Vault Setup and Controls
Steakhouse has consistently taken a depositor-centric approach towards risk management, co-inventing significant innovations - such as the Aragon DAO guardian for Morpho vaults - on top of the Morpho protocol.
Vault setup is paramount for lender safety because, despite the non-custodial nature of Morpho vaults, nefarious curators could add malicious markets and extract depositor capital through a variety of potential attack vectors. To root out these risks at the source, we utilize a multi-layered approach to ensure multiple lines of defense for our vault depositors. Below is a canonical example for our Morpho vaults for clarity:
“Owner” Multisig: Within the Morpho protocol, the “Owner” role dictates the ability to make significant changes to the governance of a particular curator’s vault. Specifically, the “Owner” role has the ability to delegate the power to onboard new markets, change performance fees and fee deposit addresses, and more to specific actors.
Steakhouse’s “owner” employs a Safe multisig with a quorum of five keys, meaning that five persons must coordinate to introduce any owner-level operation. Any “owner” action also goes through an internal process that ensures signatures are properly enforced and assures the signers of the validity of the operation. Steakhouse also monitors all major changes in permissions - if a role downstream of “owner” is compromised, we can easily coordinate and revoke access rights through the “owner” multisig.
Action Timelock: Every time a vault onboards a new market, there is a potential change in the risk profile of that particular vault. Steakhouse vaults use 7-day timelocks (above the minimum, protocol-enforced 3-day timelock), forcing a 7-day delay between the proposal of any new market for a Steakhouse vault and the ability to deploy deposited assets into that market.
Veto Mechanism: Seeking to provide depositors with even more control over their funds and curated vaults, Steakhouse introduced the Aragon DAO guardian to enable vault depositors to veto critical actions made by the curator.
This mechanism was recognized as best-in-class by Credora, an independent risk assessor, and led to Steakhouse vaults receiving a market-leading 5 of 6 “A+” ratings.
While these controls are primarily beneficial to vault depositors, Steakhouse monitors key vault parameters, and any changes are reported internally. Therefore, even in the unlikely case of a compromised owner multisig, we can use the timelock and guardian capabilities to delay any nefarious actions and correct them during the timelock delay and veto process.
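The monitoring logic described above can be modelled offline, as an added illustration that is not Steakhouse's or Morpho's code: given a vault's timelock and its pending proposals, it reports which proposals still sit inside the veto window, which have become executable without approval, and whether the timelock itself has dropped below the 7-day policy. The record shape, status names, market ids and timestamps are assumptions constructed for the example; no on-chain calls are made.

```python
from dataclasses import dataclass

DAY = 86_400
POLICY_TIMELOCK = 7 * DAY  # the 7-day delay this page describes

@dataclass(frozen=True)
class Pending:
    """A proposed change waiting out the timelock (hypothetical record shape)."""
    kind: str           # e.g. "new_market"
    target: str         # market id, as a string
    submitted_at: int   # unix seconds
    vetoed: bool = False

def review(timelock, pending, approved, now):
    """Return (status, target, seconds_left_to_veto) findings for one vault."""
    findings = []
    if timelock < POLICY_TIMELOCK:
        findings.append(("timelock_below_policy", str(timelock), 0))
    for p in pending:
        left = max(0, p.submitted_at + timelock - now)
        if p.vetoed:
            status = "vetoed"
        elif (p.kind, p.target) in approved:
            status = "expected"
        elif left > 0:
            status = "veto_needed"            # unapproved, still inside the delay
        else:
            status = "executable_unapproved"  # delay elapsed without a veto
        findings.append((status, p.target, left))
    return findings

# Constructed sample state; market ids and timestamps are placeholders.
NOW = 1_700_000_000
SAMPLE = [
    Pending("new_market", "market-A", NOW - 2 * DAY),
    Pending("new_market", "market-B", NOW - 6 * DAY),
    Pending("new_market", "market-C", NOW - 8 * DAY),
    Pending("new_market", "market-D", NOW - 1 * DAY, vetoed=True),
]
APPROVED = {("new_market", "market-A")}  # proposals that passed internal sign-off

if __name__ == "__main__":
    for row in review(POLICY_TIMELOCK, SAMPLE, APPROVED, NOW):
        print(row)
```

A shorter timelock shrinks every veto window at once, which is why the model reports a timelock below policy as its own finding ahead of the per-proposal results.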
Each Steakhouse vault is scrutinized through our in-house Vault DDQ process, which involves at least 2 internal and 1 external reviewer before a Steakhouse vault goes live.