Initial timelock can be zero

README.md

@@ -28,7 +28,7 @@ Those rewards can be transferred to the `skimRecipient`.
 The vault's owner has the choice to distribute back these rewards to vault depositors however they want.
 For more information about this use case, see the [Rewards](#rewards) section.
 
-All actions that may be against users' interests (e.g. enabling a market with a high exposure) can be subject to a timelock of up to two weeks.
+All actions that may be against users' interests (e.g. enabling a market with a high exposure) is subject to a timelock. To make vault setup easier, the initial timelock can be anywhere between 0 seconds and 2 weeks. Any further timelock change must set the value between 24 hours and 2 weeks.
 The `owner`, or the `guardian` if set, can revoke the action during the timelock.
 After the timelock, the action can be executed by anyone.
 

certora/helpers/MetaMorphoHarness.sol

@@ -31,6 +31,10 @@ contract MetaMorphoHarness is MetaMorpho {
         return pendingCap[id];
     }
 
+    function minTimelock() external pure returns (uint256) {
+        return ConstantsLib.MIN_TIMELOCK;
+    }
+
     function maxTimelock() external pure returns (uint256) {
         return ConstantsLib.MAX_TIMELOCK;
     }

certora/specs/PendingValues.spec

@@ -4,7 +4,7 @@ import "Range.spec";
 function hasNoBadPendingTimelock() returns bool {
     MetaMorphoHarness.PendingUint192 pendingTimelock = pendingTimelock_();
 
-    return pendingTimelock.validAt == 0 => pendingTimelock.value == 0;
+    return pendingTimelock.validAt == 0 <=> pendingTimelock.value == 0;
 }
 
 // Check that having no pending timelock value is equivalent to having its valid timestamp at 0.
@@ -22,7 +22,7 @@ invariant noBadPendingTimelock()
 
 // Check that the pending timelock value is always strictly smaller than the current timelock value.
 invariant smallerPendingTimelock()
-    assert_uint256(pendingTimelock_().value) < timelock() || timelock() == 0
+    assert_uint256(pendingTimelock_().value) < timelock()
 {
     preserved with (env e) {
         requireInvariant pendingTimelockInRange();

certora/specs/Range.spec

@@ -23,6 +23,7 @@ methods {
     function isAllocator(address) external returns(bool) envfree;
     function skimRecipient() external returns(address) envfree;
 
+    function minTimelock() external returns(uint256) envfree;
     function maxTimelock() external returns(uint256) envfree;
     function maxQueueLength() external returns(uint256) envfree;
     function maxFee() external returns(uint256) envfree;
@@ -32,7 +33,8 @@ function isPendingTimelockInRange() returns bool {
     MetaMorphoHarness.PendingUint192 pendingTimelock = pendingTimelock_();
 
     return pendingTimelock.validAt != 0 =>
-        assert_uint256(pendingTimelock.value) <= maxTimelock();
+        assert_uint256(pendingTimelock.value) <= maxTimelock() &&
+        assert_uint256(pendingTimelock.value) >= minTimelock();
 }
 
 // Check that the pending timelock is bounded by the max timelock.

certora/specs/Timelock.spec

@@ -187,3 +187,15 @@ rule removableTime(env e_next, method f, calldataarg args) {
     }
     assert true;
 }
+
+rule timelockZero(env e, method f, calldataarg args) {
+    requireInvariant pendingTimelockInRange();
+
+    uint256 timelockBefore = timelock();
+
+    f(e, args);
+
+    uint256 timelockAfter = timelock();
+
+    assert timelockAfter == 0 => timelockBefore == 0;
+}

src/MetaMorpho.sol

@@ -219,6 +219,7 @@ contract MetaMorpho is ERC4626, ERC20Permit, Ownable2Step, Multicall, IMetaMorph
         if (newTimelock == timelock) revert ErrorsLib.AlreadySet();
         if (pendingTimelock.validAt != 0) revert ErrorsLib.AlreadyPending();
         if (newTimelock > ConstantsLib.MAX_TIMELOCK) revert ErrorsLib.AboveMaxTimelock();
+        if (newTimelock < ConstantsLib.MIN_TIMELOCK) revert ErrorsLib.BelowMinTimelock();
 
         if (newTimelock > timelock) {
             _setTimelock(newTimelock);

src/libraries/ConstantsLib.sol

@@ -9,6 +9,9 @@ library ConstantsLib {
     /// @dev The maximum delay of a timelock.
     uint256 internal constant MAX_TIMELOCK = 2 weeks;
 
