1 of 91

Maker Protocol Technical Docs

MakerDAO Technical Docs

The Maker Protocol is the platform through which anyone, anywhere can generate the Dai stablecoin against crypto collateral assets. Learn how it works.

MakerDAO Documentation Overview

Introductory @ MakerDAO.world
@ manual.makerdao.com
@ docs.makerdao.com ← You are here
@ collateral.makerdao.com
@ mips.makerdao.com

Introduction

MakerDAO is a decentralized organization dedicated to bringing stability to the cryptocurrency economy. The Maker Protocol employs a two-token system. The first being, Dai, a collateral-backed stablecoin that offers stability. The Maker Foundation and the MakerDAO community believe that a decentralized stablecoin is required to have any business or individual realize the advantages of digital money. Second, there is MKR, a governance token that is used by stakeholders to maintain the system and manage Dai. MKR token holders are the decision-makers of the Maker Protocol, supported by the larger public community and various other external parties.

Maker is unlocking the power of decentralized finance for everyone by creating an inclusive platform for economic empowerment; enabling everyone with equal access to the global financial marketplace.

With the new version of the Maker Protocol, Multi Collateral Dai (MCD), being released and live on the main Ethereum network, we wanted to go over a few of the changes and features that it comes with. The biggest change to the Maker Protocol is that it now accepts any Ethereum-based asset as collateral to generate Dai given that it has been approved by MKR holders and has been given specific, corresponding Risk Parameters through the Maker decentralized governance process.

Additionally, there are a few other newly introduced features that come with the MCD upgrade. These new features include:

Support for multiple Vault collateral types (Launching with ETH and BAT)
- To open a Vault, head to

The Maker Protocol Smart Contract Modules System

Getting Started

Maker Protocol 101

Getting Started with Maker Protocol

For a fully comprehensive overview of the smart contracts within the Maker Protocol, please download the Maker Protocol 101 Slide Deck (PDF) below or visit the view-only link here.

Smart Contract Modules

Dai Module

The DAI token contract and all of the adapters DaiJoin adapters.

Module Name: DAI Module
Type/Category: Proxy —> Dai.sol and DaiJoin.sol
Associated MCD System Diagram
Contract Sources:

1. Introduction (Summary)

The origin of DAI was designed to represent any token that the core system considers equal in value to its internal debt unit. Thus, the DAI Module contains the DAI token contract and all of the adapters DaiJoin adapters.

2. Module Details

Glossary (DAI)

Key Functionalities (as defined in the smart contract)

Mint - Mint to an address

Burn - Burn at an address

Push - Transfer

Pull - Transfer From

Move - Transfer From

Approve - Allow pulls and moves

Permit - Approve by signature

Other

name - Dai Stablecoin

symbol - DAI

version - 1

decimals - 18

totalSupply - Total DAI Supply

balanceOf(usr: address) - User balance

allowance(src: address, dst: address) - Approvals

nonces(usr: address) - Permit nonce

Glossary (Join)

vat - storage of the Vat’s address
ilk - id of the Ilk for which a GemJoin is created for
gem - the address of the ilk

Core Module Components Documentation

(referenced in Join - Detailed Documentation)

3. Key Mechanism and Concepts

Why are these components important to the Multi-Collateral Dai (MCD) System?

The Dai contract is the user facing ERC20 contract maintaining the accounting for external Dai balances. Most functions are standard for a token with changing supply, but it also notably features the ability to issue approvals for transfers based on signed messages.

Join consists of three smart contracts, one of which is the DaiJoin contract. Each join contract is created specifically to allow the given token type to be joined to the vat. Because of this, each join contract has slightly different logic to account for the different types of tokens within the system. The DaiJoin contract allows users to withdraw their Dai from the system into a standard ERC20 token.

4. Gotchas (Potential sources of user error)

DAI is also susceptible to the known , but should not normally be an issue with unlimited approval. We recommend any users using the approval for a specific amount be aware of this particular issue and use caution when authorizing other contracts to perform transfers on their behalf.
There are limited sources of user error in the join contracts system due to the limited functionality of the system. Barring a contract bug, should a user call join by accident they could always get their tokens back through the corresponding exit call on the given join contract. The main issue to be aware of here would be a well-executed phishing attack. As the system evolves and potentially more join contracts are created, or more user interfaces are made, there is the potential for a user to have their funds stolen by a malicious join contract which does not actually send tokens to the vat, but instead to some other contract or wallet.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

There could potentially be a vat upgrade that would require new join contracts to be created.

If a gem contract were to go through a token upgrade or have the tokens frozen while a user's collateral was in the system, there could potentially be a scenario in which the users were unable to redeem their collateral after the freeze or upgrade was finished. This seems to be a small risk though because it would seem likely that the token going through this upgrade would want to work alongside the maker community to be sure this was not an issue.

Core Module

The State of the Maker Protocol

Module Name: Vault Core Module
Type/Category: Vault Core Module —> ( Vat.sol, Spot.sol )
Associated MCD System Diagram
Contract Sources:

1. Introduction (Summary)

The Core Module is crucial to the system as it contains the entire state of the Maker Protocol and controls the central mechanisms of the system while it is in the expected normal state of operation.

2. Module Details

Core Module Components Documentation

3. Key Mechanism and Concepts

Vat - The core Vault, Dai, and collateral state is kept in the Vat. The Vat contract has no external dependencies and maintains the central "Accounting Invariants" of Dai.
Spot - poke is the only non-authenticated function in spot. The function takes in a bytes32 of the

4. Gotchas (Potential sources of user error)

The methods in the Vat are written to be as generic as possible and as such have interfaces that can be quite verbose. Care should be taken that you have not mixed the order of parameters. Any module that is authed against the Vat has full root access, and can, therefore, steal all collateral in the system. This means that the addition of a new collateral type (and associated adapter) carries considerable risk.
When the Cat is upgraded, there are multiple references to it that must be updated at the same time (End, Vat.rely

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

Coding Errors

Vat - A bug in the Vat could be catastrophic and could lead to the loss (or locking) of all Dai and Collateral in the system. It could become impossible to modify Vault's or to transfer Dai. Auctions could cease to function. Shutdown could fail.
Spot - A bug in spot would most likely result in the prices for collaterals not being updated anymore. In this case, the system would need to authorize a new spot which would then be able to update the prices. Overall this is not a catastrophic failure as this would only pause all price fluctuation for some period.

Feeds

Vat - relies upon a set of trusted oracles to provide price data. Should these price feeds fail, it would become possible for unbacked Dai to be minted, or safe Vaults could be unfairly liquidated.
Spot - relies upon a set of trusted oracles to provide price data. Should these price feeds fail, it would become possible for unbacked Dai to be minted, or safe Vaults could be unfairly liquidated.

Governance

Vat - Governance can authorize new modules against the Vat. This allows them to steal collateral (slip) or mint unbacked Dai (suck/addition of worthless collateral types). Should the crypto economic protections that make doing so prohibitively expensive fail, the system may be vulnerable and left open for bad actors to drain collateral.

Spot - Detailed Documentation

The Maker Protocol's liaison between the Oracles and Core Contracts

Contract Name: spot.sol
Type/Category: DSS —> Core Module

Collateral Module

Adapters and Auction contracts for each specific collateral type

Module Name: Collateral Module
Type/Category: DSS —> join.sol, clip.sol
Associated MCD System Diagram
Contract Sources:

1. Introduction (Summary)

The collateral module is deployed for every new ilk (collateral type) added to Vat. It contains all the adapters and auction contracts for one specific collateral type.

For other information related to the collateral module, read the following resources:

2. Module Details

The Collateral Module has 3 core components consisting of the join, and flip contracts.

The Collateral Module is built up of the following components:

Clipper Contract - see

3. Key Mechanism and Concepts

Summary of the Collateral Module Components

Join - adapters that are used to deposit/withdraw unlocked collateral into the Vat. Join contains three smart contracts:
1. GemJoin
2. ETHJoin

How exactly do the `Join` contracts help the MCD system operate?

Join - the purpose of join adapters is to retain the security of the system, allowing only trusted smart contracts to add/remove value to/from the Vat. The location of collateral deposited/locked in Vaults is in the respective Join adapter.

4. Gotchas (Potential sources of user error)

When a user desires to enter the system and interact with the dss contracts, they must use one of the join contracts.
If there was a contract bug in a join contract and a user was to call join by accident, they can still retrieve their tokens back through the corresponding exit call on the given join contract.

5. Failure Modes

There could potentially be a vat upgrade that would require new join contracts to be created

Potential Phishing Attacks

As the MCD system evolves, we will see many more join contracts, user interfaces, etc. This surfaces the potential for a user to have their funds stolen by a malicious join contract which would send tokens to an external contract or wallet, instead of the vat.

Join - Detailed Documentation

Contract Name: join.sol
Type/Category: DSS —> Token Adapter Module
Associated MCD System Diagram
Etherscan

1. Introduction (Summary)

Join consists of three smart contracts: GemJoin, ETHJoin, and DaiJoin: GemJoin - allows standard ERC20 tokens to be deposited for use with the system. ETHJoin - allows native Ether to be used with the system. DaiJoin - allows users to withdraw their Dai from the system into a standard ERC20 token.

Each join contract is created specifically to allow the given token type to be join'ed to the vat. Because of this, each join contract has slightly different logic to account for the different types of tokens within the system.

2. Contract Details:

Glossary (Join)

vat - storage of the Vat’s address.
ilk - id of the Ilk for which a GemJoin is created for.
gem

Every join contract has 4 public functions: a constructor, join, exit, and cage. The constructor is used on contract initialization and sets the core variables of that join contract. Join and exit are both true to their names. Join provides a mechanism for users to add the given token type to the vat. It has slightly different logic in each variation, but generally resolves down to a transfer and a function call in the vat. Exit is very similar, but instead allows the the user to remove their desired token from the

3. Key Mechanisms & Concepts

The GemJoin contract serves a very specified and singular purpose which is relatively abstracted away from the rest of the core smart contract system. When a user desires to enter the system and interact with the dss contracts, they must use one of the join contracts. After they have finished with the dss contracts, they must call exit to leave the system and take out their tokens. When the GemJoin gets caged by an authed address, it can exit collateral from the Vat but it can no longer join new collateral.

User balances for collateral tokens added to the system via join are accounted for in the Vat as Gem according to collateral type Ilk until they are converted into locked collateral tokens (ink) so the user can draw Dai.

The DaiJoin contract serves a similar purpose. It manages the exchange of Dai that is tracked in the Vat and ERC-20 Dai that is tracked by Dai.sol. After a user draws Dai against their collateral, they will have a balance in Vat.dai. This Dai balance can be exit' ed from the Vat using the DaiJoin contract which holds the balance of Vat.dai and mint's ERC-20 Dai. When a user wants to move their Dai back into the Vat accounting system (to pay back debt, participate in auctions, pack bag's in the End, or utilize the DSR, etc), they must call DaiJoin.join. By calling DaiJoin.join

4. Gotchas (Potential source of user error)

The main source of user error with the Join contract is that Users should never transfer tokens directly to the contracts, they must use the join functions or they will not be able to retrieve their tokens.

There are limited sources of user error in the join contract system due to the limited functionality of the system. Barring a contract bug, should a user call join by accident they could always get their tokens back through the corresponding exit call on the given join contract.

The main issue to be aware of here would be a well-executed phishing attack. As the system evolves and potentially more join contracts are created, or more user interfaces are made, there is the potential for a user to have their funds stolen by a malicious join contract which does not actually send tokens to the vat, but instead to some other contract or wallet.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

There could potentially be a vat upgrade that would require new join contracts to be created.

If a gem contract were to go through a token upgrade or have the tokens frozen while a user's collateral was in the system, there could potentially be a scenario in which the users were unable to redeem their collateral after the freeze or upgrade was finished. This scenario likely presents little risk though because the token going through this upgrade would more than likely want to work alongside the Maker community to be sure this was not an issue.

Maker Protocol Emergency Shutdown

Introducing the Shutdown Mechanism of the Maker Protocol

Introduction

The Maker Protocol, which powers Multi Collateral Dai, is a smart-contract system that backs and stabilizes the value of Dai through a dynamic combination of Vaults, autonomous system of smart contracts, and appropriately incentivized external actors. The Dai Target Price is 1 US Dollar, translating to a 1:1 US Dollar soft peg. Shutdown is a process that can be used as a last resort to directly enforce the Target Price to holders of Dai and Vaults, and protect the Maker Protocol against attacks on its infrastructure.

Shutdown stops and gracefully settles the Maker Protocol while ensuring that all users, both Dai holders and Vault holders, receive the net value of assets they are entitled to.

In short, it allows Dai holders to directly redeem Dai for collateral after an Emergency Shutdown processing period.

Overview of the Shutdown Process

The process of initiating Emergency Shutdown is decentralized and controlled by MKR voters, who can trigger it by depositing MKR into the Emergency Shutdown Module.
Emergency Shutdown is triggered in the case of serious emergencies, such as long-term market irrationality, hacks, or security breaches.
Emergency Shutdown stops and gracefully settles the Maker Protocol while ensuring that all users, both Dai holders and Vault users, receive the net value of assets they are entitled to.

For more information about the Shutdown of the Maker Protocol, read the below End - Detailed Documentation as well as the

Emergency Shutdown for Partners

How to prepare for ES as a partner

For a quick overview of Emergency Shutdown within the Maker Protocol and the process to follow as an integration partner, please download and read the ES Partner Integration Slide Deck (PDF) below.

Glossary

Deployment Addresses

Maker Protocol Deployments

Find all Maker Protocol contract addresses and ABIs at chainlog.makerdao.com

The Chainlog provides valuable information for developers interacting with Maker Protocol deployments. This includes deployments on the following networks:

Ethereum Mainnet (latest release)
Ethereum Goerli Testnet ()

Each release includes the following information:

Contract addresses with link to Etherscan
ABIs

Onchain Contract Address Directory

The Chainlog is also available as an onchain smart contract directory () that allows developers to programatically fetch Maker Protocol contract addresses directly in a smart contract. This is useful for integrators that want to future-proof implementations in case a Maker module is updated. You can

Security

Security for the Maker Protocol

Ensuring the Security of the Maker Protocol and Multi Collateral Dai

Introduction

is dedicated to providing transparency to our community with respect to the results of our MCD Audits, our Bug Bounty Program, and Formal Verification. It is important to note that this release is the first version and we will continue to add information as it becomes available.

Building on top of the Maker Protocol

The Dai Javascript Library of the Maker Protocol

Dai.js is the JavaScript library that helps developers easily build DeFi applications on top of the Maker Protocol, MakerDAO's platform of smart contracts.

Introduction

is a JavaScript library that makes it easy to build applications on top of MakerDAO's platform of smart contracts. You can use Maker's contracts to open Vaults (formerly known as CDPs), deposit collateral and generate Dai, trade tokens on decentralized exchanges, and more.

The library features a pluggable, service-based architecture, which allows users to easily integrate Maker functionality into their own apps. It also includes convenient configuration presets for out-of-the-box usability and support for both front-end and back-end applications, plus plugins for integrating with Maker governance, hardware wallets, and both Single-Collateral and Multi-Collateral Dai.

Plugins

Dai.js supports plugins, which allow a developer to add functionality (hardware wallet support, exchange support, etc.) for specific needs without increasing the size and dependency list of the core library.

Available Plugins

Trezor Plugin for using Trezor with dai.js in a browser environment.
for using Ledger in a browser environment.
for working with the governance contracts.
for atomic trading on maker OTC (Oasis).
for interacting with the maker OTC contract (Oasis).
for interacting with the multi-collateral dai contracts.
for interacting with the single-collateral dai contracts.

Building your own plugin

Check out the .

Dai Savings Rate

Use the 'mcd:savings' service to work with the Dai Savings Rate system. In the code, this is called SavingsService.

Instance methods

All the methods below are asynchronous. join, exit, and exitAll use a proxy contract.

join(amount)

Deposit the specified amount of Dai into the Dai Savings Rate (DSR) contract.

exit(amount)

Withdraw the specified amount of Dai from the DSR contract.

exitAll()

Withdraw all Dai owned by the current account from the DSR contract.

balance()

Return the amount of Dai in the DSR contract owned by the . Strictly speaking, this method returns the amount of Dai owned by the proxy contract for the current address. to work with the methods above.

balanceOf(address)

Return the amount of Dai in the DSR contract owned by the specified address.

getTotalDai()

Get the total amount of Dai in the DSR contract for all users.

getYearlyRate()

Get the current annual savings rate.

Currency units

Methods that take numerical values as input can also take instances of token classes that the library provides. These are useful for managing precision, keeping track of units, and passing in wei values. Most methods that return numerical values return them wrapped in one of these classes. There are two types:

currency units, which represent an amount of a type of currency
price units, aka currency ratios, which represent an exchange rate between two currencies.

The classes that begin with USD are price units; e.g. USD_ETH represents the price of ETH in USD. Useful instance methods:

System data

Use the mcd:systemData service to look up system-wide parameters. In the code, this is called SystemDataService.

const service = maker.service('mcd:systemData');

Instance methods

getAnnualBaseRate()

Returns the base rate applied to all collateral types, in addition to their individual risk premiums.

getSystemWideDebtCeiling()

Returns the debt ceiling for the entire system.

isGlobalSettlementInvoked()

Returns a boolean that is true if emergency shutdown has been triggered.

Advanced

To override the address of one of the contracts used by Dai.js or a plugin, you can pass the smartContract.addressOverrides option. You need to know the key of the contract in the addresses file to override it.

List of mainnet addresses

const service = Maker.create('test' {
  smartContract: {
    addressOverrides: {
      PROXY_REGISTRY: '0xYourAddress'
    }
  } 
});

Transaction manager

The transactionManager service is used to track a transaction's status as it propagates through the blockchain.

Methods in Dai.js that start transactions are asynchronous, so they return promises. These promises can be passed as arguments to the transaction manager to set up callbacks when transactions change their status to pending, mined, confirmed or error.

Pass the promise to transactionManager.listen with callbacks, as shown below.

Note that the confirmed event will not fire unless transactionManager.confirm

Using multiple accounts

Summary

Dai.js supports the use of multiple accounts (i.e. private keys) with a single Maker instance. Accounts can be specified in the options for Maker.create or with the addAccount method.

Call useAccount to switch to using an account by its name, or useAccountWithAddress to switch to using an account by its address, and subsequent calls will use that account as the transaction signer.

When the Maker instance is first created, it will use the account named

CDP Service

Summary

This page applies only to Single-Collateral Dai.

Retrieve the ETH CDP Service through Maker.service('cdp'). The ETH CDP Service exposes risk parameter information for the Ether CDP type (in single-collateral Dai, this is the only CDP Type).

Price Service

Summary

Retrieve the PriceService through Maker.service('price'). The PriceService exposes the collateral and governance tokens' price information that is reported by the oracles in the Maker system.

getEthPrice

System Status

Summary

To access system status information, retrieve the ETH CDP Service through Maker.service('cdp').

const service = maker.service('cdp');

getSystemCollateralization

Params: none
Returns: promise (resolves to system collateralization ratio)

getSystemCollateralization() returns the collateralization ratio for the entire system, e.g. 2.75

getTargetPrice

Params: none
Returns: promise (resolves to target price)

getTargetPrice() returns the target price of Sai in USD, that is, the value to which Sai is soft-pegged, which historically has been 1. It returns a USD_SAI .

Token Conversion

Get the token conversion service with maker.service('conversion').

The token conversion service offers functions to convert between Eth, Weth and Peth, handling allowances when necessary.

convertEthToWeth

Params: amount of Eth to convert

Exchange Service

Summary

Retrieve the OasisExchangeService (or alternative implementation) through maker.service('exchange'). The exchange service allows to buy and sell DAI, MKR, and other tokens. The default OasisExchangeService implementation uses the OasisDEX OTC market for this.

Requires one of the exchange to be in use.

Keepers

Auction Keepers

Introduction

The Maker Protocol, which powers Multi Collateral Dai (MCD), is a smart contract based system that backs and stabilizes the value of Dai through a dynamic combination of Vaults (formerly known as CDPs), autonomous feedback mechanisms, and incentivized external actors. To keep the system in a stable financial state, it is important to prevent both debt and surplus from building up beyond certain limits. This is where Auctions and Auction Keepers come in. The system has been designed so that there are three types of Auctions in the system: Surplus Auctions, Debt Auctions, and Collateral Auctions. Each auction is triggered as a result of specific circumstances.

Auction Keepers are external actors that are incentivized by profit opportunities to contribute to decentralized systems. In the context of the Maker Protocol, these external agents are incentivized to automate certain operations around the Ethereum blockchain. This includes:

Market Maker Keepers

Introduction

A big part of the Maker Protocol is the incentivization of external agents, called Keepers (which can be human but are typically automated bots). Market Maker Keepers work by creating a series of orders in so-called bands (defined later), which are configured with a JSON file containing parameters like spreads, maximum engagement, etc. In short, the market-maker-keeper repository is a set of Keepers that facilitate market making on exchanges. For example, trading Dai motivated by the expected long-term convergence toward the indicated Target Price. This guide is dedicated to showing you how to create your very own Market Maker Keeper Bot as well as educate the community and help both users and developers understand the value of this incredible software. We are proud to say that all of the code needed to get a Market Maker Keeper bot up and running is open-sourced.

Command-line Interfaces

Miscellaneous

Liquidations 1.2 System (Deprecated)

ilk

poke

external

peek

file

Vow.rely

End

pause.proxy()

Get the current USD price of ETH, as a USD_ETH price unit.

confirmedBlockCount

default

txMgr.listen(open, {
  pending: tx => {
    // do something when tx is pending
  },
  mined: tx => {
    // do something when tx is mined
  },
  confirmed: tx => {
    // do something when tx is confirmed       
  },
  error: tx => {
    // do someting when tx fails
  }
});

await txMgr.confirm(open); 
// 'confirmed' callback will fire after 5 blocks

const lock = cdp.lockEth(1);
txMgr.listen(lock, {
  pending: tx => {
    const {contract, method} = tx.metadata;
    if(contract === 'WETH' && method === 'deposit') {
      console.log(tx.hash); // print hash for WETH.deposit
    }
  }
})

const maker = await Maker.create({
  url: 'http://localhost:2000',
  accounts: {
    other: {type: privateKey, key: someOtherKey},
    default: {type: privateKey, key: myKey}
  }
});

await maker.addAccount('yetAnother', {type: privateKey, key: thirdKey});

const cdp1 = await maker.openCdp(); // owned by "default"

maker.useAccount('other');
const cdp2 = await maker.openCdp(); // owned by "other"

maker.useAccount('yetAnother');
const cdp3 = await maker.openCdp(); // owned by "yetAnother"

await maker.addAccount({type: privateKey, key: fourthAccount.key}); // the name argument is optional
maker.useAccountWithAddress(fourthAccount.address);
const cdp4 = await maker.openCdp(); //owned by the fourth account

const maker = await Maker.create({
  url: 'http://localhost:2000',
  accounts: {
    // this will be the first account from the provider at
    // localhost:2000
    first: {type: 'provider'},

    // this will be the current account in MetaMask, and it
    // will send its transactions through MetaMask
    second: {type: 'browser'},

    // this account will send its transactions through the
    // provider at localhost:2000
    third: {type: 'privateKey', key: myPrivateKey}
  }
})

import TrezorPlugin from '@makerdao/dai-plugin-trezor-web';
import LedgerPlugin from '@makerdao/dai-plugin-ledger-web';

const maker = await Maker.create({
  plugins: [
    TrezorPlugin,
    LedgerPlugin,
  ],
  accounts: {
    // default derivation path is "44'/60'/0'/0/0"
    myTrezor: {type: 'trezor', path: derivationPath1},
    myLedger: {type: 'ledger', path: derivationPath2}
  }
});

import Maker from '@makerdao/dai';

// Multi-Collateral Dai

import { ETH, BAT, DAI } from '@makerdao/dai-plugin-mcd';

const maker = await Maker.create(...);
const mgr = maker.service('mcd:cdpManager');

// lock BAT into a new vault and draw Dai
const vault = await mgr.openLockAndDraw(
  'BAT-A',
  BAT(100),
  DAI(100)
);

// Single-Collateral Sai

const {
  MKR,
  SAI,
  ETH,
  WETH,
  PETH,
  USD_ETH,
  USD_MKR,
  USD_SAI
} = Maker;

// These are all identical:

// each method has a default type
cdp.lockEth(0.25);
cdp.lockEth('0.25');

// you can pass in a currency unit instance
cdp.lockEth(ETH(0.25));

// currency units have convenient converter methods
cdp.lockEth(ETH.wei(250000000000000000));

const eth = ETH(5);
eth.toString() == '5.00 ETH';

const price = USD_ETH(500);
price.toString() == '500.00 USD/ETH';

// multiplication handles units
const usd = eth.times(price);
usd.toString() == '2500.00 USD';

// division does too
const eth2 = usd.div(eth);
eth2.isEqual(eth);

ilk

vat

Cage

burn

Vat.dai

DaiJoin

Vat

Dai.totalSupply

Vat.dai(DaiJoin)

DaiJoin

cage

auth

exit

Tokens

Get a token object through the getToken(tokenSymbol) function on the tokenService.

The list of tokens that can be passed into getToken() are: SAI, MKR, WETH, PETH, ETH.

This list can also be obtained with tokenService.getTokens(). This function returns a string representation of the token symbol, e.g. 'SAI', which can also be passed into getToken.

When the Multi-Collateral Dai plugin is in use, getToken('DAI') will return a token object for Dai.

Most of the methods below can be called on any token object. deposit and withdraw are for WETH only, and join and exit are for PETH only.

allowance

Params:
tokenOwner - address of token owner
spender - address of token spender
Returns: promise (resolves to token allowance)

allowance returns a representing the token allowance.

balance

Params: none
Returns: promise (resolves balance of current account)

balance returns a representing the token balance of the current account

balanceOf

Params: address to check
Returns: promise (resolves balance of address)

balanceOf returns a representing the token balance of the supplied account.

totalSupply

Params: none
Returns: promise (resolves total supply of token)

totalSupply returns a representing the total token supply

approve

Params:
spender - address of token spender
amount - amount of token to allow
Returns: promise (resolves to once mined)

approve approves the spending address to spend up to amount of msg.sender's tokens.

approveUnlimited

Params: address of token spender
Returns: promise (resolves to once mined)

approveUnlimited approves the spending address to spend the maximum amount of msg.sender's tokens.

transfer

Params:
to - address to send to
amount - amount of token to send
Returns: promise (resolves to once mined)

transfer transfers amount of token to to address.

transferFrom

Params:
from - address to send tokens from
to - address to send to
amount - amount of token to send

transferFrom() transfers amount of token from from address to to address. Transaction will fail if msg.sender does not have allowance to transfer the amount of tokens from the from address.

deposit (WETH only)

Params: amount of Eth to deposit
Returns: promise (resolves to once mined)

deposit converts amount of Eth to amount of Weth.

withdraw (WETH only)

Params: amount of Weth to withdraw
Returns: promise (resolves to once mined)

withdraw converts amount of Weth to amount of Eth.

join (PETH only)

Params: amount of Weth to join
Returns: promise (resolves to once mined)

join converts amount of Weth to Peth, at the .

exit (PETH only)

Params: amount of Peth to exit
Returns: promise (resolves to once mined)

withdraw converts amount of Peth to Weth, at the .

import Maker from '@makerdao/dai';
import { ScdPlugin } from '@makerdao/dai-plugin-scd';

async function openLockDraw() {
  const maker = await Maker.create("http", {
    plugins: [ScdPlugin],
    privateKey: YOUR_PRIVATE_KEY,
    url: 'https://kovan.infura.io/v3/YOUR_INFURA_PROJECT_ID'
  });

  await maker.authenticate();
  const cdpService = await maker.service('cdp');
  const cdp = await cdpService.openCdp();

  await cdp.lockEth(0.25);
  await cdp.drawSai(50);

  const debt = await cdp.getDebtValue();
  console.log(debt.toString); // '50.00 SAI'
}

openLockDraw();

//example code in ExampleService.js for steps 3-6
import PublicService from '../core/PublicService';

export default class ExampleService extends PublicService {
    constructor (name='example') {
        super(name, ['log']);
    }

    test(){
        this.get('log').info('test');
    }

//example code in ExampleService.spec.js for step 8
import Maker from '../../src/index';

//step 8: a new service role ('example') is used
test('test 1', async () => {
  const maker = await Maker.create('http', {example: "ExampleService"});
  const exampleService = customMaker.service('example');
  exampleService.test(); //logs "test"
});

//step 8: a custom service replaces a default service (Web3)
test('test 2', async () => {
  const maker = await Maker.create('http', {web3: "MyCustomWeb3Service"});
  const mycustomWeb3Service = maker.service('web3');
});

//step 10: in ExampleService.spec.js
const maker = await Maker.create('http', {
    example: ["ExampleService", {
    exampleSetting: "this is a configuration setting"
  }]
});

//step 10: accessing configuration settings in ExampleService.js
initialize(settings) {
  if(settings.exampleSetting){
    this.get('log').info(settings.exampleSetting);
  }
}

const maker = await Maker.create('http', {example: "ExampleService"});
const exampleService = customMaker.service('example');

//wait for example service and its dependencies to initialize
await exampleService.manager().initialize();

//wait for example service and its dependencies to connect
await exampleService.manager().connect();

//wait for example service and its dependencies to authenticate
await exampleService.manager().authenticate();

//can also use callback syntax
exampleService.manager().onConnected(()=>{
    /*executed after connected*/
});

//wait for all services used by the maker object to authenticate
maker.authenticate();

//in PriceService.js
this.get('event').registerPollEvents({
      'price/ETH_USD': {
        price: () => this.getEthPrice()
      }
    });

//in Web3Service.js
this.get('event').emit('web3/INITIALIZED', {
  provider: { ...settings.provider }
});

//in the constructor in the Cdp.js
this._emitterInstance = this._cdpService.get('event').buildEmitter();
this.on = this._emitterInstance.on;
this._emitterInstance.registerPollEvents({
  COLLATERAL: {
    USD: () => this.getCollateralValueInUSD(),
    ETH: () => this.getCollateralValueInEth()
  },
  DEBT: {
    dai: () => this.getDebtValueInDai()
  }
});

Vat - Detailed Documentation

The Maker Protocol's Core Accounting System

Contract Name: Vat.sol
Type/Category: DSS —> Core System Accounting
Associated MCD System Diagram

1. Introduction (Summary)

The Vat is the core Vault engine of dss. It stores Vaults and tracks all the associated Dai and Collateral balances. It also defines the rules by which Vaults and balances can be manipulated. The rules defined in the Vat are immutable, so in some sense, the rules in the Vat can be viewed as the constitution of dss.

2. Contract Details

Glossary (Vat - Vault Engine)

gem: collateral tokens.
dai: stablecoin tokens.
sin: unbacked stablecoin (system debt, not belonging to any urn).

Note: art and Art represent normalized debt, i.e. a value that when multiplied by the correct rate gives the up-to-date, current stablecoin debt.

Accounting

debt is the sum of all dai (the total quantity of dai issued).
vice is the sum of all sin (the total quantity of system debt).
Ilk.Art

Collateral

gem can always be transferred to any address by it's owner.

Dai

dai can only move with the consent of it's owner.
dai can always be transferred to any address by it's owner.

3. Mechanisms & Concepts

The core Vault, Dai, and collateral state is kept in the Vat. The Vat contract has no external dependencies and maintains the central "Accounting Invariants" of Dai. The core principles that apply to the vat are as follows:

Dai cannot exist without collateral:

An ilk is a particular type of collateral.
Collateral gem is assigned to users with slip.
Collateral gem is transferred between users with flux

2. The Vault data structure is the Urn:

has ink - encumbered collateral
has art - encumbered, normalized debt

3. Similarly, a collateral is an Ilk:

has Art - encumbered, normalized debt
has rate - debt scaling factor (discussed further below)
has spot - price with safety margin

Note: Above, when using the term "encumbered", this refers to being "locked in a Vault".

Vault Management

Vaults are managed via frob(i, u, v, w, dink, dart), which modifies the Vault of user u, using gem from user vand creating dai for user w.
Vaults are confiscated via grab(i, u, v, w, dink, dart), which modifies the Vault of user u

Rate Updates via `fold(bytes32 ilk, address u, int rate)`

An ilk's rate is the conversion factor between any normalized debt (art) drawn against it and the present value of that debt with accrued fees. The rate parameter to fold is actually the change in the Ilk.rate value, i.e. a difference of scaling factors (new - old). It is a signed integer, and hence current account values may increase or decrease. The quantity Ilk.Art*rate is added to the dai balance of the address u (representing an increase or decrease in system surplus); the debt balances of all Vaults collateralized with the specified Ilk are updated implicitly via the addition of rate to Ilk.rate.

For more information on Rates and System Stabilization, see the Rates Module and System Stabilizer Module documentation below:

4. Gotchas

The methods in the Vat are written to be as generic as possible and as such have interfaces that can be quite verbose. Care should be taken that you have not mixed the order of parameters.

Any module that is authed against the Vat has full root access, and can therefore steal all collateral in the system. This means that the addition of a new collateral type (and associated adapter) carries considerable risk.

5. Failure Modes

Coding Error

A bug in the Vat could be catastrophic and could lead to the loss (or locking) of all Dai and Collateral in the system. It could become impossible to modify Vault's or to transfer Dai. Auctions could cease to function. Shutdown could fail.

Feeds

The Vat relies upon a set of trusted oracles to provide price data. Should these price feeds fail, it would become possible for unbacked Dai to be minted, or safe Vaults could be unfairly liquidated.

Governance

Governance can authorize new modules against the Vat. This allows them to steal collateral (slip) or mint unbacked Dai (suck / addition of worthless collateral types). Should the cryptoeconomic protections that make doing so prohibitively expensive fail, the system may be vulnerable and left open for bad actors to drain collateral.

Adapters

The Vat relies on external Adapter contracts to ensure that the collateral balances in the Vat represent real external collateral balances. Adapter contracts are authorized to make arbitrary modifications to all collateral balances. A faulty collateral adapter could result in the loss of all collateral in the system.

