-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document the requirements about external contracts #125
Comments
I'm not sure it should be a requirement tbh. For now, I don't see any other things we could add. |
this must not be possible, even with a token that is completely adversarial. The only thing that breaks when an "ERC20" is not compliant should be the markets with this token as borrowable or collateral (and same with IRMs, oracles).
this should also be defined then |
Yes that's what I meant: what are the requirements about external calls such that a market is sound. This issue does not require to update the code, only the documentation |
Updated the description of the issue. Right now it sounds like we arrive at a pretty nice specification for the IRM and the oracle, but the token specification seems to be more tricky. In particular there can be many ways in which a particular token would not make for a sound market in Blue |
In the formal verification, we used the following assumptions:
Keep in mind that these are only about the functional correctness property and not about the economical properties. Also, reverts in those contracts were not tested. |
I feel that it's slightly too conservative: most tokens have a mint function and it should be fine from a correctness perspective. Although the burn function may cause issues. |
I feel that this spec is really valuable. Concretely, what should we do with it ? Put a comment in IERC20, IIrm and IOracle ? |
Yes I missed that, we do test with a mint function and it's fine. There is no test with a burn function but it's pretty clear that if the Morpho contract gets its tokens burnt then there is an issue.
That sounds good |
Or maybe a comment in the |
This has a very high value to me, because it'll be printed on Etherscan |
A Morpho Blue is setting up a few contracts that can be called in the main functions: the IRM, the oracles, the tokens. We should define what we expect from those contracts so that the code works as expected.
For each token:
totalSupply
for example is wrong)The IRM will be whitelisted by governance, but we can expect that the
borrowRate
function is a function that only modifies its own storage.EDIT: The IRM is expected to be nonreentrant in the Certora verification, and it seems to be enough to prove functional correctness properties (but probably not enough to prove economical properties). This means that the IRM is allowed to change any other contract's storage.
For the oracles, we could make the same assumption as for the IRM.
EDIT: the oracle is using a view function (which compiles to STATICCALL), this means that it does not change any storage. This seems to be enough to prove functional corecctness properties. It's obviously not enough to prove economical properties: for example we could imagine an oracle that has a preferential treatment when
tx.origin == user
.Note that being a user of a market comes with economical risks (for example with a badly tuned oracle). The user should assume those risks, and instead we focus in this issue on smart contract risks. Do you see more assumptions that should be made about those contracts, or can we refine the assumptions above ?
The text was updated successfully, but these errors were encountered: