.
  • Drip sweep: Aggregator.dripAll() skips shutdown branches.
  • Issuance quotas: the shutdown branch's quota is frozen.
  • Debt EMA: the shutdown branch's unshielded debt EMA stops contributing to total system debt.

Healthy branches keep operating normally. The only externally visible change for a borrower on a healthy branch is that they no longer share fees with the shutdown branch's depositors (because SP issuance there has stopped).

System-wide shutdown

The protocol doesn't have a "global shutdown" switch. System-wide shutdown is what happens when every branch has been shut down individually. There's no global state for it; each branch just transitions on its own conditions.

In a system-wide shutdown:

  • All RD holders can redeem against whichever branch they choose, at that branch's discount schedule.
  • No new borrowing anywhere.
  • Liquidations on each branch continue until troves are cleared or oracle pricing is no longer trustworthy.
  • The Aggregator effectively becomes a redemption-only contract.

What survives shutdown

StateSurvives
RD tokenYes, it's a standalone ERC-20
Trove debt and collateralYes, claimable via redemption / liquidation / closeTrove
SP depositor balances and gainsYes, claimable via withdrawFromSP
FEE staking lockupsYes, earnings stop for that branch's fees, but principal and other-branch fees continue
FEE tokenYes
Pending redistribution rewardsYes, applied on the next state-touching call
Front-end tagsYes, preserved

No admin can confiscate, freeze, or migrate user assets. Shutdown is a controlled wind-down, not a rug.

When not to use a shutdown branch

If a branch is in shutdown:

  • Don't open a new trove on it. You can't.
  • Don't deposit fresh RD into its Stability Pool. Deposits are still accepted, but FEE emissions for the pool have stopped, and you're just signing up for the wind-down's liquidation exposure with no upside.
  • Do redeem RD against it. The discount schedule rewards early redeemers, and the branch's collateral has to clear.
  • Do close your existing trove if you can. Repaying full debt and claiming collateral is unaffected by shutdown.

Deep dive