Subscribe to Morpho
MorphoUnderstanding Morpho Vaults: Intro & Simplifying Isolated Markets
Morpho Vaults combines the best of isolated markets and multi-asset lending pools to create a better way to lend. In time, we believe Morpho Vaults will become the default lending solution. Today, we are introducing a four-part series explaining why, starting with Part One: Intro to the Morpho Approach & Simplifying Isolated Markets.The Morpho ApproachThere are two main approaches to structuring lending markets in decentralized finance: lending pools and isolated markets. The former excels in...
MorphoAligning Around MORPHO — The Only Asset For Morpho
TL;DRMorpho will have only one asset—the MORPHO token. This single-asset approach ensures complete alignment between the network of contributing entities and the Morpho DAO (MORPHO token holders). To clarify this alignment, Morpho Labs is becoming a wholly-owned subsidiary of the Morpho Association to eliminate any perceived conflicts with equity value and ensure that token holders and these contributing entities share the same incentive. As the Morpho DAO explores introducing protocol fees t...
MorphoUnderstanding Morpho Vaults: Enabling Diverse Risk Profile
Morpho Vaults (formerly known as MetaMorpho Vaults) combines the best of isolated markets and multi-asset lending pools to create a better way to lend. In time, we believe Morpho Vaults will become the default lending solution. Last week, we introduced the Understanding Morpho Vaults article series with Part One: Intro to the Morpho Approach & Simplifying Isolated Markets. Today, we share Part Two: Enabling Diverse Risk Profiles to explain how, unlike the traditional one-size-fits-all approac...
>200 subscribers
MorphoUnderstanding Morpho Vaults: Intro & Simplifying Isolated Markets
Morpho Vaults combines the best of isolated markets and multi-asset lending pools to create a better way to lend. In time, we believe Morpho Vaults will become the default lending solution. Today, we are introducing a four-part series explaining why, starting with Part One: Intro to the Morpho Approach & Simplifying Isolated Markets.The Morpho ApproachThere are two main approaches to structuring lending markets in decentralized finance: lending pools and isolated markets. The former excels in...
MorphoAligning Around MORPHO — The Only Asset For Morpho
TL;DRMorpho will have only one asset—the MORPHO token. This single-asset approach ensures complete alignment between the network of contributing entities and the Morpho DAO (MORPHO token holders). To clarify this alignment, Morpho Labs is becoming a wholly-owned subsidiary of the Morpho Association to eliminate any perceived conflicts with equity value and ensure that token holders and these contributing entities share the same incentive. As the Morpho DAO explores introducing protocol fees t...
MorphoUnderstanding Morpho Vaults: Enabling Diverse Risk Profile
Morpho Vaults (formerly known as MetaMorpho Vaults) combines the best of isolated markets and multi-asset lending pools to create a better way to lend. In time, we believe Morpho Vaults will become the default lending solution. Last week, we introduced the Understanding Morpho Vaults article series with Part One: Intro to the Morpho Approach & Simplifying Isolated Markets. Today, we share Part Two: Enabling Diverse Risk Profiles to explain how, unlike the traditional one-size-fits-all approac...
Subscribe to Morpho
>200 subscribers
Share Dialog
Share Dialog
MetaMorpho is an open-source, immutable, heavily audited code base that has now also been formally verified using Certora.
Formal verification is a staple of Morpho's security framework. Not long ago, we shared the formal verification of Morpho Blue, and today, we are doing the same for MetaMorpho.
Used effectively, formal verification can help develop higher quality and, most importantly, more secure smart contracts. That is why Morpho Labs has invested significant time and resources into formally verifying Morpho Blue and now MetaMorpho.
This article recaps the benefits of formal verification and provides examples of MetaMorpho verification using CVL, Certora's Verification Language.
The full scope of MetaMorpho's formal verification is available here.
Formal verification is the process of using mathematical methods to prove the correctness of a smart contract by verifying that it satisfies specific properties. These properties are expressed using formal language supported by the verification tool used to prove them.
Formal verification stands out due to its exhaustive approach to evaluating software correctness. Other methods, such as unit testing, can only verify correctness for specific scenarios or inputs, whereas formal verification enables checking every possible scenario or input.
Despite its capabilities, it is worth noting that formal verification is still only one part of Morpho’s comprehensive security framework.
Now, to look at formal verification in practice, using real examples from the repo.
