We want to have a security fuse that will be triggered if any onchain attack is detected by a service like Hypernative.

Currently the following contract methods are available to public:

In case of high-severity security alerts detected by Hypernative, we can automatically disable all deposits to all vaults, which will make the attack much harder or, most likely, infeasible.

Implementation overview


We can disable the deposits using stageDepositsLock and commitDepositsLock. The vault enforces a 1 hour delay between the two calls. So we do the following actions:

  1. Deploy TimelockController by OpenZeppelin with 0 delay https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/governance/TimelockController.sol. We need it as an audited contract that can do multicalls, has access control and can be easily triggered by an external transaction
  2. Make our Lido/Mellow multisig as admin and proposer of the Timelock
  3. Give the Hypernative bot, a custom in-house bot and a new 3/8 Lido/Mellow multisig the Executor role in the Timelock
  4. Give Timelock the Operator role in the vault
  5. stageDepositsLock for all vaults via Lido/Mellow multisig (in a usual flow, without Timelock OZ)
  6. Propose a commitDepositsLock for all Vaults to Timelock OZ using scheduleBatch method
  7. Hypernative will trigger executeBatch on security alert
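The seven steps above, carried through as a Foundry test. This is an added example written for this note, not Lido/Mellow or Hypernative code: the vault is a constructed mock (`MockVault`) that models only the stage/commit flow with its 1 hour delay, its `grantOperator` method and the zero-argument `stageDepositsLock()`/`commitDepositsLock()` signatures are assumptions about the real vault interface, all addresses are constructed with `makeAddr`, and the OpenZeppelin `TimelockController` is used with its v5 constructor and `scheduleBatch`/`executeBatch` API.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";

/// Constructed stand-in for a vault: only the deposits-lock flow from the note is modelled.
/// The real vault's Operator-role mechanism and method signatures are assumed.
contract MockVault {
    uint256 public constant LOCK_DELAY = 1 hours; // stage -> commit delay from the note
    address public admin;
    mapping(address => bool) public isOperator;
    uint256 public depositsLockStagedAt;
    bool public depositsLocked;

    constructor(address admin_) {
        admin = admin_;
        isOperator[admin_] = true; // the multisig can stage "in the usual flow"
    }

    modifier onlyOperator() {
        require(isOperator[msg.sender], "not operator");
        _;
    }

    function grantOperator(address who) external {
        require(msg.sender == admin, "not admin");
        isOperator[who] = true;
    }

    function stageDepositsLock() external onlyOperator {
        depositsLockStagedAt = block.timestamp;
    }

    function commitDepositsLock() external onlyOperator {
        require(depositsLockStagedAt != 0 && block.timestamp >= depositsLockStagedAt + LOCK_DELAY, "delay not passed");
        depositsLocked = true;
    }
}

contract DepositsFuseTest is Test {
    address multisig = makeAddr("lidoMellowMultisig");          // constructed
    address hypernativeBot = makeAddr("hypernativeBot");        // constructed
    address inhouseBot = makeAddr("inhouseBot");                // constructed
    address emergencyMultisig = makeAddr("multisig3of8");       // constructed

    TimelockController timelock;
    MockVault[] vaults;

    function setUp() public {
        // Steps 1-3: zero-delay timelock; multisig is admin and proposer (and, via the
        // OZ constructor, canceller); bots and the 3/8 multisig are executors.
        address[] memory proposers = new address[](1);
        proposers[0] = multisig;
        address[] memory executors = new address[](3);
        executors[0] = hypernativeBot;
        executors[1] = inhouseBot;
        executors[2] = emergencyMultisig;
        timelock = new TimelockController(0, proposers, executors, multisig);

        // Step 4: the timelock gets the Operator role in every vault.
        for (uint256 i = 0; i < 2; i++) {
            MockVault v = new MockVault(multisig);
            vm.prank(multisig);
            v.grantOperator(address(timelock));
            vaults.push(v);
        }
    }

    function testFuse() public {
        // Step 5: the multisig stages the lock directly, bypassing the timelock.
        for (uint256 i = 0; i < vaults.length; i++) {
            vm.prank(multisig);
            vaults[i].stageDepositsLock();
        }

        // Step 6: schedule one batch containing commitDepositsLock for every vault.
        address[] memory targets = new address[](vaults.length);
        uint256[] memory values = new uint256[](vaults.length); // all zero, no ETH sent
        bytes[] memory payloads = new bytes[](vaults.length);
        for (uint256 i = 0; i < vaults.length; i++) {
            targets[i] = address(vaults[i]);
            payloads[i] = abi.encodeCall(MockVault.commitDepositsLock, ());
        }
        bytes32 salt = keccak256("deposits-fuse-v1"); // constructed salt
        vm.prank(multisig);
        timelock.scheduleBatch(targets, values, payloads, bytes32(0), salt, 0);

        bytes32 id = timelock.hashOperationBatch(targets, values, payloads, bytes32(0), salt);
        assertTrue(timelock.isOperationReady(id)); // ready at once because minDelay is 0

        // An executor can only fire exactly what was scheduled: a different salt is unknown to the timelock.
        vm.expectRevert();
        vm.prank(hypernativeBot);
        timelock.executeBatch(targets, values, payloads, bytes32(0), bytes32(uint256(1)));

        // The vault's own stage -> commit delay must have passed, otherwise the whole batch reverts.
        vm.warp(block.timestamp + 1 hours);

        // Step 7: the Hypernative bot executes the batch on a security alert.
        vm.prank(hypernativeBot);
        timelock.executeBatch(targets, values, payloads, bytes32(0), salt);

        for (uint256 i = 0; i < vaults.length; i++) assertTrue(vaults[i].depositsLocked());
        assertTrue(timelock.isOperationDone(id));
    }
}
```

Run with `forge test` in a project that has forge-std and openzeppelin-contracts installed. Two properties of TimelockController matter for this design and are exercised above: executors can only trigger an operation whose id (targets, values, payloads, predecessor, salt) a proposer already scheduled, so a compromised bot key cannot craft new calls; and `executeBatch` is atomic, so if any single vault's `commitDepositsLock` reverts (for example, its stage has not been done or has been superseded) no vault gets locked, which argues for keeping the staged state of every vault in the batch monitored.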

Note that, as part of the Operator role, the TimelockController will also have access to the following methods: