Merge branch 'main' into certora

.github/workflows/certora-steward.yml

@@ -56,4 +56,3 @@ jobs:
           - GhoBucketSteward.conf
           - GhoCcipSteward.conf
           - GhoGsmSteward.conf
-

README.md

@@ -47,6 +47,7 @@ You can find all audit reports under the [audits](./audits/) folder
 - [2023-12-07 - Certora Formal Verification (GHO Stability Module)](./certora/reports/Formal_Verification_Report_of_GHO_Stability_Module.pdf)
 - [2024-03-14 - Certora Formal Verification (GhoStewardV2)](./audits/2024-03-14_GhoStewardV2_Certora.pdf)
 - [2024-06-11 - Certora Formal Verification (UpgradeableGHO)](./audits/2024-06-11_UpgradeableGHO_Certora.pdf)
+- [2024-06-11 - Certora Formal Verification (Modular Gho Stewards)](./audits/2024-09-15_ModularGhoStewards_Certora.pdf)
 
 ## Getting Started
 

certora/steward/harness/GhoCcipSteward_Harness.sol

@@ -10,10 +10,4 @@ contract GhoCcipSteward_Harness is GhoCcipSteward {
     address riskCouncil,
     bool bridgeLimitEnabled
   ) GhoCcipSteward(ghoToken, ghoTokenPool, riskCouncil, bridgeLimitEnabled) {}
-
-  function getCcipTimelocks() external view returns (CcipDebounce memory) {
-    return _ccipTimelocks;
-  }
-
-
 }

certora/steward/specs/GhoAaveSteward.spec

@@ -32,7 +32,6 @@ methods {
 
 
     function getGhoTimelocks() external returns (IGhoAaveSteward.GhoDebounce) envfree;
-    function GHO_BORROW_RATE_MAX() external returns uint32 envfree;
     function MINIMUM_DELAY() external returns uint256 envfree;
     function RISK_COUNCIL() external returns address envfree;
 
@@ -225,23 +224,6 @@ rule updateGhoSupplyCap__correctness() {
 }
 
 
-rule updateGhoBorrowRate__correctness() {
-    env e; uint16 optimalUsageRatio; uint32 baseVariableBorrowRate;
-    uint32 variableRateSlope1; uint32 variableRateSlope2;
-
-    uint16 optimalUsageRatio_before = OPTIMAL_USAGE_RATIO;
-    uint32 baseVariableBorrowRate_before = BASE_VARIABLE_BORROW_RATE;
-    uint32 variableRateSlope1_before = VARIABLE_RATE_SLOPE1;
-    uint32 variableRateSlope2_before = VARIABLE_RATE_SLOPE2;
-
-    updateGhoBorrowRate(e,optimalUsageRatio, baseVariableBorrowRate, variableRateSlope1, variableRateSlope2);
-
-
-    assert baseVariableBorrowRate + variableRateSlope1 + variableRateSlope2 <= to_mathint(GHO_BORROW_RATE_MAX());
-}
-
-
-
 
 
 

docs/gho-stewards.md

@@ -0,0 +1,38 @@
+## Overview
+
+These contracts each control different parameters related to GHO and its facilitators. They allow the Aave DAO and an approved Risk Council to change these parameters, according to set rules and configurations.
+
+Each Steward is designed to have a specific set of segregated responsibilities in an effort to avoid having to redeploy the entire original Steward. Instead, only the specific steward whose responsibilities are affected will have to be redeployed.
+
+### [GhoAaveSteward](/src/contracts/misc/GhoAaveSteward.sol)
+
+This Steward manages parameters related to the GHO token. Specifically, it allows the Risk Council to change the following parameters:
+
+- Borrow Rate
+- Borrow Cap
+- Supply Cap
+
+In addition, the Aave DAO is allowed to change the configuration for the GHO Borrow Rate. This puts restrictions on how much the Risk Council is allowed to change parameters related to the borrow rate. There are 4 parameters that comprise the borrow rate:
+
+- `optimalUsageRatio`
+- `baseVariableBorrowRate`
+- `variableRateSlope1`
+- `variableRateSlope2`
+
+For example, the Aave DAO can specify that the optimalUsageRatio variable may only be changed by 3% at a time.
+
+### [GhoBucketSteward](/src/contracts/misc/GhoBucketSteward.sol)
+
+This Steward allows the Risk Council to set the bucket capacities of controlled facilitators. Additionally, it allows the Aave DAO to add or remove controlled facilitators.
+
+### [GhoCcipSteward](/src/contracts/misc/GhoCcipSteward.sol)
+
+This Steward allows the management of parameters related to CCIP token pools. It allows the Risk Council to update the CCIP bridge limit, and to update the CCIP rate limit configuration.
+
+### [GhoGsmSteward](/src/contracts/misc/GhoGsmSteward.sol)
+
+This Steward allows the Risk Council to update the exposure cap of the GSM, and to update the buy and sell fees of the GSM.
+
+### [RiskCouncilControlled](/src/contracts/misc/RiskCouncilControlled.sol)
+
+This is a helper contract to define the approved Risk Council and enforce its authority to call permissioned functions.

