Circuit Breaker, Pausing, and Liquidity Stress

Circuit Breaker

Purpose

The circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while ensuring exits remain available over time. is a velocity control on outflows. It limits how fast capital can leave through wrapper withdrawWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for buyback and burn. paths, protecting against exploit-velocity drains and flash-driven extraction.

The circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while ensuring exits remain available over time. is not a permanent lock on user exits. Once capacity replenishes, withdrawalsWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for buyback and burn. resume at normal pace.

Dual-Buffer Model

The CircuitBreaker.sol contract uses a dual-bufferDual-Buffer ModelThe circuit breaker's two-part rate limiter: a main replenishing buffer that caps total outflow within a time window, and an elastic buffer that tracks recent inflows and allows proportional additional outflow capacity. rate limiter:

• Main replenishing buffer: caps total outflow within a configurable time window. Replenishes over time.
• Elastic buffer: tracks recent inflows and allows proportionalProportional SettlementEach investor receives their proportional share of the reserve pool. In normal operation, this equals the original deposit. In a reserve shortfall, it equals the proportional share of what remains. The last person to redeem gets the same rate as the first. additional outflow capacity.

Both buffers are checked via checkAndRecordOutflow on wrapper withdrawWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for buyback and burn. calls. If limits are exceeded, the withdrawalWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for buyback and burn. reverts.

Configuration

• Protected-contract registry controls which contracts are subject to rate limits
• Owner-configurable time windows and maximum draw rates
• Parameters are set per circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while ensuring exits remain available over time. instance

Interaction with exits

Both exits via redeemRedeemExercise principal protection and exit to collateral. Implemented by the divest contract function. Always available, permissionless, and on-chain. (divestDivestContract function (divest / divestUnderlying) implementing exits via redeem. Returns collateral (or strategy position tokens) to the investor.) and exits via withdrawWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for buyback and burn. (withdrawFT) flow through the wrapper and are subject to circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while ensuring exits remain available over time. checks. If limits are exceeded, the call reverts and can be retried as capacity replenishes.

Pausing

Admin can pause depositsDepositThe action of investing collateral into a raise. Collateral is received by the raise contract, routed to the yield strategy, and a pFT position NFT is minted. At deposit time, a live oracle price feed determines USD notional for FT allocation via deposit-time conversion.. Exits remain available even when paused, see Roles and Permissions for details.

Pausing is a defensive measure for scenarios like:

• Suspected exploit in progress
• Oracle instability
• Strategy-layer concerns requiring investigation

Liquidity Stress Scenarios

Partial upstream liquidity

Scenario: strategy cannot provide full requested liquidity immediately (e.g., high Aave utilization).

Expected behavior:

• Availability checks reflect constrained withdrawalWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for buyback and burn. capacity
• Calls may partially succeed at lower layers or revert in exact-amount flows
• Users can retry as liquidity conditions improve

The capital still exists, it’s lent out and recoverable as upstream liquidity normalizes.

Mass redemption under circuit breaker

Scenario: large share of investors attempt exits simultaneously, triggering circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while ensuring exits remain available over time. limits.

Expected behavior:

• Early exits within the buffer limits succeed immediately
• Once limits are reached, subsequent exits revert until capacity replenishes
• Processing stretches over time as the buffer refills
• Deterministic conversionProportional SettlementEach investor receives their proportional share of the reserve pool. In normal operation, this equals the original deposit. In a reserve shortfall, it equals the proportional share of what remains. The last person to redeem gets the same rate as the first. rules ensure all investors receive the same rate regardless of exit order

Circuit breaker + strategy liquidity combined

In a scenario where both circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while ensuring exits remain available over time. limits and strategy liquidity are constrained:

• Circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while ensuring exits remain available over time. limits dominate when they are tighter than available liquidity
• Yield strategyYield StrategyProtocol used to generate yield on deposited capital. Aave V3 is the only supported strategy at launch. Yield funds the platform fee, project ecosystem budget, and buyback and burn. liquidity limits dominate when available liquidity is less than circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while ensuring exits remain available over time. capacity
• The effective withdrawalWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for buyback and burn. rate is the minimum of the two constraints
• Both constraints are temporary and resolve independently