ESM - Detailed Documentation

The ESM is the trigger system for the shutdown of the Maker Protocol

Contract Name: esm.sol
Type/Category: Emergency Shutdown Module
Associated MCD System Diagram

1. Introduction (Summary)

The Emergency Shutdown Module (ESM) is a contract with the ability to call End.cage() to trigger the Shutdown of the Maker Protocol.

2. Contract Details

ESM (Glossary)

Key Functionalities (as defined in the smart contract)

rely - Grant an address admin powers

deny - Revoke admin powers from an address

file - Allow admin to update threshold min and address of end

cage - Permanently disable the shutdown module

fire - Trigger shutdown by calling End.cage

denyProxy - Following the wards rely/deny pattern, calls deny on a given contract

join - Deposit MKR to the shutdown module

burn - Burn any MKR deposited into the shutdown module

Other

gem - MKR Token contract [address]

wards(admin: address) - Whether an address has admin powers [address: uint]

sum(usr: address) - MKR join balance by user [address: uint]

Sum - Total MKR deposited [uint]

min - Minimum MKR amount required for fire and denyProxy [uint]

end - The End contract [address]

live - Whether the contract is live (not caged) [uint]

3. Key Mechanisms & Concepts

MKR holders that wish to trigger Shutdown must join MKR into the ESM. When the ESM's internal Sum variable is equal to or greater than the minimum threshold (min), the ESM's fire() and denyProxy() methods may be called by anyone. The fire() method, in turn, calls End.cage(), which starts the Shutdown process.

The ESM is intended to be used in a few potential scenarios:

To mitigate malicious governance
To prevent the exploitation of a critical bug (for example one that allows collateral to be stolen)

In the case of a malicious governance attack, the joiners will have no expectation of recovering their funds (as that would require a malicious majority to pass the required vote), and their only option is to set up an alternative fork in which the majority's funds are slashed and their funds are restored.

In other cases, the remaining MKR holders may choose to refund the ESM joiners by minting new tokens.

Note: Governance can disarm the ESM by calling cage() (this is distinct from End.cage()).

4. Gotchas (Potential Source of User Error)

Unrecoverable of Funds

It is important for users to keep in mind that joining MKR into the ESM is irreversible—they lose it forever, regardless of whether they successfully trigger Shutdown. While it is possible that the remaining MKR holders may vote to mint new tokens for those that lose them triggering the ESM, there is no guarantee of this.

Game Theory of Funding and Firing the ESM

An entity wishing to trigger the ESM but possessing insufficient MKR to do so independently must proceed with caution. The entity could simply send MKR to the ESM to signal its desire and hope others join in; this, however, is poor strategy. Governance, whether honest or malicious, will see this, and likely move to de-authorize the ESM before the tipping point can be reached. It is clear why malicious governance would do so, but honest governance might act in a similar fashion—e.g. to prevent the system from being shut down by trolls or simply to maintain a constant threshold for ESM activation. (Honest governance, or even deceptive malicious governance, would be expected to then replace the ESM.) If governance succeeds in this, the entity has simply lost MKR without accomplishing anything.

If an entity with insufficient MKR wishes to trigger the ESM, it is better off first coordinating with others either off-chain or ideally via a trustless smart contract.. If a smart contract is used, it would be best if it employed zero-knowledge cryptography and other privacy-preserving techniques (such as transaction relayers) to obscure information such as the current amount of MKR committed and the addresses of those in support.

If an entity thinks others will join in before governance can react (e.g. if the delay for governance actions is very long), it is still possible that directly sending insufficient MKR to the ESM may work, but it carries a high degree of risk. Governance could even collude with miners to prevent cage calls, etc if they suspect an ESM triggering is being organized and wish to prevent it.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

Authorization Misconfigurations

The ESM itself does not have an isolated failure mode, but if the other parts of the system do not have proper authorization configurations (e.g. the End contract does not authorize the ESM to call cage()), then the ESM's fire() method may be unable to trigger the Shutdown process even if sufficient MKR has been committed to the contract.

Chief Keeper

Keeper that lifts the hat and streamlines executive actions

Introduction

The chief-keeper monitors and interacts with DSChief and DSSSpells, which is the executive voting contract and a type of proposal object of the Maker Protocol.

Its purpose is to lift the hat in DSChief as well as streamline executive actions.

To lift a spell, that spell must have more approvals than the current hat. The approvals of this spell can fluctuate and be surpassed by other spells, some of which could be malicious. This keeper "guards" the hat by ensuring the spell with the most approval is always the hat. The chief-keeper does this in order to maximize the barrier of entry (approval) to lift a spell to the hat, thus acting as a "guard" against malicious governance actions.

While in operation, the chief-keeper:

Monitors each new block for a change in the state of executive votes
lifts the hat for the spell (yay) most favored (approvals[yay])
Schedules spells in the GSM by calling DSSSpell.schedule()

Review

The following section assumes familiarity with the , DSSSpells, and (Governance Security Module), as well as the processes within .

Architecture

chief-keeper interacts directly with the DS-Chief and DSSSpells.

Operation

This keeper is run continuously, and saves a local database of yays (spell addresses) and an yay:eta dictionary to reduce chain state reads. If you'd like to create your own database from scratch, first delete src/database/db_mainnet.json before running bin/chief-keeper; the initial query could take up to 15 minutes.

Installation

Prerequisites:

- This project requires virtualenv to be installed if you want to use Maker's python tools. This helps with making sure that you are running the right version of python and checks that all of the pip packages that are installed in the install.sh are in the right place and have the right versions.

In order to clone the project and install required third-party packages please execute:

If tinydb isn't visible/installed through ./install.sh, simply run pip3 install tinydb after the commands above.

For some known Ubuntu and macOS issues see the README.

Sample Startup Script

Make a run-chief-keeper.sh to easily spin up the chief-keeper.

Testing

Download

This project uses for unit testing. Testing of Multi-collateral Dai is performed on a Dockerized local testchain included in tests\config.

In order to be able to run tests, please install development dependencies first by executing:

You can then run all tests with:

Roadmap

License

See file.

Support

If you have questions regarding Cage Keepers, please reach out to us on the channel on .

Cage Keeper

A Keeper to facilitate Emergency Shutdown

Introduction

The cage-keeper is used to help facilitate Emergency Shutdown of the Maker Protocol. Emergency shutdown is an involved, deterministic process, requiring interaction from all user types: Vault owners, Dai holders, Redemption keepers, MKR governors, and other Maker Protocol Stakeholders. A high level overview is as follows:

System Caged - The Emergency Security Module calls End.cage() function, which freezes the USD price for each collateral type as well as many parts of the system.
Processing Period - Next, Vault owners interact with End to settle their Vault and withdraw excess collateral. Auctions are left to conclude or are yanked before Dai redemption.
Dai Redemption - After the processing period duration End.wait has elapsed, Vault settlement and all Dai generating processes (auctions) are assumed to have concluded. At this point, Dai holders can begin to claim a proportional amount of each collateral type at a fixed rate.

To prevent a race-condition for Dai holders during Step 3, it's imperative that any Vaults having a collateralization ratio of less than 100% at Step 1 must be processed during Step 2. The owner of an underwater Vault would not receive excess collateral, so they lack an incentive to skim their position in the End contract. Thus, it is the responsibility of a MakerDAO Stakeholder (MKR holders, large Dai holders, etc) to ensure the system facilitates a Dai redemption phase without a time variable. The cage-keeper is a tool to help stakeholders carry out this responsibility.

Prerequisites

The following section assumes familiarity with Emergency Shutdown. Good places to start is the Emergency Shutdown Module in Section 3 and Section 4 of the as well as a more thorough, . Functions mentioned are from the implementation contained by the End contract, which is .

To be consistent with the Protocol's technical terminology for the rest of this description:

urn = Vault
ilk = Collateral Type

Architecture

The cage-keeper directly interacts with the End, Flopper and Flapper contracts.

The central goal of the cage-keeper is to process all under-collateralized urns. This accounting step is performed within End.skim(), and since it is surrounded by other required/important steps in the Emergency Shutdown, a first iteration of this keeper will help to call most of the other public function calls within the End contract.

As can be seen in the above flowchart, the keeper checks if the system has been caged before attempting to skim all underwater urns and skip all flip auctions. After the processing period has been facilitated and the End.wait wait time has been reached, it will transition the system into the Dai redemption phase of Emergency Shutdown by calling End.thaw() and End.flow(). This first iteration of this keeper is naive, as it assumes it's the only keeper and attempts to account for all urns, ilks, and auctions. Because of this, it's important that the keeper's address has enough ETH to cover the gas costs involved with sending numerous transactions. Any transaction that attempts to call a function that's already been invoked by another Keeper/user would simply fail.

Operation

This keeper can either run continuously on a local/virtual machine or be run when the operator becomes aware of Emergency Shutdown. A sample startup script is shown below. The keeper's Ethereum address should have enough ETH to cover gas costs and is a function of the protocol's state at the time of shutdown (i.e. more urns to skim means more required ETH to cover gas costs). When new collateral types are added to the protocol, the operator should pull the latest version of the keeper, which would include contracts associated with the aforementioned collateral types.

After the cage-keeper facilitates the processing period, it can be turned off until End.wait is nearly reached. Then, at that point, the operator would pass in the --previous-cage argument during keeper start in order to bypass the feature that supports the processing period.

Installation

This project uses Python 3.6.2.

In order to clone the project and install required third-party packages please execute:

For some known Ubuntu and macOS issues see the README.

Sample Startup Script

Make a run-cage-keeper.sh to easily spin up the cage-keeper.

Testing

Prerequisites:

Download

This project uses for unit testing. Testing of Multi-collateral Dai is performed on a Dockerized local testchain included in tests\config.

In order to be able to run tests, please install development dependencies first by executing:

You can then run all tests with:

License

See file

Support

If you have questions regarding Cage Keepers, please reach out to us on the channel on .

MKR Module

The MKR Governance Token Implementation

Contract Name: token.sol
Type/Category: MKR Module
Associated MCD System Diagram

1. Introduction (Summary)

The MKR Module contains the MKR token, which is a deployed contract. It is an ERC20 token that provides a standard ERC20 token interface. It also contains logic for burning and authorized minting of MKR.

2. Contract Details:

Glossary (MKR)

guy - user address
wad - a quantity of tokens, usually as a fixed point integer with 10^18 decimal places.
dst - refers to the destination address.

Key Functionalities (as defined in the smart contract)

mint - credit tokens at an address whilst simultaneously increasing totalSupply (requires auth).

burn - debit tokens at an address whilst simultaneously decreasing totalSupply (requires auth).

Aliases

push - transfer an amount from msg.sender to a given address.

pull - transfer an amount from a given address to msg.sender (requires trust or approval).

move - transfer an amount from a given src address to a given dst address (requires trust or approval).

Standard ERC-20

name - returns the name of the token - e.g. "MyToken".

symbol - token symbol.

decimals - returns the number of decimals the token uses - e.g. 8, means to divide the token amount by 100000000 to get its user representation.

transfer - transfers _value amount of tokens to address _to, and MUST fire the Transfer event. This SHOULD throw if the message caller’s account balance does not have enough tokens to spend.

transferFrom - transfers _value amount of tokens from address _from to address _to, and MUST fire the Transfer event.

approve - allows _spender to withdraw from your account multiple times, up to the _value amount. If this function is called again it overwrites the current allowance with _value.

totalSupply - returns the total token supply.

balanceOf - returns the account balance of another account with address _owner.

allowance - returns the amount which _spender is still allowed to withdraw from _owner.

Further information about the ERC20 Token standard can be found .

Important note: there is a transferFrom auto approval when src == msg.sender.

3. Key Mechanisms & Concepts

Along with MKR having a standard ERC20 token interface, it also has the addition of DSAuth-protected mint and burn functions; binary approval via MAX_UINT; as well as a push, pull and move aliases for transferFrom operations.

The MKR token has 3 methods of use within the Maker Protocol (reference ):

As a utility token: As Dai stability fees earned on Vaults accrue within the Maker Protocol, MKR holders can use MKR to vote to enable the Flapper auction house to sell Dai surplus for MKR. Once the auction is complete the Maker protocol burns the MKR.
As a governance token: MKR is used by MKR holders to vote for the risk management and business logic of the Maker Protocol. Tokens are a simple representation of voting power.
As a recapitalization resource: MKR can autonomously be minted by the Flopper auction house and sold for DAI, which is used to recap the Maker Protocol in times of insolvency.

4. Gotchas (Potential source of user error)

The MKR token is an ERC-20 token created using DSToken. A key difference to note between Dai and most other popular ERC20 tokens is that both these fields use bytes32 instead of the string type.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

MKR.stop - ES cannot be triggered. MKR in the chief can still vote, but cannot join or exit.

const makerBrowser = await Maker.create('browser');

const makerHttp = await Maker.create('http', {
  url: 'https://kovan.infura.io/v3/YOUR_INFURA_PROJECT_ID'
});

const makerTest = await Maker.create('test');

// It doesn't necessarily make sense to set all these
// options at the same time (e.g. `url` and `inject`),
// this is just meant to illustrate the shape of the
// options object.
const maker = await Maker.create('http', {
  privateKey: YOUR_PRIVATE_KEY, // '0xabc...'
  url: 'http://some-ethereum-rpc-node.net',
  web3: {
    statusTimerDelay: 2000,
    confirmedBlockCount: 8
    transactionSettings: {
      gasPrice: 12000000000
    },
    inject: someProviderInstance
  },
  log: false,
  autoAuthenticate: false
});

// you provide these values
const infuraKey = 'your-infura-api-key';
const ownerAddress = '0xf00...';

const maker = await Maker.create('http', {
  plugins: [McdPlugin],
  url: `https://mainnet.infura.io/v3/${infuraKey}`
});

const manager = maker.service('mcd:cdpManager');
const proxyAddress = maker.service('proxy').getProxyAddress(ownerAddress);
const data = await manager.getCdpIds(proxyAddress); // returns list of { id, ilk } objects
const vault = await manager.getCdp(data[0].id);

console.log([
  vault.collateralAmount, // amount of collateral tokens
  vault.collateralValue,  // value in USD, using current price feed values
  vault.debtValue,        // amount of Dai debt
  vault.collateralizationRatio, // collateralValue / debt
  vault.liquidationPrice  // vault becomes unsafe at this price
].map(x => x.toString());

import Maker from '@makerdao/dai';
import { McdPlugin, ETH, DAI } from '@makerdao/dai-plugin-mcd';

// you provide these values
const infuraKey = 'your-infura-api-key';
const myPrivateKey = 'your-private-key';

const maker = await Maker.create('http', {
  plugins: [McdPlugin],
  url: `https://mainnet.infura.io/v3/${infuraKey}`,
  privateKey: myPrivateKey
});

// verify that the private key was read correctly
console.log(maker.currentAddress());

// make sure the current account owns a proxy contract;
// create it if needed. the proxy contract is used to 
// perform multiple operations in a single transaction
await maker.service('proxy').ensureProxy();

// use the "vault manager" service to work with vaults
const manager = maker.service('mcd:cdpManager');
  
// ETH-A is the name of the collateral type; in the future,
// there could be multiple collateral types for a token with
// different risk parameters
const vault = await manager.openLockAndDraw(
  'ETH-A', 
  ETH(50), 
  DAI(1000)
);

console.log(vault.id);
console.log(vault.debtValue); // '1000.00 DAI'

art

urn

Ilk

gem

v

sin

w

grab

sin

Oracle Security Module (OSM) - Detailed Documentation

Contract Name: OSM
Type/Category: Oracles - Price Feed Module
Associated MCD System Diagram

1. Introduction

Summary

The OSM (named via acronym from "Oracle Security Module") ensures that new price values propagated from the Oracles are not taken up by the system until a specified delay has passed. Values are read from a designated contract (or any contract that has the read() and peek() interfaces) via the poke() method; the read() and peek() methods will give the current value of the price feed, and other contracts must be whitelisted in order to call these. An OSM contract can only read from a single price feed, so in practice one OSM contract must be deployed per collateral type.

2. Contract Details - Glossary (OSM)

Storage Layout

stopped : flag (uint256) that disables price feed updates if non-zero
src : address of DSValue that the OSM will read from
ONE_HOUR

Public Methods

Administrative Methods

These functions can only be called by authorized addresses (i.e. addresses usr such that wards[usr] == 1).

rely/deny : add or remove authorized users (via modifications to the wards mapping)
stop()/start() : toggle whether price feed can be updated (by changing the value of stopped)

Feed Reading Methods

These can only be called by whitelisted addresses (i.e. addresses usr such that buds[usr] == 1):

peek() : returns the current feed value and a boolean indicating whether it is valid
peep() : returns the next feed value (i.e. the one that will become the current value upon the next poke() call), and a boolean indicating whether it is valid
read()

Feed Updating Methods

poke() : updates the current feed value and reads the next one

Feed struct: a struct with two uint128 members, val and has. Used to store price feed data.

3. Key Mechanisms & Concepts

The central mechanism of the OSM is to periodically feed a delayed price into the MCD system for a particular collateral type. For this to work properly, an external actor must regularly call the poke() method to update the current price and read the next price. The contract tracks the time of the last call to poke() in the zzz variable (rounded down to the nearest multiple of hop; see for more discussion of this), and will not allow poke() to be called again until block.timestamp is at least zzz+hop. Values are read from a designated DSValue contract (its address is stored in src). The purpose of this delayed updating mechanism is to ensure that there is time to detect and react to an Oracle attack (e.g. setting a collateral's price to zero). Responses to this include calling stop() or void(), or triggering Emergency Shutdown.

Other contracts, if whitelisted, may inspect the cur value via the peek() and read() methods (peek() returns an additional boolean indicating whether the value has actually been set; read() reverts if the value has not been set). The nxt value may be inspected via peep().

The contract uses a dual-tier authorization scheme: addresses mapped to 1 in wards may start and stop, set the src, call void(), and add new readers; addresses mapped to 1 in buds may call peek(), peep(), and read().

4. Gotchas (Potential Sources of User Error)

Confusing `peek()` for `peep()` (or vice-versa)

The names of these methods differ by only a single character and in current linguistic usage, both "peek" and "peep" have essentially the same meaning. This makes it easy for a developer to confuse the two and call the wrong one. The effects of such an error are naturally context-dependent, but could e.g. completely invalidate the purpose of the OSM if the peep() is called where instead peek() should be used. A mnemonic to help distinguish them: "since 'k' comes before 'p' in the English alphabet, the value returned by peek() comes before the value returned by peep() in chronological order". Or: "peek() returns the kurrent value".

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

`poke()` is not called promptly, allowing malicious prices to be swiftly uptaken

For several reasons, poke() is always callable as soon as block.timestamp / hop increments, regardless of when the last poke() call occurred (because zzz is rounded down to the nearest multiple of hop). This means the contract does not actually guarantee that a time interval of at least hop seconds has passed since the last poke() call before the next one; rather this is only (approximately) guaranteed if the last poke() call occurred shortly after the previous increase of block.timestamp / hop. Thus, a malicious price value can be acknowledged by the system in a time potentially much less than hop.

This was a deliberate design decision. The arguments that favoured it, roughly speaking, are:

Providing a predictable time at which MKR holders should check for evidence of oracle attacks (in practice, hop is 1 hour, so checks must be performed at the top of the hour)
Allowing all OSMs to be reliably poked at the same time in a single transaction

The fact that poke is public, and thus callable by anyone, helps mitigate concerns, though it does not eliminate them. For example, network congestion could prevent anyone from successfully calling poke() for a period of time. If an MKR holder observes that poke has not been promptly called, the actions they can take include:

Call poke() themselves and decide if the next value is malicious or not
Call stop() or void() (the former if only nxt is malicious; the latter if the malicious value is already in cur)

In the future, the contract's logic may be tweaked to further mitigate this (e.g. by only allowing poke() calls in a short time window each hop period).

Authorization Attacks and Misconfigurations

Various damaging actions can be taken by authorized individuals or contracts, either maliciously or accidentally:

Revoking access of core contracts to the methods that read values, causing mayhem as prices fail to update
Completely revoking all access to the contract
Changing src to either a malicious contract or to something that lacks a peek() interface, causing transactions that poke() the affected OSM to revert

The only solution to these issues is diligence and care regarding the wards of the OSM.

Pot - Detailed Documentation

The Dai Savings Rate

Contract Name: pot.sol
Type/Category: DSS —> Rates Module
Associated MCD System Diagram

1. Introduction (Summary)

The Pot is the core of theDai Savings Rate. It allows users to deposit dai and activate the Dai Savings Rate and earning savings on their dai. The DSR is set by Maker Governance, and will typically be less than the base stability fee to remain sustainable. The purpose of Pot is to offer another incentive for holding Dai.

2. Contract Details

Math

mul(uint, uint), rmul(uint, uint), add(uint, uint)& sub(uint, uint) - will revert on overflow or underflow
rpow(uint x, uint n, uint base), used for exponentiation in drip, is a fixed-point arithmetic function that raises x to the power n

Auth

wards are allowed to call protected functions (Administration)

Storage

pie - stores the address' Pot balance.
Pie - stores the total balance in the Pot.
dsr

The values of dsr and vow can be changed by an authorized address in the contract (i.e. Maker Governance). The values of chi, pie, Pie, and rho are updated internally in the contract and cannot be changed manually.

3. Key Mechanisms & Concepts

drip()

Calculates the most recent chi and pulls dai from the vow (by increasing the Vow's Sin).
A user should always make sure that this has been called before calling the exit() function.

join(uint wad)

uint wad this parameter is based on the amount of dai (since wad = dai/ chi ) that you want to join to the pot. The wad * chi must be present in the vat and owned by the msg.sender.

exit(uint wad)

exit() essentially functions as the exact opposite of join().
uint wad this parameter is based on the amount of dai that you want to exit the pot. The wad * chi must be present in the vat and owned by the pot

Administration

Various file function signatures for administering Pot:

Setting new dsr (file(bytes32, uint256))
Setting new vow (file(bytes32, address))

Usage

The primary usage will be for addresses to store their dai in the pot to accumulate interest over time

4. Gotchas / Integration Concerns

The dsr is set (globally) through the governance system. It can be set to any number > 0%. This includes the possibility of it being set to a number that would cause the DSR to accumulate faster than the collective Stability Fees, thereby accruing system debt and eventually causing MKR to be minted.
If drip() has not been called recently before an address calls exit() they will not get the full amount they have earned over the time of their deposit.

5. Failure Modes and Impact

Coding Error

A bug in the Pot could lead to locking of dai if the exit() function or the underlying vat.suck() or vat.move() functions were to have bugs.

Governance

The dsr rate initially can be set through the Chief. Governance will be able to change the DSR based on the rules that the DS-Chief employs (which would include a Pause for actions).

One serious risk is if governance chooses to set the dsr to an extremely high rate, this could cause the system's fees to be far too high. Furthermore, if governance allows the dsr to (significantly) exceed the system fees, it would cause debt to accrue and increase the Flop auctions.

Jug - Detailed Documentation

Accumulation of Stability Fees for Collateral Types

Contract Name: Jug
Type/Category: DSS —> Rates Module
Associated MCD System Diagram

1. Introduction

Summary

The primary function of the Jug smart contract is to accumulate stability fees for a particular collateral type whenever its drip() method is called. This effectively updates the accumulated debt for all Vaults of that collateral type as well as the total accumulated debt as tracked by the Vat (global) and the amount of Dai surplus (represented as the amount of Dai owned by the ).

2. Contract Details

Structs

Ilk : contains two uint256 values—duty, the collateral-specific risk premium, and rho, the timestamp of the last fee update

VatLike : mock contract to make Vat interfaces callable from code without an explicit dependency on the Vat contract itself

Storage Layout

wards : mapping(address => uint) that indicates which addresses may call administrative functions

ilks : mapping (bytes32 => Ilk) that stores an Ilk struct for each collateral type

vat : a VatLike that points the the system's contract

vow : the address of the Vow contract

base : a uint256 that specifies a fee applying to all collateral types

Public Methods

Administrative Methods

These methods require wards[msg.sender] == 1 (i.e. only authorized users may call them).

rely/deny : add or remove authorized users (via modifications to the wards mapping)

init(bytes32) : start stability fee collection for a particular collateral type

file(bytes32, bytes32, uint) : set duty for a particular collateral type

file(bytes32, data) : set the base value

file(bytes32, address) : set the vow value

Fee Collection Methods

drip(bytes32) : collect stability fees for a given collateral type

3. Key Mechanisms & Concepts

`drip`

drip(bytes32 ilk) performs stability fee collection for a specific collateral type when it is called (note that it is a public function and may be called by anyone). drip does essentially three things:

calculates the change in the rate parameter for the collateral type specified by ilk based on the time elapsed since the last update and the current instantaneous rate (base + duty);
calls Vat.fold to update the collateral's rate, total tracked debt, and Vow surplus;

The change in the rate is calculated as:

where "now" represents the current time, "rate" is Vat.ilks[ilk].rate, "base" is Jug.base, "rho" is Jug.ilks[ilk].rho, and "duty" is Jug.ilks[ilk].duty. The function reverts if any sub-calculation results in under- or overflow. Refer to the Vat documentation for more detail on fold.

`rpow`

rpow(uint x, uint n, uint b), used for exponentiation in drip, is a fixed-point arithmetic function that raises x to the power n. It is implemented in Solidity assembly as a repeated squaring algorithm. x and the returned value are to be interpreted as fixed-point integers with scaling factor b. For example, if b == 100, this specifies two decimal digits of precision and the normal decimal value 2.1 would be represented as 210; rpow(210, 2, 100) returns 441 (the two-decimal digit fixed-point representation of 2.1^2 = 4.41). In the current implementation, 10^27 is passed for b, making x and the rpow result both of type ray

Parameters Can Only Be Set By Governance

Jug stores some sensitive parameters, particularly the base rate and collateral-specific risk premiums that determine the overall stability fee rate for each collateral type. Its built-in authorization mechanisms need to allow only authorized MakerDAO governance contracts/actors to set these values. See "Failure Modes" for a description of what can go wrong if parameters are set to unsafe values.

4. Gotchas (Potential Sources of User Error)

Ilk Initialization

init(bytes32 ilk) must called when a new collateral is added (setting duty via file() is not sufficient)—otherwise rho will be uninitialized and fees will accumulate based on a start date of January 1st, 1970 (start of Unix epoch).

`base + Ilk.duty` imbalance in `drip()`

A call to drip(bytes32 ilk)will add the base rate to the Ilk.duty rate. The rate is a calculated compounded rate, so rate(base + duty) != rate(base) + rate(duty). This means that if base is set, the duty will need to be set factoring the existing compounding factor in base, otherwise the result will be outside of the rate tolerance. Updates to the base value will require all of the ilks to be updated as well.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

Tragedy of the Commons

If drip() is called very infrequently for some collateral types (due, for example, to low overall system usage or extremely stable collateral types that have essentially zero liquidation risk), then the system will fail to collect fees on Vaults opened and closed between drip() calls. As the system achieves scale, this becomes less of a concern, as both Keepers and MKR holders are have an incentive to regularly call drip (the former to trigger liquidation auctions, the latter to ensure that surplus accumulates to decrease MKR supply); however, a hypothetical asset with very low volatility yet high risk premium might still see infrequent drip calls at scale (there is not at present a real-world example of this—the most realistic possibility is base being large, elevating rates for all collateral types).

Malicious or Careless Parameter Setting

Various parameters of Jug may be set to values that damage the system. While this can occur by accident, the greatest concern is malicious attacks, especially by an entity that somehow becomes authorized to make calls directly to Jug's administrative methods, bypassing governance. Setting duty (for at least one ilk) or base too low can lead to Dai oversupply; setting either one too high can trigger excess liquidations and therefore unjust loss of collateral. Setting a value for vow other than the true Vow's address can cause surplus to be lost or stolen.

Median - Detailed Documentation

The Maker Protocol's trusted reference price

Contract Name: median.sol
Type/Category: Oracles Module
Associated MCD System Diagram

1. Introduction (Summary)

The median provides Maker's trusted reference price. In short, it works by maintaining a whitelist of price feed contracts which are authorized to post price updates. Every time a new list of prices is received, the median of these is computed and used to update the stored value. The median has permissioning logic which is what enables the addition and removal of whitelisted price feed addresses that are controlled via governance. The permissioning logic allows governance to set other parameters that control the Median's behavior—for example, the bar parameter is the minimum number of prices necessary to accept a new median value.

A High-level overview diagram of the components that involve and interact with the median:

Note: All arrows without labels are governance calls.

2. Contract Details

Median (Glossary)

Key Functionalities (as defined in the smart contract)

read - Gets a non-zero price or fails.
peek - Gets the price and validity.
poke - Updates price from whitelisted providers.

Note: read returns the value or fails if it's invalid & peek gives back the value and if the value is valid or not.

Other

wards(usr: address) - Auth mechanisms.
orcl(usr: address) - val writers whitelist / signers of the prices (whitelisted via governance / the authorized parties).
bud(usr: address) - val

3. Key Mechanisms & Concepts

As mentioned above, the median is the smart contract that provides Maker's trusted reference price. Authorization (auth) is a key component included in the mechanism of this contract and its interactions. For example, the price (val) is intentionally kept not public because the intention is to only read it from the two functions read and peek, which are whitelisted. This means that you need to be authorized, which is completed through the bud. The bud is modified to get whitelisted authorities to read it on-chain (permissioned), whereas, everything of off-chain is public.

The poke method is not under any kind of auth. This means that anybody can call it. This was designed for the purpose of getting Keepers to call this function and interact with Auctions. The only way to modify its state is if you call it and send it valid data. For example, let's say this oracle needs 15 different sources. This means that we would need it to send 15 different signatures. It will then proceed to go through each of them and validate that whoever sent the the data has been auth'd to do so. In the case of it being an authorized oracle, it will check if it signed the message with a timestamp that is greater than the last one. This is done for the purpose of ensuring that it is not a stale message. The next step is to check for order values, this requires that you send everything in an array that is formatted in ascending order. If not sent in the correct order (ascending), the median is not calculated correctly. This is because if you assume the prices are ordered, it would just grab the middle value which may not be sufficient or work. In order to check for uniqueness, we have implemented the use of a bloom filter. In short, a bloom filter is a data structure designed to tell us, rapidly and memory-efficiently, whether an element is present in a set. This use of the bloom filter helps with optimization. In order to whitelist signers, the first two characters of their addresses (the first byte) have to be unique. For example, let's say that you have 15 different price signers, none of the first two characters of their addresses can be the same. This helps to filter that all 15 signers are different.

Next, there are lift functions. These functions tell us who can sign messages. Multiple messages can be sent or it can just be one but they are put into the authorized oracle). However, there is currently nothing preventing someone from lift'ing two prices signers that start with the same address. This is something for example, that governance needs to be aware of (see an example of what a governance proposal would look like in this case in the Gotchas section).

Due to the mechanism design of how the oracles work, the quorum has to be an odd number. If it is an even number, it will not work. This was designed as an optimization (val = uint128(val_[val_.length >> 1]);); this code snippet outlines how it works, which is by taking the array of values (all the prices that each of the prices signers reported, ordered from 200-215) and then grabbing the one in the middle. This is done by taking the length of the array (15) and shifting it to the right by 1 (which is the same as dividing by 2). This ends up being 7.5 and then the EVM floors it to 7. If we were to accept even numbers this would be less efficient. This presents the issue that you should have a defined balance between how many you require and how many signers you actually have. For example, let's say the oracle needs 15 signatures, you need at least 17-18 signers because if you require 15 and you only have 15 and one of them goes down, you have no way of modifying the price, so you should always have a bit more. However, you should not have too many, as it could compromise the operation.

4. Gotchas

Emergency Oracles

They can shutdown the price feed but cannot bring it back up. Bringing the price feed back up requires governance to step in.

Price Freeze

If you void the oracles Ethereum module, the idea is that you cannot interact with any Vault that depends on that ilk.
- Example: ETHUSD shutdown (can still add collateral and pay back debt - increases safety) but you cannot do anything that increases risk (decreases safety - remove collateral, generate dai, etc.) because the system would not know if you would be undercollateralized.

Oracles Require a lot of Upkeep

They need to keep all relayers functioning.
The community would need to self-police (by looking at each price signer, etc.) if any of them needs to be replaced. They would need to make sure they are constantly being called every hour (for every hour, a transaction gets sent to the OSM, which means that a few transactions have already been sent to the median to update it as well. In addition, there would need to be a transaction sent to the spotter, as DSS operates in a pool-type method (doesn't update the system/write to it, you tell it to read it from the OSM).

There is nothing preventing from `lift`'ing two prices signers that start with the same address

The only thing that this prevents is that you cannot have more than 256 oracles but we don't expect to ever have that many, so it is a hard limit. However, Governance needs to be sure that whoever they are voting in anyone that they have already voting in before with the same two first characters.
An example of what a governance proposal would look like in this case:
- We are adding a new oracle and are proposing (the Foundation) a list of signers (that have been used in the past) and we already have an oracle but want to add someone new (e.g. Dharma or dydx). We would say that they want to be price signers, so these are their addresses and we want to lift those two addresses. They would vote for that, and we would need to keep a list of the already existing addresses and they would need to create an address that doesn't conflict with the existing ones.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

By design, there is currently no way right now to turn off the oracle (failure or returns false) if all the oracles come together and sign a price of zero. This would result in the price being invalid and would return false on peek, telling us to not trust the value.
- We are currently researching (Oracles ETH module) that would invalidate the price but there is no way to do this in the median today. This is due to the separation of concerns that DSS does not read directly from median, it reads from the OSM, but this may end up changing.

