TL;DR
-
It is proposed to replace GateSeals with CircuitBreaker, a permanent emergency pause contract. Unlike GateSeals, CircuitBreaker does not expire, does not require redeployment, and allows committees to extend their own authority via periodic heartbeats without a DAO vote.
-
The full design is specified in LIP-34. Source code: github.com/lidofinance/circuit-breaker.
Context
GateSeals were designed as temporary, disposable emergency brakes. Each was deployed with a fixed committee, pause duration, set of pausable contracts, and an expiry of up to one year. Once triggered, the GateSeal expired immediately. If never triggered, it expired naturally. Either way, a new one had to be deployed, verified, voted on via Snapshot, and enacted via an on-chain vote that revokes the pause role from the old instance and grants it to the new one (recent renewal). This recurring burden was intentional, an “inconvenience bomb” to push the DAO toward a permanent solution.
After three years without a single trigger, the tradeoff proved acceptable: a committee that can pause specific contracts once, for a limited duration, is worth having over no fast-response option at all. But the redeployment overhead remains, and with Lido V3, Triggerable Withdrawals, and Dual Governance increasing the number of pausable contracts, it is compounding. CircuitBreaker is proposed as the permanent replacement.
CircuitBreaker
CircuitBreaker is a single, permanent contract that manages all emergency pausing for the protocol. Like an electrical circuit breaker, it trips under fault conditions, protects the system, and is reset by an authorized party. It doesn’t self-destruct after tripping.
A circuit breaker is an electrical safety device designed to protect an electrical circuit from damage caused by current in excess of that which the equipment can safely carry (overcurrent). Its basic function is to interrupt current flow to protect equipment and to prevent fire. Unlike a fuse, which interrupts once and then must be replaced, a circuit breaker can be reset (either manually or automatically) to resume normal operation.
In this analogy, a GateSeal works much like a fuse and CircuitBreaker is, well, a circuit breaker for multiple circuits.
How it works
A single CircuitBreaker is deployed with the DAO Agent as admin, immutable bounds for pause duration and heartbeat interval, and initial values for both. The DAO registers pausable contracts by pairing each one with a committee.
-
Permanent address. The DAO grants the pause role on each pausable contract to the CircuitBreaker address once. Since the address never changes, this grant survives all pause cycles.
-
Single-use pause. In an emergency, the committee triggers a pause on a specific contract. CircuitBreaker verifies the caller, pauses the target, and clears the committee’s authority on that contract. The committee can still pause other contracts assigned to it. DAO can reassign the pauser again.
-
Liveness heartbeat. Committees must periodically send a heartbeat (a drill transaction) to prove they are operational. A committee whose heartbeat has expired cannot pause or refresh; the DAO must replace it with another live committee. Only one heartbeat is required to prove liveness regardless of the number of contracts assigned to the pauser.
See LIP-34 for the full design.
Proposed Pausable Contracts
It is proposed that CircuitBreaker replaces the following GateSeals as emergency pause mechanism for the pausable contracts:
GateSeal 0x8A854C4E750CDf24f138f34A9061b2f556066912:
GateSeal 0xA6BC802fAa064414AA62117B4a53D27fFfF741F1:
GateSeal 0x881dAd714679A6FeaA636446A0499101375A365c:
CS GateSeal 0xE1686C2E90eb41a48356c1cC7FaA17629af3ADB3:
And any new pausable contracts introduced with later upgrades.
Proposed Committees
It is proposed that the existing GateSeal committees remain as pausers for their respective pausable contracts in the CircuitBreaker. It is also proposed to rename the GateSeal committee to CircuitBreaker committee.
Proposed Parameters for Mainnet
| Parameter | Proposed value | Notes |
|---|---|---|
ADMIN |
Lido DAO Agent | Immutable |
MIN_PAUSE_DURATION |
5 days | Immutable lower bound |
MAX_PAUSE_DURATION |
60 days | Immutable upper bound |
MIN_HEARTBEAT_INTERVAL |
30 days | Immutable lower bound |
MAX_HEARTBEAT_INTERVAL |
3 years | Immutable upper bound |
pauseDuration |
21 days | Initial value, tunable by admin |
heartbeatInterval |
365 days | Initial value, tunable by admin |
Pause duration rationale: 21 days. An Aragon vote right now takes 5 days. If it fails to reach quorum, a second vote is needed which is another 5 days. The minimum Dual Governance timelock is 4 days. All that totals to 14 days. The remaining 7 days provide a buffer for the situation analysis, coordination, and vote preparation.
Tentative timeline
April 2026
-
LIP-34: CircuitBreaker is submitted for review
-
CircuitBreaker code is submitted for external audit
-
Hoodi testnet starts
May 2026
-
Snapshot vote
-
Prepare onchain vote
-
Prepare monitoring
June 2026
- Onchain vote: full switch from GateSeals to CircuitBreaker