src/contracts/facilitators/aave/tokens/GhoVariableDebtToken.sol

@@ -329,7 +329,7 @@ contract GhoVariableDebtToken is DebtTokenBase, ScaledBalanceTokenBase, IGhoVari
   }
 
   /// @inheritdoc IGhoVariableDebtToken
-  function getBalanceFromInterest(address user) external view override returns (uint256) {
+{function getBalanceFromInterest(address user) external view override returns (uint256) {
     return _ghoUserState[user].accumulatedDebtInterest;
   }
 

src/contracts/misc/GhoAaveSteward.sol

@@ -21,9 +21,6 @@ import {RiskCouncilControlled} from './RiskCouncilControlled.sol';
 contract GhoAaveSteward is Ownable, RiskCouncilControlled, IGhoAaveSteward {
   using ReserveConfiguration for DataTypes.ReserveConfigurationMap;
 
-  /// @inheritdoc IGhoAaveSteward
-  uint32 public constant GHO_BORROW_RATE_MAX = 0.25e4; // 25.00%
-
   uint256 internal constant BPS_MAX = 100_00;
 
   /// @inheritdoc IGhoAaveSteward
@@ -227,14 +224,6 @@ contract GhoAaveSteward is Ownable, RiskCouncilControlled, IGhoAaveSteward {
       ),
       'INVALID_VARIABLE_RATE_SLOPE2'
     );
-
-    require(
-      uint256(newRates.baseVariableBorrowRate) +
-        uint256(newRates.variableRateSlope1) +
-        uint256(newRates.variableRateSlope2) <=
-        GHO_BORROW_RATE_MAX,
-      'BORROW_RATE_HIGHER_THAN_MAX'
-    );
   }
 
   /**

src/contracts/misc/GhoBucketSteward.sol

@@ -93,6 +93,11 @@ contract GhoBucketSteward is Ownable, RiskCouncilControlled, IGhoBucketSteward {
     return _controlledFacilitators.values();
   }
 
+  /// @inheritdoc IGhoBucketSteward
+  function isControlledFacilitator(address facilitator) external view returns (bool) {
+    return _controlledFacilitatorsByAddress[facilitator];
+  }
+
   /// @inheritdoc IGhoBucketSteward
   function getFacilitatorBucketCapacityTimelock(
     address facilitator

src/contracts/misc/GhoCcipSteward.sol

@@ -130,7 +130,12 @@ contract GhoCcipSteward is RiskCouncilControlled, IGhoCcipSteward {
   }
 
   /// @inheritdoc IGhoCcipSteward
-  function RISK_COUNCIL() public view override returns (address) {
+  function getCcipTimelocks() external view override returns (CcipDebounce memory) {
+    return _ccipTimelocks;
+  }
+
+  /// @inheritdoc IGhoCcipSteward
+  function RISK_COUNCIL() external view override returns (address) {
     return _riskCouncil;
   }
 

src/contracts/misc/interfaces/IGhoAaveSteward.sol

@@ -30,7 +30,6 @@ interface IGhoAaveSteward {
    * @notice Updates the borrow rate of GHO, only if:
    * - respects `MINIMUM_DELAY`, the minimum time delay between updates
    * - the update changes parameters up to the maximum allowed change according to risk config
-   * - the update is lower than `GHO_BORROW_RATE_MAX`
    * @dev Only callable by Risk Council
    * @dev Values are all expressed in BPS
    * @param optimalUsageRatio The new optimal usage ratio
@@ -90,12 +89,6 @@ interface IGhoAaveSteward {
    */
   function getGhoTimelocks() external view returns (GhoDebounce memory);
 
-  /**
-   * @notice Returns maximum value that can be assigned to GHO borrow rate.
-   * @return The maximum value that can be assigned to GHO borrow rate in ray (e.g. 0.01e27 results in 1.0%)
-   */
-  function GHO_BORROW_RATE_MAX() external view returns (uint32);
-
   /**
    * @notice The address of pool data provider of the POOL the steward controls
    */

src/contracts/misc/interfaces/IGhoBucketSteward.sol

@@ -32,6 +32,13 @@ interface IGhoBucketSteward {
    */
   function getControlledFacilitators() external view returns (address[] memory);
 
+  /**
+   * @notice Checks if a facilitator is controlled by this steward
+   * @param facilitator The facilitator address to check
+   * @return True if the facilitator is controlled by this steward
+   */
+  function isControlledFacilitator(address facilitator) external view returns (bool);
+
   /**
    * @notice Returns timestamp of the facilitators last bucket capacity update
    * @param facilitator The facilitator address

src/contracts/misc/interfaces/IGhoCcipSteward.sol

@@ -7,6 +7,9 @@ pragma solidity ^0.8.10;
  * @notice Defines the basic interface of the GhoCcipSteward
  */
 interface IGhoCcipSteward {
+  /**
+   * @notice Struct storing the last update by the steward of the bridge and rate limit param.
+   */
   struct CcipDebounce {
     uint40 bridgeLimitLastUpdate;
     uint40 rateLimitLastUpdate;
@@ -41,6 +44,12 @@ interface IGhoCcipSteward {
     uint128 inboundRate
   ) external;
 
