“Risk Engine” for Yield Assets

Governance Delegation
1

Summary

Some of the largest exchange rate markets on Morpho are vulnerable to positive-price-swing attacks. Yield-bearing assets like LRTs and LSTs have expected ceilings on yield, but currently, Morpho markets don’t take this into account. If an oracle incorrectly reports that the value of a yield-bearing token is much higher than its yield accounts for, current market configurations will take the oracle at its word and allow for collateral to be valued higher than it’s supposed to. Improperly valued collateral can lead to incredibly dangerous scenarios where bad debt accumulates and markets get drained.

We propose creating a chainlink-interface-compatible “Risk Engine” factory for yield-bearing liquid tokens like LRTs, LSTs, and yield-stables. Risk curators on Morpho can use this factory to generate a new smart contract that will query the underlying oracle of their choice, compare the oracle’s price to the expected appreciation of the asset over time, and limit the oracle to that appreciation. The resulting contracts can be used as input for the Morpho oracle factory.

For example, stETH has an average APY of ~3%. So, we can put an upper limit of 3% per year:

Year 0 - Upper Limit: 1ETH

  • Oracle Price: 1 stETH/1 ETH
  • Adjusted Price: 1 stETH/1 ETH

Year 1 - Upper Limit: 1.03 ETH

  • Oracle Price: 1 stETH/1.0298 ETH
  • Adjusted Price: 1 stETH/1.0298 ETH (slightly under limit)

Year 2 - Upper Limit: 1.0609 ETH

  • Oracle Price: 1 stETH/1.08 ETH
  • Adjusted Price: 1 stETH/1.0609 ETH (above limit)

Scope & Features

  1. Risk Engine factory: allows for risk curators to choose their parameters and oracle of choice
  2. Yield interfaces: custom interfaces for each yield asset being supported
  3. Core assets: start with support for low-risk rated yield tokens: wstETH, weETH.
  4. Additional assets: add support for popular yield tokens on Morpho:
  • SUSDS
  • SUSDE
  • RETH
  • RSETH
  • EZETH
  1. Immutability: the Ojo team will not have control over the factory once it is deployed.
  2. Oracle-agnostic support: support for major oracles currently used by the Morpho DAO

Scalability

  • New assets: this framework can be expanded to support new assets by adding new interfaces.
  • Configurability: if the yield on a token dramatically changes, risk curators can decide on new parameters and create a new market.
  • Testing: We will test price swing responses to ensure the upper limits are enforced.
  • Permissionless deployments: risk curators can deploy new instances without having to contact the Ojo team.
  • Documentation: the Ojo team will create detailed documentation to help Risk Curators implement.

Open Source

This Risk Engine will be open-sourced under soft copyleft MPL-2.0. This ensures any modifications to the original code remain publicly available.

Collaboration + Support

The Ojo team will ask for feedback from risk curators on Morpho to ensure the design meets the needs of both the Morpho DAO and risk curators. Curators will decide their own parameters as they deem appropriate. We are already collaborating with Gauntlet on the relevant design.

Alignment with Morpho

This Risk Engine strengthens Morpho by giving risk curators another tool in their belt to keep their vaults safe. By reducing the risk of overpriced collateral, they can protect users against panic-causing oracle attacks and market manipulation. Risk curators may also be more comfortable listing new yield-bearing tokens, resulting in more revenue and TVL for the Morpho protocol.

Audits

The Ojo team will engage at least 2 independent auditors to ensure the design works as intended for all the associated tokens.

Disclaimer

All software, code, or deliverables provided by Ojo to Morpho DAO are furnished on an “as is” and “as available” basis, with no representations or warranties of any kind, whether express, implied, or statutory. See our full Terms of Service in a comment below.

Schedule

We are proposing both a software development cycle and some time for technical support to help Morpho Risk Curators integrate.

  • Week 1: core factory contract development
  • Week 2: support for core assets (wstETH & weETH)
  • Week 3-4: support for additional assets (SUSDS, SUSDE, etc)
  • Week 5-8: audits & deployment
  • Week 9: technical support

Funding Request

We are requesting $100,000 for this proposal, calculated by a 7-day TWAP from the time of disbursement, with the following release schedule:

  1. 50% upon governance approval
  2. 50% upon deployment

Funding will be used for R&D, thorough audits, and deployment costs.

2 Likes
2

Please find our full ToS here

4

Also relevant for the discussion: in this post, Chaos Labs outline the recent Venus exploit, and how a design like what we’ve proposed can help. As these attacks become more common and sophisticated, we believe it’s paramount we help build this for the Morpho DAO.

5

We talked with the Ojo team about similar functionality for oracles before. If there is a factory that allows risk curators to specify the capped value parameters and can use any Morpho oracle as an input we think this could be a good initiative.

1 Like
6

Ether.fi supports the proposal to introduce a Risk Engine for yield-bearing assets on Morpho. As a provider of weETH, we recognize the critical importance of ensuring accurate collateral valuation to protect lending markets from oracle manipulation and mispricing risks. Implementing a framework that accounts for the expected appreciation of yield-bearing tokens will enhance market security and encourage responsible expansion of LRT and LST collateral options.

By incorporating weETH into this Risk Engine, Morpho’s ecosystem can benefit from a more resilient lending environment, safeguarding against bad debt accumulation while increasing confidence in new asset listings. We appreciate the Ojo team’s thoughtful approach to scalability, configurability, and security, and we look forward to collaborating to ensure the successful integration of this framework.

