Withdrawal Caps

Withdrawal caps are protocol-level limits on the amount of an asset that can leave Granite over a defined rolling time window. This protects users by limiting potential damage from an exploit, as attackers are prevented from draining an asset since they can only access a subset of protocol capital in a given time period.

Withdrawal caps apply to all ways that an asset can leave the protocol, including:

• Debt Cap: the amount of an asset that can be borrowed

• Collateral Withdrawal Cap: the amount of collateral that can leave the system (this does not affect liquidations)

• Liquidity Provider (LP) Cap: how much liquidity providers can remove

If hit, withdrawal caps will linearly refill over the next 24 hours. They can also be refilled by depositing more of an asset.

Withdrawals at or near the cap are monitored actively by protocol guardians, who can then pause the protocol if suspicious behavior is detected.

Caps are manged by protocol governance.

Example:

• Cap is set to 10% for BTC collateral, and there is $10M of BTC collateral in the protocol

• An individual user with a $100K deposit withdraws $100K - nothing happens, as the protocol-level cap has not been hit

• $900K of BTC collateral is then withdrawn - the cap is hit (10% of $10M), and guardians are notified to review the withdrawal behavior for any suspicious activities

• The next attempted withdrawal of BTC collateral will fail since the cap has been hit

• Withdrawal capacity will increase linearly over the next 24 hours, back to the new capacity of $900K (10% of the remaining $9M).

  • By waiting for 20 minutes, the next borrower can withdraw their $1000 of BTC collateral since the cap has partially refilled.

• If somebody then deposits another $1M, the cap is refilled by the deposit.