+    /// @dev The minimum delay of a timelock.
+    uint256 internal constant MIN_TIMELOCK = 1 days;
+
     /// @dev The maximum number of markets in the supply/withdraw queue.
     uint256 internal constant MAX_QUEUE_LENGTH = 30;
 

src/libraries/ErrorsLib.sol

@@ -78,6 +78,9 @@ library ErrorsLib {
     /// @notice Thrown when the submitted timelock is above the max timelock.
     error AboveMaxTimelock();
 
+    /// @notice Thrown when the submitted timelock is below the min timelock.
+    error BelowMinTimelock();
+
     /// @notice Thrown when the timelock is not elapsed.
     error TimelockNotElapsed();
 

test/forge/GuardianTest.sol

@@ -26,7 +26,7 @@ contract GuardianTest is IntegrationTest {
     }
 
     function testGuardianRevokePendingTimelockDecreased(uint256 timelock, uint256 elapsed) public {
-        timelock = bound(timelock, 0, TIMELOCK - 1);
+        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
         elapsed = bound(elapsed, 0, TIMELOCK - 1);
 
         vm.prank(OWNER);
@@ -48,7 +48,7 @@ contract GuardianTest is IntegrationTest {
     }
 
     function testOwnerRevokePendingTimelockDecreased(uint256 timelock, uint256 elapsed) public {
-        timelock = bound(timelock, 0, TIMELOCK - 1);
+        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
         elapsed = bound(elapsed, 0, TIMELOCK - 1);
 
         vm.prank(OWNER);

test/forge/RevokeTest.sol

@@ -18,7 +18,7 @@ contract RevokeTest is IntegrationTest {
     }
 
     function testOwnerRevokeTimelockDecreased(uint256 timelock, uint256 elapsed) public {
-        timelock = bound(timelock, 0, TIMELOCK - 1);
+        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
         elapsed = bound(elapsed, 0, TIMELOCK - 1);
 
         vm.prank(OWNER);

test/forge/TimelockTest.sol

@@ -34,7 +34,7 @@ contract TimelockTest is IntegrationTest {
     }
 
     function testSubmitTimelockDecreased(uint256 timelock) public {
-        timelock = bound(timelock, 0, TIMELOCK - 1);
+        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
 
         vm.expectEmit();
         emit EventsLib.SubmitTimelock(timelock);
@@ -50,7 +50,7 @@ contract TimelockTest is IntegrationTest {
     }
 
     function testSubmitTimelockAlreadyPending(uint256 timelock) public {
-        timelock = bound(timelock, 0, TIMELOCK - 1);
+        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
 
         vm.prank(OWNER);
         vault.submitTimelock(timelock);
@@ -88,8 +88,16 @@ contract TimelockTest is IntegrationTest {
         vault.submitTimelock(timelock);
     }
 
+    function testSubmitTimelockBelowMinTimelock(uint256 timelock) public {
+        timelock = bound(timelock, 0, ConstantsLib.MIN_TIMELOCK - 1);
+
+        vm.prank(OWNER);
+        vm.expectRevert(ErrorsLib.BelowMinTimelock.selector);
+        vault.submitTimelock(timelock);
+    }
+
     function testAcceptTimelock(uint256 timelock) public {
-        timelock = bound(timelock, 0, TIMELOCK - 1);
+        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
 
         vm.prank(OWNER);
         vault.submitTimelock(timelock);
@@ -114,7 +122,7 @@ contract TimelockTest is IntegrationTest {
     }
 
     function testAcceptTimelockTimelockNotElapsed(uint256 timelock, uint256 elapsed) public {
-        timelock = bound(timelock, 0, TIMELOCK - 1);
+        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
         elapsed = bound(elapsed, 1, TIMELOCK - 1);
 
         vm.prank(OWNER);
@@ -227,7 +235,7 @@ contract TimelockTest is IntegrationTest {
     }
 
     function testAcceptGuardianTimelockDecreased(uint256 timelock, uint256 elapsed) public {
-        timelock = bound(timelock, 0, TIMELOCK - 1);
+        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
         elapsed = bound(elapsed, 1, TIMELOCK - 1);
 
         vm.prank(OWNER);
@@ -384,7 +392,7 @@ contract TimelockTest is IntegrationTest {
 
     function testAcceptCapIncreasedTimelockDecreased(uint256 cap, uint256 timelock, uint256 elapsed) public {
         cap = bound(cap, CAP + 1, type(uint184).max);
-        timelock = bound(timelock, 0, TIMELOCK - 1);
+        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
         elapsed = bound(elapsed, 1, TIMELOCK - 1);
 
         vm.prank(OWNER);