#!/bin/bash
/full/path/to/chief-keeper/bin/chief-keeper \
	--rpc-host 'sample.ParityNode.com' \
	--network 'kovan' \
	--eth-from '0xABCAddress' \
	--eth-key 'key_file=/full/path/to/keystoreFile.json,pass_file=/full/path/to/passphrase/file.txt' \
	--chief-deployment-block 14374534

#!/bin/bash
/full/path/to/cage-keeper/bin/cage-keeper \
	--rpc-host 'sample.ParityNode.com' \
	--network 'kovan' \
	--eth-from '0xABCAddress' \
	--eth-key 'key_file=/full/path/to/keystoreFile.json,pass_file=/full/path/to/passphrase/file.txt' \
	--vat-deployment-block 14374534

The first time an account is used to interact with any Maker application, the user will be prompted to deploy a profile proxy. This copy of DSProxy can be used in any product, including dai.js, by way of a universal proxy registry. Then, the calldata from any function in the forwarding proxy can be passed to DSProxy's execute()method, which runs the provided code in the context of the profile proxy.

pragma solidity ^0.8.0;

import "./interfaces/IERC20.sol";
import "./interfaces/IERC3156FlashBorrower.sol";
import "./interfaces/IERC3156FlashLender.sol";

contract FlashBorrower is IERC3156FlashBorrower {
    enum Action {NORMAL, OTHER}

    IERC3156FlashLender lender;

    constructor (
        IERC3156FlashLender lender_
    ) public {
        lender = lender_;
    }

    /// @dev ERC-3156 Flash loan callback
    function onFlashLoan(
        address initiator,
        address token,
        uint256 amount,
        uint256 fee,
        bytes calldata data
    ) external override returns (bytes32) {
        require(
            msg.sender == address(lender),
            "FlashBorrower: Untrusted lender"
        );
        require(
            initiator == address(this),
            "FlashBorrower: Untrusted loan initiator"
        );
        (Action action) = abi.decode(data, (Action));
        if (action == Action.NORMAL) {
            require(IERC20(token).balanceOf(address(this)) >= amount);
            // make a profitable trade here
            IERC20(token).transfer(initiator, amount + fee);
        } else if (action == Action.OTHER) {
            // do another
        }
        return keccak256("ERC3156FlashBorrower.onFlashLoan");
    }

    /// @dev Initiate a flash loan
    function flashBorrow(
        address token,
        uint256 amount
    ) public {
        bytes memory data = abi.encode(Action.NORMAL);
        uint256 _allowance = IERC20(token).allowance(address(this), address(lender));
        uint256 _fee = lender.flashFee(token, amount);
        uint256 _repayment = amount + _fee;
        IERC20(token).approve(address(lender), _allowance + _repayment);
        lender.flashLoan(this, token, amount, data);
    }
}

pragma solidity ^0.6.12;

import "dss-interfaces/dss/VatAbstract.sol";

import "./interfaces/IERC3156FlashLender.sol";
import "./interfaces/IVatDaiFlashBorrower.sol";

contract FlashBorrower is IVatDaiFlashBorrower {
    enum Action {NORMAL, OTHER}

    VatAbstract vat;
    IVatDaiFlashLender lender;

    constructor (
        VatAbstract vat_,
        IVatDaiFlashLender lender_
    ) public {
        vat = vat_;
        lender = lender_;
    }

    /// @dev Vat Dai Flash loan callback
    function onVatDaiFlashLoan(
        address initiator,
        uint256 amount,
        uint256 fee,
        bytes calldata data
    ) external override returns (bytes32) {
        require(
            msg.sender == address(lender),
            "FlashBorrower: Untrusted lender"
        );
        require(
            initiator == address(this),
            "FlashBorrower: Untrusted loan initiator"
        );
        (Action action) = abi.decode(data, (Action));
        if (action == Action.NORMAL) {
            // do one thing
        } else if (action == Action.OTHER) {
            // do another
        }

        // Repay the loan amount + fee
        // Be sure not to overpay as there are no safety guards for this
        vat.move(address(this), lender, amount + fee);

        return keccak256("VatDaiFlashBorrower.onVatDaiFlashLoan");
    }

    /// @dev Initiate a flash loan
    function vatDaiFlashBorrow(
        uint256 amount
    ) public {
        bytes memory data = abi.encode(Action.NORMAL);
        lender.vatDaiFlashLoan(this, amount, data);
    }
}

// Calling the forwarding proxy with dai.js

function lockAndDraw(tubContractAddress, cdpId, daiAmount, ethAmount) {
  const saiProxy = maker.service('smartContract').getContractByName('SAI_PROXY');

  return saiProxy.lockAndDraw(
    tubContractAddress,
    cdpId,
    daiAmount,
    {
      value: ethAmount,
      dsProxy: true
    }
  );
}

Permit()

uint16(3600)

x

base

base == 100

rpow(210, 2, 100)

base

x

rpow

ray

rpow

dai savings rate

1

ONE = 10^27

msg.sender

pie

If a user wants to join or exit 1 DAI into/from the Pot, they should send a wad = to 1 / chi as the amount moved from their balance will be 1 * chi (for an example of this, see DSS-Proxy-Actions

updates ilks[ilk].rho to be equal to the current timestamp.

rpow

CDP Manager - Detailed Documentation

Managing Vaults to be transferred between users

Contract Name: cdpManager.sol
Type/Category: Vault Management
Associated MCD System Diagram

1. Introduction (Summary)

Summary: The DssCdpManager (aka manager) was created to enable a formalized process for Vaults to be transferred between owners, much like assets are transferred. It is recommended that all interactions with Vaults be done through the CDP Manager. Once unlocked collateral has been deposited into the Maker Protocol, users can make use of the following features:

Multi Vault ownership and numerical identification (users can own N number of Vaults)
Vault transferability

Note: The MCD system diagram above shows that the Vault user goes through the proxy in order to interact with the CDP Manager but it is also possible to directly use the CDP Manager contract.

2. Contract Details

Key Functionalities (as defined in the smart contract)

cdpAllow(uint cdp, address usr, uint ok): Allow/Disallow (ok) a usr address to manage the cdp.
urnAllow(address usr, uint ok) : Allow/Disallow (ok) a usr address to interact with an urn for the purposes of either entering (src

Note: dst refers to the destination address.

Storage Layout

vat : core contract address that holds the Vaults.
cdpi: Auto incremental id.
urns: Mapping CDPId => UrnHandler

3. Key Mechanisms & Concepts

Summary

The CDP Manager was created as a way to enable Vaults to be treated more like assets that can be exchanged. Originally, the core contracts did not have the functionality to enable transferring Vault positions. The CDP Manager was created to wrap this functionality and enable transferring between users.

High-level Purpose

The manager receives the vat address in its creation and acts as an interface contract between it and the users.
The manager keeps an internal registry of id => owner and id => urn allowing for the owner to execute vat functions for their

CDP Manager Usage Example (common path):

A User executes open and gets a CDPId in return.
After this, the CDPId gets associated with an urn with manager.urns(cdpId) and then join's collateral to it.

4. Gotchas (Potential source of user error)

For the developers who want to integrate with the manager, they will need to understand that the Vault actions are still in the urn environment. Regardless of this, the manager tries to abstract the urn usage by a CDPId. This means that developers will need to get the urn (urn = manager.urns(cdpId)) to allow the joining of collateral to that Vault.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

Potential Issues around Chain Reorganization

When open is executed, a new urn is created and a cdpId is assigned to it for a specific owner. If the user uses join to add collateral to the urn immediately after the transaction is mined, there is a chance that a reorganization of the chain occurs. This would result in the user losing the ownership of that cdpId/urn pair, therefore losing their collateral. However, this issue can only arise when avoiding the use of the via a as the user will open the cdp and join collateral in the same transaction.

Chief - Detailed Documentation

Electing a Chief contract via an approval voting system

Contract Name: chief.sol
Type/Category: Governance Module
Associated MCD System Diagram

1. Introduction (Summary)

The Ds-Chief smart contract provides a method to elect a "chief" contract via an approval voting system. This may be combined with another contract, such as DSAuthority, to elect a ruleset for a smart contract system.

In short, voters will lock up their voting tokens in order to give their votes some weight in the system. The voting is then done by continuous , where users receive IOU tokens when they lock their voting tokens up, which is useful for secondary governance mechanisms. The IOU tokens may not be exchanged for the locked tokens except by individuals who have actually locked funds in the contract itself, and only up to the amount they have locked.

2. Contract Details

Glossary (Chief)

**DSChiefApprovals provides the following public properties:**

slates: A mapping of bytes32 to address arrays. Represents sets of candidates. Weighted votes are given to slates.
votes: A mapping of voter addresses to the slate they have voted for.
approvals

Most of the functions are decorated with the the note modifier from , meaning that they fire a standardized event when called. Additionally, one custom event is also provided:

Etch(bytes32 indexed slate): Fired when a slate is created.

3. Key Mechanisms & Concepts

There are two contracts in ds-chief:

DSChiefApprovals
DSChief, which inherits from DSChiefApprovals.

Key Functionalities (as defined in the smart contract)

DSChiefApprovals

`DSChiefApprovals(DSToken GOV_, DSToken IOU_, uint MAX_YAYS_)`

The constructor. Sets GOV, IOU, and MAX_YAYS.

`lock(uint wad)`

Charges the user wad GOV tokens, issues an equal amount of IOU tokens to the user, and adds wad weight to the candidates on the user's selected slate. Fires a LogLock event.

`free(uint wad)`

Charges the user wad IOU tokens, issues an equal amount of GOV tokens to the user, and subtracts wad weight from the candidates on the user's selected slate. Fires a LogFree event.

`etch(address[] yays) returns (bytes32 slate)`

Save a set of ordered addresses as a slate and return a unique identifier for it.

`vote(address[] yays) returns (bytes32 slate)`

Save a set of ordered addresses as a slate, moves the voter's weight from their current slate to the new slate, and returns the slate's identifier.

`vote(bytes32 slate)`

Removes voter's weight from their current slate and adds it to the specified slate.

`lift(address whom)`

Checks the given address and promotes it to s/chief/hat if it has more weight than the current s/chief/hat.

DSChief

DSChief is a combination of DSRoles from the ds-roles package and DSChiefApprovals. It can be used in conjunction with ds-auth (as an authority object) to govern smart contract systems.

Public Functions

`DSChief(DSToken GOV_, DSToken IOU_, uint MAX_YAYS_)`

The constructor. Sets GOV, IOU, and MAX_YAYS.

`setOwner(address owner_)`

Reverts the transaction. Overridden from DSAuth.

`setAuthority(DSAuthority authority_)`

Reverts the transaction. Overridden from DSAuth.

`isUserRoot(address who) constant returns (bool)`

Returns true if the given address is the chief.

`setRootUser(address who, bool enabled)`

Reverts the transaction. Overridden from DSRoles.

`DSRoles`

See for inherited features.

4. Gotchas (Potential source of user error)

In general, when we refer to the "hat", it can be any address — be it a single-use contract like ds-spell, a multi-use contract or an individual's wallet. Thus, ds-chief can work well as a method for selecting code for execution just as well as it can for realizing political processes.

Example:

The ds-chief could be used as a token-weighted voting system governing another set of smart contracts that uses the ds-auth with ds-roles. In a scenario such as this, "candidates" would consist of contracts changing the state of the smart contract set under governance. Such a contract being elected as ”hat" would be granted all of the permissions to execute whatever changes are necessary. The ds-chief could also be used within such a contract set in conjunction with a proxy contract, such as ds-proxy or a name resolution system like ENS for the purpose of voting in new versions of contracts.

Understanding the IOU Token

The purpose of the IOU token is to allow for the chaining of governance contracts. In other words, this allows you to have a number of DSChief or other similar contracts use the same governance token by means of accepting the IOU token of the DSChief contract before it is a governance token.

Example:

Let’s say there are three DSChief contracts (chiefA, chiefB, and chiefC) and a chiefA.GOV that is the MKR token. If we set chiefB.GOV to chiefA.IOU and chiefC.GOV to chiefB.IOU, this allows all three contracts to run using a common group of MKR.

Approval Voting

This type of voting is when each voter selects which candidates they approve of, with the top n "most approved" candidates being then elected. Each voter can cast up to n + k votes, where k equals some non-zero positive integer. This way voters to move their approval from one candidate to another without needing to first withdraw support from the candidate being replaced. Without this in place, moving approval to a new candidate could result in a less-approved candidate moving momentarily into the set of the elected candidates. Note: In the case of ds-chief, n is equal to 1.

In addition, the ds-chief weighs votes according to the quantity of a voting token that has been chosen to lock up in the DSChief or the DSChiefApprovals contract. It's important to note that the voting token used in a ds-chief deployment must be specified at the time of deployment and cannot be changed afterward.

Implementations

If you are writing a front-end UI for this smart contract, please note that the address[] parameters that are passed to the etch and vote functions must be byte-ordered sets.

Example:

Using [0x0, 0x1, 0x2, ...] is valid but using [0x1, 0x0, ...] and [0x0, 0x0, 0x1, ...] is not. This ordering constraint allows the contract to cheaply ensure voters cannot multiply their weights by listing the same candidate on their slate multiple times.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

MKR users moving their votes from one spell to another
- One of the biggest potential failure modes occurs when people are moving their votes from one spell to another. This opens up a gap/period of time when only a small amount of MKR is needed to lift a random hat.
Lift is not called on spells that have more MKR than the current hat

The Auctions of the Maker Protocol

Introduction

The Multi-Collateral Dai (MCD) system within the MakerDAO Protocol is a smart contract platform on Ethereum that backs and stabilizes the value of our stablecoin, Dai. It does this through a dynamic system of Vaults, autonomous feedback mechanisms, and appropriately incentivized external actors.

In this document, we explain the auction mechanisms within the system, as well as particular types of external actors, called Keepers, that bid on the Auctions.

Auctions

When everything in the system is going well, Dai accrues through collected from Vaults. Whenever the net surplus from stability fees reaches a certain limit, that surplus in Dai is auctioned off to external actors for MKR which subsequently is burnt, thereby reducing the amount of MKR in circulation. This is done through a Surplus Auction.

The system protects against debt creation by overcollateralization. Under ideal circumstances and with the right risk parameters, the debt for an individual Vault can be covered by the collateral deposited in that Vault. If the price of that collateral drops to the point where a Vault no longer sustains the required collateralization ratio, then the system automatically liquidates the Vault and sells off the collateral until the outstanding debt in the Vault (and a liquidation penalty), is covered. This is done through a Collateral Auction.

Further, if, for example, the collateral price drops sharply or no one wants to buy the collateral, there may be debt in the liquidated Vault that cannot be repaid through a collateral auction and must be addressed by the system. The first course of action is to cover this debt using surplus from stability fees, if there is any surplus to cover it. If there is not, then the system initiates a Debt Auction, whereby the winning bidder pays Dai to cover the outstanding debt and in return receives an amount of newly minted MKR, increasing the amount of MKR in circulation.

To summarize, we have three types of Auctions:

Surplus Auction: The winning bidder pays MKR for surplus Dai from stability fees. The MKR received is burnt, thereby reducing the amount of MKR in circulation.
Collateral Auction: The winning bidder pays Dai for collateral from a liquidated Vault. The Dai received is used to cover the outstanding debt in the liquidated Vault
Debt Auction: The winning bidder pays Dai for MKR to cover outstanding debt that Collateral Auctions haven’t been able to cover. MKR is minted by the system, thereby increasing the amount of MKR in circulation.

The actors that bid on these Auctions are called Keepers.

Keepers

With all information published on the Ethereum blockchain, anyone can access or monitor price feeds and data on individual Vaults, thereby determining whether certain Vaults are in breach of the Liquidation Ratio. The system incentivizes these market participants (which can be human or automated bot), known as “keepers,” to monitor the MCD System and trigger liquidation when the Liquidation Ratio is breached.

In the context of Multi-Collateral Dai, Keepers may participate in auctions as a result of liquidation events and thereby acquire collateral at attractive prices. Keepers can also perform other functions, including trading Dai motivated by the expected long-term convergence toward the Target Price.

We will now go into more detail about how the Auctions work.

The Auction Parameters and Mechanisms

Various considerations were taken into account when designing the auction mechanisms. For example, from a systems point of view, it’s best to complete the auction as soon as possible to keep the system in a steady state, so the auction mechanism incentivizes early bidders. Another consideration is that the Auctions are executed on-chain, minimizing the number of required transactions and reducing associated fees.

Auctions Glossary

Risk parameters. In general, the following parameters are used across all of the auction types:

beg: Minimum bid increase (for example, 3%).
ttl: Bid duration (for example, 6 hours). The auction ends if no new bid is placed during this time.
tau: Auction duration (for example, 24 hours). The auction ends after this period under all circumstances.

The values of the risk parameters are determined by Maker Governance voters (MKR holders) per auction type. Note that there are different Collateral Auction risk parameters for each type of collateral used in the system.

Auction and bid information. The following information is always available during an active auction:

lot : Amount of asset that is up for auction/sale.
bid: Current highest bid.
guy: Highest bidder.

Bid Increments During an Auction

During an auction, bid amounts will increase by a percentage with each new bid. This is the beg at work. For example, the beg could be set to 3%, meaning if the current bidder has placed a bid of 100 Dai, then the next bid must be at least 103 Dai. Overall, the purpose of the bid increment system is to incentivize early bidding and make the auction process move quickly.

How Bids are Placed During an Auction

Bidders send DAI or MKR tokens from their addresses to the system/specific auction. If one bid is beat by another, the losing bid is refunded back to that bidder’s address. It’s important to note, however, that once a bid is submitted, there is no way to cancel it. The only possible way to have that bid returned is if it is outbid.

Now, let’s review the mechanisms of the three different auction types.

Surplus Auction

Summary: A Surplus Auction is used to auction off a fixed amount of surplus Dai in the system in exchange for MKR. This surplus Dai will generally come from accumulated stability fees. In this auction, bidders compete with increasing bids of MKR. Once the auction has ended, the auctioned Dai is sent to the winning bidder, and the system burns the MKR received from the winning bidder.

High-level Mechanism Process:

Maker Governance voters determine the amount of surplus allowed in the system at any one time. A Surplus auction is triggered when the system has a Dai surplus over the pre-determined amount as set by MKR governance.
- To determine whether the system has a net surplus, accrued stability fees and debt in the system must be added together. Any user can do this by sending the heal transaction to the system contract called Vow.
- Provided there is a net surplus, the Surplus Auction is triggered when any user sends the flap

Collateral Auction (Collateral Sale)

Summary: Collateral Auctions serve as a means to recover debt in liquidated Vaults. Those Vaults are being liquidated because the value of the Vault collateral has fallen below a certain limit determined by the Maker Governance voters.

High-level Mechanism Process:

For each type of collateral, MKR holders approve a specific risk parameter called the liquidation ratio. This ratio determines the amount of overcollaterization a Vault requires to avoid liquidation. For example, if the liquidation ratio is 150%, then the value of the collateral must always be one and a half times the value of the Dai generated. If the value of the collateral falls below the liquidation ratio, then the Vault becomes unsafe and is liquidated by the system. The system then takes over the collateral and auctions it off to cover both the debt in the Vault and an applied liquidation penalty.

The Collateral Auction is triggered when a Vault is liquidated.
- Any user can liquidate a Vault that is unsafe by sending the bite transaction identifying the Vault. This will launch a collateral auction.
- If the amount of collateral in the Vault being “bitten” is less than the lot size for the auction, then there will be one auction for all collateral in the Vault.

An important aspect of a Collateral Auction is that the auction expiration and bid expiration parameters are dependent on the specific type of collateral, where more liquid collateral types have shorter expiration times and vice-versa.

Once the auction begins, the first bidder can bid any amount of Dai to aquire the collateral amount (lot). Other bidders can raise that bid offering more Dai for the same collateral amount (lot) until there is a bid that covers the outstanding debt. If and when there is a bid that covers the outstanding debt, the auction will turn into a reverse auction, where a bidder bids on accepting smaller parts of the collateral for the fixed amount of Dai that covers the outstanding debt. The auction ends when the bid duration (ttl) has passed OR when the auction duration (tau) has been reached. Again, this process is designed to encourage early bidding. Once the auction is over, the system sends the collateral to the winning bidder’s address.

Debt Auction

Summary: Debt Auctions are used to recapitalize the system by auctioning off MKR for a fixed amount of Dai. In this process, bidders compete with their willingness to accept decreasing amounts of MKR for the fixed Dai they will have to pay.

High-level Mechanism Process:

Debt Auctions are triggered when the system has Dai debt that has passed the specified debt limit.

Maker Governance voters determine the debt limit. The Debt auction is triggered when the system has a debt in Dai below that limit.
- In order to determine whether the system has a net debt, the accrued stability fees and debt in the system must be added together. Any user can do this by sending the heal transaction to the system contract named Vow.
- Provided there is a sufficiently sized net debt, the debt auction is triggered when any user sends the flop

This is a reverse auction, where Keepers bid on how little MKR they are willing to accept for the fixed Dai amount (lot) they have to pay at auction settlement. The auction ends when the bid duration (ttl) has passed OR when the auction duration (tau) has been reached. Once the auction is over, the Dai, paid into the system by bidders in exchange for newly minted MKR, reduces the original debt balance in the system.

To participate as a Keeper in MCD, please visit thee Auction Keeper Bot Setup Guide .

Emergency Shutdown (ES) CLI

Level: Intermediate

Estimated-Time: 30 minutes

Description

Emergency Shutdown (ES) is the last resort to protect the Maker Protocol against a serious threat, such as but not limited to governance attacks, long-term market irrationality, hacks and security breaches. The Emergency Shutdown Module (ESM) is responsible for coordinating emergency shutdown, the process used to gracefully shutdown the Maker Protocol and properly allocate collateral to both Vault users and Dai holders. This guide outlines the steps and procedures necessary to check, interact with and trigger the ESM.

Learning Objectives: To be able to Check, Deposit and Trigger Emergency Shutdown.

Installation
Contract Address Setup
Commands and Explanations
- Checking your MKR balance

1. Installation

In order to interface with the Ethereum blockchain, the user needs to install seth, a command line tool as part of the toolset. We also provide further . Once the user has installed and configured correctly to use the main Ethereum network and the address which holds their MKR they can query contract balances, approvals and transfers.

2. Contract Address Setup

3. Commands and Explanations

Checking your MKR balance

Before depositing your MKR into the ESM contract, first check your address MKR balance:

Checking and setting your MKR approval

In order to execute the contract functions of the MKR token it is required that approvals be set on the token. The first step is to check if the ESM contract is allowed to withdraw from your address:

If the ESM contract is not allowed to withdraw from your address, the following can be used to set the allowance on the MKR token. This will approve the ESM to withdraw from the user's wallet:

Following which we again check to confirm that the ESM is allowed to withdraw from the user's account. This action will return uint256 to confirm the allowance to withdraw.

Checking the live flag

Live contracts have live = 1, indicating that the system is running normally. Thus when cage() is invoked, it sets the flag to 0.

Checking the ESM threshold

In order to check the min value, you can call:

Deposit a small amount (0.1 MKR) into the ESM

To deposit a small amount of MKR into the esm contract to test correct deposit function, we use the join function and specify a small amount.

Checking how much MKR is in the ESM

To check for the total amount of MKR that has been added to the ESM we call the Sum() function

Checking how much MKR you have included in the ESM

To check how much MKR you have included in the ESM we can call lowercase sum() with the user address as an argument:

Depositing e.g. 50,000 MKR into the ESM

To deposit MKR into the esm contract we use the join function and specify the amount.

Please specify the amount of MKR that you intend to deposit into the ESM.

Checking whether the ESM has been triggered

To validate that the Emergency Shutdown has been triggered, the fired() function can be called which will return a boolean.

Triggering the ESM

In order for the emergency shutdown to trigger, it is required that the Sum() is greater than the min() . Only then can the fire() function be executed successfully.

Note: If triggering the ESM is not successful, ensure gas is set at an appropriate level

Note: The triggering of the ESM is not to be taken lightly; for a full explanation of the implications please review the below documentation.

Spell - Detailed Documentation

Contract Name: spell.sol
Type/Category: Governance Module
Associated MCD System Diagram

1. Introduction (Summary)

A DSSpell is an un-owned object that performs one action or series of atomic actions (multiple transactions) one time only. This can be thought of as a one-off DSProxy with no owner (no DSAuth mix-in, it is not a DSThing).

This primitive is useful to express objects that do actions which shouldn't depend on "sender", like an upgrade to a contract system that needs to be given root permission. By convention, it is usually what is used to change SCD or MCD system parameters (where it is given auth via voting in ).

2. Contract Details

The spell.sol contract contains two main contracts: DSSPELL and DSSpellBook. DSSPELL is the core contract that, with call instructions set in the constructor, can actually perform the one-time action. DSSpellBook is a factory contract designed to make the creation of DSSPELLs easier.

Glossary (Spell)

whom - is the address the spell is targeting, usually SAI_MOM in SCD.
mana - is the amount of ETH you are sending, which in spells it is usually 0.
data - bytes memory calldata.

3. Key Mechanisms & Concepts

hat - A spell comes into effect as the hat when someone calls the lift function. This is only possible when the spell in question has more MKR voted towards it than the current hat.
cast - Once a spell has become the hat, it can be cast and its new variables will go into effect as part of the live Maker system. It is worth noting that a spell can only be cast once.
lift - The process whereby a new spell replaces the old proposal.

Note: the hat and lift have more to do with ds-chief than ds-spell but are important to mention here for context.

Immutable Actions

whom, mana, and data are set in the constructor, so the action a spell is to perform cannot be changed after the contract has been deployed.

4. Gotchas (Potential source of user error)

Note that the spell is only marked as "done" if the CALL it makes succeeds, meaning it did not end in an exceptional condition and it did not revert. Conversely, contracts that use return values instead of exceptions to signal errors could be successfully called without having the effect you might desire. "Approving" spells to take action on a system after the spell is deployed generally requires the system to use exception-based error handling to avoid griefing.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

spell - A spell may remain uncast if it did not reach the required amount of MKR in order to pass. If this occurs, the spell may remain available as a later target if enough MKR is voted towards it.
lift - Although spells cannot be cast a second time, they can be lifted to become the hat more than once if enough MKR votes remain on that proposal. The proposals parameters will not go into effect, however any additional spell will need to have more than that amount of MKR voted towards it in order to become the new hat. See for a description of this having once occurred.

Pause - Detailed Documentation

A delegatecall based proxy with an enforced delay

Contract Name: pause.sol
Type/Category: Governance Module
Associated MCD System Diagram

1. Introduction (Summary)

The ds-pause is a delegatecall based proxy with an enforced delay. This allows authorized users to schedule function calls that can only be executed once a predetermined waiting period has elapsed. The configurable delay attribute sets the minimum wait time that will be used during the governance of the system.

2. Contract Details:

Key Functionalities (as defined in the smart contract)

Plans A plan describes a single delegatecall operation and a unix timestamp eta before which it cannot be executed.

A plan consists of:

usr: address to delegatecall into
tag: the expected codehash of usr
fax: calldata to use

It is important to note that each plan has a unique id, defined as a keccack256(abi.encode(usr, tag, fax, eta)).

Operations

Plans can be manipulated in the following ways:

plot: schedule a plan
exec: execute a scheduled plan
drop: cancel a scheduled plan

The pause contract contains the DSPauseProxy contract in order to allow plan to be executed in an isolated storage context to protect the pause from malicious storage modification during plan execution.

3. Key Mechanisms & Concepts

The ds-pause was designed to be used as a component in the Maker Protocol’s governance system in order to give affected parties time to respond to decisions. If those affected by governance decisions have e.g. exit or veto rights, then the pause can serve as an effective check on governance power.

4. Gotchas (Potential source of user error)

Identity & Trust

In order to protect the internal storage of the pause from malicious writes during plan execution, we perform the delegatecall operation in a separate contract with an isolated storage context (DSPauseProxy), where each pause has its own individual proxy.

This means that plans are executed with the identity of the proxy. Thus when integrating the pause into some auth scheme, you will want to trust the pause's proxy and not the pause itself.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

A break of any of the following would be classified as a critical issue:

High level

There is no way to bypass the delay
The code executed by the delegatecall cannot directly modify storage on the pause
The pause will always retain ownership of it's proxy

Administrative

authority, owner, and delay can only be changed if an authorized user plots a plan to do so

Plot

A plan can only be plotted if its eta is after block.timestamp + delay
A plan can only be plotted by authorized users

Exec

A plan can only be executed if it has previously been plotted
A plan can only be executed once it's eta has passed
A plan can only be executed if its tag matches extcodehash(usr)
A plan can only be executed once

Drop

A plan can only be dropped by authorized users

Other Failure Modes

DSPause.delay - when the pause delay is set to the maximum, governance can no longer modify the system.

DSPause.delay - when the pause delay is set to the minimum, it is easier to pass malicious governance actions.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

* The user will require the following contract addresses; MCD_END and MCD_ESM accessible at [Changelog.makerdao.com](https://changelog.makerdao.com) as well as the Maker contract address, to be added in place of MKR_ADR below, which can be verified on [Etherscan](https://etherscan.io/token/0x9f8f72aa9304c8b593d555f12ef6589cc3a579a2).
* These should be setup in the following manner:

export MCD_END= 0xab14d3ce3f733cacb76ec2abe7d2fcb00c99f3d5
export MCD_ESM= 0x0581a0abe32aae9b5f0f68defab77c6759100085
export MKR_ADR= <MKR ADDRESS from Etherscan.io>
export MY_ADR= <USER ADDRESS>
    
#example values for depositing into the ESM
export TRIAL_AMOUNT=$(seth --to-uint256 $(seth --to-wei 0.1 eth))
export REMAINING_AMOUNT=$(seth --to-uint256 $(seth --to-wei 50000 eth))

join

dst).

urn

manager

uint

cast

done

Flipper - Detailed Documentation

The Maker Protocol's Collateral Auction House

Contract Name: flip.sol
Type/Category: DSS —> Collateral Auction Module
Associated MCD System Diagram
Etherscan

1. Introduction (Summary)

Summary: Collateral Auctions are used to sell collateral from Vaults that have become undercollateralized in order to preserve the collateralization of the system. The Cat sends bitten collateral to the Flip module to be auctioned off to keepers. The collateral auction has two phases: tend and dent.

2. Contract Details

Flipper (Glossary)

wards [usr: address], rely/deny/auth - Auth mechanisms
Bid - State of a specific Auction {bid, lot, guy

Parameters Set By Governance (through `file`)

beg
ttl
tau

Also, Cat's dunk and chop also inform how Flip works as the dunk becomes the Bid.lot and influences, along with the chop, the Bid.tab.

Parameters Not Set By Governance

vat
ilk

Both of these are set in the constructor and cannot be changed. If the Vat address is changed and each time a new collateral is added to the system, a new Flip will need to be deployed.

Authorizations

The Flipper must be Vat.wish'ed on by the Cat in order to flux during kick.

The End must be rely'ed on by the Flipper to allow for yank.

The Cat must be rely'ed on by the Flipper to allow for kick.

3. Key Mechanisms & Concepts

The Flip auction process begins with Maker Governance voters determining the collateral's minimum collateralization ratio (Spot.Ilk.mat) which is then tested against the Vault's state (collateral price, total debt owed) to determine whether the Vault is safe (See Cat documentation for more information on the bite process). The last step of a bite is to kick a Flip auction for that specific collateral. Note that the liquidation penalty gets added to the tab when the Flip auction gets kicked. This only determines when the auction switches from tend to dent. However, this amount is not added to the total debt amount (only to the part that is being partially liquidated) unless everything has in fact been liquidated.

Governance also determines the size of the lot (where a lot is the quantity of collateral gems up for auction in a flip auction) when a Vault gets bitten. This allows for partial liquidations of large Vaults. Partial liquidations make auctions more flexible and less likely to impact the base collateral price by creating a single large auction. They also allow large Vaults to become safe again if the price recovers before the Vault is fully liquidated. Keepers will want to keep this in mind when biting unsafe Vaults as well since they will have a choice to start one or many partial liquidation auctions.

Starting in the tend-phase, bidders compete for a fixed lot amount of Gem with increasing bid amounts of Dai. Once tab amount of Dai has been raised, the auction moves to the dent-phase. The point of the tend phase is to raise Dai to cover the system's debt.

During the dent-phase bidders compete for decreasing lot amounts of Gem for the fixed tab amount of Dai. Forfeited Gem is returned to the liquidated Urn for the owner to retrieve. The point of the dent phase is to return as much collateral to the Vault holder as the market will allow.

Once the auction's last bid has expired or the auction itself has reached the end anyone can call deal to payout the highest bidder (Bid.guy). This moves Gem's from the Flipper's balance in the Vat to the bidder's balance.

4. Gotchas (Potential Source of User Error)

Keepers

In the context of running a keeper (more info ) to perform bids within an auction, a primary failure mode would occur when a keeper specifies an unprofitable price for the collateral.

This failure mode is due to the fact that there is nothing the system can do to stop a user from paying significantly more than the fair market value for the token in an auction (this goes for all auction types, flip, flop, and flap).
Keepers that are performing badly are primarily at risk during the dent phase since they could return too much collateral to the original Vault and end up overpaying (i.e. pay too much Dai (bid) for too few gems (lot)).

Bidding Requirements during an auction

During tend, bid amounts will increase by a beg percentage with each new tend. The bidder must know the auction's id, specify the right amount of lot for the auction, bid at least beg% more than the last bid but not more than tab and must have a sufficient Vat.dai balance.

During dent, lot amounts will decrease by a beg percentage with each new dent. The bidder must know the auction's id, specify the right amount of bid for the auction and offer to take beg% less lot than the last bid.

Placing Bids

When a tend bid is beaten out by another bidder, the new winner's internal DAI balance is used to refund the previous winning bidder. When a dent bid is beaten out by another bidder, the Flipper's gem balance is used to refund the Vault holder. Once placed, bids cannot be canceled.

Illustration of the bidding flow:

Cat kicks a new Flip Auction. The Cat emits a bite event with the Flipper's address and the auction id. The Flipper emits a kick event with the id and other auction details.

Start tend auction:

Bidder 1 makes a bid that increases the bid size by beg. Bidder 1's DAI balance in the Vat is decreased by bid and the Vow's DAI balance in the Vat is increased by bid.
Bidder 2 makes a bid that increases Bidder 1's bid by at least beg. Bidder 2's DAI balance in the Vat is decreased by bid

Start dent auction:

Note: This phase must start before tic expires and before bid.end is passed.

Bidder 2 (and all the other bidders within the auction) decide it is no longer worth it to continue to increase their bids, so they stop bidding. Once the Bid.tic expires, Bidder 1 calls deal and the gem tokens are sent to their Vat balance.

Note: An auction can also end in the tend phase by not reaching tab before the tic or end are reached. If this happens, then the winning bidder is awarded using the deal function and the difference between the final bid and the tab stays as bad debt in the Vow to be dealt with during a Flop auction.