1 Like
7

Gauntlet supports this proposal to introduce a risk engine aimed at mitigating vulnerabilities that arise from smart contract-fed oracles. By implementing such a mechanism, Morpho markets can be better protected from risks associated with price feed manipulation via the underlying smart contract or market feed, which we describe in the table below. This risk engine mechanism could effectively minimize the potential for bad debt accumulation for depositors and mitigate large-scale liquidations for borrowers in the event of upward manipulation of price feed.

A proposed risk engine can substantially reduce exposure to exploitative attacks by limiting the possible gains an exploiter could realize from such manipulations. This strategy can lower the potential profitability of attacks, effectively discouraging malicious actors from targeting Morpho markets.

The table below illustrates how the risk engine could address key manipulation and exploit vectors in the context of Morpho markets:

Manipulation/Exploit Vector Risk Engine Protection
Smart contract rate manipulation (e.g., LST, yield bearing stables) The engine would impose filters to restrict unrealistic exchange rate increases thus mitigate reliance on only the output of the smart contract.
ERC-4626 donation attack By implementing a cap on the convertToAsset function, this mechanism would prevent abnormal exchange rate for the underlying asset. This will reduce impact of increases value of collateral or borrowed ERC-4626 assets via this attack. Would make it harder for attackers to artificially inflate the price to either increase their borrowing power or incur large liquidations.
Pegged Assets and Stablecoins Smart Contract or Market Price Manipulation The engine would apply an upper bound on the price of assets, effectively protecting against sudden and temporary price manipulations that could harm both borrowers and depositors.

A recent example of a use case for Ojo’s proposed risk engine would be the wUSDM ERC-4626 donation attack that took place on Venus protocol. The attack saw the exchange rate artificially inflated from 1.0694 to 1.7641, which incurred $902k in bad debt. If Ojo’s proposed risk mechanism had been implemented, the profitability of the exploit could have been drastically reduced, thus potentially preventing the attack altogether or reducing incurred debt. It’s worth noting that this exploit was carried out in a single block, using a flash loan to amplify the impact.

Recommendations for Implementation:

  • Wider adoption by curators: The success of this solution hinges on broad adoption by risk curators. To ensure comprehensive coverage across Morpho markets, it’s essential that all curators implement this risk engine for all assets subject to these manipulation risks. If adoption is partial, some markets will remain vulnerable to attacks.
  • Integration with the Morpho Chainlink Factory contract: Gauntlet recommends that Morpho Labs and Ojo collaborate to integrate this risk engine into the Morpho Chainlink Factory contract. A flexible design where curators can opt to activate and fine-tune the cap settings for specific oracles would improve the mechanism’s adoption and reduce the need for managing multiple contracts.
  • Caps to the Risk Engine: Due to the immutability of the risk engine within the Morpho Oracle, the annualized cap is fixed once set. As a result, curators must set relatively aggressive caps (e.g., a 10% cap when LRT yields are around 3–5%) to avoid scenarios where the cap becomes a constraint to actual price and curators would potentially need to create a new market and migrate borrowers and liquidity. Even with aggressive caps, the profitability of malicious attacks and the potential for protocol insolvency are significantly mitigated.

In conclusion, the proposed risk engine could be a key risk mechanism for Morpho markets, addressing price feed vulnerabilities. By leveraging Ojo’s risk engine, and ensuring widespread adoption across Morpho curators, we can further improve security and risk management within the Morpho ecosystem.

2 Likes
8

We support this proposal. Addressing potential attack vectors through engineering solutions is crucial for maintaining the integrity of permissionless markets like Morpho, and we find this approach ideal and an important initiative.

This initiative is reminiscent of Lido’s Negative Rebase Protection (LIP-23), which incorporates a second opinion oracle framework. Although they target different specific risk factors, we view both designs as critical for mitigating protocol risks. Furthermore, for assets exhibiting relatively stable yields, the introduction of this Risk Engine should not impair the essential function of market-based price discovery.

1 Like
9

Thanks to all the above teams for supporting our proposal! We’re more than happy to collaborate on the following:

  • Wider adoption by curators - Risk Curators are independent organizations and they ultimately make decisions for their own vaults, but we can make it easy on them. We will help with technical support, documentation, and communications with the Morpho DAO. As mentioned by Gauntlet, "...it’s essential that all curators implement this risk engine for all assets subject to these manipulation risks."
  • Integration with the Morpho Chainlink Factory contract - This feature removes a layer of complexity for Risk Curators who choose to migrate. We will work with the Morpho Association team on the best way to coordinate this work after the initial Risk Engine is delivered.
  • Caps to the Risk Engine - Rather than suggest parameters ourselves, we leave it up to expert Risk Curators to come up with the right parameters, depending on their appetite for risk and how often they would like to create new markets. We will be happy to quote general rules of thumb in our docs.
1 Like
10

We’d like to add a comment on the Kelp Incident that Steakhouse posted about last week.

Due to a bug in the fee minter, an excess amount of tokens was unintentionally minted and ended up in Kelp’s fee recipient address. We’re fortunate this didn’t impact the rsETH exchange rate; if it had, and without the proposed system architecture, the curators’ vaults could have faced significantly higher risk.