Circuit Breaker

Circuit Breaker

Purpose

The circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while keeping exits available over time. is a velocity control on outflows. It limits how fast capital can leave through wrapper withdrawWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for optional buyback and burn (if configured). paths, protecting against flash-driven extraction.

The circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while keeping exits available over time. does not permanently lock user exits. Once capacity replenishes, withdrawalsWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for optional buyback and burn (if configured). resume at normal pace.

Dual-Buffer Model

The CircuitBreaker.sol contract uses a dual-bufferDual-Buffer ModelThe circuit breaker's two-part rate limiter: a main replenishing buffer that caps total outflow within a time window, and an elastic buffer that tracks recent inflows and adds proportional outflow capacity. rate limiter:

Main replenishing buffer

Caps total outflow within a configurable time window.

Elastic buffer

Tracks recent inflows and allows proportionalProportional SettlementEach investor receives their proportional share of the reserve pool. Under normal conditions this equals the original deposit; in a shortfall it equals the proportional share of what remains. The last redeemer gets the same rate as the first. additional outflow capacity.

Both buffers are checked via checkAndRecordOutflow on wrapper withdrawWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for optional buyback and burn (if configured). calls. If limits are exceeded, the withdrawalWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for optional buyback and burn (if configured). reverts.

Main Buffer Caps total outflow per time window

60% used 40% remaining

Replenishes over time at a fixed rate

Elastic Buffer Tracks recent inflows for extra capacity

30% used 70% remaining

Proportional to recent deposit volume

Withdraw Request

checkAndRecordOutflow

Pass

Within limits, withdrawal succeeds

or

Revert

Exceeds capacity, transaction reverts

Configuration

• Protected-contract registry controls which contracts are subject to rate limits
• Owner-configurable time windows and maximum draw rates
• Parameters are set per circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while keeping exits available over time. instance

Interaction with exits

Exits via redeemRedeemExercise principal protection and exit to collateral. Implemented by the divest contract function. Permissionless and on-chain. (divestDivestContract function (divest / divestUnderlying) that implements exits via redeem. Returns collateral (or strategy position tokens) to the investor.) and via withdrawWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for optional buyback and burn (if configured). (withdrawFT) both flow through the wrapper and are subject to circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while keeping exits available over time. checks. If limits are exceeded, the call reverts; retry as capacity replenishes.

Pausing

Admin can pause depositsDepositThe action of investing collateral into a raise. The raise contract receives collateral, routes it to the yield strategy, and mints a pFT position NFT. A live oracle price feed determines USD notional for FT allocation via deposit-time conversion.. Exits remain available even when paused, see Roles and Permissions for details.

Pausing is a defensive measure for scenarios like:

• Suspected exploit in progress
• Oracle instability
• Strategy-layer concerns requiring investigation

Liquidity Stress Scenarios

Partial upstream liquidity

Scenario: strategy cannot provide full requested liquidity immediately (e.g., high Aave utilization).

Expected behavior:

• Availability checks reflect constrained withdrawalWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for optional buyback and burn (if configured). capacity
• Calls may partially succeed at lower layers or revert in exact-amount flows
• Users can retry as liquidity conditions improve

The capital still exists, lent out and recoverable as upstream liquidity normalizes.

Mass redemption under circuit breaker

Scenario: a large share of investors attempt exits simultaneously, triggering the circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while keeping exits available over time..

Expected behavior:

• Early exits within the buffer limits succeed immediately
• Once limits are reached, subsequent exits revert until capacity replenishes
• Processing stretches over time as the buffer refills
• Deterministic conversionProportional SettlementEach investor receives their proportional share of the reserve pool. Under normal conditions this equals the original deposit; in a shortfall it equals the proportional share of what remains. The last redeemer gets the same rate as the first. rules ensure all investors receive the same rate regardless of exit order

Circuit breaker + strategy liquidity combined

When both circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while keeping exits available over time. limits and strategy liquidity are constrained:

• Circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while keeping exits available over time. limits dominate when they are tighter than available liquidity
• Yield strategyYield StrategyProtocol used to generate yield on deposited capital. Aave V3 is the only supported strategy at launch. Yield funds the platform fee and the project ecosystem budget. If buyback is enabled, yield surplus can also fund buyback and burn. liquidity limits dominate when available liquidity is less than circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while keeping exits available over time. capacity
• The effective withdrawalWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for optional buyback and burn (if configured). rate is the minimum of the two constraints
• Both constraints are temporary and resolve independently