The End

In the case of Global Settlement, the End is able to call yank on the Flipper. Yank closes a tend-phase auction by returning the guy's Dai bid and moving the Gems from the Flipper to the End. dent-phase auctions can continue to the deal phase as they have already raised the necessary Dai and are in the process of returning Gems to the original Vault holder.

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

Bounds on Operating Conditions

Because Flip.tend compares the bidder's bid with the previous bid * beg, it will compare the two numbers at 10^63 precision (rad * wad). This means that any bid that is greater than 115,792,089,237,316 will cause an overflow. Governance should endeavour to not set beg or lot (via Cat.ilks[ilk].dunk) so that it is likely that an auction keeper would end up bid'ding that much DAI during the tend phase. This is very unlikely so long as the target price of Dai remains 1 USD, but is included here for awareness.

1. 2. Last Minute Auction/Low Keeper Participation Risks

Auction Grinding

Auction grinding allows an attacker to generate debt, allow their Vault to be bitten, win their own auction to get their collateral back at a discount. This type of failure is most possible when the liquidation penalty is set too low.

For the full details about this risk, reference @livnev's Paper .

Vault manager

The vault manager works with vaults that are owned by the CdpManager contract, which is also used by Oasis Borrow. This intermediary contract allows the use of incrementing integer IDs for vaults, familiar to users of Single-Collateral Sai, as well as other conveniences.

In the code, this is called CdpManager.

Instance methods

The methods below are all asynchronous.

getCdpIds()

Return an array describing the vaults owned by the specified address. Note that if the vaults were created in Oasis Borrow, the address of the proxy contract should be used.

getCdp()

Get an existing vault by its numerical ID. Returns a .

open()

Open a new vault with the specified . Will create a if one does not already exist. Returns a . Works with the .

openLockAndDraw()

Open a new vault, then lock and/or draw in a single transaction. Will create a if one does not already exist. Returns a .

Vault instances

In the code, these are called .

Properties

A note on caching: When a vault instance is created, its data is pre-fetched from the blockchain, allowing the properties below to be read synchronously. This data is cached in the instance. To refresh this data, do the following:

collateralAmount

The amount of collateral tokens locked, as a .

collateralValue

The USD value of collateral locked, given the current price according to the price feed, as a .

debtValue

The amount of Dai drawn, as a .

liquidationPrice

The USD price of collateral at which the Vault becomes unsafe.

isSafe

Whether the Vault is currently safe or not.

Instance methods

All of the methods below are asynchronous and work with the . Amount arguments should be , e.g.:

lockCollateral(amount)

Deposit the specified amount of collateral.

drawDai(amount)

Generate the specified amount of Dai.

lockAndDraw(lockAmount, drawAmount)

Deposit some collateral and generate some Dai in a single transaction.

wipeDai(amount)

Pay back the specified amount of Dai.

wipeAll()

Pay back all debt. This method ensures that dust amounts do not remain.

freeCollateral(amount)

Withdraw the specified amount of collateral.

wipeAndFree(wipeAmount, freeAmount)

Pay back some debt and withdraw some collateral in a single transaction.

wipeAllAndFree(freeAmount)

Pay back all debt, ensuring dust amounts do not remain, and withdraw a specified amount of collateral in a single transaction.

give(address)

Transfer ownership of this vault to address. Note that if the new owner plans to use this vault with Oasis Borrow, it should be transferred to their proxy with instead.

giveToProxy(address)

Look up the proxy contract owned by address and transfer ownership of this vault to that proxy.

tic

end

usr

gal

tab

bid

Vow

tic

now

ttl

open(): creates an UrnHandler (cdp) for the address usr (for a specific ilk) and allows the user to manage it via the internal registry of the manager.
give(): transfers the ownership of the cdp to the usr address in the manager registry.
giveToProxy(): transfers the ownership of cdp to the proxy of usr address (via proxyRegistry) in the manager registry.
cdpAllow(): allows/denies usr address to manage the cdp.
urnAllow(): allows/denies usr address to manage the msg.sender address as dst for quit.
flux(): moves wad amount of collateral from cdp address to dst address.
move(): moves rad amount of DAI from cdp address to dst address.
frob(): executes frob to cdp address assigning the collateral freed and/or DAI drawn to the same address.
quit(): moves cdp collateral balance and debt to dst address.
enter(): moves src collateral balance and debt to cdp.
shift(): moves cdpSrc collateral balance and debt to cdpDst.
lockETH(): deposits msg.value amount of ETH in ethJoin adapter and executes frob to cdp increasing the locked value.
safeLockETH(): same than lockETH but requiring owner == cdp owner.
lockGem(): deposits wad amount of collateral in gemJoin adapter and executes frob to cdp increasing the locked value. Gets funds from msg.sender if transferFrom == true.
safeLockGem(): same than lockGem but requiring owner == cdp owner.
freeETH(): executes frob to cdp decreasing locked collateral and withdraws wad amount of ETH from ethJoin adapter.
freeGem(): executes frob to cdp decreasing locked collateral and withdraws wad amount of collateral from gemJoin adapter.
draw(): updates collateral fee rate, executes frob to cdp increasing debt and exits wad amount of DAI token (minting it) from daiJoin adapter.
wipe(): joins wad amount of DAI token to daiJoin adapter (burning it) and executes frob to cdp for decreasing debt.
safeWipe(): same as wipe but requiring owner == cdp owner.
wipeAll(): joins all the necessary amount of DAI token to daiJoin adapter (burning it) and executes frob to cdp setting the debt to zero.
safeWipeAll(): same as wipeAll but requiring owner == cdp owner.
lockETHAndDraw(): combines lockETH and draw.
openLockETHAndDraw(): combines open, lockETH and draw.
lockGemAndDraw(): combines lockGem and draw.
openLockGemAndDraw(): combines open, lockGem and draw.
wipeAndFreeETH(): combines wipe and freeETH.
wipeAllAndFreeETH(): combines wipeAll and freeETH.
wipeAndFreeGem(): combines wipe and freeGem.
wipeAllAndFreeGem(): combines wipeAll and freeGem.

Sin

sump

woe

vat.sin[vow]

vow.Sin

vow.Ash

vat.sin(vow)

vow.Sin

vow.Ash

Flip

Vow

Vat

Cat - Detailed Documentation

The Maker Protocol's Liquidation Agent

Contract Name: cat.sol
Type/Category: DSS
Associated MCD System Diagram

1. Introduction (Summary)

The Cat is the system's liquidation agent, it enables keepers to mark positions as unsafe and sends them to auction.

2. Contract Details

Glossary (Cat)

Math

mul(uint, uint)/rmul(uint, uint) - will revert on overflow or underflow
bite(bytes32, address) will revert if lot or art are larger than or equal to 2^255.

Auth

wards are allowed to call protected functions (Administration and cage())

Storage

ilks stores Ilk structs
- Ilk is the struct with the address of the collateral auction contract (flip), the penalty for that collateral to be liquidated (chop) and the maximum size of collateral that can be auctioned at once (dunk).

The values of all parameters here (except vat) are changeable by an address that is relyed on. For instance, the End module should be authed to allow for it to call cage() and update live from 1 to 0. Governance (through an authed address) should be able to add collateral types to Cat, update their parameters, and change the vow.

Unsafe

bite can be called at anytime but will only succeed if the Vault is unsafe. A Vault is unsafe when its locked collateral (ink) times its collateral's liquidation price (spot) is less than its debt (art times the fee for the collateral rate). Liquidation price is the oracle-reported price scaled by the collateral's liquidation ratio.

Events

Bite: emitted when a bite(bytes32, address) is successfully executed. Contains:
- ilk: Collateral
- urn

3. Key Mechanisms & Concepts

cage()

auth
sets live to 0 (prevents bite). See for further description.
Once live=0 it cannot be set back to 1.

bite(bytes32 ilk, address urn)

bytes32 ilk parameter represents the collateral type that is being bitten.
address urn the address that identifies the Vault being bitten.
returns uint id which is the ID of the new auction in the Flipper.

The following is a line-by-line explanation of what bite does.

Administration

Various file function signatures for administering Cat:

Setting new vow (file(bytes32, address))
Setting new collateral (file(bytes32, bytes32, address))
Setting penalty or dunk size for collateral (file(bytes32, bytes32, uint))

Usage

The primary usage will be for keepers to call bite on a Vault they believe to be unsafe in order to start the auction process.

4. Gotchas (Potential source of user error)

When the Cat is upgraded, there are multiple references to it that must be updated at the same time (End, Vat.rely, Vow.rely). It must also rely on the End, the system's pause.proxy()
A Vat upgrade will require a new Cat

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

Coding Error

A bug in the Cat could lead to loss (or locking) of Dai and Collateral by assigning it to an address that cannot recover it (i.e. a bad Vow address or an incorrectly programmed Flipper). The main coding failure mode of Cat is if it has a bug that causes auctions to cease to function. This would require upgrading the system to a corrected Cat contract. If there is a bug in Cat that reverts on cage then it would cause Shutdown could fail (until a correct Cat is launched).

Feeds

The Cat relies indirectly on the price Feeds as it looks to the Vat's tracking of the collateral prices (spot) to determine Vault safety. If this system breaks down, it could lead to theft of collateral (too low spot) or unbacked Dai (incorrectly high spot).

Governance

Governance can authorize and configure new collaterals for Cat. This could lead to misconfiguration or inefficiencies in the system. Misconfiguration could cause Cat not to operate properly or at all. For instance, if an Ilk.dunk is set to be greater than 2**255 could allow for very, very large Vaults to be un-bite-able.

Inefficiencies in the dunk or chop could affect auctions. For instance, a dunk that is too large or too small could lead to disincentives for keepers to participate in auctions. A chop that is too small would not sufficiently dis-incentivize risky Vaults and too large could lead to it being converted to bad debt. Further discussion of how the parameters could lead to system attacks is described in this .

Flipper

The Cat relies on an external Flipper contract to run the auction and moves the collateral from the Cat to the Flipper contracts in the Vat. A faulty collateral auction contract could result in the loss of collateral or dai or non-functioning auctions.

Simple Arbitrage Keeper

Overview

Typically in the form of an automated bot, Keepers are external actors that participate in market making, auctions, market arbitrage, and system upkeep within the Maker protocol and the greater Ethereum ecosystem. Under a pure economic assumption, they are solely incentivized by profits or a vested interest. However, their activity provides indirect services such as increased liquidity and price consistency across various financial markets. This guide presents a simple arbitrage keeper, and structure thereof, that can be used out of the box to participate in wildly volatile markets. The purpose of the guide is to motivate the user in improving its functionality to participate in less volatile markets, leading to a more efficient financial ecosystem.

Learning objectives

By reading this guide, you’ll gain:

Better understanding of Arbitrage, how it is achieved and the role it plays in financial markets
An overview of the simple arbitrage keeper and common structure across the Maker Keeper framework
Insight into the operation of the simple arbitrage keeper and ways to improve its code

Pre-requisites

At least Python 3.6.2 and some python experience
Linux, macOS, or Cygwin (on Windows)
Some general experience with Ethereum Development (account management, contract interaction, node hosting)

Guide

Introduction to Arbitrage

Arbitrage is the process of simultaneously purchasing an asset on one exchange and selling a similar, if not identical, asset on another exchange at a higher price. Conceptually, this trading strategy can be broken down into two legs, the first buying leg and the second selling leg. As the timestamp of these legs converge, the risk of asset exposure approaches zero. For example, if both trades are not executed in perfect synchrony, there is a chance that the second trade is completed by another actor, forcing the arbitrageur to hold an asset until another opportunity arises.

With advancement in technology, this trading strategy is typically automated and can detect, as well as, profit from price deviations in a matter or seconds. Arbitrage opportunities exist because of , such as a temporary shortage of liquidity. As a result, arbitrage provides a mechanism to ensure prices on one exchange/market do not deviate far from the .

System Process Structure

Operation of the Simple Arbitrage Keeper

The is an arbitrage keeper for OasisDex and Uniswap. Given a minimum profit per trade and maximum trade size, as defined by the user and in units of entry_token, the Keeper will scan for arbitrage opportunities. When running, it monitors the arb_token/entry_token price on both exchanges, and when a discrepancy is detected, it executes an atomic multi-step trade in a single Ethereum transaction. The multi-step trade is made up of two legs: the first leg is the purchasing of arb_token with the entry_token on the start_exchange, while the second leg is the selling of the arb_token with the entry_token on the end_exchange. The type of entry_token and arb_token is typically of a stable and volatile type, respectively; since arbitrage opportunities can be scarce, the Keeper sometimes rests in a default state, holding the

It inherits a system structure that is consistent with other keepers in the Maker Keeper Framework. Apart from libraries typical to python projects, it relies on and , both of which are highly applicable Python APIs for the Maker Protocol Contracts and cryptocurrency exchanges, respectively. As can be seen in the flowchart, the ‘Lifecycle box’ is a that helps define the proper life cycle of a keeper; it consists of keeper startup, timers and/or subscriptions to Web3 events, and a keeper shutdown phase. The ‘Process block’ box is executed when the Keeper's node receives a new block. It generally contains the logic to query the blockchain state, evaluate any profit opportunities, and when applicable, publish a transaction.

The step for each process in simple-arbitrage-keeper is as follows:

Keeper Entry -> enter into SimpleArbitrageKeeper class
Startup -> make all necessary approvals between tokens, exchanges, and tx-manager
Evaluate Market -> pull price data from Oasis REST API and Uniswap exchange contracts
Profitable Opportunity Found? ->check if profit opportunity exists with a given max engagement and min profit

Documentation

General high level information and comments for each class/method are in the .

Startup on Kovan

The usage of the bot can be found in the of the README. Here are some preparation steps in running on Kovan:

To operate the keeper, call the /bin/simple-arbitrage-keeper script with the required arguments. This adds the pyexchange and pymaker modules to the python path and initializes the SimpleArbitrageKeeper class. It's convenient to write a shell script that can be easily rerun after argument changes, but before we begin, let's prepare our Keeper ethereum address, deploy our TxManager, find the Uniswap exchange addresses and MatchingMarket address.

Keeper Installation

This project uses Python 3.6.2. In order to clone the project and install required third-party packages please execute:

For some known Ubuntu and macOS issues see the .

Install the DappHub Toolkit

If you are running Linux or macOS you can take advantage of our all in one installer.

If you're having issues with installation, head over to the

Keeper Ethereum Address

Your Keeper will publish transactions through this address. Your ethereum address needs to be accessible by , in order to deploy TxManager through . Furthermore, when the Keeper is deployed and in operation, this address must contain some ETH for transaction costs as well as an amount of entry-tokens equal to the max-engagement set by the User. Follow to ensure seth can see your keystore and passphrase files.

If you'd like to start from scratch, and use geth account new, to create a new account, set a passphrase, and place the passphrase into a <address>.txt file in the ~/Library/Ethereum/passphrase/ directory; the corresponding keystore file can be found in the ~/Library/Ethereum/keystore/ directory. Both the keystore and passphrase files will later be passed into the Keeper as an argument. Make a note of your Keeper Ethereum Address, its keystore file location and passphrase file location.

Deploy TxManager

A must be deployed and linked with the Keeper ethereum address in order to bundle multiple contract calls in a single ethereum transaction; this is what we call an atomic transaction, where the entire call set is successful, or the state remains unaffected. Once the DappHub Toolkit is installed, execute the following commands to deploy TxManager:

The output of dapp create is the address to your TxManager

Deploy/Find a parity node

You need access to a JSON-RPC host that’s connected to a parity node. Unfortunately, Infura APIs are not connected to parity nodes, so you will need to find access to a remote endpoint (one example is ) or run a node on your local machine. An example of a remote node could be

Uniswap Exchange Addresses

You'll need to find the address to the Uniswap exchange corresponding to the entry-token as well as arb-token. To do that, call the getExchange(TokenAddress) at the Uniswap Factory contract to query the exchange addresses. . For example, you can use the Kovan WETH token address and call getExchange(0xd0A1E359811322d97991E03f863a0C30C2cF029C)

Shell Script

As was mentioned before, let's make a shell script so that it's easy to run this Bot. For example, we're using Kovan Sai for the entry-token since we won't be exposed to the arb token's price exposure in between trades. Moreover, for kovan testing, we will be using the WETH/DAI pair, since liquidity is thin across the Kovan versions of MatchingMarket and Uniswap exchanges. Any NoneType errors are likely due to a lack of liquidity on either exchange and can be resolved once liquidity is added. As mentioned earlier, the min-profit and max-engagement arguments define how the keeper will operate. Maximum engagement refers to the amount of entry-tokens you would like to sell within the first leg of the trade, whereas minimum profit refers to the amount of profit gained from executing the arbitrage; both arguments are denominated in entry-tokens and in units of ether (in the below script, 1 SAI of min-profit would be 1 SAI). For example, the below script will trade with a max-engagement of 10 SAI, but only if the returned value from the trade results in at least 11 SAI.

Create a file called like below, insert the arguments relevant to your environment, make it executable, then run it!

In your run-simple-keeper-kovan.sh file:

Make your Keeper executable, and run it!

Initial Startup

During the initial startup, several approval transactions will be sent to the tx-manager, and relevant exchanges. When complete, you'll see a “Watching for new blocks” message that indicates that the bot is now looping through the lifecycle.process_block() method; following that message and with every new block is a "Best Trade regardless of profit" message that acts as a "heartbeat" to the Keeper.

Nominal Operation

After the initial approval phase the Keeper's startup will look something like the below output and will continue to print "Best Trade ... " messages with every new block witnessed. When the keeper publishes a transaction, all relevant info will be logged and printed to the console. Finally, when you’d like to shut down the keeper, simply click CTRL-C, and it will gracefully shutdown.

Troubleshooting

During keeper operation, if the following error is shown, just CTRL-C and rerun:

Next steps

Improvements

Here are some suggestions to improve the usability, versatility, and profitability of this keeper. We hope that everyone tinkers with the parameters, runs the keeper for their own benefit, and eventually upgrades the bot to meet their risk tolerance and profit appetite.

Develop unit tests for each method
Use the Uniswap Factory contract to query the uniswap-entry-exchange and uniswap-arb-exchange addresses rather than requiring it as an argument
Rather than the default gas price implement a

Resources

Dai and Collateral Redemption during Emergency Shutdown

Level: Intermediate

Estimated Time: 60minutes

Description

This guide describes how users can interact with the Maker protocol through proxy contracts to redeem Dai and any excess collateral if the Maker system has entered into emergency shutdown. We will define the setup process, including proxy contract setup, followed by seth calls to; redeem collateral as a Dai Holder, and free excess collateral as a Vault Owner.

Learning Objectives

To redeem Dai and/or excess collateral in the event of Emergency Shutdown

Setup Process

Installation
Contract Address Setup

Dai Holders to Redeem Collateral

Check user Dai holdings
Approve a Proxy
Create Calldata
Execute Calldata using the MYPROXY Contract

Vault Owners to Redeem Excess Collateral

Vault Holder State
Redeeming ETH using the freeETH function
2.1. Set Call Data
2.2 Execute this calldata
Redeeming ETH using the freeGEM function

3.1 Set Calldata

3.2 Execute this calldata

Conclusion

Setup process

1. Installation

In order to interface with the Ethereum blockchain, the user needs to install seth, a command line tool as part of the toolset. We also provide further . Once the user has installed and configured [seth](<https://dapp.tools/>) correctly to use the main Ethereum network and the address which holds their MKR, they can query contract balances, approvals and transfers.

2. Contract Address Setup

The user will require the following contract addresses, shown below as mainnet addresses. Rest of mainnet or testnet addresses are accessible at which can be verified on . Similarly, additional information on the commands described below can be found in the and the . These should be setup in the following manner and pasted into the terminal line by line:

Dai holders to Redeem Collateral

There are two functions to be called in order to retrieve the end collateral. The first step is pack and the second step is cashETH or cashGem depending on the leftover amount of each collateral type in the system.

Depositing Dai tokens into the system can be done using the PROXY_ACTIONS_END contract library and the pack function. This function efficiently bundles together three parameters, including three parameters; the Dai(join) adapter, the end contract and the amount of Dai tokens you wish to redeem for allowed collateral in one go.

1. Check user Dai holdings

The user can check their Dai Token balance and subsequently save it in the wad variable so that it can be later used in the proxy function.

2. Approve a Proxy

The user needs to approve MYPROXY in order to withdraw Dai from their wallet by using the following function.

3. Create Calldata

Next it is necessary to bundle together the function definitions and parameters that the user needs to execute. This is done by preparing a function call to MYPROXY, defined as calldata.

4. Execute calldata using the `MYPROXY` contract

The user is able to call the execute function and utilize the PROXY_ACTIONS_END.pack() function within the environment of MYPROXY. This approves the proxy to take Dai tokens from the user's wallet into the proxy address and deposits it into the end contract, where a proportionate amount of collateral can later be claimed. Once the DAI is packed, it cannot be unpacked.

5. Call `cashETH` or `cashGEM` functions

Users will be able to withdraw collateral depending on the collateral that is in the VAT at the time of shutdown. For example 1 Dai will be able to claim a portion of ETH and BAT (and any other accepted collateral) which when combined will be approximately worth 1 USD. This process is completed by calling cashETH or cashGEM.

6. Using `cashETH`

The following function cashETH is referenced as part of the calldata function and should be referenced .

7. Define calldata for our function

Next, we again define the calldata for our function by bundling together the cashETH parameters shown above.

8. Execute `cashETHcalldata`

Finally, executing the cashETHcalldata in the execute function of the user's MYPROXY contract will redeem ETH for DAI, and place this ETH into the user's ETH wallet.

9. Alternative from step (6), Using `cashGEM`

It is also possible to use the cashGEM function in order to redeem different collateral types. In the below example we are referencing gemJoin as it relates to BAT.

10. Define calldata for our function

Similarly, as done in step (7), the user needs to define the calldata to interact with cashGEM

11. Call execute in `MYPROXY`

Finally, executing the cashBATcalldata in the execute function of the user's MYPROXY contract will redeem BAT for DAI, and place this BAT into the user's ETH wallet.

Vault Owners to Redeem Excess Collateral

Likewise, a vault owner can use the freeETH or freeGEM proxy actions function to retrieve any excess collateral they may have locked in the system.

1. Vault Holder State

There are some constraints for vault holders to be aware of. For example, if a user’s Vault is under-collateralised then they will not have any excess collateral to claim. Likewise, if the user’s Vault is currently in a flip auction at the time of emergency shutdown, it will be necessary for the Vault holder to cancel the auction by calling skip(ilk, id) before calling free__().

Similarly, these functions have been completed using Maker proxy contract calls. There may be other scenarios in which 3rd party front ends such as InstaDApp have their own proxies, which will require users to exit from their proxy in order to use the below.

2. Redeeming ETH using the `freeETH` function

2.1. Set calldata

Depending on how many vaults the user has, it will be necessary to repeat this process for each vault ID.

2.2. Execute this calldata

Executing the MYPROXY contract will redeem ETH and place it into the users address.

3. Redeeming ETH using the `freeGEM` function

3.1. Set calldata

Depending on how many vaults the user has, it will be necessary to repeat this process for each vault ID.

3.2. Execute this calldata

Executing the MYPROXY contract will redeem BAT (or other collateral types) and place them into the users address.

Conclusion

The above outlines how to redeem Dai and excess Vault collateral using the command line.

In summary, we showed how to check your Dai holdings, how to approve a proxy to withdraw Dai from your wallet and then to use cashETH/GEM functions to withdraw collateral into the user’s ETH wallet using the MYPROXY contract . For Vault owners, we showed how to redeem collateral by using the MYPROXY contract and the freeGEM function.

In the event of emergency shutdown we envision that it will still be possible to sell Dai on the open market as well as by making use of economically incentivized redemption keepers to meet market needs for both Dai owners and Vaults holders.

Multi Collateral Dai (MCD) CLI

Welcome to the MCD CLI

Installation

First install dapp tools:

Then install the mcd package:

The following list details all of the commands available when interacting with the command-line interface:

Configuration

Mcd is built on and uses the same network configuration options, which just like Seth, can be defined in the ~/sethrc initialisation file.

Similar to Seth, mcd also supports transaction signing with Ledger hardware wallets and can run against both local and remote nodes.

Since mcd will always be used against a known deployment of the system, defaults can be loaded wherever possible. In most cases the only required configuration parameter is the -C, --chain=<chain> (MCD_CHAIN) option and -F, --from=<address> (ETH_FROM) sender account when not using a testnet.

Example ~/.sethrc:

Kovan

Run against the latest Kovan deployment by setting the -C, --chain option to kovan. Specify a sender account when sending transactions using the -F, --from option, or via the ETH_FROM env variable.

Remote testchain

Run agaist remote testchain deployments by setting the -C, --chain option to the remote testchain Id. Mcd will auto-configure account settings via the testchain api so that no further configuration is required. To view a list of available testchains run:

Then set the chain option, or the chain env variable to the appropriate testchain Id.

Local testnet

Run against a locally running instance of where the system has been deployed by setting the C, --chain option to testnet. Mcd will auto-configure account testings for dapp testnet so that no further configuration is required.

By default, Mcd assumes that the output of the testchain deployment script is available at ~/.dapp/testnet/8545/config/addresses.json. Configuration addresses can be loaded from a different location by setting the --config (MCD_CONFIG) option.

Ilk

Ilks are collateral types with corresponding risk parameters which have been approved by system governance. Use the ilks command to view the list off available Ilks.

Each Ilk has its own set of configuration parameters which can be viewed via the ilk command. The I, --ilk=<id> option is used to scope commands to a particular Ilk:

Individial ilk values can be retrieved by adding the parameter name as an argument to the ilk command:

Gem

Gems are collateral tokens. Collateral is added and removed from the via adapters, which abstract away the differences between various token behaviours. Use gem [<subcommand>] to manage collateral balances for any given Ilk.

The join command can add collateral from the sender account to any specified Urn. The exit command can remove collateral from a specified Urn, provided that the sender controls the private key associated with that Urn.

By default, ETH_FROM is used to determine which Urn should be credited with collateral. Use U, --urn=<address> to optionally credit an Urn other than the default.

The exit command can remove collateral from a specified Urn, provided that the sender controls the private key associated with that Urn. The exit command can also withdraw collateral to an account other than ETH_FROM buy passing the destination address as an additional argument:

Urn

Urns represent Cdp state for any given Urn address.

Use the urn command to view Urn state for any given Ilk:

By default, ETH_FROM is used to determine which Urn to query. Use the U, --urn=<address> option to query Urns at other indexes.

Urn management

Urn state (urn.ink and urn.art) is managed via the frob <dink> <dart> command, where dink and dart are delta amounts by which ink (Locked collateral) and art (Outstanding debt) should be changed. For example, to lock 100 WETH and draw 400 Dai on the ETH-A Ilk:

To reduce outstanding debt by 200 Dai whilst keeping the amount of locked collateral constant:

Dai

Similar to Gem adapters, a Dai adapter is used to exchange Vat Dai for ERC20 token Dai which can then be used outside the system. Use dai [<subcommand>] to manage dai balances.

Once Dai has been drawn on an Urn, it can be withdrawn for use outside the system using dai exit. Dai can be returned to repay Urn debt via dai join.

The dai balance command displays the internal system (vat) balance and the external (ext) token balance:

Individial balance values can be retrieved by adding vat or ext as an argument to the balance command:

Cdp

The cdp command provides compatability with CDPs managed via the CDP Portal and uses the same proxy contract and font-end. This allows CDPs to be managed via a unique integer identifier rather than the I, --ilk and U, --urn options.

Examples

Note: examples assume that ETH_FROM is set to an address controlled by the user, and that the MCD_CHAIN env variable has been set to a vaild chain identifier.

1. Native Urn - lock 100 ETH & draw 500 Dai

Note: The system doesn't handle ETH directly but instead uses WETH to represent ETH collateral. For convenience, the wrap and unwrap commands are provided for exchanging ETH to WETH and visa versa.

2. Managed Cdp - lock 100 REP & draw 50 Dai

export DAI=0x6B175474E89094C44Da98b954EedeAC495271d0F
export PROXY_ACTIONS_END=0x069B2fb501b6F16D1F5fE245B16F6993808f1008
export MCD_END=0xaB14d3CE3F733CACB76eC2AbE7d2fcb00c99F3d5
export CDP_MANAGER=0x5ef30b9986345249bc32d8928B7ee64DE9435E39 
export PROXY_REGISTRY=0x4678f0a6958e4D2Bc4F1BAF7Bc52E8F3564f3fE4
export MCD_JOIN_ETH=0x2F0b23f53734252Bda2277357e97e1517d6B042A
export MCD_JOIN_BAT=0x3D0B1912B66114d4096F48A8CEe3A56C231772cA
export MCD_JOIN_DAI=0x9759A6Ac90977b93B58547b4A71c78317f391A28

export MYPROXY=$(seth call $PROXY_REGISTRY 'proxies(address)(address)' $ETH_FROM) 
# This creates a unique proxy address by calling the proxy registry using the users Ethereum address.

export ilk=$(seth --to-bytes32 $(seth --from-ascii ETH-A))
export ilkBAT=$(seth --to-bytes32 $(seth --from-ascii BAT-A))
# Here we have defined two ilk (collateral types) ETH and BAT. 
# The number of ilk types needed will depend on the types of collateral vaults that the user had open.

export ETH_GAS=4000000
export ETH_GAS_PRICE=2500000000
# Typically gas costs are slightly increased when dealing with proxy contracts to prevent failed transactions.

export cdpId=$(seth --to-dec $(seth call $CDP_MANAGER 'last(address)' $MYPROXY))
# This is a call to the CDP Manager responsible for making the users CDP ID. 
# Note, if user created multiple vaults they will have multiple CDP IDs, all of which must be referenced to retrieve collateral.

function pack(
        address daiJoin,
        address end,
        uint wad
    ) public {
        daiJoin_join(daiJoin, address(this), wad);
        VatLike vat = DaiJoinLike(daiJoin).vat();
        // Approves the end to take out DAI from the proxy's balance in the vat
        if (vat.can(address(this), address(end)) == 0) {
            vat.hope(end);
        }
        EndLike(end).pack(wad);
    }

export balance=$(seth --from-wei $(seth --to-dec $(seth call $DAI 'balanceOf(address)' $ETH_FROM)))
export wad=$(seth --to-uint256 $(seth --to-wei 13400 eth))
# in the above, 13400 is an example Dai balance

export calldata=$(seth calldata 'pack(address,address,uint)' $MCD_JOIN_DAI $MCD_END $wad)
.
.
.
# 0x33ef33d6000000000000000000000000fc0b3b61407cdf5f583b5b1e08514e68ecee4a73000000000000000000000000d9026db5ca822d64a6ba18623d0ff2bb07ad162c0000000000000000000000000000000000000000000002d66a5b4bc1da600000

seth send $MYPROXY 'execute(address,bytes memory)' $PROXY_ACTIONS_END $calldata
# [example](<http://ethtx.info/kovan/0x8f4021e46b1a6889ee7045ba3f3fae69dee7ef130dbb447d4cc724771e04bcd6>) transaction showing actions involved in 'packing' the user's Dai.

function cashETH(
        address ethJoin,
        address end,
        bytes32 ilk,
        uint wad
    ) public {
        EndLike(end).cash(ilk, wad);
        uint wadC = mul(wad, EndLike(end).fix(ilk)) / RAY;
        // Exits WETH amount to proxy address as a token
        GemJoinLike(ethJoin).exit(address(this), wadC);
        // Converts WETH to ETH
        GemJoinLike(ethJoin).gem().withdraw(wadC);
        // Sends ETH back to the user's wallet
        msg.sender.transfer(wadC);
    }

seth send $MYPROXY 'execute(address,bytes memory)' $PROXY_ACTIONS_END $cashETHcalldata
# [example](<http://ethtx.info/kovan/0x323ab9cd9817695089aea31eab369fa9f3c9b1a64743ed4c5c1b3ec4d7218cf8>) successful transaction

function cashGem(
        address gemJoin,
        address end,
        bytes32 ilk,
        uint wad
    ) public {
        EndLike(end).cash(ilk, wad);
        // Exits token amount to the user's wallet as a token
        GemJoinLike(gemJoin).exit(msg.sender, mul(wad, EndLike(end).fix(ilk)) / RAY);
    }

function freeETH(
        address manager,
        address ethJoin,
        address end,
        uint cdp
    ) public {
        uint wad = _free(manager, end, cdp);
        // Exits WETH amount to proxy address as a token
        GemJoinLike(ethJoin).exit(address(this), wad);
        // Converts WETH to ETH
        GemJoinLike(ethJoin).gem().withdraw(wad);
        // Sends ETH back to the user's wallet
        msg.sender.transfer(wad);
    }

function freeGem(
        address manager,
        address gemJoin,
        address end,
        uint cdp
    ) public {
        uint wad = _free(manager, end, cdp);
        // Exits token amount to the user's wallet as a token
        GemJoinLike(gemJoin).exit(msg.sender, wad);
    }

MCD - Multi-collateral Dai

Usage: mcd [<options>] <command> [<args>]
   or: mcd help [<command>]

Commands:

   bite            Trigger liquidation of an unsafe Urn
   bites           Recent bites
   cdp             CDP managerment
   dai             Dai management
   debt            Total dai issuance
   drip            Trigger stability fee accumulation
   flap            Trigger a flap auction
   flips           View flips and kick-off auctions
   flog            Release queued bad-debt for auction
   flop            Trigger a flop auction
   frob            Urn management
   frobs           Recent frobs
   gem             Collateral management
   help            Print help about mcd or one of its subcommands
   ilk             Ilk (collateral type) parameters
   line            Total debt ceiling
   live            Liveness flag
   poke            Update the spot price for a given Ilk
   unwrap          Unwrap WETH to ETH
   urn             CDP state
   vice            Total bad debt
   vow             Liquidator balances
   wrap            Wrap ETH to WETH

$ mcd --ilk=ETH-A ilk
Art  40.000000000000000000                      Total debt (DAI)
rate 1.000080370887129123082627939              WETH DAI exchange rate
spot 99.333333333333333333333333333             WETH price with safety mat (USD)
line 1000.0000000000000000000000000000000000000 Debt ceiling (DAI)
dust 0.0000000000000000000000000000000000000000 Debt floor (DAI)
flip 0x9d905effff127a01da3b38124f8da88e766eb8dd Flip auction contract
chop 1.000000000000000000000000000              Liquidation penalty
lump 10000.000000000000000000                   Flip auction lot size
tax  1.000000000782997609082909351              Stability fee
rho  1552802862                                 Last drip timestamp
pip  0x98312e16f5b2c0def872a1f7484a8456e5a67a3b Price feed contract
mat  1.500000000000000000000000000              Liquidation ratio

gem --ilk=<id> symbol             Gem symbol e.g. WETH
gem --ilk=<id> balance            Print balances for a given urn (default: ETH_FROM)
gem --ilk=<id> join <wad>         Add collateral to a given Urn (default: ETH_FROM)
gem --ilk=<id> exit <wad> [<guy>] Remove collateral from an Urn (default: ETH_FROM)

ilk  ETH-A                                      Collateral type
urn  0xC93C178EC17B06bddBa0CC798546161aF9D25e8A Urn handler
ink  45.000000000000000000                      Locked collateral (WETH)
art  120.000000000000000000                     Issued debt (Dai)
tab  120.000244107582797248312544980            Outstanding debt (Dai)
rap  0.000244107582797248312544980              Accumulated stability fee (Dai)
-->  37.24                                      Collateralization ratio

spot 99.333333333333333333333333333             WETH price with safety mat (USD)
rate 1.000002034229856643749638820              WETH DAI exchange rate

Usage: mcd cdp [<id>] [<command>]

Commands: ls [<owner>]     List Cdps
          count [<owner>]  Cdp count
          open             Open a new Cdp
          <id> urn         Cdp state
          <id> lock <wad>  Join & lock collateral
          <id> free <wad>  Free & exit collateral
          <id> draw <wad>  Draw & exit dai
          <id> wipe <wad>  Join & wipe dai

# i) Wrap
$ mcd wrap 100
eth  900.000000000000000000
weth 100.000000000000000000

# ii) Gem join
$ mcd --ilk=ETH-A gem join 100
$ Grant approval to move WETH to the Vat? [Y/n]: Y
vat 100.000000000000000000 Free collateral (WETH)
ink   0.000000000000000000 Locked collateral (WETH)
ext   0.000000000000000000 External account balance (WETH)
ext 900.000000000000000000 External account balance (ETH)

# iii) Lock & Draw
$ mcd --ilk=ETH-A frob 100 500
ilk  ETH-A                                      Collateral type
urn  0xC93C178EC17B06bddBa0CC798546161aF9D25e8A Urn handler
ink  100.000000000000000000                     Locked collateral (WETH)
art  500.000000000000000000                     Issued debt (Dai)
tab  500.000244107582797248312544980            Outstanding debt (Dai)
rap  0.000244107582797248312544980              Accumulated stability fee (Dai)
-->  19.86                                      Collateralization ratio

# iv) Withdraw Dai
$ mcd dai exit 500
vat 0.000060682318362511884962000000000000000000000 Vat balance
ext 500.000000000000000000 ERC20 balance

# i) Open
$ mcd --ilk=REP-A cdp open
mcd-cdp-open: Waiting for transaction receipt...
0x800e5578d3ac4b77b7ada1aba48cf80d0d238d4392d2676d79159eac2c2cdd73
Opened: cdp 19

# ii) Lock
$ mcd --ilk=REP-A cdp 19 lock 100
seth-send: Published transaction with 260 bytes of calldata.
seth-send: 0x4d30cb4863ca997d24ff2346c9a92e86648369ce7b4a86ed004c73b8d4ef299a
seth-send: Waiting for transaction receipt...
seth-send: Transaction included in block 333.
ilk  REP-A                                      Collateral type
urn  0x4518c4709a50C915b7996A0e6Dfb38c67248BBcF Urn handler
ink  100.000000000000000000                     Locked collateral (REP)
art  0.000000000000000000                       Issued debt (Dai)
tab  0                                          Outstanding debt (Dai)
rap  0                                          Accumulated stability fee (Dai)
-->  0                                          Collateralization ratio

# iii) Draw
$ mcd --ilk=REP-A cdp 19 draw 500
seth-send: Published transaction with 260 bytes of calldata.
seth-send: 0xd5fb7ddf94bb910fbba2af118ecde88a03a13129b2e1979238236afe672781c3
seth-send: Waiting for transaction receipt...
seth-send: Transaction included in block 335.
ilk  REP-A                                      Collateral type
urn  0x4518c4709a50C915b7996A0e6Dfb38c67248BBcF Urn handler
ink  100.000000000000000000                     Locked collateral (REP)
art  49.999505439113270178                      Issued debt (Dai)
tab  50.000000000000000000000000000             Outstanding debt (Dai)
rap  0.000494560886729822000020743              Accumulated stability fee (Dai)
-->  16.66                                      Collateralization ratio

bite will not leave a Vault with debt and no collateral.

entry_token

Seth

A powerful command line tool created to interface with the Ethereum blockchain

Introduction to Seth

Seth is a simple, but powerful command line tool created to interface with the Ethereum blockchain. It is part of the Dapp.Tools toolset along with other tools for Ethereum. Its two main functionalities among others are performing calls (queries of the Ethereum blockchain - a “read” operation) and sending transactions (writing into the blockchain, changing its state). It also provides conversion between data of Ethereum’s own specific formats and the more widespread, usual data formats.