+  /**
+   * @notice Returns timestamp of the last update of Ccip parameters.
+   * @return The CcipDebounce struct describing the last update of Ccip parameters.
+   */
+  function getCcipTimelocks() external view returns (CcipDebounce memory);
+
   /**
    * @notice Returns the minimum delay that must be respected between parameters update.
    * @return The minimum delay between parameter updates (in seconds)

src/test/TestGhoAaveSteward.t.sol

@@ -327,6 +327,21 @@ contract TestGhoAaveSteward is TestGhoBase {
     assertEq(currentBorrowRate, newBorrowRate);
   }
 
+  function testUpdateGhoBorrowRateUpwardsFromHigh() public {
+    // set a very high borrow rate of 80%
+    uint32 highBaseBorrowRate = 0.80e4;
+    _setGhoBorrowRateViaConfigurator(highBaseBorrowRate);
+    highBaseBorrowRate += 0.04e4;
+    vm.prank(RISK_COUNCIL);
+    GHO_AAVE_STEWARD.updateGhoBorrowRate(
+      defaultRateParams.optimalUsageRatio,
+      highBaseBorrowRate,
+      defaultRateParams.variableRateSlope1,
+      defaultRateParams.variableRateSlope2
+    );
+    assertEq(highBaseBorrowRate, _getGhoBorrowRate());
+  }
+
   function testUpdateGhoBorrowRateDownwards() public {
     uint32 oldBorrowRate = _getGhoBorrowRate();
     uint32 newBorrowRate = oldBorrowRate - 1;
@@ -341,18 +356,19 @@ contract TestGhoAaveSteward is TestGhoBase {
     assertEq(currentBorrowRate, newBorrowRate);
   }
 
-  function testUpdateGhoBorrowRateMaxValue() public {
-    uint32 ghoBorrowRateMax = GHO_AAVE_STEWARD.GHO_BORROW_RATE_MAX();
-    _setGhoBorrowRateViaConfigurator(ghoBorrowRateMax - 1);
+  function testUpdateGhoBorrowRateDownwardsFromHigh() public {
+    // set a very high borrow rate of 80%
+    uint32 highBaseBorrowRate = 0.80e4;
+    _setGhoBorrowRateViaConfigurator(highBaseBorrowRate);
+    highBaseBorrowRate -= 0.04e4;
     vm.prank(RISK_COUNCIL);
     GHO_AAVE_STEWARD.updateGhoBorrowRate(
       defaultRateParams.optimalUsageRatio,
-      ghoBorrowRateMax,
+      highBaseBorrowRate,
       defaultRateParams.variableRateSlope1,
       defaultRateParams.variableRateSlope2
     );
-    uint32 currentBorrowRate = _getGhoBorrowRate();
-    assertEq(currentBorrowRate, ghoBorrowRateMax);
+    assertEq(highBaseBorrowRate, _getGhoBorrowRate());
   }
 
   function testUpdateGhoBorrowRateMaxIncrement() public {
@@ -660,19 +676,6 @@ contract TestGhoAaveSteward is TestGhoBase {
     );
   }
 
-  function testRevertUpdateGhoBorrowRateIfValueMoreThanMax() public {
-    uint32 maxGhoBorrowRate = GHO_BORROW_RATE_MAX;
-    _setGhoBorrowRateViaConfigurator(maxGhoBorrowRate);
-    vm.prank(RISK_COUNCIL);
-    vm.expectRevert('BORROW_RATE_HIGHER_THAN_MAX');
-    GHO_AAVE_STEWARD.updateGhoBorrowRate(
-      defaultRateParams.optimalUsageRatio,
-      maxGhoBorrowRate + 1,
-      defaultRateParams.variableRateSlope1,
-      defaultRateParams.variableRateSlope2
-    );
-  }
-
   function testRevertUpdateGhoBorrowRateIfMaxExceededUpwards() public {
     uint32 oldBorrowRate = _getGhoBorrowRate();
     uint32 newBorrowRate = oldBorrowRate + GHO_BORROW_RATE_CHANGE_MAX + 1;

src/test/TestGhoBucketSteward.t.sol

@@ -212,4 +212,15 @@ contract TestGhoBucketSteward is TestGhoBase {
     newGsmList[0] = address(GHO_GSM_4626);
     GHO_BUCKET_STEWARD.setControlledFacilitator(newGsmList, true);
   }
+
+  function testIsControlledFacilitator() public {
+    address facilitator = makeAddr('FACILITATOR');
+    address[] memory controlledFacilitators = new address[](1);
+    controlledFacilitators[0] = facilitator;
+    vm.prank(SHORT_EXECUTOR);
+    GHO_BUCKET_STEWARD.setControlledFacilitator(controlledFacilitators, true);
+    assertTrue(GHO_BUCKET_STEWARD.isControlledFacilitator(facilitator));
+    address nonFacilitator = makeAddr('NON_FACILITATOR');
+    assertFalse(GHO_BUCKET_STEWARD.isControlledFacilitator(nonFacilitator));
+  }
 }