MetaMorpho defines different roles to be able to manage the vault, the distinction between roles helps in reducing trust assumptions.
Roles follow a hierarchy, and this hierarchy is verified to hold in [Roles.spec]. More precisely, a senior role is checked to be able to do the same operations as a lesser role. Additionally, it is verified in [Reverts.spec] that the roles are necessary to be able to do permissioned operations.
For example, the following rule makes sure that having the guardian role is necessary to be able to revoke a pending timelock:
The rule is verified using the Certora prover in seconds:
MetaMorpho features a timelock mechanism that applies to every operation that could potentially increase risk for users. The following function defined in [PendingValues.spec] is verified to always return true.
In the end, the verification is completed by the Certora prover within a few minutes:
Notice how increasing the timelock itself is not subject to a timelock, as it does not increase the risk for the user. A greater timelock means that the user would have more time to react to the vault's management operations that would not align with the user risk profile.
The liveness properties ensure that some crucial actions cannot be blocked. It is notably useful to show that in case of an emergency, it is still possible to make salvaging transactions. The canPauseSupply rule in [Liveness.spec] shows that it is always possible to prevent new deposits. This is done by first setting the supply queue as the empty queue and checking that it does not revert.
With this defined, the verification is successful:
These are only some examples of MetaMorpho’s verification. Find the full scope here.
Despite the thoroughness of formal verification, it cannot guarantee absolute perfection or eliminate all potential risks associated with MetaMorpho.
Formal verification is effective within the defined scope of specifications and assumptions. Human input and interpretation, incomplete specifications, and bugs in the tools used can also impact the accuracy of results.
MetaMorpho is an open-source, immutable, heavily audited code base that has now also been formally verified using Certora.
Formal verification is a staple of Morpho's security framework. Not long ago, we shared the formal verification of Morpho Blue, and today, we are doing the same for MetaMorpho.
Used effectively, formal verification can help develop higher quality and, most importantly, more secure smart contracts. That is why Morpho Labs has invested significant time and resources into formally verifying Morpho Blue and now MetaMorpho.
This article recaps the benefits of formal verification and provides examples of MetaMorpho verification using CVL, Certora's Verification Language.
The full scope of MetaMorpho's formal verification is available here.
Formal verification is the process of using mathematical methods to prove the correctness of a smart contract by verifying that it satisfies specific properties. These properties are expressed using formal language supported by the verification tool used to prove them.
Formal verification stands out due to its exhaustive approach to evaluating software correctness. Other methods, such as unit testing, can only verify correctness for specific scenarios or inputs, whereas formal verification enables checking every possible scenario or input.
Despite its capabilities, it is worth noting that formal verification is still only one part of Morpho’s comprehensive security framework.
Now, to look at formal verification in practice, using real examples from the repo.
MetaMorpho defines different roles to be able to manage the vault, the distinction between roles helps in reducing trust assumptions.
Roles follow a hierarchy, and this hierarchy is verified to hold in [Roles.spec]. More precisely, a senior role is checked to be able to do the same operations as a lesser role. Additionally, it is verified in [Reverts.spec] that the roles are necessary to be able to do permissioned operations.
For example, the following rule makes sure that having the guardian role is necessary to be able to revoke a pending timelock:
The rule is verified using the Certora prover in seconds:
MetaMorpho features a timelock mechanism that applies to every operation that could potentially increase risk for users. The following function defined in [PendingValues.spec] is verified to always return true.
In the end, the verification is completed by the Certora prover within a few minutes:
Notice how increasing the timelock itself is not subject to a timelock, as it does not increase the risk for the user. A greater timelock means that the user would have more time to react to the vault's management operations that would not align with the user risk profile.
The liveness properties ensure that some crucial actions cannot be blocked. It is notably useful to show that in case of an emergency, it is still possible to make salvaging transactions. The canPauseSupply rule in [Liveness.spec] shows that it is always possible to prevent new deposits. This is done by first setting the supply queue as the empty queue and checking that it does not revert.
With this defined, the verification is successful:
These are only some examples of MetaMorpho’s verification. Find the full scope here.
Despite the thoroughness of formal verification, it cannot guarantee absolute perfection or eliminate all potential risks associated with MetaMorpho.
Formal verification is effective within the defined scope of specifications and assumptions. Human input and interpretation, incomplete specifications, and bugs in the tools used can also impact the accuracy of results.
No comments yet