Getting started

In the following section we will go through the installation and setup of Seth. These steps only work on Unix-based systems (i.e. Linux and macOS), however on Windows, you can try with an emulator, like or , the in Windows 10, a virtual machine or a container.

Installation

Seth can be installed as a part of the Dapp Tools suite, which is a collection of blockchain tools created with the Unix philosophy in mind. The most convenient way to do this, is to install Dapp Tools with the one line script provided on the . Here is how to do it:

From the Dapp Tools page:

If you are running GNU/Linux or macOS you can take advantage of our all in one installer.

$ curl https://dapp.tools/install | sh

This script downloads the Nix package manager, setups binary cache with Cachix and installs our most used tools.

Manual install

If you have issues using the script above, you can try the manual installation on the aforementioned website. A this point in time you can do a manual installation by running the following scripts:

In order to test if the tools have been installed correctly, check the current version of Seth with the following command:

$ seth --version

If Seth has been installed correctly, the command should produce the following output:

seth 0.7.0

At the time of writing, seth 0.7.0 is thus the latest version, however in the future the output might have a different versioning number.

Errors and a note on macOSX Mojave

If the above command does not work, or you had trouble installing it may be due to Mac OSX Mojave, as we have experienced various issues with the tools nix and cachix not working correctly on this OS, specifically due to a multi-user bug. If you happen to have more user accounts on your Mac, and experience errors running this guide, might help you resolve the issue. If this does not resolve the issue, you are more than welcome to ask for help on in the #help channel.

Set up and configuring variables

Configuring Seth can be done with environment variables or command line options. Environment variables can be generally used in two ways: you can save them in a configuration file named .sethrc in specific locations, like your home folder, or just set them only for the current terminal session. In this guide we will use environment variables with the latter approach for simplicity’s sake, however for ease-of-use in the future, we strongly encourage to save the variables in your project folder. Follow to do so.

Using a local private network

You can quickly set up a local private network with the Dapp tool, which will also create accounts and their keystore files with empty strings for passwords by default. Setting up a local network can be handy when developing dapps for a quick an easy and way to deploy and test functionality without the need of acquiring test-net Ether for contract deployment.

Open a new terminal and execute the following command, and keep it running in the background during the tutorial:

$ dapp testnet

Copy your account address from the output.

Then in a separate terminal let’s create an empty password file:

$ touch pass

And let’s create our environment variables:

Using Kovan

Seth can connect to the Kovan Ethereum testnet through a default remote node provided by Infura. This is the most convenient way to do so. You can either create a new account or use the existing one created by the testnet. If you decide to use the existing one, you only need to change the chain parameter:

$ export SETH_CHAIN=kovan

If you decide to create a new account, an easy method is using the "create new wallet" option in MEW: . It is also possible to use Parity or Geth to create a new account or you can use an existing keystore file for a Parity or Geth account. You are also going to need to save the password of your keystore file in a plain text file (Never use this keystore file for real ETH - saving the password for your keystore file in plain text would be very unsafe for a real account! This also goes for the testnet account!).

Then you have to set up the same variables:

You will need Kovan ETH for gas, you can get some by following the guide here:

Seth operations

For the first two operations you can use either your own testnet or the Kovan testnet - try both if you want to!

seth balance - Checking ETH balance

Checking ETH balances is pretty straight forward. It can be done with the balance subcommand, then specifying the address as a parameter:

$ seth balance $ETH_FROM

seth send - Sending ETH

Let’s send Kovan or private net ETH to an address. You can choose any valid address - in this example I am going to use :

$ seth send --value 0.1

Upon execution you should see something like the following:

This indicates that the transaction was successful.

seth call - Reading contract storage

Since we don't have any contracts deployed to our private network, let's use Kovan from now on. Let’s use one of the simplest contracts possible: an ERC-20 token contract. In this example, we are going to use a test collateral token (COL1). You can save its address in a variable with the following command:

$ export COL1=0x911eb92e02477a4e0698790f4d858e09dc39468a

You can read the output of a public function of a contract using the call subcommand, the contract’s address, and the name of the function.

Let's check out the number of decimals of this token:

seth call $COL1 'decimals()'

The output is:

0x0000000000000000000000000000000000000000000000000000000000000012

Now don't let this fool you. Seth queries contract data in a low level manner, and returns the value in hexadecimal, as it is represented in the contract, but you can convert it using:

$ seth --to-dec $(seth call $COL1 'decimals()')

The output is:

18

Sending contract transaction with seth send

You can send a transaction to a contract with the same send command, by adding a couple of extra parameters. Just like with call, you need to specify the contract address and the function we are calling. Let’s get some COL1 tokens from a previously set up faucet:

$ export FAUCET=0xe8121d250973229e7988ffa1e9330b420666113a

$ seth send $FAUCET ‘gulp(address)’ $COL1

Using function parameters

Now you can check your COL1 balance. This time you will need to present a parameter for the ‘balanceOf’ method of the ERC-20 contract. You can do this by first defining the type, the function takes in its parentheses, and then putting the input parameter after the method:

$ seth --to-dec $(seth call $COL1 'balanceOf(address)' $ETH_FROM)

The output is:

500000000000000000000

Now, that's a rather large value we got. The reason for this is that the contract stores the balances in wei unit (10^-18), which is why we have to convert it to get the actual number of COL1 we own:

$ seth --from-wei $(seth --to-dec $(seth call $COL1 'balanceOf(address)' $ETH_FROM)) eth

The output is:

50.000000000000000000

seth block - Retrieving block information

With seth block, we are capable of querying any information about an Ethereum block. Here is the usage from the help option $ seth block --help:

Like any other Seth command, this command depends on Ethereum JSON RPC calls, which are part of the interface of any Ethereum client. You can dive into the corresponding documentation () to learn more about it.

What can come in handy is the fact that in place of a block number, we can also use earliest, latest or pending. So if we would like to query the current block gas limit (I have tried this with seth configured for the kovan testnet) we can do the following:

$ seth block latest gasLimit

Output:

8000000

seth estimate - Estimating gas cost of a transaction

seth estimate can give an estimation for the gas usage of a transaction. The syntax is pretty much the same as for seth send, but seth estimate will not actually send the transaction.

When you want to send a transaction to a contract function with Seth, you have to provide the function signature and the parameters in order after the signature. The ERC-20 transfer function signature looks like the following in Solidity:

transfer(address _to, uint256 _value) public returns (bool success)

The signature part that Seth needs from this is 'transfer(address, uint)' and the parameters are the recipient address and the amount. The contract needs to receive the amount in hexadecimal representation of the number in wei unit, which is why we need those conversions.

Now, to estimate the gas usage of an ERC-20 token transfer let’s execute the following:

$ seth estimate $COL1 'transfer(address, uint)' $(seth --to-uint256 $(seth --to-wei 0.1 ether))

Output:

37240

seth receipt and seth tx

With seth receipt and seth tx, we can query every single detail imaginable about a transaction. They both take a transaction (tx) hash as an input parameter. The main difference between the two, is that the receipt, which contains the results of the transaction, is only constructed after the transaction gets mined, while the output of seth tx only contains the basic parameters of the transaction before it takes effect.

You can try them for example by first executing a transaction to have a transaction hash:

$ seth send $COL1 'transfer(address, uint)' $(seth --to-uint256 $(seth --to-wei 0.1 ether))

Output:

Now you can try the discussed commands (use your own tx hash from the previous tx):

$ seth receipt 0x58ba3980775741aecaf8435646a003bff3395d7d4e00c8f7a32ad1fa0ce64e01

$ seth tx 0x58ba3980775741aecaf8435646a003bff3395d7d4e00c8f7a32ad1fa0ce64e01

These both generate a pretty long output, but we can filter each query with an optional extra parameter. For example let's see, how accurate was our previous estimation for the gas consumption (it was perfectly accurate):

$ seth receipt 0x58ba3980775741aecaf8435646a003bff3395d7d4e00c8f7a32ad1fa0ce64e01 gasUsed

Output: 37240

Additional Resources

This guide was written based on the official documentation in the Github repository of Seth. You can find additional information over there:

Known Issues

Issues with MacOS Mojave

function bite(bytes32 ilk, address urn) public returns (uint id) {
  // Get the rate, spot, and dust from the ilk in the vat.
  (,uint256 rate,uint256 spot,,uint256 dust) = vat.ilks(ilk);
  // get the ink and art from the urn from the Vat.
  (uint256 ink, uint256 art) = vat.urns(ilk, urn);

  // ensure End has not happened
  require(live == 1);
  // require the Vault to be unsafe (see definition above).
  require(spot > 0 && mul(ink, spot) < mul(art, rate), "Cat/not-unsafe");

	// Loads the `ilk` data into memory as an optimization.
  Ilk memory milk = ilks[ilk];
  // Declares a variable that will be assigned in the following scope.
  uint256 dart;

	// Defines a new scope, this prevents a stack too deep error in solidity
  {
		// Calculate the available space in the box
    uint256 room = sub(box, litter);

    // test whether the remaining space in the litterbox is dusty
    require(litter < box && room >= dust, "Cat/liquidation-limit-hit");

		// Sets the amount of debt to be covered by the auction.
    // (smaller of either the amount of normalized debt, maximum debt chunk size, or space in the box)
    // divided by the rate, divided by the penalty fee.
    dart = min(art, mul(min(milk.dunk, room), WAD) / rate / milk.chop);
  }

	// Takes the minimum of the collateral balance or the
  // amount of collateral represented by the debt to be covered
  uint256 dink = min(ink, mul(ink, dart) / art);

	// Prevents no-collateral auctions
  require(dart >  0      && dink >  0     , "Cat/null-auction");
  // Protects against int overflow when converting from uint to int
  require(dart <= 2**255 && dink <= 2**255, "Cat/overflow"    );

	// Called in this way, vat.grab will:
  // - Remove the dink and the dart from the bitten Vault (urn)
  // - Adds the collateral (dink) to the Cat's gem
  // - Adds the debt (dart) to the Vow's debt (vat.sin[vow])
  // - Increases the total unbacked dai (vice) in the system
  // This may leave the CDP in a dusty state
  vat.grab(
    ilk, urn, address(this), address(vow), -int256(dink), -int256(dart)
  );
  // Adds the debt to the debt-queue in Vow (Vow.Sin and Vow.sin[now])
  vow.fess(mul(dart, rate));

  { // Avoid stack too deep
    // This calcuation will overflow if dart*rate exceeds ~10^14,
    // i.e. the maximum dunk is roughly 100 trillion DAI.
    // Multiplies the accumulated rate by the normalized debt to be covered 
    // to get the total debt tab (debt + stability fee + liquidation penalty) for the auction.
    uint256 tab = mul(mul(dart, rate), milk.chop) / WAD;
    // Updates the amount of litter in the box
    litter = add(litter, tab);

		// Calls kick on the collateral's Flipper contract.
    // tab is the total debt to be sent to auction
    // gal: address(vow) sets up the Vow as the recipient of the Dai income for this auction
    // bid: 0 indicates that this is the opening bid
    // This moves the collateral from the Cat's gem to the Flipper's gem in the Vat
    id = Kicker(milk.flip).kick({
        urn: urn,
        gal: address(vow),
        tab: tab,
        lot: dink,
        bid: 0
    });
  }

  // Emits an event about the bite to notify actors (for instance keepers) about the new auction
  emit Bite(ilk, urn, dink, dart, mul(dart, rate), milk.flip, id);
}

$ git clone https://github.com/makerdao/tx-manager.git
$ cd tx-manager
$ dapp update
$ dapp --use solc:0.4.25 build --extract

$ export SETH_CHAIN=kovan
$ export ETH_FROM=<your Keeper Ethereum Address e.g. 0xABC>
$ export ETH_GAS=2000000
$ dapp create TxManager --password /path/to/passphraseOfAddress.txt

#!/bin/bash
/full/path/to/githubClone/simple-arbitrage-keeper/bin/simple-arbitrage-keeper \
	--rpc-host 'kovan.sampleparitynode.com' \
	--eth-from '0xABC' \
	--eth-key 'key_file=/path/to/keystore.file,pass_file=/path/to/passphrase.txt' \
	--uniswap-entry-exchange '0x47D4Af3BBaEC0dE4dba5F44ae8Ed2761977D32d6' \
	--uniswap-arb-exchange '0x1D79BcC198281C5F9B52bf24F671437BaDd3a688' \
	--oasis-address '0x4A6bC4e803c62081ffEbCc8d227B5a87a58f1F8F' \
	--oasis-api-endpoint 'https://kovan-api.oasisdex.com' \
	--tx-manager '0xABC' \
	--entry-token '0xC4375B7De8af5a38a93548eb8453a498222C4fF2' \
	--arb-token '0xd0A1E359811322d97991E03f863a0C30C2cF029C' \
	--arb-token-name 'WETH' \
	--min-profit 1 \
	--max-engagement 10 \

Kentons-Macbook:scripts kentonprescott$ ./run-simple-arbitrage-keeper-mainnet-XYZ-XYZ.sh
2019-10-19 17:21:57,463 INFO     Keeper connected to RPC connection https://...
2019-10-19 17:21:57,463 INFO     Keeper operating as 0xABCD
2019-10-19 17:21:58,523 INFO     Executing keeper startup logic
2019-10-19 17:22:04,820 INFO     Watching for new blocks
2019-10-19 17:22:13,983 INFO     Best trade regardless of profit/min-profit: -1.243077085275947008 DAI from Uniswap to Oasis

$ curl https://nixos.org/nix/install | sh
$ . "$HOME/.nix-profile/etc/profile.d/nix.sh"
$ nix-env -if https://github.com/cachix/cachix/tarball/master --substituters https://cachix.cachix.org --trusted-public-keys cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM=  
$ cachix use dapp  
$ git clone --recursive [https://github.com/dapphub/dapptools](https://github.com/dapphub/dapptools) $HOME/.dapp/dapptools  
$ nix-env -f $HOME/.dapp/dapptools -iA dapp seth solc hevm ethsign

$ export ETH_KEYSTORE=<path to your keystore folder>
$ export ETH_PASSWORD=<path and filename to the text file containing the password for your account e.g: /home/one1up/MakerDAO/415pass >
$ export ETH_FROM=<your ethereum account address> 
$ export SETH_CHAIN=kovan

seth-send: warning: `ETH_GAS' not set; using default gas amount
seth-send: Published transaction with 0 bytes of calldata.
seth-send: 0x000000…
seth-send: Waiting for transaction receipt.......
seth-send: Transaction included in block xxxxxx.

seth-send: Published transaction with 68 bytes of calldata.
seth-send: 0x58ba3980775741aecaf8435646a003bff3395d7d4e00c8f7a32ad1fa0ce64e01
seth-send: Waiting for transaction receipt....
seth-send: Transaction included in block 9704345.

Pymaker

A Python API for the Maker Smart Contracts

Introduction

The Maker Protocol incentivizes external agents, called keepers, to automate certain operations around the Ethereum blockchain. In order to ease their development, an API around most of the Maker contracts has been created. It can be used not only by keepers, but may also be found useful by authors of some other, unrelated utilities aiming to interact with these contracts.

Based on the Pymaker API, a set of reference Maker keepers is being developed. They all used to reside in this repository, but now each of them has an individual one: bite-keeper (SCD only), arbitrage-keeper, auction-keeper (MCD only), cdp-keeper (SCD only), market-maker-keeper.

You only need to install this project directly if you want to build your own keepers, or if you want to play with this API library itself. If you just want to install one of reference keepers, go to one of the repositories linked above and start from there. Each of these keepers references some version of pymaker via a Git submodule.

Installation

This project uses Python 3.6.6.

In order to clone the project and install required third-party packages please execute:

Known Ubuntu issues

In order for the secp256k Python dependency to compile properly, following packages will need to be installed:

(for Ubuntu 18.04 Server)

Known macOS issues

In order for the Python requirements to install correctly on macOS, please install openssl, libtool, pkg-config and automake using :

and set the LDFLAGS environment variable before you run pip3 install -r requirements.txt:

Available APIs

The current version provides APIs around:

ERC20Token,
Tub, Tap,Top and Vox (),

APIs around the following functionality have not been implemented:

Global Settlement (End)
Governance (DSAuth, DSChief, DSGuard, DSSpell, Mom)

Contributions from the community are much appreciated!

Code samples

Below you can find some code snippets demonstrating how the API can be used both for developing your own keepers and for creating some other utilities interacting with the Maker Protocol ecosystem contracts.

Token transfer

This snippet demonstrates how to transfer some SAI from our default address. The SAI token address is discovered by querying the Tub, so all we need as a Tub address:

Updating a DSValue

This snippet demonstrates how to update a DSValue with the ETH/USD rate pulled from CryptoCompare:

SAI introspection

This snippet demonstrates how to fetch data from Tub and Tap contracts:

Multi-collateral Dai

This snippet demonstrates how to create a CDP and draw Dai.

Asynchronous invocation of Ethereum transactions

This snippet demonstrates how multiple token transfers can be executed asynchronously:

Multiple invocations in one Ethereum transaction

This snippet demonstrates how multiple token transfers can be executed in one Ethereum transaction. A TxManager instance has to be deployed and owned by the caller.

Ad-hoc increasing of gas price for asynchronous transactions

Testing

Prerequisites:

6.2.5 (using npm, sudo npm install -g [email protected])

This project uses for unit testing. Testing of Multi-collateral Dai is performed on a Dockerized local testchain included in tests\config.

In order to be able to run tests, please install development dependencies first by executing:

You can then run all tests with:

If you have questions regarding Pymaker, please reach out to us on the channel on .

Vat, Cat, Vow, Jug, Flipper, Flapper, Flopper (https://github.com/makerdao/dss)

from web3 import HTTPProvider, Web3

from pymaker import Address
from pymaker.token import ERC20Token
from pymaker.numeric import Wad
from pymaker.sai import Tub


web3 = Web3(HTTPProvider(endpoint_uri="http://localhost:8545"))

tub = Tub(web3=web3, address=Address(' 0xb7ae5ccabd002b5eebafe6a8fad5499394f67980'))
sai = ERC20Token(web3=web3, address=tub.sai())

sai.transfer(address=Address(' 0x0000000000111111111100000000001111111111'),
             value=Wad.from_number(10)).transact()

import json
import urllib.request

from web3 import HTTPProvider, Web3

from pymaker import Address
from pymaker.feed import DSValue
from pymaker.numeric import Wad


def cryptocompare_rate() -> Wad:
    with urllib.request.urlopen("https://min-api.cryptocompare.com/data/price?fsym=ETH&tsyms=USD") as url:
        data = json.loads(url.read().decode())
        return Wad.from_number(data['USD'])


web3 = Web3(HTTPProvider(endpoint_uri="http://localhost:8545"))

dsvalue = DSValue(web3=web3, address=Address(' 0x038b3d8288df582d57db9be2106a27be796b0daf'))
dsvalue.poke_with_int(cryptocompare_rate().value).transact()

from web3 import HTTPProvider, Web3

from pymaker import Address
from pymaker.token import ERC20Token
from pymaker.numeric import Ray
from pymaker.sai import Tub, Tap


web3 = Web3(HTTPProvider(endpoint_uri="http://localhost:8545"))

tub = Tub(web3=web3, address=Address(' 0x448a5065aebb8e423f0896e6c5d525c040f59af3'))
tap = Tap(web3=web3, address=Address(' 0xbda109309f9fafa6dd6a9cb9f1df4085b27ee8ef'))
sai = ERC20Token(web3=web3, address=tub.sai())
skr = ERC20Token(web3=web3, address=tub.skr())
gem = ERC20Token(web3=web3, address=tub.gem())

print(f"")
print(f"Token summary")
print(f"-------------")
print(f"SAI total supply       : {sai.total_supply()} SAI")
print(f"SKR total supply       : {skr.total_supply()} SKR")
print(f"GEM total supply       : {gem.total_supply()} GEM")
print(f"")
print(f"Collateral summary")
print(f"------------------")
print(f"GEM collateral         : {tub.pie()} GEM")
print(f"SKR collateral         : {tub.air()} SKR")
print(f"SKR pending liquidation: {tap.fog()} SKR")
print(f"")
print(f"Debt summary")
print(f"------------")
print(f"Debt ceiling           : {tub.cap()} SAI")
print(f"Good debt              : {tub.din()} SAI")
print(f"Bad debt               : {tap.woe()} SAI")
print(f"Surplus                : {tap.joy()} SAI")
print(f"")
print(f"Feed summary")
print(f"------------")
print(f"REF per GEM feed       : {tub.pip()}")
print(f"REF per SKR price      : {tub.tag()}")
print(f"GEM per SKR price      : {tub.per()}")
print(f"")
print(f"Tub parameters")
print(f"--------------")
print(f"Liquidation ratio      : {tub.mat()*100} %")
print(f"Liquidation penalty    : {tub.axe()*100 - Ray.from_number(100)} %")
print(f"Stability fee          : {tub.tax()} %")
print(f"")
print(f"All cups")
print(f"--------")
for cup_id in range(1, tub.cupi()+1):
    cup = tub.cups(cup_id)
    print(f"Cup #{cup_id}, lad={cup.lad}, ink={cup.ink} SKR, tab={tub.tab(cup_id)} SAI, safe={tub.safe(cup_id)}")

import sys
from web3 import Web3, HTTPProvider

from pymaker import Address
from pymaker.deployment import DssDeployment
from pymaker.keys import register_keys
from pymaker.numeric import Wad


web3 = Web3(HTTPProvider(endpoint_uri="https://localhost:8545",
                         request_kwargs={"timeout": 10}))
web3.eth.defaultAccount = sys.argv[1]   # ex:  0x0000000000000000000000000000000aBcdef123
register_keys(web3, [sys.argv[2]])      # ex: key_file=~keys/default-account.json,pass_file=~keys/default-account.pass

mcd = DssDeployment.from_json(web3=web3, conf=open("tests/config/kovan-addresses.json", "r").read())
our_address = Address(web3.eth.defaultAccount)


# Choose the desired collateral; in this case we'll wrap some Eth
collateral = mcd.collaterals['ETH-A']
ilk = collateral.ilk
collateral.gem.deposit(Wad.from_number(3)).transact()

# Add collateral and allocate the desired amount of Dai
collateral.approve(our_address)
collateral.adapter.join(our_address, Wad.from_number(3)).transact()
mcd.vat.frob(ilk, our_address, dink=Wad.from_number(3), dart=Wad.from_number(153)).transact()
print(f"CDP Dai balance before withdrawal: {mcd.vat.dai(our_address)}")

# Mint and withdraw our Dai
mcd.approve_dai(our_address)
mcd.dai_adapter.exit(our_address, Wad.from_number(153)).transact()
print(f"CDP Dai balance after withdrawal:  {mcd.vat.dai(our_address)}")

# Repay (and burn) our Dai
assert mcd.dai_adapter.join(our_address, Wad.from_number(153)).transact()
print(f"CDP Dai balance after repayment:   {mcd.vat.dai(our_address)}")

# Withdraw our collateral
mcd.vat.frob(ilk, our_address, dink=Wad(0), dart=Wad.from_number(-153)).transact()
mcd.vat.frob(ilk, our_address, dink=Wad.from_number(-3), dart=Wad(0)).transact()
collateral.adapter.exit(our_address, Wad.from_number(3)).transact()
print(f"CDP Dai balance w/o collateral:    {mcd.vat.dai(our_address)}")

from web3 import HTTPProvider
from web3 import Web3

from pymaker import Address, synchronize
from pymaker.numeric import Wad
from pymaker.sai import Tub
from pymaker.token import ERC20Token


web3 = Web3(HTTPProvider(endpoint_uri="http://localhost:8545"))

tub = Tub(web3=web3, address=Address(' 0x448a5065aebb8e423f0896e6c5d525c040f59af3'))
sai = ERC20Token(web3=web3, address=tub.sai())
skr = ERC20Token(web3=web3, address=tub.skr())

synchronize([sai.transfer(Address(' 0x0101010101020202020203030303030404040404'), Wad.from_number(1.5)).transact_async(),
             skr.transfer(Address(' 0x0303030303040404040405050505050606060606'), Wad.from_number(2.5)).transact_async()])

from web3 import HTTPProvider
from web3 import Web3

from pymaker import Address
from pymaker.approval import directly
from pymaker.numeric import Wad
from pymaker.sai import Tub
from pymaker.token import ERC20Token
from pymaker.transactional import TxManager


web3 = Web3(HTTPProvider(endpoint_uri="http://localhost:8545"))

tub = Tub(web3=web3, address=Address(' 0x448a5065aebb8e423f0896e6c5d525c040f59af3'))
sai = ERC20Token(web3=web3, address=tub.sai())
skr = ERC20Token(web3=web3, address=tub.skr())

tx = TxManager(web3=web3, address=Address(' 0x57bFE16ae8fcDbD46eDa9786B2eC1067cd7A8f48'))
tx.approve([sai, skr], directly())

tx.execute([sai.address, skr.address],
           [sai.transfer(Address(' 0x0101010101020202020203030303030404040404'), Wad.from_number(1.5)).invocation(),
            skr.transfer(Address(' 0x0303030303040404040405050505050606060606'), Wad.from_number(2.5)).invocation()]).transact()

import asyncio
from random import randint

from web3 import Web3, HTTPProvider

from pymaker import Address
from pymaker.gas import FixedGasPrice
from pymaker.oasis import SimpleMarket


web3 = Web3(HTTPProvider(endpoint_uri=f"http://localhost:8545"))
otc = SimpleMarket(web3=web3, address=Address(' 0x375d52588c3f39ee7710290237a95C691d8432E7'))


async def bump_with_increasing_gas_price(order_id):
    gas_price = FixedGasPrice(gas_price=1000000000)
    task = asyncio.ensure_future(otc.bump(order_id).transact_async(gas_price=gas_price))

    while not task.done():
        await asyncio.sleep(1)
        gas_price.update_gas_price(gas_price.gas_price + randint(0, gas_price.gas_price))

    return task.result()


bump_task = asyncio.ensure_future(bump_with_increasing_gas_price(otc.get_orders()[-1].order_id))
event_loop = asyncio.get_event_loop()
bump_result = event_loop.run_until_complete(bump_task)

print(bump_result)
print(bump_result.transaction_hash)

The Emergency Shutdown Process for Multi-Collateral Dai (MCD)

Introduction to the Emergency Shutdown Process

The Maker Protocol, which powers Multi-Collateral Dai (Dai), backs and stabilizes the value of Dai to a Target Price of 1 US Dollar, translating to a 1:1 US Dollar soft peg. The stabilization mechanism is handled through an autonomous system of smart contracts, a dynamic combination of Vaults, and appropriately incentivized external actors, such as Keepers.

Keepers play a critical role in maintaining the health of the system and Dai stability. In March 2020, the Maker Foundation underlined the need for a more developed Keeper ecosystem. An increase in Keeper participation would ultimately improve the health and function of the Maker Protocol. For more information on how to get a Keeper up and running, see this guide.

The Maker Protocol has an Emergency Shutdown (ES) procedure that can be triggered as a last resort to protect the system and its users against a serious threat or to facilitate a Protocol upgrade.

Overview of the Emergency Shutdown Process

Summary

Emergency Shutdown is intended to be triggered in the case of a system upgrade or serious emergencies, such as long-term market irrationality, a hack, or a security breach. When triggered, ES stops and shuts down the Maker Protocol while ensuring that all users, both Dai holders, and Vault users, receive the net value of assets they are entitled to under the Protocol’s smart contract logic. However, the value of Collateral that Dai holders can redeem may vary, depending on the system surplus or deficit at the time of ES. It is, therefore, possible that Dai holders will receive less or more than 1 USD worth of Collateral for 1 Dai.

The process of initiating ES is decentralized and controlled by MKR voters, who can trigger it by depositing MKR into the, a contract with the ability to call or by an Executive Vote. In the case of the ESM method, 50,000 MKR must be deposited into the ESM to trigger ES. Additionally, once users deposit MKR into the ESM, it is immediately burned. Whether through the ESM or Executive Vote method, when Cage is called, it must alter the behavior of almost every component of the system, as well as perform under a variety of possible undercollateralization scenarios.

The Implementation Properties of Emergency Shutdown

Dai no-race condition: Every Dai holder will be able to redeem the same relative quantity of collateral proportional to their Dai holdings, regardless of when they interact with the contract.
Vault Parity: Vault Owners are prioritized, allowing them to withdraw their excess Collateral before Dai holders are able to access Collateral.
- At the time of ES, individual Vaults, entire collateral types, or the Maker Protocol can be undercollateralized, which is when the value of debt exceeds the value of the Collateral ("negative equity"). Thus, the value of Collateral that Dai holders can redeem may vary, depending on the system surplus or deficit at the time of ES. It is, therefore, possible that Dai holders will receive less or more than 1 USD worth of Collateral for 1 Dai.

Dai and Collateral Redemption During Emergency Shutdown

Emergency Shutdown Process for Vault Owners

Vault owners can retrieve excess Collateral from their Vaults immediately after the initialization of ES. They can do this via Vault frontends, such as , that have ES support implemented, or via command-line tools.

Emergency Shutdown Process for Dai Holders

Dai holders can, after a waiting period (for processing) determined by MKR voters, barter their Dai for a relative pro-rata share of all types of Collateral in the system. The amount of Collateral that can be claimed during this period is determined by the Maker Oracles at the time ES is triggered. It's important to note that Dai holders will always receive the same relative pro-rata amount of Collateral from the system, whether their claims are among the first or last to be processed. The Maker Foundation will initially offer a web page for this purpose to make the process easier for Dai holders.

Why Emergency Shutdown Prioritizes Vault Owners Over Dai Holders

The prioritization of Vault Owners over Dai Holders during ES can be broken down into three main points:

Overcollateralized Vaults do not subsidize the Maker Protocol for undercollateralized Vaults during the current operation of the system, so it's consistent for ES to have the same behavior. The main difference is that a potential haircut is transferred from MKR holders to DAI holders, as no assumptions can be made about the value of MKR after a shutdown.
Giving priority to Vault owners to recover their excess Collateral (if their Vault is not undercollateralized) incentivizes them to maintain overcollateralization. This is important because the incentive remains even if an ES seems likely, which ultimately makes the Protocol more resilient.
Stability fees accrued pre-ES are not waived by ES. Vault owners may accept higher fees if they know they are protected from the collateralization levels of others, potentially resulting in a higher surplus during ES scenarios as well as allowing for a higher DSR during normal operation.

Auction Settlement During Emergency Shutdown

There is a time delay in the Emergency Shutdown that is determined by governance. The delay must expire before any exchange of Dai for Collateral can take place. The general guidance is that the delay should be long enough to ensure all auctions either finish or get skipped; but, there is no guarantee of this in the code. Importantly, anyone can cancel a collateral (Flip) auction at any time, whereas Surplus (Flap) and Debt (Flop) auctions are frozen by the initial calling of Cage. Both Flap and Flop auctions can be called to return the bids to the last bidder.

Note also that auction cancellation is not an immediate process, as ecosystem participants must cancel all ongoing collateral auctions to appropriate the Collateral and return it to the collateral pool. This allows for faster processing of the auctions at the expense of more processing calls. As for the surplus and debt auctions, they must also be called. If no one calls these functions, the auctions will not be canceled.

Emergency Shutdown Intentions

Emergency Shutdown may take two main forms. For one, ES may be triggered, and the system is terminated without a future plan for redeployment. This allows users to claim excess Collateral or claim Collateral from their Dai.

On the other hand, Emergency Shutdown may be initiated with a Redeployment Scenario. This situation may arise when the system has been triggered into a shutdown event. Still, MKR token holders, or a third party, have decided to redeploy the system with necessary changes to rerun the system. This will allow users to open new Vaults and have a new Dai token while claiming Collateral from the old system.

How Emergency Shutdown Affects Users

During an Emergency Shutdown, each of the various Maker Ecosystem Stakeholders should act accordingly:

Dai Holders

If your wallet has the viable interface to claim Collateral or migrate your Dai, or it has a Dapp browser built into it, you may use the to claim Collateral and/or migrate. If your wallet does not support the above functionality, you must transfer your Dai to a new wallet that enables the functionality before proceeding to use the .

Vault Owners

If you use to manage your Vault, proceed to the and follow the outlined emergency redemption process.

If you are a user of a third-party interface, such as or , verify that they have Emergency Shutdown Interfaces built-in before proceeding. If so, use their interface to claim the excess Collateral or migrate to a newly deployed system. If the third-party provider does not have the redemption process built-in, transfer to the if possible.

MKR Holders

MKR holders may vote on polls and executive votes as it relates to the Emergency Shutdown triggering process. This is done in the Emergency Shutdown Module (ESM) frontend or directly through the . Additionally, MKR holders may also vote as it relates to a future redeployment of the Maker Protocol on the .

Centralized Exchange or Custodial Wallet

In the case of Emergency Shutdown, service providers may follow the actions recommended below.

Recommended Procedure

Alert users to the current situation and provide guidance on the right action(s) to take. Depending on the ES scenario, Shutdown, or redeployment, advise them to act accordingly.
Give users options to withdraw their Dai/MKR from the exchange, or inform them that the exchange/wallet will handle the Emergency Shutdown process on their behalf.

Scenario: Shutdown

Choose one of the following options:
- Option 1: Let users withdraw Dai and MKR from the platform, and then guide them to the for the redemption process.
- Option 2: Claim Dai equivalent in Collateral on behalf of users using the .

Scenario: Redeployment

Migrate Dai holdings to new Dai token on behalf of users using the .
Alternatively, carry out-migration by interacting directly with the migration contracts using CLI tools. See .
If applicable, migrate MKR token holdings on behalf of users using the

Non-Custodial Wallet

In case of Emergency Shutdown, non-custodial wallet providers should alert your user base about ES and provide public links for more information. You may follow the recommended procedures listed below in the case of Emergency Shutdown.

Recommended Procedure

Scenario: Shutdown
- Redirect users to the to claim their Dai equivalent in Collateral, or create an interface to handle the process locally.
Scenario: Redeployment

Decentralized Exchanges (DEXs)

As a decentralized exchange, you can inform users with a banner about the current status of the Maker Protocol and direct them toward relevant communication channels to find out more. You may choose one of the two following options to allow your users to carry out the ES redemption process:

Direct them to the , where they can start the claiming process for their Dai.
Build an interface to handle the ES process on your platform, inform your users, and have them act accordingly.

Recommended Procedure:

Scenario: Shutdown
- Inform users to claim equivalent value of Dai in Collateral on the or create an interface to handle the process locally.
Scenario: Redeployment

Dapp Browsers

As a dapp browser, please make sure to alert your user base about ES and provide links to more information (e.g., or). In case of either an emergency system shutdown or system redeployment after ES is triggered, redirect your users to the to claim their Collateral.

Vault Integrators

As a Vault integrator, it is very important that you integrate with Maker Protocol contracts (more specifically, end.sol). This crucial integration will allow you to quickly create a reactive logic that will handle the post-ES process for your users. If you are a custodial service, such as a centralized exchange, please inform your users in advance about your plan on handling the Emergency Shutdown event. You may follow the recommended procedures listed below in the case of Emergency Shutdown.

Recommended Procedure

Scenario: Shutdown
- Claim users’ funds through the or by direct interaction with the migration contracts, and make them available in their accounts.
Scenario: Redeployment

As a non-custodial Vault integrator, please make sure to integrate with the Maker Protocol contracts (end.sol). This allows you to be notified at the exact moment the Shutdown has been triggered. Otherwise, it is suggested that you inform your users on how they can free Collateral in Vaults. This can either be done in the non-custodial Vault integrator’s UI or you can direct them to if the users need to migrate their Vault. If you do decide to use your own services, you will need a UI that allows users to withdraw their Vaults from a proxy contract so it shows up on the . Direct your users there. Alternatively, you may create an interface that will help users migrate their Dai in case of a new redeployment, or allow users to claim their Collateral in case of an only shutdown scenario.

Decentralized Applications (Dapps)

Dapps are suggested to integrate with Maker Protocol contracts (end.sol), which effectively provides a notification system that shows if Emergency Shutdown has been triggered. In terms of preparation, when ES has been triggered, have the following ready for your users:

A UI interface that alerts and informs users about the event.
If your Dapp uses a proxy, you will need to enable users to exit from the proxy in order to use the migration app/portal.
Provide official communication channels for more information as well as a link to the for Dai and Vault redemption.

Custodial Services

If you control access to the smart contracts backing your Dapp, it is suggested to allow your users to retrieve Dai or access their Vaults from their personal wallet as well as direct them to the for the ES redemption process. Alternatively, you may claim Dai collateral or claim excess Collateral from Vaults on behalf of your users at the, and proceed to distribute it to your users, ensuring that they successfully retrieve it.

Non-Custodial Services

If you don’t control the smart contracts backing your Dapp directly, then you may direct your users to the for Dai and Vault redemption. Alternatively, you may create an interface that allows your users to claim a Dai equivalent in Collateral, or claim excess Collateral from Vaults in case of a system shutdown. Additionally, if there's a redeployment of the system, migrate Dai to the new redeployed system and/or claim excess Collateral from Vaults.

Market Makers

As a market maker during ES, you may provide liquidity in the market so that Dai holders can exchange their Dai for other assets. After there is no market to cover, you can act as a Dai holder and start migrating Dai to new Dai in case of system redeployment or claim equivalent Dai collateral in case of a system-wide shutdown.

Detailed Description of the Emergency Shutdown Mechanism for MCD

This is an involved and stateful process that involves the following 9 steps.

1. Locking the System and Initiating Shutdown of the Maker Protocol (aka Caging the System)

Locking the prices down for each collateral type is done by freezing the following user entry points:

Vault creation
Surplus/Debt Auctions
Dai Savings Rate (DSR)
Governance entry points

Next, the system will stop all of the current debt/surplus auctions, allowing individual auctions to be canceled by calling a function that moves the first phase of a collateral auction to the End. This process is completed by retrieving the Collateral and repaying Dai to the highest bidder of the respective auction contract. One reason these auctions are frozen and canceled is that the Emergency Shutdown process is designed to pass along the system surplus or system debt to Dai holders. In general, there are no guarantees regarding the value of MKR during a Shutdown and the mechanisms that typically rely on MKR's market value cannot be relied upon, ultimately resulting in there being no reason to keep running the auctions that impact MKR supply. More specifically, the reasons debt and surplus auctions get canceled are as follows:

Surplus auctions no longer serve their purpose. This is because, after a shutdown, the surplus is designed to be allocated to Dai holders. Thus, canceling surplus auctions during Shutdown allows the system to return the surplus Dai back to the Settlement engines balance and ultimately back to Dai holders.
Debt auctions also stop serving their purpose. This is because the bad debt is passed as a haircut (lower-than-market-value placed on an asset being used as Collateral in a Vault) back to Dai holders if there is no other system surplus available.

As for collateral auctions, they are not immediately canceled (but can be canceled by any user) because they are still tied to the valuable Collateral in the system. Collateral auctions continue to run, and Keepers can continue to bid on them. If there are no bidders, the live auctions can also be canceled.

Despite the fact that auctions can continue to run, this does not guarantee that all of the remaining Vaults are overcollateralized. There is also nothing to prevent the undercollateralized and unbitten Vaults from existing at the moment cage is called.

During this time, the function that adds the debt (total Dai wanted from the auction) cannot be called, as the function requires the system to be running normally, disabling liquidations after Shutdown. Additionally, after the End begins, all Vaults must be settled at the tagged price, and then the remaining Collateral from a settled Vault must be removed.

Overall, this results in collateral auctions being able to continue during Shutdown or by having them reversed by a user by canceling live auctions (similar logic to the surplus auctions). If an auction is canceled, the bids are returned to bidders, and Collateral is returned to the original Vault (with the liquidation penalty applied in the form of increased debt).

Notes regarding collateral auctions:

End moves the first phase of collateral auctions to the End by retrieving the Collateral and repaying Dai to the highest bidder.
The second phase of auctions allows bids to be made, while decreasing the quantity up for auction. During this phase, completed auctions are settled as they have already raised the necessary Dai and are already in the process of returning the Collateral to the original Vault holder.

Other Notes:

MKR could still have value if the current MKR token is tied to another deployment of the system. Note that the system makes no assumptions about the economic value of MKR post-Shutdown.
It is important to note that on-auction debt and surplus are canceled, and balances are transferred to the End contract. The last step in this process is to begin the cooldown period.

2. Setting the Final Prices for the Collateral Types in the Maker Protocol

This process is completed by setting the system shutdown price for each collateral type. The final prices are determined by reading the price feeds from the Maker Oracles. This is required, as the system must first process the system state before it is possible to calculate the final Dai/collateral price. In particular, we need to determine two things:

(a) The shortfall per collateral type considering undercollateralized Vaults.

(b) The total quantity of Dai issued (total debt), which is the outstanding Dai supply after including the system surplus/deficit.

Firstly, this is determined (a) by processing all Vaults with a function that cancels owed Dai from the Vault (described below). Next, (b) unfolds as described below.

3. Settling Vaults at the Final Price by Canceling Owed Dai

Next, the system will allow for the canceling of all the owed Dai from the Vault(s) in the system. Any excess collateral remains within the Vault(s) for the owner(s) to claim. Then, the backing collateral is taken.

Next, the debt is determined (b) by processing the ongoing Dai generation operations of the auctions. Processing the ongoing Dai generation ensures that the auctions will not generate any further Dai income. This guarantees that ongoing auctions will not change the total debt of the system, which also includes the two-way auction (collateral auction) model not allowing for any more Dai to be generated. Due to this, the Dai generation comes from the first phase of collateral auctions. Thus, if everything is in the second phase of an auction (bidding on the decreasing quantity up for auction), we know the generation is over. Generation is over when all auctions are in the reverse/second phase. In addition to ensuring that the auctions will not generate any further Dai, the Dai Savings Rate (DSR) must also be shut off during the End so that the total debt does not change.

Example:

In terms of user scenarios, the process begins with users bidding more and more Dai until the debt is covered. Next, they start offering less and less Collateral.

The auctions that are in the second phase (reverse auctions) no longer affect any more of the total debt, as the Dai was already recovered. Lastly, for the auctions in the first phase, they can be canceled, and the Collateral and debt returned to the Vault.

One of two methods can ensure that Collateral and debt are returned to the Vault:

The processing cooldown duration (length of the debt queue); or
By canceling live auctions.

4. Using the Cooldown Period or Canceling Live Auctions

Set the cooldown period. The duration of the cooldown period only needs to be long enough to cancel owed Dai from the undercollateralized Vaults, and cancel the live first phase auctions. This means that it can, in fact, be quite short (i.e., 5 minutes). However, due to the possibility of scenarios such as network congestion occurring, it may be set longer.
Canceling a live auction will cancel all ongoing auctions and seize the Collateral. This allows for faster processing of the auctions at the expense of more processing calls. This option allows Dai holders to retrieve their Collateral much faster. The next procedure is to cancel each of the individual Collateral (Flip) auctions in the forward first phase auctions and retrieve all of the Collateral and return Dai to the bidder. After this occurs, the second phase—reverse auctions—can continue as they usually would, by setting the cooldown period or canceling the live auctions.

Note that both of these options are available in this implementation, with the canceling of the live auctions being enabled on a per-auction basis. When a Vault has been processed and has no debt remaining, the remaining Collateral can be removed.

5. Removing the Remaining Collateral from a Settled Vault (Only After There is no Debt in the Vault)

Next, the system will remove the Collateral from the Vault. After the Vaults have been settled at the set final price and the owed Dai from the Vault has been canceled, the Vault owner can call this process as needed. It will remove all of the Collateral remaining after step 3—basically, all of the Collateral that was not backing the debt. If the user did not have debt in a Vault at the time of the End, he can bypass steps 3 and 4 and can proceed directly to this step to free his Collateral.

6. Stabilizing the Total Outstanding Supply of Dai

After the processing period has elapsed, the calculation of the final price for each collateral type is possible using the thaw function. The assumption is that all under-collateralized Vaults are processed, and all auctions have unwound. The purpose of this function is to stabilize the total outstanding supply of Dai. Note that it may also require extra Vault processing to cover the system's surplus. Checking that the amount of Dai surplus in the core Vault engine is 0 is a requirement during this phase. This requirement is what guarantees that the system surplus has been taken into account. Furthermore, this means that before you can stabilize the total outstanding supply of Dai, you must cancel the owed Dai from as many Vaults as needed to cancel any Dai surplus in the Vow. Canceling Dai surplus is done by canceling out the surplus and debt in the system's balance sheet before you can stabilize the total outstanding supply of Dai.

7. Calculating the Fixed Price for a Collateral Type, Possibly Adjusting the Final Collateral Price with Surplus/Deficit

In this step, the calculation of the exchange price for a given collateral type is determined, as well as the potential adjustment of that final exchange price in the case of deficit/surplus. At this point in the mechanism, the final price for each collateral type has been computed; Dai holders can now turn their Dai into Collateral. Each unit of Dai can claim a fixed basket of Collateral. Dai holders must first lock their Dai so that they can be ready to exchange it for Collateral. Once the Dai is locked, it cannot be unlocked and is not transferable. More Dai can be locked later, as well.

8. Locking Dai and Exchanging it for Collateral

This step is when Collateral is dispensed to the Dai holders who have already locked their Dai in to be exchanged. The larger the amount of Dai locked in, the more Collateral can be released to the Dai holders.

9. Exchanging the Locked Dai for Collateral (Proportional to the Amount Locked)

Lastly, the system will allow the exchange of some of the Dai that has been locked for specific collateral types. Note that the number of collateral tokens will be limited by how much locked Dai users have.

Getting Support

Rocket Chat Channels

. Support channels include but are not limited to:
- #general
- #dev

MCD Glossaries

A list of words, terms, variables, functions and more relating to the Maker Protocol

1. MCD General Glossary of Terms

2. MCD Core Smart Contracts Glossary:

General

guy, usr: some address
wad: some quantity of tokens, usually as a fixed point integer with 18 decimal places.
ray: a fixed point integer, with 27 decimal places.

Auth

auth: check whether an address can call this method
ward: an address that is allowed to call auth'ed methods
rely: allow an address to call auth'ed methods

Vat (Vault Engine)

gem: collateral tokens.
dai: stablecoin tokens.
sin: unbacked stablecoin (system debt, not belonging to any urn).

Note: art and Art represent normalized debt, i.e. a value that when multiplied by the correct rate gives the up-to-date, current stablecoin debt.

Accounting

debt: the sum of all dai (the total quantity of dai issued).
vice: the sum of all sin (the total quantity of system debt).
ilk.Art

Collateral

gem: can always be transferred to any address by it's owner.

Dai

dai: can only move with the consent of it's owner / can always be transferred to any address by it's owner.

Other

LogNote: a general purpose log that can be added to any function from a contract.

Jug (Stability Fees)

Structs

Ilk: contains two uint256 values—duty, the collateral-specific risk premium, and rho, the timestamp of the last fee update

VatLike: mock contract to make Vat interfaces callable from code without an explicit dependency on the Vat contract itself

Storage

wards: mapping(address => uint) that indicates which addresses may call administrative functions

ilks: mapping (bytes32 => Ilk) that stores an Ilk struct for each collateral type

vat: a VatLike that points the the system's contract

vow: the address of the Vow contract

base: a uint256 that specifies a fee applying to all collateral types

Administrative

These methods require wards[msg.sender] == 1 (i.e. only authorized users may call them).

rely/deny: add or remove authorized users (via modifications to the wards mapping)

init(bytes32): start stability fee collection for a particular collateral type

file(bytes32, bytes32, uint): set duty for a particular collateral type

file(bytes32, data): set the base value

file(bytes32, address): set the vow value

Fee Collection Methods

drip(bytes32): collect stability fees for a given collateral type

Cat (Liquidations)

mat: the liquidation ratio
chop: the liquidation penalty
lump: the liquidation quantity, i.e. the fixed debt quantity to be covered by any one liquidation event

Vow (Settlement)

sin: the system debt queue.
Sin: the total amount of debt in the queue.
Ash: the total amount of on-auction debt.

Other terms included in Vow documentation:

move: transfers stablecoin between users.
kick: starts an auction.
woe: indicates specifically bad debt, or be used as a variable name for any amount of debt.

Flipper (Collateral Auctions)

wards [usr: address], rely/deny/auth: Auth mechanisms
Bid: State of a specific Auction {bid, lot, guy

Flapper (Surplus Auctions)

Flap: surplus auction (selling stablecoins for MKR) [contract]
wards [usr: address]: rely/deny/auth Auth Mechanisms [uint]

Flopper (Debt Auctions)

flop: debt auction (covering debt by inflating MKR and selling for stablecoins)
lot: quantity up for auction / gems for sale (MKR)
guy: high bidder (address)

End (Global Settlement / Shutdown)

cage: Locks the system and initiates shutdown. This is done by freezing the user-facing actions, canceling flap and flop auctions, locking the rest of the system's contracts, disabling certain governance actions that could interfere with the settlement process, and starting the cool-down period.

cage(ilk): Tags the Ilk prices / Sets the final price for an ilk (tag).

skim: Settles a Vault at the tagged price / Cancels owed Dai from the Vault

free: Remove (remaining) collateral from a settled Vault. This occurs only after there is no debt in the Vault.

thaw: Fixes the Dai supply after all Skims / Fixes the total outstanding supply of stablecoin.

flow: Calculates the fixed price for an ilk, possibly adjusting the cage price with surplus/deficit.

pack: Locks Dai ahead of Cash / Puts some stablecoin into a bag in preparation for cash.

cash: Exchange packed Dai for collateral / Exchange some Dai from bag for a given gem, share proportional to bag size.

file: The Governance configuration—sets various parameter values.

skip: optionally cancel live auctions.

Other

wards(usr: address): Auth Mechanism

vat: Vat contract

cat: Cat contract

vow: Vow contract

spot: Spotter contract

live: Cage flag

"Live" contracts have live = 1, indicating the system is running normally. Thus, when cage() is invoked, it sets the flag to 0. This includes the End contract, which means that cage() can only be invoked once and the subsequent functions cannot be invoked until we are "dead" and in the End process

ilk: A collateral type

when: Time of cage / the time of settlement.

wait: Processing cooldown duration / the length of processing cooldown.

debt: Outstanding Dai after processing / outstanding stablecoin supply, after system surplus/deficit has been absorbed.

tag: Cage price / price per collateral type at time of settlement.

gap: Collateral shortfall / shortfall per collateral considering undercollateralised Vaults.

Art: Total debt per Ilk/outstanding stablecoin debt.

fix: Final cash price / the cash price for an ilk (amount per stablecoin).

bag(usr: address): Dai packed for cash / nontransferable stablecoins ready to exchange for collateral.

out: Cash out / the amount of already exchanged stablecoin for a given address.

skip: Optionally cancel live auctions.

wad: Some quantity of tokens, usually as a fixed point integer with 10^18 decimal places.

urn: A specific Vault.

tend: To make a bid, increasing the bid size.

bid: The quantity being offered for the lot.

lot: The quantity up for auction.

dent: To make a bid, decreasing the lot size.

Join (Token Adapters)

vat: storage of the Vat’s address.
ilk: id of the Ilk for which a GemJoin is created for.
gem

Cat (Liquidations)

mul(uint, uint)/rmul(uint, uint): will revert on overflow or underflow
bite(bytes32, address): will revert if lot or art are larger than or equal to 2^255.

Events

Bite: emitted when a bite(bytes32, address) is successfully executed. Contains:
- ilk: Collateral
- urn

Spot (Oracles and Contracts Liaison)

ilk: a given collateral type
ilk.pip: the contract which holds the current price of a given ilk
ilk.mat: the liquidation ratio for a given ilk

Collateral

Only authorized users can update any variables in contract

Pot (Savings Dai)

Math

mul(uint, uint), rmul(uint, uint), add(uint, uint)& sub(uint, uint): will revert on overflow or underflow
rpow(uint x, uint n, uint base): used for exponentiation in drip, is a fixed-point arithmetic function that raises x to the power n

Auth

wards: are allowed to call protected functions (Administration)

Storage

pie: stores the address' Pot balance.
Pie: stores the total balance in the Pot.
dsr

Dai (Stablecoin)

name: Dai Stablecoin

symbol: DAI

version: 1

decimals: 18

wad: fixed point decimal with 18 decimals (for basic quantities, e.g. balances).

totalSupply: Total DAI Supply

balanceOf(usr: address): User balance

allowance(src: address, dst: address): Approvals

nonces(usr: address): Permit nonce

Auction Keeper Bot Setup Guide

Walkthrough how to set up your own Auction Keeper

Level: Intermediate

Estimated Time: 60 minutes

Audience: Developers

Overview

Seeking out opportunities and starting new auctions
Detect auctions started by other participants
Bid on auctions by converting token prices into bids

More specifically, Keepers participate as bidders in the Debt and Collateral Auctions when Vaults are liquidated and auction-keeper enables the automatic interaction with these MCD auctions. This process is automated by specifying bidding models that define the decision making process, such as what situations to bid in, how often to bid, how high to bid etc. Note that bidding models are created based on individually determined strategies.

Learning Objectives

This guide's purpose is to provide a walkthrough of how to use auction-keeper and interact with a Kovan deployment of the Multi Collateral Dai (MCD) smart contracts. More specifically, the guide will showcase how to set up and run an Auction Keeper bot for yourself. After going through this guide, you will achieve the following:

Learn about Auction Keepers and how they interact with the Maker Protocol
Understand bidding models
Get your own auction keeper bot running on the Kovan testnet

Guide Agenda

This guide will show how to use the auction-keeper to interact with the Kovan deployment of the MCD smart contracts. More specifically, the guide will showcase how to go through the following stages of setting up and running an Auction Keeper bot:

Introduction
Bidding Models
- Starting and stopping bidding models
- Communicating with bidding models

We are proud to say that since the Maker Protocol is an open-source platform, all of the code we have created to run the Keeper bot is free and accessible to all.

1. Introduction

Auction Keepers participate in auctions as a result of liquidation events and thereby acquire collateral at attractive prices. An auction-keeper can participate in three different types of auctions:

Auction Keepers have the unique ability to plug in external bidding models, which communicate information to the Keeper on when and how high to bid (these types of Keepers can be left safely running in the background). Shortly after an Auction Keeper notices or starts a new auction, it will spawn a new instance of a bidding model and act according to its specified instructions. Bidding models will be automatically terminated by the Auction Keeper the moment the auction expires.

Note:

Auction Keepers will automatically call deal (claiming a winning bid / settling a completed auction) if the Keeper's address won the auction.

Auction Keeper Architecture

As mentioned above, Auction Keepers directly interact with Flipper, Flapper and Flopper auction contracts deployed to the Ethereum mainnet. All decisions which involve pricing details are delegated to the bidding models. The Bidding models are simply executable strategies, external to the main auction-keeper process. This means that the bidding models themselves do not have to know anything about the Ethereum blockchain and its smart contracts, as they can be implemented in basically any programming language. However, they do need to have the ability to read and write JSON documents, as this is how they communicate/exchange with auction-keeper. It's important to note that as a developer running an Auction Keeper, it is required that you have basic knowledge on how to properly start and configure the auction-keeper. For example, providing startup parameters as keystore / password are required to setup and run a Keeper. Additionally, you should be familiar with the MCD system, as the model will receive auction details from auction-keeper in the form of a JSON message containing keys such as lot, beg, guy, etc.

Simple Bidding Model Example:

A simple bidding model could be a shell script which echoes a fixed price (further details below).

The Purpose of Auction Keepers

The main purpose of Auction Keepers are:

To discover new opportunities and start new auctions.
To constantly monitor all ongoing auctions.
To detect auctions started by other participants.
To Bid on auctions by converting token prices into bids.

The auction discovery and monitoring mechanisms work by operating as a loop, which initiates on every new block and enumerates all auctions from 1 to kicks. When this occurs, even when the bidding model decides to send a bid, it will not be processed by the Keeper until the next iteration of that loop. It's important to note that the auction-keeper not only monitors existing auctions and discovers new ones, but it also identifies and takes opportunities to create new auctions.

2. Bidding Models

Starting and Stopping Bidding Models

Auction Keeper maintains a collection of child processes, as each bidding model is its own dedicated process. New processes (new bidding model instances) are spawned by executing a command according to the --model command-line parameter. These processes are automatically terminated (via SIGKILL) by the keeper shortly after their associated auction expires. Whenever the bidding model process dies, it gets automatically re-spawned by the Keeper.

Example:

Communicating with bidding models

Auction Keepers communicate with bidding models via their standard input/standard output. Once the process has started and every time the auction state changes, the Keeper sends a one-line JSON document to the standard input of the bidding model.

A sample JSON message sent from the keeper to the model looks like the:

Glossary (Bidding Models):

id - auction identifier.
flipper - Ethereum address of the Flipper contract (only for flip auctions).
flapper

Bidding models should never make an assumption that messages will be sent only when auction state changes. It is perfectly fine for the auction-keeper to periodically send the same message(s) to bidding models.

At the same time, the auction-keeper reads one-line messages from the standard output of the bidding model process and tries to parse them as JSON documents. It will then extract the two following fields from that document:

price - the maximum (for flip and flop auctions) or the minimum (for flap auctions) price the model is willing to bid.
gasPrice (optional) - gas price in Wei to use when sending a bid.

An example of a message sent from the Bidding Model to the Auction Keeper may look like:

In the case of when Auction Keepers and Bidding Models communicate in terms of prices, it is the MKR/DAI price (for flap and flop auctions) or the collateral price expressed in DAI for flip auctions (for example, OMG/DAI).

Any messages written by a Bidding Model to stderr (standard error) will be passed through by the Auction Keeper to its logs. This is the most convenient way of implementing logging from Bidding Models.

3. Setting up the Auction Keeper Bot (Installation)

Prerequisite

Git
- This project requires

Getting Started

Installation from source:

Clone the auction-keeper repository:

Switch into the auction-keeper directory:

Install required third-party packages:

Set up the virtual env and activate it:

5. Install requirements:

Potential Errors:

Needing to upgrade pip version to 19.2.2:
- Fix by running pip install --upgrade pip.

For other known Ubuntu and macOS issues please visit the README.

4. Running your Keeper Bot

The Kovan version runs on the

To change to your chosen version of the kovan release, copy/paste your preferred contract addresses in kovan-addresses.json in lib/pymaker/config/kovan-addresses.json

1. Creating your bidding model (an example detailing the simplest possible bidding model)

The stdout (standard output) provides a price for the collateral (for flip auctions) or MKR (for flap and flop auctions). The sleep locks the price in place for a minute, after which the keeper will restart the price model and read a new price (consider this your price update interval).

The simplest possible bidding model you can set up is when you use a fixed price for each auction. For example:

Once you have created your bidding model, save it as model-eth.sh (or whatever name you feel seems appropriate).

2. Setting up an Auction Keeper for a Collateral (Flip) Auction

Collateral Auctions will be the most common type of auction that the community will want to create and operate Auction keepers for. This is due to the fact that Collateral auctions will occur much more frequently than Flap and Flop auctions.

Example (Flip Auction Keeper):

This example/process assumes that the user has an already existing shell script that manages their environment and connects to the Ethereum blockchain and that you have some Dai and Kovan ETH in your wallet. If you don't have any balance, check the section below on how to get some.

An example on how to set up your environment: as my_environment.sh

SERVER_ETH_RPC_HOST - Should not be an infura node, as it doesn't provide all the functionality that the python script needs ACCOUNT_KEY - Should have the absolute path to the keystore and password file. Define the path as shown above, as the python script will parse through both the keystore and password files.

Once finalized, you should save your script to run your Auction Keeper as flip-eth-a.sh (or something similar to identify that this Auction Keeper is for a Flip Auction). In addition, make sure to verify the above copy+pasted script doesn't create extra spaces or characters on pasting+saving in your editor. You will notice an error when running it later below otherwise.

Important Note about Running Auction Keepers on the Ethereum Mainnet!

If you get to the point where the auction keeper bot is not accepting mainnet as a valid argument, this is because there is no network parameter. To fix this, just omit that parameter.

Other Notes:

All Collateral types (ilk's) combine the name of the token and a letter corresponding to a set of risk parameters. For example, as you can see above, the example uses ETH-A. Note that ETH-A and ETH-B are two different collateral types for the same underlying token (WETH) but have different risk parameters.
For the MCD addresses, we simply pass --network mainnet|kovan in and it will load the required JSON files bundled within auction-keeper (or pymaker).

3. Passing the bidding the model as an argument to the Keeper script

Confirm that both your bidding model (model-eth.sh) and your script (flip-eth-a.sh) to run your Auction Keeper are saved.
The next step is to chmod +x both of them.
Lastly, run flip-eth-a.sh model-eth.sh to pass your bidding model into your Auction Keeper script.

Example of a working keeper: After running the ./flip-eth-a.sh model-eth.sh command you will see an output like this:

Now the keeper is actively listening for any action. If it sees an undercollateralized position, then it will try to bid for it.

Auction Keeper Arguments Explained

To participate in all auctions, a separate keeper must be configured for flip of each collateral type, as well as one for flap and another for flop.

--type - the type of auction the keeper is used for. In this particular scenario, it will be set to flip.
--ilk - the type of collateral.
--addresses - .json of all of the addresses of the MCD contracts as well as the collateral types allowed/used in the system.

Call bin/auction-keeper --help for a complete list of arguments.

Auction Keeper Limitations

If an auction starts before the auction Keeper has started, the Keeper will not participate in the auction until the next block has been mined.
Keepers do not explicitly handle global settlement (End). If global settlement occurs while a winning bid is outstanding, the Keeper will not request a yank to refund the bid. The workaround is to call yank directly using seth.

5. Accounting

The Auction contracts exclusively interact with DAI (for all auctions types) and collateral (for flip auctions) in the Vat. More explicitly speaking:

The DAI that is used to bid on auctions is withdrawn from the Vat.
The Collateral and surplus DAI won at auction end is placed in the Vat.

By default, all the DAI and collateral within your eth-from account is exit'ed from the Vat and added to your account token balance when the Keeper is shut down. Note that this feature may be disabled using the keep-dai-in-vat-on-exit and keep-gem-in-vat-on-exit switches, respectively. The use of an eth-from account with an open CDP is discouraged, as debt will hinder the auction contracts' ability to access your DAI, and the auction-keeper's ability to exit DAI from the Vat.

When running multiple Auction Keepers using the same account, the balance of DAI in the Vat will be shared across all of the Keepers. If using this feature, you should set --vat-dai-target to the same value for each Keeper, as well as sufficiently high in order to cover total desired exposure.

Note:

MKR used to bid on flap auctions is directly withdrawn from your token balance. The MKR won at flop auctions is directly deposited to your token balance.

Getting Kovan MCD DAI, MKR and other Collateral tokens

1. Getting MCD K-DAI (K-MCD 0.2.12 Release)

Contract address: 0xb64964e9c0b658aa7b448cdbddfcdccab26cc584

Log into your MetaMask account from the browser extension. Add or confirm that the custom MCD K-DAI token is added to your list of tokens.
- This done by selecting "Add Token" and then by adding in the details under the "Custom token" option.
Head to Oasis Borrow .

After all of these steps have been completed, you will have the generated MCD K-DAI and it will be present within your wallet. You can easily payback your DAI or generate more.

