Summary
If a market is paused due to a critical bug or oracle failure, LP and trader funds can be permanently stuck. An emergency withdrawal mechanism lets the admin return tokens to their rightful owners without executing normal protocol logic.
Proposed Design
Add emergency_withdraw(market: Address, recipient: Address, token: Address, amount: u128) to exchange_router, gated behind a special EMERGENCY_ADMIN role (separate from normal admin to require higher multi-sig threshold).
- Only callable when the market's pause flag is set
- Bypasses all valuation and fee logic
- Transfers tokens directly from market pool to recipient
- Emits EmergencyWithdrawal { market, token, amount, recipient, authorized_by }
Security Requirements
- EMERGENCY_ADMIN must be a multi-sig with at least 3-of-5 threshold
- Each emergency withdrawal requires a separate auth call (no batch emergency drain)
- After use, emit an on-chain explanation event with a reason string
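To make the gating order concrete, the following is an added plain-Rust model of the proposed function. It is not the project's exchange_router or role_store code and not a Soroban contract; the Address, Role and Router types, the in-memory role/pause/pool maps and the extra reason argument are assumptions made for this illustration. It shows the checks a reviewer would expect in order (role, pause flag, reason, pool balance) before any state is mutated, one (market, token, amount) per call so there is no batch drain, and the event carrying authorized_by. It goes slightly beyond the text by using a checked subtraction so a too-large amount fails instead of underflowing.

```rust
use std::collections::{HashMap, HashSet};

/// Stand-in for the on-chain Address type (assumption for this model).
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub struct Address(pub u32);

/// Roles in the role_store model. EmergencyAdmin is distinct from Admin so the
/// normal admin key cannot reach the escape hatch.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum Role {
    Admin,
    EmergencyAdmin,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    Unauthorized,
    MarketNotPaused,
    EmptyReason,
    InsufficientPool,
}

/// Event emitted once per emergency withdrawal, with the mandatory reason string.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct EmergencyWithdrawal {
    pub market: Address,
    pub token: Address,
    pub amount: u128,
    pub recipient: Address,
    pub authorized_by: Address,
    pub reason: String,
}

#[derive(Default)]
pub struct Router {
    roles: HashSet<(Address, Role)>,             // role_store model
    paused: HashMap<Address, bool>,              // market -> pause flag
    pools: HashMap<(Address, Address), u128>,    // (market, token) -> pool balance
    balances: HashMap<(Address, Address), u128>, // (account, token) -> balance
    pub events: Vec<EmergencyWithdrawal>,        // emitted events, in order
}

impl Router {
    pub fn grant_role(&mut self, who: Address, role: Role) {
        self.roles.insert((who, role));
    }
    pub fn set_paused(&mut self, market: Address, paused: bool) {
        self.paused.insert(market, paused);
    }
    pub fn fund_pool(&mut self, market: Address, token: Address, amount: u128) {
        *self.pools.entry((market, token)).or_insert(0) += amount;
    }
    pub fn pool_balance(&self, market: Address, token: Address) -> u128 {
        self.pools.get(&(market, token)).copied().unwrap_or(0)
    }
    pub fn balance_of(&self, account: Address, token: Address) -> u128 {
        self.balances.get(&(account, token)).copied().unwrap_or(0)
    }

    /// One (market, token, amount) per call; no valuation or fee logic runs.
    /// Every gate is checked before anything is mutated.
    pub fn emergency_withdraw(
        &mut self,
        caller: Address,
        market: Address,
        recipient: Address,
        token: Address,
        amount: u128,
        reason: &str,
    ) -> Result<EmergencyWithdrawal, Error> {
        // Gate 1: caller must hold EMERGENCY_ADMIN. The 3-of-5 threshold lives in
        // the multi-sig account behind that address and is not modelled here.
        if !self.roles.contains(&(caller, Role::EmergencyAdmin)) {
            return Err(Error::Unauthorized);
        }
        // Gate 2: only a paused market may be drained.
        if !self.paused.get(&market).copied().unwrap_or(false) {
            return Err(Error::MarketNotPaused);
        }
        // Gate 3: an on-chain explanation is mandatory.
        if reason.trim().is_empty() {
            return Err(Error::EmptyReason);
        }
        // Gate 4: never move more than the pool holds (checked, no underflow).
        let remaining = self
            .pool_balance(market, token)
            .checked_sub(amount)
            .ok_or(Error::InsufficientPool)?;
        // All gates passed: move tokens pool -> recipient, then emit.
        self.pools.insert((market, token), remaining);
        *self.balances.entry((recipient, token)).or_insert(0) += amount;
        let ev = EmergencyWithdrawal {
            market, token, amount, recipient,
            authorized_by: caller,
            reason: reason.to_string(),
        };
        self.events.push(ev.clone());
        Ok(ev)
    }
}
```

A convenient property to check in review: for any sequence of calls, pool balance plus recipient balances for a given token stays constant, and the number of emitted events equals the number of successful calls, so every token movement has exactly one explanation event.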
Acceptance Criteria
Affected Contracts
exchange_router, role_store