Emergency exit mechanism #113

@kadenzipfel

Description

One of the primary security risks with this system, in my opinion, is DoS. This can happen due to things like under/overflow, insufficient liquidity, divide by zero errors, etc., and it's concerning because it's probably the hardest thing for us to be certain that we can prevent.

To combat this, it may be worth adding an emergency override mechanism that allows us to end early and provide pro-rata clearing of tokens. Although this is similar to an existing mechanism that we intend to add where, if we have not sold enough tokens, we will do a pro-rata clearing of tokens regardless: #112. So IMO we have two options:

  • Only support the pro-rata clearing of tokens if not enough tokens have been sold
    • In the case of a DoS before we've sold enough tokens, we refund the numeraire regardless
    • In the case of a DoS after we've sold enough tokens, we don't refund, but at least we've sold enough tokens
  • Also include an emergency exit whereby if x amount of epochs go by without any swaps, the admin/owner can trigger an emergency exit wherein we do a pro-rata clearing of tokens
    • It's kinda hard to decide at what point it's highly likely that a DoS actually occurred
      • Maybe there's a good way of proving it, e.g. by having a test swap which must revert even under reasonable conditions
    • We have to consider that a DoS could occur either in purchasing tokens or selling tokens back into the curve, so it probably has to support both possible outcomes

Ideally we go with the former and make sure that our testing is rock solid, but the DoS risk is always present.

It may also be better to just withdraw all the tokens rather than placing a liquidity position which users can sell into. This is a more wide-ranging protection because placing the position for users to sell into could potentially cause a DoS itself. I think it may make sense to have the option for the owner/admin to withdraw all tokens x amount of time after the endingTime in case we can't even migrate.
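One way the time-gated owner override and pro-rata clearing discussed above could be shaped, as an added sketch that is not the project's code: the exit only unlocks after `endingTime` plus a grace period, the refundable pool is snapshotted once, and refunds are pull-based so no loop over users can be DoSed. All contract, function and variable names here (`EmergencyExitSketch`, `emergencyDelay`, `contribute`, `claimRefund`, `refundPool`) are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}
// Hypothetical sketch (not the project's code): owner-triggered emergency exit that only
// unlocks after endingTime + emergencyDelay and refunds the numeraire pro rata via pull claims.
contract EmergencyExitSketch {
    address public immutable owner;
    IERC20 public immutable numeraire;
    uint256 public immutable endingTime;
    uint256 public immutable emergencyDelay;
    bool public emergencyExited;
    uint256 public refundPool;        // numeraire balance snapshotted once at exit
    uint256 public totalContributed;  // denominator for pro-rata shares
    mapping(address => uint256) public contributed;
    constructor(IERC20 _numeraire, uint256 _endingTime, uint256 _emergencyDelay) {
        owner = msg.sender;
        numeraire = _numeraire;
        endingTime = _endingTime;
        emergencyDelay = _emergencyDelay;
    }
    // Records what each buyer put in; a real sale would do this on its purchase path.
    function contribute(uint256 amount) external {
        require(!emergencyExited && block.timestamp < endingTime, "sale closed");
        require(numeraire.transferFrom(msg.sender, address(this), amount), "pull failed");
        contributed[msg.sender] += amount;
        totalContributed += amount;
    }
    // Owner may only exit after the grace period. Snapshotting the pool makes every
    // claim use the same denominator regardless of claim order.
    function triggerEmergencyExit() external {
        require(msg.sender == owner, "not owner");
        require(!emergencyExited, "already exited");
        require(block.timestamp >= endingTime + emergencyDelay, "grace period not over");
        emergencyExited = true;
        refundPool = numeraire.balanceOf(address(this));
    }
    // Pull-based refunds: no loop over users, so one failing transfer blocks nobody else.
    function claimRefund() external {
        require(emergencyExited, "no emergency exit");
        uint256 owed = contributed[msg.sender];
        require(owed > 0 && totalContributed > 0, "nothing to claim"); // guards the divide
        contributed[msg.sender] = 0;                          // effects before interaction
        uint256 share = owed * refundPool / totalContributed; // multiply first for precision
        require(numeraire.transfer(msg.sender, share), "refund failed");
    }
}
```

The same pull pattern extends to the "sold tokens back into the curve" case by tracking a second contribution mapping for the asset token, so a revert in either direction never blocks the other side's claims.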
