# Steakhouse MetaMorpho Vaults are upgrading their guardian setups to fully trustless
## Summary
The current [Guardian](https://medium.com/b-protocol/a-decentralized-guardian-setup-how-metamorpho-lps-veto-risk-curator-actions-bf6653f6425a) setup is a good bootstrap solution for new vaults. Nevertheless, we thought there could be ways to be more decentralized, transparent, and trustless. We already lead the field of curated vaults with a 7-day timelock, and we aim to iterate on that model with one fewer trusted assumption to give comfort to lenders that they always retain full control over their interactions with Morpho smart contracts.
We have been working with Aragon over the last few weeks to leverage their experience working with some of the most important DAOs in the space. [Lido DAO](https://mainnet.lido.fi), for example, is an Aragon DAO that has secured almost 10m staked Ether (nearly $40bn) since launch. The flexibility of an Aragon DAO setup means that the components of the guardian are fully trustless, with no off-chain components.
We believe that this will provide a better set of trust assumptions (namely, no trust assumptions) and help secure Steakhouse MetaMorpho vault users. As always, input from Steakhouse MetaMorpho vault users is welcome. Of course, they will have veto rights.
We hope that this new set of transparent, trustless guardian configurations will help lenders feel more comfortable allocating to Steakhouse MetaMorpho vaults.
| MetaMorpho Risk Parameter | Steakhouse Vaults | Rationale |
|---------------------------|--------------------------------------------------|-----------------------------------------------------------------------------------------------------------|
| Market selection | Blue-chip real-world asset and crypto collateral | Offer opportunities in all-weather market conditions |
| Timelock | 7 days | Shorter time frames do not give token holders enough time to react to adverse parameter modifications |
| Guardian | On-Chain Aragon DAO | Trustless, decentralized, transparent |
## Context
### Current setup
All Steakhouse vaults have a 7-day timelock, allowing users to exit the vault if they disagree with a significant change (as shown in the diagram below). A significant change is defined as adding/removing/updating a Morpho Blue market from a MetaMorpho, or changing the guardian or the timelock period of the MetaMorpho.
![image](https://hackmd.io/_uploads/SyFBg6eRa.png)
*Old setup*
The threshold to create a revoking proposal was set around $10k. The quorum was set at the same value, ensuring most participants can revoke any malicious action attempt by themselves. We recognize that it is difficult for separate users to coordinate or even to remain informed on the evolution of the vaults. Our setup requires only one person to protect the vault.
### Aragon
[Aragon](https://aragon.org/) builds full-stack DAO technology, enabling organizations to govern their protocols and assets onchain. Aragon deployed the first DAO framework in 2017. Since then, Aragon’s tech stack has powered the creation of over 7500 DAOs and secures the governance of over $41b in value for leading projects like Lido, Decentraland, and API3. Aragon is excited to announce that another project with over $1 billion in TVL is currently in the process of migrating to the Aragon tech stack (announcement soon).
[Aragon OSx](https://devs.aragon.org/) is a modular DAO framework that allows developers to build, deploy, and evolve custom DAOs onchain. Governance logic is programmed into plugins, making custom and granular governance designs easier, faster, and safer to build. Plugins can be installed, upgraded, and uninstalled, allowing DAOs to evolve over time, trustlessly and onchain, via their governance process.
[Aragon App](https://app.aragon.org/) is a new human-centered frontend that allows anyone to launch a DAO, mint tokens, and govern any wallet or ERC20 token based DAO fully onchain and with no-code.
## Implementation of Aragon for Steakhouse MetaMorpho Vaults
### Overall strategy
For new vaults, Steakhouse will implement the new Aragon setup. For existing vaults, unless there is strong disagreement, a new guardian will be set linking to an Aragon DAO. Those DAOs will have the sole purpose of letting vault users vote on revoking proposals.
![image](https://hackmd.io/_uploads/S1KrZTl0p.png)
*New setup with Aragon Guardians*
For instance, on the [steakETH Guardian DAO](https://app.aragon.org/#/daos/ethereum/steaketh-guardian.dao.eth/dashboard) you can see a proposal that was made to test the system.
Overall, it remains simple: you go to the DAO page, where you can make a proposal, or vote on one, that will call a revoke function of the MetaMorpho contract. The voting period is one day, leaving plenty of time for users to react (as the timelock is seven days).
![image](https://hackmd.io/_uploads/BkLwWpg0a.png)
### Token wrapping
As you can also see, steakETH itself is not used to create a proposal or vote. Aragon uses a wrapped version of steakETH, called gsteakETH (and the same pattern applies to all vaults). This adds sybil resistance that is not present on the MetaMorpho tokens. Unwrapping can be done at any time.
![image](https://hackmd.io/_uploads/BJY_Z6l0p.png)
Therefore, in order to create a proposal, one needs to wrap the tokens (the Aragon UI automatically proposes the wrapping). Tokens need to be wrapped before the start of the proposal. We recommend delaying the start of the vote by one day to give other participants time to wrap their tokens. Nevertheless, a small minority of users, usually only one, is enough to protect the vault.
## Making the Aragon DAO immutable
Aragon DAO is a complete framework to manage DAOs. This leaves a lot of flexibility that is not wanted in our setup. The main one is the ability to change governance parameters with a vote. This means malicious people could create a vote to extend the minimum vote duration to 14 days, i.e. longer than the timelock of the MetaMorpho. This would render the guardian useless. Obviously, it is expected that people will vote against such a proposal. Nonetheless, this has two issues. First, it requires MetaMorpho users to keep their tokens wrapped (see previous section) and monitor the Aragon DAO proposals.
Thanks to the guidance and help of the Aragon team, we have been able to make those Aragon DAOs fully immutable. As good guardians, you don’t have to monitor them.
More technically, the following roles have been revoked:
* `UPDATE_VOTING_SETTINGS_PERMISSION_ID`, removing the ability of the DAO to update its settings;
* `ROOT_PERMISSION_ID` on the DAO, removing the ability of the DAO to grant itself `UPDATE_VOTING_SETTINGS_PERMISSION_ID` again;
* `UPGRADE_PLUGIN_PERMISSION_ID`, removing the ability of the DAO to upgrade the voting contract, and `UPGRADE_DAO_PERMISSION_ID`, removing the ability of the DAO to upgrade the main DAO contract.
Those changes were made on all Aragon DAOs to be used as MetaMorpho guardians. You can see a Sepolia test here on the inability to execute a vote that tries to change the settings.
Making the Aragon DAO immutable obviously makes any future change impossible. This isn’t a concern in our design of MetaMorpho vaults. Should the current settings not prove adequate in the future, we can deploy a better suited guardian which will be under the 7-day timelock.
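The reasoning behind the revoked roles listed above can be checked with a small model. This is an added example, not Steakhouse's or Aragon's code: it only tracks the four permissions named in this article, the `dao`/`plugin` placement of each permission is an assumption, and the sample configurations are constructed. It shows why revoking `UPDATE_VOTING_SETTINGS_PERMISSION_ID` alone is not enough while `ROOT_PERMISSION_ID` remains, and why the vote must fit inside the vault timelock.

```python
from dataclasses import dataclass

DAY = 24 * 60 * 60
ROOT = "ROOT_PERMISSION_ID"
# Permissions the article revokes, mapped to the contract they act on.
# The "dao"/"plugin" placement is an assumption of this model.
MUTATING = {
    "UPDATE_VOTING_SETTINGS_PERMISSION_ID": "plugin",
    "UPGRADE_PLUGIN_PERMISSION_ID": "plugin",
    "UPGRADE_DAO_PERMISSION_ID": "dao",
}

@dataclass(frozen=True)
class Guardian:
    grants: frozenset    # {(where, who, permission)}
    vote_duration: int   # seconds
    start_delay: int     # seconds between proposal creation and vote start
    vault_timelock: int  # seconds

def effective_grants(g):
    """Close the grant set: a ROOT holder on the DAO can re-grant itself anything."""
    closed = set(g.grants)
    for where, who, perm in g.grants:
        if perm == ROOT and where == "dao":
            closed |= {(target, who, p) for p, target in MUTATING.items()}
    return closed

def audit(g):
    """Return every remaining way the guardian could be changed or made useless."""
    findings = []
    for where, who, perm in sorted(effective_grants(g)):
        if perm in MUTATING:
            how = "directly" if (where, who, perm) in g.grants else "via ROOT re-grant"
            findings.append(f"{who} can use {perm} on {where} ({how})")
    if g.start_delay + g.vote_duration >= g.vault_timelock:
        findings.append("veto cannot complete before the vault timelock expires")
    return findings

def make(perms, vote_days=1, delay_days=1, timelock_days=7):
    """Build a constructed config where the DAO itself holds the given permissions."""
    placement = {**MUTATING, ROOT: "dao"}
    grants = frozenset((placement[p], "dao", p) for p in perms)
    return Guardian(grants, vote_days * DAY, delay_days * DAY, timelock_days * DAY)

# Constructed sample configurations (not read from any deployed DAO).
DEFAULT = make([ROOT, *MUTATING])        # nothing revoked
ROOT_LEFT = make([ROOT])                 # mutating permissions revoked, ROOT kept
IMMUTABLE = make([])                     # the setup described in the article
SLOW_VOTE = make([], vote_days=14)       # vote longer than the 7-day timelock
```

`audit(IMMUTABLE)` returns an empty list, while `audit(ROOT_LEFT)` still reports all three mutating permissions as reachable through a re-grant.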
### Future developments
We will launch the steakETH vault, which will use an Aragon OSx DAO as the guardian. We also plan to propose the migration of the current vaults' guardians to Aragon later on. Nevertheless, we don’t plan to stop here. We are already working with Aragon on a more custom and fine-tuned governance mechanism for dual governance that will be easier to use and does not require tokens to be wrapped. In both instances, users will only have to use one UI, and the solution will be fully onchain and trustless.
## Conclusion
In our journey to be a contributing Morpho ecosystem participant, we report on our efforts to make the guardian function of MetaMorpho as trustless as possible. For this reason, we propose other vault curators match our 7-day timelock and consider a migration from oSnap or multisigs to Aragon.
As always, Steakhouse is listening to the community so feel free to provide feedback.
Steakhouse MetaMorpho trustlessness has been achieved internally.