🏧Withdrawal Limits

Overview

WithdrawRateLimit is a safety mechanism that limits the global rate of fund withdrawals for an exchange. The limit applies to all accounts, including the owner. It is designed to slow mass withdrawals during a security incident, giving operators time to detect and respond before all protocol funds are drained.

This rate limit does not affect:

  • Internal transfers within the protocol

  • Accounting operations that do not reduce TVL

The system operates using Monad block approximations, not timestamps. Assuming an average block consensus time of 0.42 seconds, an “hour” is represented by a fixed number of approximate blocks.

Purpose of the Rate Limit

The mechanism provides:

  • A global throttle on withdrawals

  • A TVL-dependent maximum hourly outflow

  • A burst window at the beginning of each rate-limit period

  • A smooth linear release of additional withdrawable funds over the remaining hour

This protects user funds during unexpected events such as:

  • Smart-contract exploits

  • Private-key compromise

  • Economic attacks involving rapid withdrawals

Rate-Limit Calculation

When the first withdrawal of a new hour-period occurs, the contract:

  1. Reads the current Total Value Locked (TVL).

  2. Computes the maximum allowed withdrawal for the upcoming hour:

Hourly Withdrawal Limit

hourly limit=max(wrlsThousandthsTvlTVL1000, MIN_WITHDRAW_LIMIT_CNS)\textbf{hourly limit} = \max\left( \frac{\textit{wrlsThousandthsTvl} \cdot \text{TVL}}{1000},\ \textit{MIN\_WITHDRAW\_LIMIT\_CNS} \right)

This ensures:

  • The limit scales with protocol size

  • There is a minimum cap to ensure usability when TVL is small

Collateral Per Block (Release Rate)

This controls how quickly additional withdrawal capacity becomes available as blocks are mined.

Burst Window (First ~15 minutes)

At the start of the hour:

  • A burst amount equal to ~¼ of the hourly limit is immediately available.

  • This includes any rounding remainder from integer division.

  • After this initial window, additional capacity unlocks block-by-block.

This burst ensures:

  • Regular user withdrawals remain smooth

  • Emergency withdrawals remain possible

  • Attackers cannot instantly drain the protocol

Withdrawal Availability Curve

Below is a textual representation of the conceptual rate-limit curve.

Key Behaviors

  • First 15 minutes: Large burst available immediately

  • 15–60 minutes: Linear increase at collateralPerBlock

  • At 60 minutes: Limit fully resets for next withdrawal call

  • Next withdrawal after hour boundary: Recomputes using new TVL

Cycle Reset

At the end of the hour (approximate block count reached):

  • The next withdrawal to call _rateLimitWithdrawal resets the cycle.

  • The current TVL is used to recompute the new limit.

  • The cycle repeats: burst → linear release → reset

PreviousSecurityNextTrading Perpetuals on Perpl

Last updated