feat: emergency withdrawal — admin force-returns user tokens from a frozen market #277

Description

@abayomicornelius

Summary

If a market is paused due to a critical bug or oracle failure, LP and trader funds can be permanently stuck. An emergency withdrawal mechanism lets the admin return tokens to their rightful owners without executing normal protocol logic.

Proposed Design

Add emergency_withdraw(market: Address, recipient: Address, token: Address, amount: u128) to exchange_router, gated behind a special EMERGENCY_ADMIN role (separate from normal admin to require higher multi-sig threshold).

  • Only callable when the market's pause flag is set
  • Bypasses all valuation and fee logic
  • Transfers tokens directly from market pool to recipient
  • Emits EmergencyWithdrawal { market, token, amount, recipient, authorized_by }

Security Requirements

  • EMERGENCY_ADMIN must be a multi-sig with at least 3-of-5 threshold
  • Each emergency withdrawal requires a separate auth call (no batch emergency drain)
  • After use, emit an on-chain explanation event with a reason string

Acceptance Criteria

  • Callable only when market is paused
  • Requires EMERGENCY_ADMIN role
  • Emits structured event with full audit trail
  • Integration test: pause market, emergency withdraw, assert recipient received tokens
  • Non-emergency-admin call reverts

Affected Contracts

exchange_router, role_store
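A runnable model of the gating described above, added here as an illustration and not code from this project: plain Rust with constructed stand-ins for `exchange_router`, `role_store` and the market pool (no Soroban SDK), so that the role check, pause check and audit event can be exercised offline. The `reason` argument and the pool-balance check are assumptions drawn from the Security Requirements section rather than from a stated signature.

```rust
use std::collections::HashMap;

// Constructed stand-in types; the real contract uses Soroban Address/token types.
type Address = String;
type Token = String;

#[derive(Debug, PartialEq, Clone)]
pub struct EmergencyWithdrawal {
    pub market: Address, pub token: Token, pub amount: u128,
    pub recipient: Address, pub authorized_by: Address, pub reason: String,
}

#[derive(Debug, PartialEq)]
pub enum Error { NotEmergencyAdmin, UnknownMarket, MarketNotPaused, InsufficientPool }

pub struct Market { pub paused: bool, pub pool: HashMap<Token, u128> }

#[derive(Default)]
pub struct Router {
    pub emergency_admins: Vec<Address>,            // role_store stand-in (EMERGENCY_ADMIN holders)
    pub markets: HashMap<Address, Market>,
    pub balances: HashMap<(Address, Token), u128>, // recipient token balances
    pub events: Vec<EmergencyWithdrawal>,          // emitted audit trail
}

impl Router {
    /// One withdrawal per call: no batching, and every call re-checks role and pause flag.
    pub fn emergency_withdraw(&mut self, caller: &Address, market: &Address, recipient: &Address,
                              token: &Token, amount: u128, reason: &str) -> Result<(), Error> {
        // Role check first: only an EMERGENCY_ADMIN (the multi-sig) may invoke this.
        if !self.emergency_admins.contains(caller) { return Err(Error::NotEmergencyAdmin); }
        let m = self.markets.get_mut(market).ok_or(Error::UnknownMarket)?;
        // Only a paused market is eligible; valuation and fee logic are bypassed entirely.
        if !m.paused { return Err(Error::MarketNotPaused); }
        // Assumed caveat: the pool must actually hold the tokens being returned.
        let pool = m.pool.entry(token.clone()).or_insert(0);
        if *pool < amount { return Err(Error::InsufficientPool); }
        *pool -= amount;
        *self.balances.entry((recipient.clone(), token.clone())).or_insert(0) += amount;
        // Structured event carrying who authorized the transfer and why.
        self.events.push(EmergencyWithdrawal {
            market: market.clone(), token: token.clone(), amount,
            recipient: recipient.clone(), authorized_by: caller.clone(), reason: reason.to_string(),
        });
        Ok(())
    }
}
```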