2. Getting MCD K-MKR (K-MCD 1.0.2 Release)

Contract address: 0xaaf64bfcc32d0f15873a02163e7e500671a4ffcd

This requires familiarity with Seth as well as having the tool set up on your local machine. If unfamiliar, use guide to install and set it up.

Run the following command in Seth:

Address information:

The 0x94598157fcf0715c3bc9b4a35450cce82ac57b20 address is the faucet that issues 1 MKR per request.
The 0xaaf64bfcc32d0f15873a02163e7e500671a4ffcd address is that of the MCD K-MKR token. It will issue 1 MKR.

Important Note: The faucet address and token addresses often change with each dss deployment. The current addresses displayed above are from the 0.2.12 Release. Please visit for the most updated release version.

Please refer to this to obtain collateral test tokens for Kovan.

3. Getting MCD Collateral Tokens

6. Testing your Keeper

To help with the testing of your Auction Keeper, we have created a collection of python and shell scripts herein that may be used to test auction-keeper, pymaker's auction facilities, and relevant smart contracts in dss. For more information about testing your Auction Keeper with your own testchain visit .

7. Support

We welcome any questions or concerns about the Auction Keepers in the channel in the Maker Chat.

art

urn

ilk

tic

end

usr

gal

tab

Bid: State of a specific Auction[Bid]

ilk

bite: will not leave a Vault with debt and no collateral.

dai savings rate

1

ONE = 10^27

Flapper

flap

{"id": "6", "flapper": " 0xf0afc3108bb8f196cf8d076c8c4877a4c53d4e7c ", "bid": "7.142857142857142857", "lot": "10000.000000000000000000", "beg": "1.050000000000000000", "guy": " 0x00531a10c4fbd906313768d277585292aa7c923a ", "era": 1530530620, "tic": 1530541420, "end": 1531135256, "price": "1400.000000000000000028"}

SERVER_ETH_RPC_HOST=https://your-ethereum-node
SERVER_ETH_RPC_PORT=8545
ACCOUNT_ADDRESS=0x16Fb96a5f-your-eth-address-70231c8154saf
ACCOUNT_KEY="key_file=/Users/username/Documents/Keeper/accounts/keystore,pass_file=/Users/username/Documents/keeper/accounts/pass"

#!/bin/bash
dir="$(dirname "$0")"

source my_environment.sh  # Set the RPC host, account address, and keys.
source _virtualenv/bin/activate # Run virtual environment

# Allows keepers to bid different prices
MODEL=$1

bin/auction-keeper \
    --rpc-host ${SERVER_ETH_RPC_HOST:?} \
    --rpc-port ${SERVER_ETH_RPC_PORT?:} \
    --rpc-timeout 30 \
    --eth-from ${ACCOUNT_ADDRESS?:} \
    --eth-key ${ACCOUNT_KEY?:} \
    --type flip \
    --ilk ETH-A \
    --from-block 14764534 \
    --vat-dai-target 1000 \
    --model ${dir}/${MODEL} \
    2> >(tee -a -i auction-keeper-flip-ETH-A.log >&2)

019-10-31 13:33:08,703 INFO     Keeper connected to RPC connection https://parity0.kovan.makerfoundation.com:8545
2019-10-31 13:33:08,703 INFO     Keeper operating as 0x16Fb96a5fa0427Af0C8F7cF1eB4870231c8154B6
2019-10-31 13:33:09,044 INFO     Executing keeper startup logic
2019-10-31 13:33:09,923 INFO     Sent transaction DSToken('0x1D7e3a1A65a367db1D1D3F51A54aC01a2c4C92ff').approve(address,uint256)('0x9E0d5a6a836a6C323Cf45Eb07Cb40CFc81664eec', 115792089237316195423570985008687907853269984665640564039457584007913129639935) with nonce=1257, gas=125158, gas_price=default (tx_hash=0xc935e3a95e5d0839e703dd69b6cb2d8f9a9d3d5cd34571259e36e771ce2201b7)
2019-10-31 13:33:12,964 INFO     Transaction DSToken('0x1D7e3a1A65a367db1D1D3F51A54aC01a2c4C92ff').approve(address,uint256)('0x9E0d5a6a836a6C323Cf45Eb07Cb40CFc81664eec', 115792089237316195423570985008687907853269984665640564039457584007913129639935) was successful (tx_hash=0xc935e3a95e5d0839e703dd69b6cb2d8f9a9d3d5cd34571259e36e771ce2201b7)
2019-10-31 13:33:13,152 WARNING  Insufficient balance to maintain Dai target; joining 91.319080635247876480 Dai to the Vat
2019-10-31 13:33:13,751 INFO     Sent transaction <pymaker.dss.DaiJoin object at 0x7fa6e91baf28>.join('0x16Fb96a5fa0427Af0C8F7cF1eB4870231c8154B6', 91319080635247876480) with nonce=1258, gas=165404, gas_price=default (tx_hash=0xcce12af8d27f9d6185db4b359b8f3216ee783250a1f3b3921256efabb63e22b0)
2019-10-31 13:33:16,491 INFO     Transaction <pymaker.dss.DaiJoin object at 0x7fa6e91baf28>.join('0x16Fb96a5fa0427Af0C8F7cF1eB4870231c8154B6', 91319080635247876480) was successful (tx_hash=0xcce12af8d27f9d6185db4b359b8f3216ee783250a1f3b3921256efabb63e22b0)
2019-10-31 13:33:16,585 INFO     Dai token balance: 0.000000000000000000, Vat balance: 91.319080635247876480133691494546726938904901298
2019-10-31 13:33:16,586 INFO     Watching for new blocks
2019-10-31 13:33:16,587 INFO     Started 1 timer(s)

Market Maker Keeper Bot Setup Guide

A Marketing Making Bot Set up Guide

Level: Intermediate

Estimated Time: 60 minutes

Audience: Developers

Guide Agenda

Introduction
Prerequisites
Installation
Testing
Bands and Bands Configuration
1. Example
Order Rate Limitation
Data Templating Language
Price Feed Configuration
1. Example
Running Keepers
1. Example (Oasis Market Maker Keeper)
Support Information

1. Introduction

This guide is dedicated to showing you how to create your very own Market Maker Keeper Bot as well as educate the community about Market Maker Keeper bots and help both users and developers understand the value of this incredible software. We are proud to say that all of the code needed to get a Market Maker Keeper bot up and running is open-sourced.

List of current exchanges that Market Maker Keeper Bots can be built for

OasisDEX (oasis-market-maker-keeper)
EtherDelta (etherdelta-market-maker-keeper)
RadarRelay and ERCdEX (0x-market-maker-keeper)

2. Prerequisite

Git
- This project requires

3. Getting Started (Installation)

1. Clone the market-maker-keeper repository and switch into its directory:

2. Initializing the git submodules that will bring in both the pymaker and the pyexchange library:

3. Set up the virtual env and activate it:

4. Check to make sure you have the correct version (Python 3.6.6) of Python by running:

5. Install Requirements:

Note: This command is (used in place of pip install -r requirements.txt) for iterating through all the dependencies in the lib directory to grab all of the requirements needed.

Potential errors that could arise:

Needing to upgrade to pip version 19.2.2.
- Run: pip install --upgrade pip to fix.
Installing jsonnet (if running macOS Mojave)
To fix, run the following:

Other Potential Installation Issues:

Read the following document for other known Ubuntu and macOS issues ().

4. Testing

There is quite a lot of value in running all the unit tests to make sure market-maker keeper has been installed properly. After the repository has been cloned and the installation has been completed, you can run unit tests by executing the following commands.

Firstly, the following command will install the libraries required to run unit tests:

To run the unit tests (py.test, etc..), use the following script:

Example output:

5. Understanding Bands Configuration

The Bands configuration file is directly related to how your Market Maker Keeper will work. As mentioned in the introduction, these Keepers continuously monitor and adjust their positions in the order book, maintaining open buy and sell orders in multiple bands at the same time. For each buy and sell band, the Keepers aim to have open orders for at least the minAmount. In both cases, they will ensure the price of open orders stay within the <minMargin, maxMargin> range from the current price. When running, Keepers place orders for the average amounts (avgAmount) in each band by using use avgMargin to calculate the order price.

As long as the price of orders stays within the set band(s) (i.e. it is in between the <minMargin,maxMargin> range from the current price), the Keepers keep them open/running. If some orders leave the band, they either enter another adjacent band or fall outside all bands. In the case of the latter, they would get immediately canceled. In case of the former, Keepers can keep these orders open as long as their amount is within the <minAmount,maxAmount> ranges for the band they just entered. If it is above the maximum, some of the open orders will get canceled and potentially a new one will be created to bring the total amount back within the range. If it is below the minimum, a new order gets created for the remaining amount so that the total amount of orders in this band is equal to avgAmount. The same process will happen if the total amount of open orders in a band falls below the minAmount as a result of other market participants taking these orders. In this case, a new order gets created for the remaining amount so the total amount of orders in this band is equal to avgAmount. There are some Keepers that will constantly use gas to cancel orders (ex: OasisDEX, EtherDelta and 0x) and create new ones (OasisDEX) as the price changes. Gas usage can be limited by setting the margin and amount ranges wide enough but also by making sure that the bands are always adjacent to each other and that their <min,max> amount ranges overlap.

File format

The bands configuration file consists of two main sections:

buyBands
sellBands

Note: Each section is an array containing one object per each band.

The minMargin and maxMargin fields in each band object represent the margin (spread) range of that band. These ranges may not overlap for bands of the same type (buy or sell), and should be adjacent to each other for better Keeper performance (where fewer orders will get canceled if the bands are adjacent to each other). The avgMargin represents the margin (spread) of newly created orders within a band.

Glossary

minAmount - the minimum amount for keeper engagement for a band.
avgAmount - the target amount for keeper engagement for a band.
maxAmount - the maximum amount for keeper engagement for a band.

Setting up your own Bands Configuration File:

1. Creating your bands.json file

To start, take the sample configuration file below and copy-paste it to a .json file within the root directory of your market-maker-keeper folder. For ease of use, we sugges to name it bands.json. This bands file will get configured as a command-line argument when we start up the Market Maker Keeper.

A Sample bands.json file containing two Bands:

This example shows bands for the ETH-DAI pair, where ETH represents the base currency and DAI as the quote currency:

This bands.json file should be adequate enough for you to paste and run it as is. Of course, you are free to configure it however you would like.

Note: Since this example will be focused on getting a Market Maker Keeper set up on Kovan, you need to make certain that you have enough Kovan ETH (K-Eth) to get your Keeper up and running. To receive Kovan ETH, join the following Gitter Channel: and post your ETH address from your MetaMask account to the main chat. The Kovan faucet will then populate your wallet with the test funds (note that this could take a couple of minutes or a couple of hours as it is done manually by the channel’s administrator).

2. Setting Amounts

You will need to set this up if you are going to be trading small amounts to start. This will need to be set up such that those amounts are sufficiently meaningful on the exchange you want to work with (based on the rules of the exchanges that you want to work. For example, their specificly set dust limits).

As mentioned above, there is one parameter in the configuration file (dustCutoff) that will be used to determine the minAmount of trade quantity. The dustCutoff will need to be set higher than/or at the minAmount trade quantity of the specific exchange. This is to make sure you don't create trades that are less than an exchanges' minimum trade requirements. Note that in your configuration file, you can also lower the required quantities to make it easier on yourself. Reducing the K-ETH amounts will be helpful in reducing wait times as you likely won't want to wait long periods to get enough K-ETH to run your Keeper).

Bands Example

Here, we will be going over some example interactions using the described above. These examples assume that it is denominated in DAI and the price of 10 DAI is 1 ETH.

Using Band 1

If we look at the first buy band, the initial buy order will be 30 DAI (avgAmount) with the price of -> price - (price * avgMargin) -> 0.1 - (0.1 * 0.01) -> 0.099 ETH per Dai.
If the buy order listed above (30 DAI @ 0.099 ETH) gets partially filled (15 DAI are purchased), then we will have (15 DAI remaining in the order). However, this amount is below the band's minAmount (20 DAI), therefore, another whole order of 15 DAI will be placed on the exchange at the same price of 0.099 ETH.

Using Band 2

For ease of explanation, let's assume we are selling ETH priced at 100.00 DAI (5 ETH @ 101 DAI and 6 ETH @ 102.5 DAI).
Now imagine a situation where the price of ETH suddenly drops to 97.50 DAI, pushing the bands down. In this scenario, the second band will start working and will become responsible for both of the sell orders, as they fit in between the second band's minMargin and maxMargin.

The Market Maker Keeper will now reset it's bands by performing the following:

Creating an order in Band 1 (5 ETH @ 98.475 DAI) using avgMargin and avgAmount.
Cancelling the second order (5 ETH @ 102.5 DAI) (which is now in Band 2) becuase maxMargin has been breached (when price + (price * maxMargin) = orderPrice -> 97.5 + (97.5 * 0.05) -> 102.375 > 102.5).

This results in a total of 3 orders:

Band 1 -> (5 ETH @ 98.475 DAI)
Band 2 -> (5 ETH @ 101 DAI)
Band 2 -> (1 ETH @ 99.837 DAI)

6. Order Rate Limitation

Next, we will want to add the Rate Limitation to the configurations file. This will make sure that we don't constantly churn out old orders as well as help manage gas consumption. We do this because we want the period and the amount to be set to a low amount when we start out. This is done because we don't want new users' Market Maker Keeper bots to be frantically trading all of the time. The goal here is that we want to set up our initial states such that it is only placing an order every 5 min or so (or whatever time amount you decide on).

There are two (optional) limit sections (buyLimits and sendLimits) that can be used for limiting the maximum rate of orders created by Market Maker Keepers. They both use the same format.

Example of order rate limits:

The period defines the amount of time that the limit should be applied over.
The amount is the maximum amount of orders that should be placed during the set period amount.

In the example above, the periods are set to 1-hour and 1-day and the amounts are set to 50.0 orders and 200.0 orders. This means that over the course of 1-hour, only 50.0 orders can be placed and over the course of 1-day, only 200.0 orders can be placed. The amounts will be expressed either in terms of the buy or the sell token, this will depend on the section. Note that the above snippet imposes a limit of 50.0 buy token within each 60-minute window. Additionally, a maximum of 200.0 buy tokens within each 24-hour window. Note that the supported time units are s, m, h, d, and w

7. Data Templating Language

The data templating language that can be used for the configuration file.

In the case of the data templating language, think of this like a pre-processing language for parsing the file. The whole purpose of the jsonnet is to set up a configuration file such that you can have it increment based on a price. Therefore, in addition to the price feed, you can also base percentages away from the market price. As you can see below, there is a hardcoded amount/price and then the amounts below it which are dependent on the price.

Note: If you are working with a token that's price does not fluctuate wildly, you do not need to incorporate relative qualities for your amount. This is typically for people who want Market Maker Keepers open for months at a time and don't want to worry about having to change any of their configurations.

Another thing to note about these files is that the Market Maker Keeper reloads the configuration files automatically when it detects a change in them. This makes it easier as you don't have to constantly restart your Keeper bot when you change your band configurations. In short, this works by periodically taking a hash of the configuration file and comparing that hash with the current version. When it sees a change in that hash of the file, it will reload the configuration file and cancel orders as necessary to maintain the newly updated bands.

8. Price Feed Configuration

The price feed is one of the most important determining factors of success in a Market Maker Keeper. If you have the bands set up the way you want, the price feed will help make sure your bands are set at meaningful levels relative to the inside market. If you have wide bands and your strategy is to add liquidity to handle market imbalances, then the price feed is not as important. However, as you tighten up the spreads, the price feed is a crucial component to ensure that you are going to profit in the market.

Below, we list some of the existing public feeds. You can also use web sockets if you have your own price feed that you want to use. In short, it works by each Market Maker Keeper taking in a --price-feed command-line argument which then determines the price used for market-making.

As of today, these are the possible values of this argument that we list some of the existing public feeds:

fixed:200 - uses a fixed price, (1.56 in this example). See below for a more in-depth example. When on mainnet, you typically won't use a fixed amount but it is an ideal example for this walkthrough as there aren't price feeds for Kovan.
eth_dai - uses the price from the GDAX WebSocket ETH/USD price feed.
eth_dai-setzer

Additionally, we have a Uniswap price feed that can be used by Market Maker Keepers: .

Note: The --price-feed command line argument can also contain a comma-separated list of several different price feeds. In this case, if one of them becomes unavailable, the next one in the list will be used instead. All listed price feeds will be constantly running in the background, the second one and following ones ready to take over when the first one becomes unavailable. In the example below (in the Running Keepers section), you can see an example of how to use a fixed price amount.

9. Running Market Maker Keepers

Each Market Maker Keeper is a command-line tool which takes in generic command-line arguments (such as --config, --price-feed, --price-feed-expiry, --debug, etc.) as well as some arguments which are specific to that particular Keeper (such as Ethereum node parameters, addresses, exchange API keys, etc.). All accepted command-line arguments are listed in the example section below. They can also be discovered by trying to start a Market Maker Keeper with the --help argument.

Example (Oasis Market Maker Keeper)

In order to run oasis-market-maker-keeper, you will need to go through the following process:

Firstly, you would deploy an Ethereum node (we recommend Parity).
Generate an account in it.
Permanently unlock that account.
Transfer some tokens to it.

The below file should be copy and pasted into a new file within the root directory of the repository (market-maker-keeper). This should be placed within the same folder where you put the bands.json file.

Make sure that you retrieve and paste the correct contract addresses when using the above snippet.
--eth-key ${ACCOUNT_KEY} - includes both the .json file (account.json) of your account and a .pass file (ex: account.pass) that contains your password in plaintext.
If you do not have an account, you can use on Kovan and export the account details (by means of the Keystore file method). Make sure that you download the .json file to your local machine as this is what you will need to set up the account.

List of required Kovan Addresses for the above :

General Notes:

The OASIS_SERVER1_KEY is simply your Kovan account private key (point this to your ETH accounts key file) and password file. If you do not have this, please set up a file with your password (in plain text).
ETH From is the address location where the market-maker-keeper is going to get the tokens that it uses to participate and place orders.
- Example: Since Oasis is a decentralized exchange (dex), it is on-chain, so you need to provide all of the relevant addresses to the dex. Most DEX's are like this because when you are configuring with a dex you need to pass many addresses in, whereas, with a centralized exchange you are generally giving an API key, and username and password (see below for an example of how the process differs for centralized exchanges differ versus decentralized exchanges).

Once completed, you can now run your Market Maker Keeper! Follow the next steps to get it running:

Open up your terminal
Run chmod +x <the file name of your version of the above bin/oasis-market-maker-keeper snippet>
Run ./<the file name of your version of the above bin/oasis-market-maker-keeper snippet>

Market Maker Keepers on Centralized Exchanges versus Decentralized Exchanges

In the situation where you want to use a centralized exchange vs. a decentralized exchange, the process differs a little:

You would need to have an existing account or create an account (on the exchange itself).
Get the set of API keys with trading permissions (will usually need to be generated as well).
Deposit tokens in your account on the exchange (as the keepers do not handle deposits and withdrawals themselves).
Run the Market Maker Keeper.

10. Support

We are here to help! We welcome any questions about market making in the channel in the Maker Chat.

===================================== test session starts =====================================
platform darwin -- Python 3.6.6, pytest-3.3.0, py-1.8.0, pluggy-0.6.0
rootdir: /Users/charlesst.louis/market-maker-keeper, inifile:
plugins: timeout-1.2.1, mock-1.6.3, cov-2.5.1, asyncio-0.8.0
collected 97 items                                                                            

tests/test_airswap_market_maker_keeper.py ................                              [ 16%]
tests/test_band.py ......                                                               [ 22%]
tests/test_etherdelta_market_maker_keeper.py ..........................                 [ 49%]
tests/test_feed.py .                                                                    [ 50%]
tests/test_limit.py .......                                                             [ 57%]
tests/test_oasis_market_maker_cancel.py ...                                             [ 60%]
tests/test_oasis_market_maker_keeper.py ...................                             [ 80%]
tests/test_price_feed.py ............                                                   [ 92%]
tests/test_reloadable_config.py .......                                                 [100%]

---------- coverage: platform darwin, python 3.6.6-final-0 -----------
Name                                                    Stmts   Miss  Cover
---------------------------------------------------------------------------
market_maker_keeper/__init__.py                             0      0   100%
market_maker_keeper/airswap_market_maker_keeper.py        252    142    44%
market_maker_keeper/band.py                               260     37    86%
market_maker_keeper/bibox_market_maker_keeper.py           93     93     0%
market_maker_keeper/bitinka_market_maker_keeper.py         96     96     0%
market_maker_keeper/bittrex_market_maker_keeper.py         96     96     0%
market_maker_keeper/coinbase_market_maker_keeper.py       103    103     0%
market_maker_keeper/coinbene_market_maker_keeper.py        95     95     0%
market_maker_keeper/control_feed.py                         7      5    29%
market_maker_keeper/ddex_market_maker_keeper.py           126    126     0%
market_maker_keeper/ercdex_market_maker_keeper.py          12     12     0%
market_maker_keeper/etherdelta_market_maker_keeper.py     193    142    26%
market_maker_keeper/ethfinex_market_maker_keeper.py        94     94     0%
market_maker_keeper/feed.py                                84     46    45%
market_maker_keeper/gas.py                                 20     10    50%
market_maker_keeper/gateio_market_maker_keeper.py         106    106     0%
market_maker_keeper/gopax_market_maker_keeper.py           99     99     0%
market_maker_keeper/hitbtc_market_maker_keeper.py          98     98     0%
market_maker_keeper/idex_market_maker_keeper.py           193    193     0%
market_maker_keeper/imtoken_pricing_server.py              51     51     0%
market_maker_keeper/imtoken_utils.py                       97     97     0%
market_maker_keeper/kucoin_market_maker_keeper.py         108    108     0%
market_maker_keeper/limit.py                               46      0   100%
market_maker_keeper/liquid_market_maker_keeper.py          97     97     0%
market_maker_keeper/mpx_market_maker_keeper.py            137    137     0%
market_maker_keeper/oasis_market_maker_cancel.py           38     22    42%
market_maker_keeper/oasis_market_maker_keeper.py          133     94    29%
market_maker_keeper/okex_market_maker_keeper.py            92     92     0%
market_maker_keeper/order_book.py                         219    188    14%
market_maker_keeper/order_history_reporter.py              38     26    32%
market_maker_keeper/paradex_market_maker_keeper.py        131    131     0%
market_maker_keeper/price_feed.py                         187     86    54%
market_maker_keeper/reloadable_config.py                   67      3    96%
market_maker_keeper/setzer.py                              24     17    29%
market_maker_keeper/spread_feed.py                          7      5    29%
market_maker_keeper/tethfinex_market_maker_keeper.py      149    149     0%
market_maker_keeper/theocean_market_maker_keeper.py       129    129     0%
market_maker_keeper/util.py                                 8      4    50%
market_maker_keeper/zrx_market_maker_keeper.py            177    177     0%
market_maker_keeper/zrxv2_market_maker_keeper.py           26     26     0%
---------------------------------------------------------------------------
TOTAL                                                    3988   3232    19%


================================== 97 passed in 4.04 seconds ==================================

{
    "_buyToken": "DAI",
    "buyBands": [
        {
            "minMargin": 0.005,
            "avgMargin": 0.01,
            "maxMargin": 0.02,
            "minAmount": 20.0,
            "avgAmount": 30.0,
            "maxAmount": 40.0,
            "dustCutoff": 0.0
        },
        {
            "minMargin": 0.02,
            "avgMargin": 0.025,
            "maxMargin": 0.03,
            "minAmount": 40.0,
            "avgAmount": 60.0,
            "maxAmount": 80.0,
            "dustCutoff": 0.0
        }
    ],
    "buyLimits": [],

    "_sellToken": "ETH",
    "sellBands": [
        {
            "minMargin": 0.005,
            "avgMargin": 0.01,
            "maxMargin": 0.02,
            "minAmount": 2.5,
            "avgAmount": 5.0,
            "maxAmount": 7.5,
            "dustCutoff": 0.0
        },
        {
            "minMargin": 0.02,
            "avgMargin": 0.025,
            "maxMargin": 0.05,
            "minAmount": 4.0,
            "avgAmount": 6.0,
            "maxAmount": 8.0,
            "dustCutoff": 0.0
        }
    ],
    "sellLimits": []
}

{
  "_price": 10,

  "_buyToken": "DAI",
  "buyBands": [
    {
      "minMargin": 0.020,
      "avgMargin": 0.050,
      "maxMargin": 0.075,
      "minAmount": 0.05 * $._price,
      "avgAmount": 0.25 * $._price,
      "maxAmount": 0.35 * $._price,
      "dustCutoff": 0.1
    }
  ],

  "_sellToken": "ETH",
  "sellBands": []
}

#!/bin/bash

bin/oasis-market-maker-keeper \
    --rpc-host 127.0.0.1 \
    --rpc-port  \
    --rpc-timeout 10 \
    --eth-from [address of your generated Ethereum account] \
		--eth-key ${ACCOUNT_KEY} \
    --tub-address  0x448a5065aebb8e423f0896e6c5d525c040f59af3 \
    --oasis-address  0x14fbca95be7e99c15cc2996c6c9d841e54b79425 \
    --price-feed fixed:200 \
    --buy-token-address [address of the quote token, could be DAI] \
    --sell-token-address [address of the base token, could be WETH] \
    --config [path to the json bands configuration file, e.g bands.json] \
    --smart-gas-price \
    --min-eth-balance 0.001

V2_OASIS_SERVER1_ADDRESS= 
V2_OASIS_SERVER1_KEY="key_file=/home/ed/Projects/member-account.json,pass_file=/home/ed/Projects/member-account.pass"
TUB_ADDRESS=0xa71937147b55deb8a530c7229c442fd3f31b7db2 # tub-address
SAI_ADDRESS=0xc4375b7de8af5a38a93548eb8453a498222c4ff2 # buy-token-address
WETH_ADDRESS=0xd0a1e359811322d97991e03f863a0c30c2cf029c # sell-token-address
OASIS_ADDRESS_NEW=0x4a6bc4e803c62081ffebcc8d227b5a87a58f1f8f # oasis-address

Upgrading to Multi-Collateral Dai Guide

Summary

Level: Intermediate

Estimated Time: 30 minutes

Audience: Technical and commercial teams with partners and Dai holders

Introduction

The upcoming version of the Maker system, Multi-Collateral Dai, brings a lot of new and exciting features, such as support for new Vault collateral types and Dai Savings Rate. In order to support the new functionality, the whole Maker core of smart contracts has been rewritten. The new smart contracts addresses and ABIs can be found here:

Therefore, users and partners interacting with Single-Collateral Dai (SCD) must migrate their existing Single Collateral Dai tokens (Sai) to Multi Collateral Dai tokens (Dai) and CDPs to the new system. Additionally, companies or projects integrated with Sai and CDPs must update their codebases to point to the new smart contracts, and refactor their code to support the updated functions.

This guide will focus on the Dai and CDP migration with a high level overview of the upgrade process for different actors in the Maker ecosystem.

The steps necessary to migrate from Single-Collateral Dai (SCD) to Multi-Collateral Dai (MCD) differ depending on your platform and use case for Dai, so the guide is split into sections for different user and partner types.

Important note on naming conventions

In this guide we refer to the Single Collateral Dai system as SCD, and the Multi-Collateral Dai system as MCD. We refer to the Single Collateral Dai token (the old, currently existing Dai) as Sai, and the new Multi-Collateral Dai token as Dai.

Learning Objective

Knowledge on how migration to MCD will work
Best practices for migration for different users and partners
Where to find guides on specific migration scenarios

Pre-requisites

Basic knowledge of the MakerDAO: Dai and/or Vault system.

Sections

User and Partner Migration Scenarios

The following section will outline a recommended migration process for different actors in the Maker ecosystem.

As a Sai Holder

You control your private key

If you hold your Sai in a wallet where you control your private keys, then head to (available at MCD launch) and follow the instructions to upgrade your Sai to Dai and optionally activate the Dai Savings Rate smart contract, which allows you to earn savings.

The following figure outlines the migration flow:

You don’t control your private key

If your Sai is deposited in an exchange or centralized wallet or locked in a dApp smart contract, you can follow the instructions these platforms are providing or withdraw the Sai and complete the upgrade yourself at

With MCD you can deposit your Dai into the Dai Savings Rate smart contract which will earn you accrued annual savings. Find more info at makerdao.com at launch.

As a SCD CDP Owner

As a SCD CDP owner you can move your CDP to the MCD CDP core through the Migration App at at launch. The following diagram shows the flow for CDP migration.

You can also choose to manually close your CDP by paying back your debt and redeeming your Ether, and use your redeemed collateral to open a new MCD CDP.

If you have a large SCD CDP, the migration contract might not have enough Sai liquidity to carry out the migration. In that case, feel free to contact for assistance. You can read more about migration in the section later in this guide.

Notes on Instadapp

If you have created your CDP through the Instadapp service, you need to withdraw ownership of the CDP from the service back to you. To do this, you need to navigate to the and click “Withdraw” on your CDP in the tab “Debt Positions”. This will give you custody of the CDP, which will make it visible at where you will be able to carry out CDP migration.

Notes on MyEtherWallet

If you have created your CDP on MyEtherWallet then you can migrate your CDP using the Migration App at . (However, if the private key used with MyEtherWallet is stored in a local file or another unsupported format, you must first import your key to a wallet with Web3 support.)

Once upgraded, you can start using Dai Savings Rate by locking your Dai into the Dai Savings Rate smart contract and receive accrued savings. Find more info on makerdao.com at launch.

As a Centralized Exchange or Custodial Wallet

We recommend you take the following steps for upgrading to MCD:

On November 18: Rename Single-Collateral Dai to “Sai”. This is being coordinated with all Maker partners and serves to avoid users depositing the wrong token into your system.
On December 2: Perform upgrade of user balances.
Inform your users as soon as possible about the dates. For users wanting to delay their upgrade, this allows them to opt-out by withdrawing Sai from your exchange before the date.

This approach will result in the following user journey for the exchange/wallet user:

As a Decentralized Exchange

We recommend you take the following steps for upgrading to MCD:

On November 18: Rename Single-Collateral Dai to “Sai” and ticker "SAI". This is being coordinated with all Maker partners and serves to avoid users attempting to deposit the wrong token into your system.
Select a date between November 18-25 to list Multi-Collateral Dai. The new token is deployed at - use the for the new Dai token. Logo for Sai should remain the yellow diamond.
On the date of your own Dai listing: Add support for the new Dai token on your platform. The new Dai token should be named Dai and have the ticker "DAI". Deactivate Sai trading in your frontend UI, but allow users to cancel orders and withdraw balances.

As a Non-Custodial Wallet

If you are a creator of a wallet that allows users to be in control of their private keys we recommend you do the following:

On November 18: Rename Single-Collateral Dai to “Sai”
Select a future date between November 18-25 to execute the upgrade to support Multi-Collateral Dai, which should be listed as "Dai". The new token is deployed at - use the for the new Dai token. Logo for Sai should remain the yellow diamond.
Inform your users as soon as possible about the timeline for your own upgrade to MCD.

As a Keeper

Get acquainted with the updates to Keepers and Auctions in MCD with .
Upgrading
We expect to release a Python library for working with Auctions before MCD launch. This will be the recommended way to bid in Auctions.

Alternatively, if you’re willing to do some additional work and work with a lower level interface, you can interact with Auction contracts directly (, , ). Note that future collateral types may come with custom auction formats. More documentation will be available before launch.

As a Market Maker

We encourage you to market make on Multi-Collateral Dai as soon as your exchange partners add support for it.
If your exchange partners keep their Sai listing concurrently with their Dai listing, we encourage you to market make on both tokens for the remaining lifetime of Sai.
If your exchange partners will use a different ticker for Dai than Sai, you should update your tools accordingly.

As a CDP Integrator

Custodial CDP service

On November 18: Rename Single-Collateral Dai to “Sai”
Select a future date between November 18-25 to execute the upgrade to MCD.
Inform your users as soon as possible about the date.
On the chosen date:

Non-Custodial CDP service

On November 18: Rename Single-Collateral Dai to “Sai”
Select a future date between November 18-25 to execute the upgrade to MCD.
Inform your users as soon as possible about the timeline for your own upgrade to MCD.
Inform your users about MCD and the migration process of CDPs.

Upgrading your CDP integration implementation

Using Dai.js

If you have integrated CDPs using the , ensure you have updated the library to the latest version.
Update your codebase to support the functionality of the . At launch this plugin will be bundled into the Dai.js library as default.
Optional: Help your users migrate their CDP to MCD

Direct integration with smart contracts

If you have integrated directly with the smart contracts, you must add support for the new Maker core smart contracts. Since the smart contracts have been completely rewritten, most function calls have been changed.
Get acquainted with the

As a Lending Protocol

Custodial Service

On November 18: Rename Single-Collateral Dai to “Sai”
Select a future date between November 18-25 to execute the upgrade to MCD.
Inform your users as soon as possible about the date.
On the chosen date:

Non-Custodial Service

On November 18: Rename Single-Collateral Dai to “Sai”
Select a future date between November 18-25 to execute the upgrade to MCD.
Inform your users as soon as possible about the timeline for your own upgrade to MCD.
Inform users about potential cutoff dates for shutdown of SCD.

As a Dapp

On November 18: Rename Single-Collateral Dai to “Sai”
Select a future date between November 18-25 to execute the upgrade to MCD.
Inform your users as soon as possible about the timeline for your own upgrade to MCD.
On the chosen date:

As another partner type not mentioned above

Please reach out to and we are happy to discuss your migration scenario.

Migration App

Upon release of MCD, the Migration App at will allow you to carry out Dai and CDP migration through an intuitive web UI in just a few clicks. By logging in with your favourite wallet solution, the app will scan your wallet for any recommended migrations and showcase them in the UI (seen in picture below). This migration scan feature is planned to be continually supported going forward, ensuring that users are always using an up-to-date version of the Maker platform.

Landing Page that will show you possible migrations for the connected wallet.

Wizard for migrating Sai to Dai.

Wizard for migrating an SCD CDP to MCD CDP.

The Migration App uses a proxy contract to carry out the CDP migration. Consequently, the app can also only be used for CDPs that have been created through a Maker proxy contract. This happens automatically if you have opened your CDP at .

