Steakhouse MetaMorpho Vaults are upgrading their guardian setups to fully trustless

Summary

The current Guardian setup is a good bootstrap solution for new vaults. Nevertheless, we thought there could be ways to be more decentralized, transparent, and trustless. We already lead the field of curated vaults with a 7-day timelock, and we aim to iterate on that model with one fewer trusted assumption to give comfort to lenders that they always retain full control over their interactions with Morpho smart contracts.

We have been working with Aragon over the last few weeks to leverage their experience working with some of the most important DAOs in the space. Lido DAO, for example, is an Aragon DAO that secures almost 10m staked Ether (nearly $40bn) since launch. The flexibility of an Aragon DAO setup means that the components of the guardian are fully trustless, with no off-chain components.

We believe that this will provide a better set of trust assumptions (namely, no trust assumptions) and help secure Steakhouse MetaMorpho vault users. As always, Steakhouse MetaMorpho vault users' input is welcome. Of course, they will have veto rights.

We hope that this new set of transparent, trustless guardian configurations will help lenders feel more comfortable allocating to Steakhouse MetaMorpho vaults.

| MetaMorpho Risk Parameter | Steakhouse Vaults | Rationale |
| --- | --- | --- |
| Market selection | Blue-chip real-world asset and crypto collateral | Offer opportunities in all-weather market conditions |
| Timelock | 7 days | Shorter time frames do not give enough time for token holders to react on adverse parameter modifications |
| Guardian | On-Chain Aragon DAO | Trustless, decentralized, transparent |

Context

Current setup

All Steakhouse vaults have a timelock of 7 days, allowing users to exit the vault if they disagree with a significant change (as shown in the diagram below). A significant change is defined as adding/removing/updating a Morpho Blue market from a MetaMorpho and changing the guardian or the timelock period of the MetaMorpho.


Old setup

The threshold to create a revoking proposal was set around $10k. The quorum was set at the same value, ensuring most participants can revoke any malicious action attempt by themselves. We recognize that it is difficult for separate users to coordinate or even to remain informed on the evolution of the vaults. Our setup requires only one person to protect the vault.

Aragon

Aragon builds full stack DAO technology, enabling organizations to govern their protocols and assets onchain. Aragon deployed the first DAO framework in 2017. Since then Aragon’s tech stack has powered the creation of over 7500 DAOs and secures the governance of over $41b in value for leading projects like Lido, Decentraland, and API3. Aragon is excited to announce that another project with over $1 billion in TVL is currently in the process of migrating to the Aragon tech stack (announcement soon).

Aragon OSx is a modular DAO framework that allows developers to build, deploy, and evolve custom DAOs onchain. Governance logic is programmed into plugins, making custom and granular governance designs easier, faster, and safer to build. Plugins can be installed, upgraded, and uninstalled, allowing DAOs to evolve over time, trustlessly and onchain, via their governance process.

Aragon App is a new human-centered frontend that allows anyone to launch a DAO, mint tokens, and govern any wallet or ERC20 token based DAO fully onchain and with no-code.

Implementation of Aragon for Steakhouse MetaMorpho Vaults

Overall strategy

For new vaults, Steakhouse will implement the new Aragon setup. For existing vaults, unless there is strong disagreement, a new guardian will be set linking to an Aragon DAO. Those DAOs will have the sole purpose of letting the vault user vote on revoking proposals.


New setup with Aragon Guardians

For instance, you can see a test on the steakETH Guardian DAO that a proposal was made to test the system.

Overall, it remains simple: you go to the DAO page, and you can make a proposal or vote on one that will call a revoke function of the MetaMorpho contract. The voting period is one day, leaving plenty of time for users to react (as the timelock is seven days).

Token wrapping

As you can see as well, it is not steakETH that is used to be able to create a proposal or vote. Aragon uses a wrapped version of steakETH, called gsteakETH (and the same pattern for all vaults). This allows adding sybil resistance that is not present on the MetaMorpho tokens. Unwrapping can be done any time.

Therefore, in order to create a proposal, one needs to wrap the tokens (Aragon UI automatically proposes the wrapping). Tokens need to be wrapped before the start of the proposal. We recommend delaying the start of the vote by one day to give other participants time to wrap their tokens. Nevertheless, a small minority of users, usually only one, is enough to protect the vault.

Making the Aragon DAO immutable

Aragon DAO is a complete framework to manage DAOs. This leaves a lot of flexibility that is not wanted in our setup. The main one is the ability to change governance parameters with a vote. This means malicious people could create a vote to extend the minimum vote duration to 14 days, i.e. longer than the timelock of the MetaMorpho. This would render the guardian useless. Obviously, it is expected that people will vote against such a proposal. Nonetheless, this has two issues. First, it requires MetaMorpho to keep their token wrapped (see previous section) and monitor the Aragon DAO proposal.

Thanks to the guidance and help of the Aragon team, we have been able to make those Aragon DAOs fully immutable. As good guardians, you don’t have to monitor them.

More technically, the following roles have been revoked:

  • UPDATE_VOTING_SETTINGS_PERMISSION_ID, removing the ability of the DAO to update its settings;
  • ROOT_PERMISSION_ID on the DAO, removing the ability of the DAO to grant itself UPDATE_VOTING_SETTINGS_PERMISSION_ID again;
  • UPGRADE_PLUGIN_PERMISSION_ID removing the ability of the DAO to upgrade the voting contract and UPGRADE_DAO_PERMISSION_ID to remove the ability of the DAO to upgrade the main DAO contract.

Those changes were made on all Aragon DAOs to be used as MetaMorpho guardians. You can see a Sepolia test here on the inability to execute a vote that tries to change the settings.

Making the Aragon DAO immutable obviously makes any future change impossible. This isn’t a concern in our design of MetaMorpho vaults. Should the current settings not prove adequate in the future, we can deploy a better suited guardian which will be under the 7-day timelock.

Future developments

We will launch the steakETH vault which will use an AragonOSx DAO as the guardian. We also plan to propose the migration of the current vault’s guardians to Aragon later on. Nevertheless, we don’t plan to stop here. We are already working with Aragon on a more custom and fine-tuned governance mechanism for dual governance that will be easier to use and does not require tokens to be wrapped. In both instances users will only have to use one UI, the solution will be fully onchain, and will be trustless.

Conclusion

In our journey to be a contributing Morpho ecosystem participant, we report on our efforts to make the guardian function of MetaMorpho as trustless as possible. For this reason, we propose other vault curators match our 7-day timelock and consider a migration from oSnap or multisigs to Aragon.

As always, Steakhouse is listening to the community so feel free to provide feedback.

Steakhouse MetaMorpho trustlessness has been achieved internally.

5 Likes
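The immutability argument in the post above, as an added example that is not code from Steakhouse, Morpho or Aragon: a simplified offline model that audits a guardian configuration for the two failure modes described (a revoke vote that outlasts the timelock, and settings that can still change by vote). The `Guardian`, `reachable`, `execute_settings_vote` and `audit` names are hypothetical, and the model assumes ROOT lets the DAO re-grant any of the listed permissions.

```python
from dataclasses import dataclass, replace

DAY = 86_400
# Permission names as listed in the post.
UPDATE = "UPDATE_VOTING_SETTINGS_PERMISSION_ID"
ROOT = "ROOT_PERMISSION_ID"
UPGRADE_PLUGIN = "UPGRADE_PLUGIN_PERMISSION_ID"
UPGRADE_DAO = "UPGRADE_DAO_PERMISSION_ID"

@dataclass(frozen=True)
class Guardian:
    timelock: int        # MetaMorpho timelock (seconds)
    vote_duration: int   # minimum vote duration of the DAO
    start_delay: int     # delay between proposal creation and vote start
    held: frozenset      # permissions the DAO still holds over itself / its plugin

def reachable(g):
    """Permissions the DAO can exercise, directly or by re-granting via ROOT."""
    if ROOT in g.held:
        return g.held | {UPDATE, UPGRADE_PLUGIN, UPGRADE_DAO}
    return g.held

def execute_settings_vote(g, new_duration):
    """Model a passed vote that tries to change the minimum vote duration."""
    if UPDATE not in reachable(g):
        return g  # the call reverts, settings stay as they were
    return replace(g, vote_duration=new_duration)

def audit(g):
    """Return the reasons this guardian could fail to revoke in time."""
    findings = []
    if g.start_delay + g.vote_duration >= g.timelock:
        findings.append("revoke vote cannot finish inside the timelock")
    r = reachable(g)
    if UPDATE in r:
        findings.append("voting settings can be changed by a vote")
    if r & {UPGRADE_PLUGIN, UPGRADE_DAO}:
        findings.append("voting or DAO contract can be upgraded by a vote")
    return findings

# Constructed configurations using the post's numbers:
# 7-day timelock, 1-day vote, 1-day recommended start delay.
IMMUTABLE = Guardian(7 * DAY, 1 * DAY, 1 * DAY, frozenset())
ROOT_ONLY = replace(IMMUTABLE, held=frozenset({ROOT}))

if __name__ == "__main__":
    for name, g in (("immutable", IMMUTABLE), ("root only", ROOT_ONLY)):
        print(name, audit(execute_settings_vote(g, 14 * DAY)))
```

The `ROOT_ONLY` case shows why revoking UPDATE_VOTING_SETTINGS_PERMISSION_ID alone is not enough: with ROOT still held, the 14-day vote goes through and the audit reports all three findings.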

Thanks to the MetaMorpho team for working with us on upgrading their guardian setups to being fully trustless, verifiable, and onchain! Looking forward to ideating even better solutions in the future and welcome a conversation with any vault curator who would like to consider this migration for their depositors. Super excited to see the growth of the Morpho ecosystem!

2 Likes

I applaud these efforts at genuine decentralisation and permissionlessness, which echoes Morpho Blue’s approach.
Well done!

2 Likes

Following the positive feedback and the absence of any opposition, we submitted the new Aragon DAO guardian for steakUSDC, steakPYUSD and steakUSDT in this transaction. The timelock will last 7 days during which a revoke by the guardian is possible.

Should you feel against this proposal, you can veto it on the following Snapshots:

PS: steakWBTC and steakETH were created directly with Aragon DAO guardians so there are no changes.

The new guardians will be the following:

3 Likes