If you have created CDPs using third party services that do not use Maker proxies to interact with the CDP core, the migration contract might not work. Instead, you can perform your own manual migration by simply closing down your SCD CDP and moving the ETH to an MCD CDP.

Migration Contract

The functionality of the Migration App outlined in the above section is handled by a Migration Contract that will be deployed at MCD launch in order to support a smooth transition from Single Collateral Dai to Multi Collateral Dai. The contract will make the redemption of Single Collateral Dai tokens (Sai) for Multi Collateral Dai tokens (Dai), and the migration of CDPs to the new CDP engine of MCD, an easy task. This section will outline how the migration contract works in order to help super users and partners prepare for MCD migration.

Functionality

The migration smart contracts are open source and can be found here:

In the src folder, the smart contract source code can be found. The main contract is the ScdMcdMigration.sol which contains the migration functionality that you will interact with.

It contains three main functions:

swapSaiToDai - a function that upgrades Sai to Dai
swapDaiToSai - a function that allows you to exchange your Dai back to Sai
migrate - a function that allows you to migrate your SCD CDP to MCD.

The following sections will go deeper into these function calls. The Migration App will present this functionality in an easy to use UI, so a regular user will not have to deal with these function calls directly. We will however dive into them in the following sections to dissect how migration works, and outline the process for power users or partners, who want to carry out migration themselves.

Upgrading Dai

In order to upgrade your Dai to MCD, you must use the function in the migration contract. First you must approve that the migration contract can transfer Sai tokens from your account. Then you are ready to invoke the swap by calling the function specifying the amount of Sai you want to upgrade to Dai. After the function call is mined, the upgraded Dai is sent to the Ethereum address initiating the upgrade. A detailed walk-through using CLI tools to carry out these functions can .

From the user perspective, this function simply upgrades a specified amount of Sai to Dai.

Behind the scenes, deposited Sai tokens are used to create a collective CDP in MCD for all migrating users which Dai is minted from. The migration contract will thus take the Sai tokens from your account, and deposit them into the Sai token adapter, which allows the CDP engine Vat to utilize the tokens for CDP actions. The migration contract will then invoke Vat to lock Sai and issue Dai to the Dai adapter. The migration contract will then exit the Dai tokens from the Dai adapter, which is carried out by invoking a mint function on the Dai token contract which will generate new Dai for the originator’s Ethereum address. The reason Sai to Dai migration is carried out using the CDP core (vat) of the new system, is that this is the only component that has the authority to mint new Dai. The process and function calls are outlined in the diagram below.

The following diagram outlines what happens when migrating 10 Sai to 10 Dai.

Swapping back to Sai

The migration contract also allows users to “go back” by swapping Dai for Sai, using the function . In this case, the CDP operation is reversed, as Dai is paid back to the system and Sai is released, just like the repayment of a normal CDP, except with no stability fee cost.

However, this operation requires a surplus of Sai already deposited in the migration contract. Therefore there must be at least an equivalent amount of Sai deposited in the contract, to the amount of Dai you want to redeem.

This function call is very similar to the former, except this time Dai is deposited to the CDP, and Sai collateral released. This requires you to approve that the migration contract can transfer Dai from your wallet, and then you invoke the swapDaiToSai function with the specified amount of Dai you want to redeem. You can check out for a more detailed look into how you call the functions.

Migration of CDP

The migration contract also allows users to migrate their CDPs from the SCD core to the MCD core. This is done through the function . The function essentially tries to close your CDP, using excess Sai deposited in the migration contract (by other users who have been upgrading Sai to Dai) to pay your outstanding CDP debt. In order to do so, you need to transfer the control of the CDP to the migration contract. The migration contract will then pay back the debt using Sai deposited in the contract, redeem the ETH collateral, create a new CDP in the MCD system, lock in the ETH collateral, and payback the debt using the generated Dai, resulting in an equivalent CDP debt in MCD.

However, in order to close down the CDP, a stability fee in MKR must be paid, so you need to grant the migration contract approval to spend MKR from you account to carry out the migration.

The migration contract uses a proxy contract to carry out all the above steps in one go. Consequently, the contract can also only be used for CDPs that have been created through a Maker proxy contract. This happens automatically if you have opened your CDP at . Therefore, you must utilize the contract to carry out the .

To migrate your CDP, your are also dependant on excess liquidity of Sai in the migration contract to be used to close your CDP. If you have a 10,000 Sai debt CDP you want to migrate, there must be at least 10,000 Sai deposited in the Sai MCD CDP owned by the migration contract (from users upgrading Sai to Dai), to carry out the CDP migration. The migration cannot be carried out partially, why the whole debt of the CDP must be covered by Sai liquidity in the contract to carry out the migration. If you have a large CDP and are concerned about migration, feel free to reach out to the Integrations Team at

In Summary

In this guide, we introduced you to the steps of how to upgrade to Multi-Collateral Dai. We have provided you with guidelines for different types of platforms using Dai and for regular Dai holders. As we approach the launch of Multi-Collateral Dai, more details will be made available.

Troubleshooting

If you encounter any issues with your upgrade process, don’t hesitate to contact us.

Contact integrations team -
Rocket chat - #dev channel

Next Steps

After finishing this guide we think you’ll enjoy these next guides:

Learn about our progress towards the launch of .

Resources

Information:

Other Guides:

Source code/wiki:

Liquidation 2.0 Module

The Maker Protocol's Collateral Auction House (Liquidation System 2.0)

Contract Source(s): clip.sol, dog.sol, abacus.sol
Type/Category: DSS —> Liquidation 2.0 Module
Etherscan

1. Introduction

Summary: In the context of the Maker protocol, a liquidation is the automatic transfer of collateral from an insufficiently collateralized Vault, along with the transfer of that Vault’s debt to the protocol. In the liquidation contract (the Dog), an auction is started promptly to sell the transferred collateral for DAI in an attempt to cancel out the debt now assigned to the protocol.

2. Features

Instant Settlement

Unlike the old Liquidation 1.2 system which utilized English auctions, in which DAI bids are placed, with a participant's capital remaining locked until they are outbid or until the auction terminates, Liquidation 2.0 uses Dutch auctions which settle instantly. They do so according to a price calculated from the initial price and the time elapsed since the auction began. Price versus time curves are discussed more later. The lack of a lock-up period mitigates much of the price volatility risk for auction participants and allows for faster capital recycling.

Flash Lending of Collateral

This feature, enabled by instant settlement, eliminates any capital requirement for bidders (excepting gas)—in the sense that even a participant with zero DAI (and nothing to trade for DAI) could still purchase from an auction by directing the sale of the auction's collateral into other protocols in exchange for DAI. Thus, all DAI liquidity available across DeFi can be used by any participant to purchase collateral, subject only to gas requirements. The exact mechanics are discussed above, but essentially a participant needs to specify a contract who (which conforms to a particular interface), and calldata to supply to it, and the auction contract will automatically invoke whatever logic is in the external contract.

Price as a Function of Time

Price-versus-time curves are specified through an interface that treats price at the current time as a function of the initial price of an auction and the time at which that price was set. How to determine the most effective price curve for a given collateral is still an active area of research; some initial options (linear, step-wise exponential, and continuous exponential) have been implemented for research purposes and initial deployment. Other candidates besides these include a piecewise linear curve and a piecewise exponential curve. This module is configurable and can be replaced in the course of innovation.

It is important for bidders to take into account that while the price almost always decreases with time, there are infrequent occasions on which the price of an active auction may increase, and this could potentially result in collateral being purchased at a higher price than intended. The most obvious event that would increase the price in a running auction is if that auction is reset (via redo), but changes to the configurable parameters of a price decrease calculator (or even the switching out of one calculator for another) by governance can also increase the price. It is recommended that bidders (or bidding UIs that abstract this detail away from the user) choose the maximum acceptable price (max) argument to take carefully to ensure a desirable outcome if the price should unexpectedly increase.

Resetting an Auction

As mentioned above, auctions can reach a defunct state that requires resetting for two reasons:

too much time has elapsed since the auction started (controlled by the tail governance parameter)
the ratio of the current price to the initial price has fallen below a certain level (specified by the cusp governance parameter).

The reset function, when called, first ensures that at least one of these conditions holds. Then it adjusts the starting time of the auction to the current time, and sets the starting price in exactly the same way as is done in the initialization function (i.e. the current OSM price increased percentage-wise by the buf parameter). This process will repeat until all collateral has been sold or the whole debt has been collected (unless the auction is canceled via yank, e.g. during Emergency Shutdown); contrast this behavior with the current auctions, which reset until at least one bid is received.

Improved Keeper Wallet Security

If keepers decide to use the clipperCallee pattern, then they need not store DAI or collateral on that account. This means a keeper need only hold enough ETH to execute transactions that can orchestrate the Clipper.take call, sending collateral to a contract that returns DAI to the msg.sender to pay for the collateral all in one transaction. The contract implementing the clipperCallee interface can send any remaining collateral or DAI beyond owe to a cold wallet address inaccessible to the keeper. NOTE: If the keeper chooses to behave as an EOA address, then the DAI and collateral would be exposed just as in LIQ-1.2 unless special care is taken to create a proxy contract.

3. Contract Details

Parameters Set By Governance (through `file`)

`Abacus/LinearDecrease` -- tau [seconds]

Seconds after auction start when the price reaches zero.

`Abacus/StairstepExponentialDecrease` -- cut [ray]

Per-step multiplicative factor. cut = 0.99 * RAY specifies a 1% drop every step seconds.

`Abacus/StairstepExponentialDecrease` -- step [seconds]

Length of time between price drops.

`Abacus/ExponentialDecrease` -- cut [ray]

Per-second multiplicative factor. cut = 0.99 * RAY specifies a 1% drop every second.

`Clipper` -- buf [ray]

The multiplicative factor to increase the starting price of an auction. E.g. if the current OSM price of an asset is 1,000 and buf = 1.2 * RAY (20% above), then the initial price of that auction will be 1,200.

`Clipper` -- calc [address]

The contract address of the price calculator function. Adheres to Abacus interface. Some examples of price functions are found in abaci.sol file.

`Clipper` -- chip [wad]

Percentage of tab to suck from vow to incentivize keepers when liquidating a vault or resetting an already existing auction. chip = 0.02 * WAD is 2%.

`Clipper` -- cusp [ray]

Percentage price drop that can occur before an auction must be reset. Together with tail, this parameter determines when an auction needs to be reset. E.g. if the initial price of an auction (top) is set to 1,200 and cusp = 0.6 * RAY (60% of the starting price), then the auction will need to be reset when reaching just below the price of 720.

`Clipper` -- dog [address]

The address of the liquidation module contract.

`Clipper` -- spotter [address]

The Collateral price module contract address.

`Clipper` -- tail [seconds]

Seconds that can elapse before an auction must be reset. Together with cusp, this parameter determines when an auction needs to be reset. E.g. if tail is 1800 seconds, then if an auction is not complete after 30 minutes have elapsed, it will need to be reset.

`Clipper` -- tip [rad]

Flat fee to suck from vow to incentivize keepers when liquidating a vault or resetting an already existing auction. tip = 100 * RAD is 100 DAI.

`Clipper` -- vow [address]

The address of the accounting system contract. The recipient of DAI raised in auctions.

`Dog` -- Hole [rad]

Max DAI needed to cover debt + liquidation penalty of active auctions. Hole = 10,000,000 * RAD is 10M DAI.

`Dog` -- ilk.chop [wad]

Liquidation Penalty per collateral (ilk). E.g. if there is a vault ready to be liquidated that has a debt of 1,000 DAI and chop = 1.13 * WAD (13% above), then the max amount to be raised by the auction will be 1,130 DAI.

`Dog` -- ilk.clip [address]

The address of the auction module contract. One clip per collateral (ilk).

`Dog` -- ilk.hole [rad]

Max DAI needed to cover debt + liquidation penalty of active auctions per collateral (ilk). hole = 10,000,000 * RAD is 10M DAI.

`Dog` -- vow [address]

The address of the accounting system contract. The recipient of the bad debt coming from a vault when it's liquidated.

Vault Liquidation

The Vault liquidation function (`Dog.bark`) takes three caller supplied arguments:

ilk: the collateral ilk
urn: the Vault to be liquidated
kpr: the address where DAI incentives will be sent

`Dog.bark` performs several actions:

confiscates the given Vault urn if it's undercollateralized and
- sends the collateral to the ilk's Clipper
- increments the vow

In the context of the Maker protocol, a "liquidation" is the automatic transfer of collateral from an insufficiently collateralized Vault, along with the transfer of that Vault's debt to the protocol. In both the Liquidation 1.2 version (the Cat) and the Liquidation 2.0 version (the Dog), an auction is started promptly to sell the transferred collateral for DAI in an attempt to cancel out the debt now assigned to the protocol. This makes the behavior of the new contract very similar to that of the old one, but there are some important differences, explained below.

Partial vs. Total Liquidations

In the current system, in each call to the liquidation function (Cat.bite) transfers a fixed amount of debt (the dunk) from the affected Vault, along with a proportional amount of the Vault's collateral to the protocol. For example, if 50% of a Vault's debt is taken by the protocol, then half of its collateral is taken as well. If the Vault's debt is less than the dunk, then all debt and collateral is taken. In 2.0, all debt is taken when the liquidation function (Dog.bark) is called, and no analogue of the dunk parameter exists. The reasoning behind this change is that because the new auctions allow partial purchases of collateral, the liquidity available to a participant no longer limits their ability to participate in auctions, so instead the total number of auctions should be minimized. Just to emphasize, there is no longer a minimum DAI liquidity requirement for the sale of collateral on a per-participant basis.

Limits on DAI Needed to Cover Debt and Fees of Active Auctions

In situations involving large amounts of collateral at auction, the current and new designs modify the behavior described in the previous section. Both liquidations 1.2 and 2.0 implement a limit on the total amount of DAI needed to cover the summed debt and liquidation penalty associated with all active auctions. In LIQ-1.2 this is called the box, and in LIQ-2.0 we call this the Hole. Whenever the maximum possible addition to this value is less than the amount of debt+fees that would otherwise be sent to auction, a partial liquidation is performed so as not to exceed this amount. In the current system there is only a global limit; in 2.0, in addition to the global limit, there is also a per-collateral limit. Similar to how there is an ilk.line for a collateral's debt ceiling and a Line for the overall system debt ceiling, there is now an ilk.hole to correspond with the Hole. This ensures that typical market depth against DAI can be taken into account on a per-collateral basis by those determining risk parameters. The Dirt accumulator tracks the total DAI needed to cover the debt and penalty fees of all active auctions, and must be less than

Auction Initiation

The auction initiation function (`Clipper.kick`) takes four caller supplied arguments:

tab: the target DAI to raise from the auction (debt + stability fees + liquidation penalty) [rad]
lot: the amount of collateral available for purchase [wad]

`Clipper.kick` performs several checks and actions:

checks that the caller is authorized (only the Dog or governance may call Clipper.kick)
checks that liquidations are enabled in the four-stage circuit breaker
increments a counter and assigns a unique numerical id to the new auction

The initial price is set by reading the current price in the corresponding (OSM) and multiplying by a configurable percentage (the buf parameter). Note that the current OSM price is between one and two hours delayed relative to the actual market price. A keeper doesn't make a call to Clipper.kick directly, but rather makes a call to Dog.bark which in turn calls Clipper.kick.

Liquidation Incentive Mechanism

In this design, there is less incentive to quickly liquidate Vaults than in the current system, because there is no inherent advantage obtained by doing so. In contrast, the current auction system grants the account triggering a liquidation the privilege of making the first bid in the resulting auction. It is unclear whether this matters significantly in practice, or whether some stronger incentive should be added (for example, a small DAI reward paid to liquidators).

To ensure there was a remedy for this potential issue, an incentive mechanism was added for liquidators. The form of the incentive is, on a per-collateral type basis, a constant amount of DAI plus an amount of DAI that scales linearly with the amount of debt associated with the liquidation. Either contribution can be set to zero. Such a structure is justified by the following:

The reward is set per-collateral to give maximum flexibility to include not just per-collateral risk parameters like mat (collateralization ratio) and chop (liquidation penalty) in its setting, but also to allow for unique market conditions that might only apply to one or a few collateral types.
The component of the reward that increases linearly with the total Vault debt is intended to be used to reward liquidators for reducing risk to the system, as risk itself scales with the size of undercollateralized Vaults—a Vault that is twice as big as another represents twice the risk of bad debt accrual. Or viewed another way, liquidating two vaults of size X represents the same risk reduction as liquidating one Vault of size 2X—thus the reward to a liquidator ought to be similar. Further, the system can afford to pay more for larger liquidations, because the liquidation penalty is also proportional to the amount of debt outstanding for a given Vault.

These parameters must be set extremely carefully, lest it be possible to exploit the system by "farming" liquidation rewards (e.g. creating Vaults with the intention of liquidating them and profiting from the too-high rewards). Generally, the liquidation reward should remain less than the minimum liquidation penalty by some margin of safety so that the system is unlikely to accrue a deficit. This doesn't necessarily prevent farming, it just helps ensure the system remains solvent. For example, incentives can be farmed in a capital-efficient way when Dirt is close to Hole or when ilk.dirt is close to ilk.hole for some collateral type. An attacker would purchase a small amount of collateral from a running auction, freeing up a small amount of room relative to either Hole or ilk.hole, then liquidate a small portion of an existing Vault to collect the reward, and repeat the process. This can be done over and over in the same transaction, and the activation of EIP 2929 (scheduled for the Berlin hard fork at the time of writing) will significantly reduce the associated gas costs (due to warm storage reads and writes). Note that since the attacker does not need to create their own Vaults, the size of the liquidation penalty in relation to the incentive value is not a deterrent; only gas costs matter to the attacker. The fact that the Dog prevents partial liquidations that remove less than ilk.dust debt from a Vault helps to mitigate this scenario--so long as the liquidation penalty exceeds the total reward for this minimal liquidation size,

Four-Stage Liquidation Circuit Breaker

In this section, we'll cover the four stages of the liquidation circuit breaker. In contrast to LIQ-1.2, Liquidations 2.0 comes with a four-stage circuit breaker built into the Clipper contract. The stages are:

liquidations enabled(0): This means the breaker is not tripped and the protocol can liquidate new Vaults as well as service old liquidations.
new liquidations disabled(1): This means no new liquidations (Clipper.kick).
new liquidations and resets disabled

Just like in LIQ-1.2, the circuit breaker will be available through a ClipperMom contract giving governance the ability to bypass the GSM delay for circuit breaker actions.

Bidding (Purchasing)

The purchasing function (`Clipper.take`) takes five caller supplied arguments:

id: the numerical id of the auction to bid on
amt: the maximum amount of collateral to buy (amt) — a purchase behaves like a limit order [wad]
max: the maximum acceptable price in DAI per unit collateral (

`Clipper.take` performs several initial checks:

a reentrancy check to ensure the function is not being recursively invoked
that the four-stage circuit breaker is not tripped
that the auction id corresponds to a valid auction
that the auction does not need to be reset, either due to having experienced too large a percentage decrease in price, or having existed for too long of a time duration

Then, the amount of collateral to attempt to purchase is computed as the minimum of the collateral left in the auction (lot) and the caller's specified quantity (amt)—the resulting value is the slice. This value is then multiplied by the current price of the auction to compute the DAI owed in exchange (owe). If owe exceeds the DAI collection target of the auction (tab), then owe is adjusted to be equal to tab, and slice is set to tab / price (i.e. the auction will not sell more collateral than is needed to cover debt+fees from the liquidated Vault).

To make it less likely that auctions are left in a state that is unattractive to bid on, further logic is applied if there will be both left over DAI target and collateral based on the initial determinations for slice and owe. If the remaining tab in such a case would be less than chost (a value stored by the contract, asynchronously set to ilk.dust * ilk.chop / WAD by the upchost() function), then: 1) If the overall DAI target is less than chost, the function reverts. Callers should be aware of this possibility and account for it when necessary. 2) Otherwise, owe is set to tab - chost, and slice is set to (tab - chost) / price.

This heuristic for preventing a too-small remaining collateral amount and/or DAI target is imperfect and may fail in some situations; if this occurs, there is no serious harm to the protocol; the auction will simply remain uncompleted. However, governance may wish to fully clear such "lost" auctions via take or yank to avoid cluttering the list of active auctions each Clipper maintains, which could impair the performance of DEX and aggregator integrations (and possibly off-chain bots too, depending on how they are written).

Next, collateral is transferred (within the protocol's ) to the who address provided by the caller. If the caller provided a bytestring with greater than zero length, an external call is made to the who address, assuming it exposes a function, follow Solidity conventions, with the following signature:

The first argument is the recipient of DAI. That is, this is the address the clipperCallee must return DAI to. The second argument is DAI owed (as a 45 decimal digit fixed-precision integer, or rad), the third argument is the collateral being purchased (as an 18 decimal digit fixed-precision integer, or wad), regardless of the precision of the external token contract, and the last argument is identical to what bytestring the caller originally supplied to the purchase function. As mentioned earlier, a locking mechanism prevents reentry into the purchase function during this external call, and the Clipper.redo call, for security reasons. Example implementations of the ClipperCallee interface can be found in the repository.

After the external call completes (or immediately following the transfer of collateral, if no external call was executed), DAI is transferred (internally, within the core ) from msg.sender to the protocol.

Lastly, various values are updated to record the changed state of the auction: the DAI needed to cover debt and fees for outstanding auctions, and outstanding auctions of the given collateral type, are reduced (via a callback to the liquidator contract) is reduced by owe, and the tab (DAI collection target) and lot (collateral for sale) of the auction are adjusted as well. If all collateral has been drained from an auction, all its data is cleared and it is removed from the active auctions list. If collateral remains, but the DAI collection target has been reached, the same is done and excess collateral is returned to the liquidated Vault.

Example Liquidation

Figure 1: NOTE: in the above figure, tau is tail.

In this example we can see a linear decrease function (calc), with an ETH-A OSM price of 200 DAI, a buf of 20%, a tail (tau) of 21600 seconds, a tab of *60,000 DAI with a lot of 347.32 ETH. There are two bidders, Alice and Bob. Alice calls take first and is willing to give *50,000 DAI in return for 256.41 ETH collateral, a price of 195 DAI per ETH. The price of ETH continues to fall over time, and Bob picks up the remaining 90.91 ETH for

Incentive to call `redo()`

The auction initiation function (`Clipper.redo`) takes two caller supplied arguments:

id: the current auction id
kpr: the address where DAI incentives will be sent

`Clipper.redo` performs several checks and actions:

a reentrancy check to ensure the function is not being recursively invoked
that the four-stage circuit breaker is not tripped
that the auction id corresponds to a valid auction
that the auction needs to be reset, either due to having experienced too large a percentage decrease in price, or having existed for too long of a time duration

An auction that has expired or which is currently offered at a value higher than the oracle threshold will likely not complete at favorable values. The system therefore provides a direct incentive to Clipper.redo the auction, resetting it's expiration and setting the starting price to match the current oracle price + buf. The redo includes the same Dai incentive to the keeper as the Clipper.kick, which is based on the flat fee plus the governance-defined percentage of collateral. There is one exception to this incentive. If the tab or lot * price remaining is under the Clipper.chost limit, then there will be no incentive paid to redo the auction. This is to help prevent incentive farming attacks where no keepers bid on dusty lots, and Clipper.redo is called repeatedly. If auctions in this state build up, governance may choose to pay a keeper to clean them up.

Emergency Shutdown

A started auction can be reverted via the auth function called yank in Clipper contract. This function requires that the auction exists and executes the following actions:

calls dog.digs in order to decrease its Dirt and ilk.dirt values by the remaining auction tab
sends the remaining collateral to its msg.sender

This function might be thought of as a general purpose operation to migrate existing auctions to a new contract; however, the only use-case now is in the End module, which takes care of system shutdown.

The End module will be upgraded together with the auction contracts as a new function End.snip is required.

This function End.snip is responsible for calling Clipper.yank for any running auction when shutdown is triggered. It will receive the collateral from Clipper.yank and will send it back to the vault owner together with the remaining debt to recover. One consideration to note is that the debt that the vault owner will receive includes the liquidation penalty part already charged.

Interfaces

`Dog` Interface

Standard MakerDAO authorization structure.

DSS core address introspection.

Returns values configured for a given ilk (ex. ETH-A).

Returns 1 if the system is active.

Getters for the global Hole and Dirt configuration. Both return a rad-precision value.

(Authenticated) Parameter modification functions, available to governance. The precision for a numeric argument should match the parameter being set.

Getter for the chop value of a given ilk. chop has wad precision.

The main liquidation function. Initiates an auction. A keeper calls this function to begin the auction of urn for a particular ilk. kpr is the address where the keeper incentive is sent, allowing keepers to have liquidation rewards sent to a different address than the caller.

(Authenticated) Removes collateral from the accumulator. Called by the Clipper. The rad argument has rad precision.

(Authenticated) Deactivates the Dog and sets live to 0.

`Clipper` Interface

Standard MakerDAO authorization structure.

The ilk that this Clipper is associated with.

DSS core address introspection.

The address of the pricing function used by this Clipper.

Getters for governance-configured auction parameters.

Getter for the stored product of Vat.ilk.dust and Dog.ilk.chop. This value is used as a heuristic for whether a partial purchase will leave an auction with too little collateral and whether incentives should be given out when redo is called.

Auction counter. Increments each time an auction is initiated.

Returns the id of the auction at index pos in the list of active auctions.

Returns information on a particular auction. Completed auctions are removed from the mapping.

Returns the current circuit breaker status. 0 for all functions allowed, 1 if kick cannot be called, 2 if kick and redo cannot be called, and 3 if kick, redo and take cannot be called.

(Authenticated) Parameter modification functions, available to governance. Numeric arguments should match the precision of the parameter being set.

(Authenticated) Initiates the auction. Called by the Dog. tab is rad-precion, lot is wad-precision.

Called to reset an auction due to expiry or price deviation.

Called to purchase collateral.

Helpers for iterating the list of active auctions. Use list() to get the unsorted array of auctions. Get the number of active auctions with count(). The function active(uint256 pos) (see above) can be used to access individual entries without needing to call list().

Returns a bool if the auction is eligible for redo and the current price.

Updates the chost value stored in the contract to equal the product of Vat.ilk.dust and Dog.ilk.chop (the precision of the final value is rad). This allows take and redo to obtain chost with a single SLOAD (reading dust from the Vat requires 5 SLOAD operations due to how the API is structured, and reading chop is an additional SLOAD).

(Authenticated) Allows an auction to be removed during Emergency Shutdown or via a goveranance action.

4. Known Risks

This section covers some of the known risks with Liquidations 2.0

Incentive Farming

Periodically, governance may increase the ilk.dust amount. When this happens, it's usually because gas has become so expensive it impacts the efficiency of liquidations. That is, the cost of calling Dog.bark(), Clipper.take(), or Clipper.redo() may exceed the collateral offered. Incentives may be used as a remedy to this potential issue and possibly a way for the protocol to keep ilk.dust lower; however, governance must take care when increasing the ilks dust, tip, or chip not to incentivize the creation of many Vaults to farm this incentive. An example of an exploit is as follows:

governance decides to increment dust by 1500 DAI at the same time they scale ilk.tip to subsidize auctions.
an attacker realizes it would be profitable between gas and the chop to shard (fork) their existing Vault into many Vaults or create many new Vaults.

In order to thwart this attack governance must be careful when setting ilk.tip and ilk.chip so as not to create this perverse incentive.

Price Decreases Too Quickly

If the price decreases too quickly it can have the following consequences:

the auction ends without any bid, then it needs to be reset and possibly this will keep happening
bidders end up having reverts due the auction ended before tx confirmation
bidders end up paying much less than what they were willing to pay (possibly generating permanent bad debt)

Price Decreases Too Slowly

If the price decreases too slowly it can have the following consequences:

Auction price never catches up with the market price, eventually being reset
- After the reset the price catches up, but is less than an optimal market price
- After the reset the price catches up, but still leaves bad debt

Front-Running

In LIQ-1.2 there is limited front-running risk as it requires capital to participate in auctions; however, in liquidations 2.0 if a keeper chooses to participate with no capital, there is substantial front-running risk from generalized front-running bots. The easier it is to replace the from address of the transaction with one's own, the greater the risk. To mitigate this risk keepers are encouraged to used authorized proxy contracts to interact with liquidations 2.0 and provide some amount of their own capital when bidding. More aggressive gas prices may also work. Unfortunately, we found no great way to prevent generalized front-running that preserves single-block composability.

OSM Risk for Start Price

Because Clipper.kick and Clipper.redo consult the OSM for the collateral price, we are vulnerable to an oracle attack that can only be mitigated by the oracle delay, Dog.Hole, and ilk.hole. We must rely on the number of guards in place to prevent price manipulation and oracle attacks. The fact that the price is delayed by one hour, however, prseents a risk of its own: since the price is out-of-date relative to the market, it may be either too high or too low to allow for efficient settlement given other parameters like 'buf' and the price decrease function. The consequences of either case are effectively covered by the sections on the risk of the price decreasing either too quickly or too slowly.

Setting Hole or ilk.hole Too High

While Dog.Hole and ilk.hole can be set much higher in liquidations 2.0, there are still risks to setting this too high. A value for Dog.Hole that's set too high could result in far too much DAI demand, breaking the peg high. This is somewhat mitigated by the PSM and stablecoin collateral types, but should still factor in to how this parameter is set. An ilk.hole that is set too high, may have the additional result of causing a downward spiral as the liquidations push the asset price lower. In addition, if there is an oracle attack, this parameter can be thought of as our maximum exposure.

Setting Hole or ilk.hole Too Low

If we set either Dog.Hole or ilk.hole too low, we run the risk of not being able to liquidate enough collateral at once. This could lead to a buildup of undercollateralized positions in the system, eventually causing the accrual of bad debt.

Auction Parameter Changes Affect Running Auctions

Parameters, e.g. tail, cusp, or the price decrease function or any of its parameters, can be changed at any time by governance and will affect the behavior of running auctions. Integrators should take this possibility into account, reasoning through how sudden changes in parameters would impact their bidding strategies. Governance should endeavor to change parameters infrequently and if possible, only when there are not any auctions that will be affected.

5. Invariants

These invariants have not yet been formally proven, and thus should only be considered intended behavior for now.

`Dog` Invariants

`Clipper` Invariants

The above is an inequality (and not an equality) because it is impossible to prevent a user or contract from choosing to send collateral to a Clipper, even though it only makes sense for the Dog to do so. Governance (or a new module) could create a violation of this property by calling kick without transferring appropriate collateral to the Clipper. Thus this is actually a pseudo-invariant that only holds if callers of kick respect the requirement to send collateral to the Clipper, but it should hold for the live system if deployment and authorization is done correctly. It should hold if only active auctions are summed over as well.

Invariants involving quantities from both the `Dog` and `Clipper`

The above should hold if only active auctions are summed over as well.

Note that (c28.1) and (c28.2) together imply (c26.1).

Hole

bark

ilk.dirt

ilk

ilk.hole

bark

ilk

usr: the address to return any excess collateral to

2

Clipper.kick

Clipper.redo

max

tail

cusp

top

Clipper.take

Clipper.redo

function file(bytes32 what, address data) external;
function file(bytes32 what, uint256 data) external;
function file(bytes32 ilk, bytes32 what, address data) external;
function file(bytes32 ilk, bytes32 what, uint256 data) external;

function buf() external view returns (uint256);   // ray
function tail() external view returns (uint256);  // seconds
function cusp() external view returns (uint256);  // ray
function chip() external view returns (uint256);  // wad
function tip() external view returns (uint256);   // rad

function sales(uint256) external view returns (
        uint256 pos,
        uint256 tab,   // rad
        uint256 lot,   // wad
        address usr,
        uint96  tic,   // Unix epoch
        uint256 top);  // ray

Maker Protocol Technical Docs

MakerDAO Technical Docs

MakerDAO Documentation Overview

Introduction

The Maker Protocol Smart Contract Modules System

Getting Started

Maker Protocol 101

For a fully comprehensive overview of the smart contracts within the Maker Protocol, please download the Maker Protocol 101 Slide Deck (PDF) below or visit the view-only link here.

Smart Contract Modules

Dai Module

1. Introduction (Summary)

2. Module Details

Glossary (DAI)

Glossary (Join)

Core Module Components Documentation

3. Key Mechanism and Concepts

Why are these components important to the Multi-Collateral Dai (MCD) System?

4. Gotchas (Potential sources of user error)

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

Core Module

1. Introduction (Summary)

2. Module Details

Core Module Components Documentation

3. Key Mechanism and Concepts

4. Gotchas (Potential sources of user error)

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

Coding Errors

Feeds

Governance

Spot - Detailed Documentation

Collateral Module

1. Introduction (Summary)

2. Module Details

The Collateral Module is built up of the following components:

3. Key Mechanism and Concepts

Summary of the Collateral Module Components

How exactly do the Join contracts help the MCD system operate?

4. Gotchas (Potential sources of user error)

5. Failure Modes

Join - Detailed Documentation

1. Introduction (Summary)

2. Contract Details:

Glossary (Join)

3. Key Mechanisms & Concepts

4. Gotchas (Potential source of user error)

5. Failure Modes (Bounds on Operating Conditions & External Risk Factors)

Maker Protocol Emergency Shutdown

Introduction

Overview of the Shutdown Process

Emergency Shutdown for Partners

For a quick overview of Emergency Shutdown within the Maker Protocol and the process to follow as an integration partner, please download and read the ES Partner Integration Slide Deck (PDF) below.

Glossary

Deployment Addresses

Maker Protocol Deployments

Find all Maker Protocol contract addresses and ABIs at chainlog.makerdao.com

Onchain Contract Address Directory

Security

Security for the Maker Protocol

Introduction

Building on top of the Maker Protocol

The Dai Javascript Library of the Maker Protocol

Introduction

Plugins

Available Plugins

Building your own plugin

Dai Savings Rate

Instance methods

join(amount)

exit(amount)

exitAll()

balance()

balanceOf(address)

getTotalDai()

getYearlyRate()

Currency units

System data

Instance methods

getAnnualBaseRate()

getSystemWideDebtCeiling()

isGlobalSettlementInvoked()

How exactly do the `Join` contracts help the MCD system operate?

How exactly do the `Join` contracts help the MCD system operate?