No min timelock at initialisation

README.md

@@ -28,7 +28,7 @@ Those rewards can be transferred to the `skimRecipient`.
 The vault's owner has the choice to distribute back these rewards to vault depositors however they want.
 For more information about this use case, see the [Rewards](#rewards) section.
 
-All actions that may be against users' interests (e.g. enabling a market with a high exposure) are subject to a timelock of minimum 24 hours.
+All actions that may be against users' interests (e.g. enabling a market with a high exposure) can be subject to a timelock of up to two weeks.
 The `owner`, or the `guardian` if set, can revoke the action during the timelock.
 After the timelock, the action can be executed by anyone.
 

certora/helpers/MetaMorphoHarness.sol

@@ -31,10 +31,6 @@ contract MetaMorphoHarness is MetaMorpho {
         return pendingCap[id];
     }
 
-    function minTimelock() external pure returns (uint256) {
-        return ConstantsLib.MIN_TIMELOCK;
-    }
-
     function maxTimelock() external pure returns (uint256) {
         return ConstantsLib.MAX_TIMELOCK;
     }

certora/specs/Liveness.spec

@@ -56,6 +56,8 @@ rule canForceRemoveMarket(MetaMorphoHarness.MarketParams marketParams) {
     requireInvariant timelockInRange();
     // Safe require as it corresponds to some time very far into the future.
     require e3.block.timestamp < 2^63;
+    // Safe require as it corresponds to some time very far into the past.
+    require e3.block.timestamp > 0;
     submitMarketRemoval@withrevert(e3, marketParams);
     assert !lastReverted;
 

certora/specs/PendingValues.spec

@@ -4,7 +4,7 @@ import "Range.spec";
 function hasNoBadPendingTimelock() returns bool {
     MetaMorphoHarness.PendingUint192 pendingTimelock = pendingTimelock_();
 
-    return pendingTimelock.validAt == 0 <=> pendingTimelock.value == 0;
+    return pendingTimelock.validAt == 0 => pendingTimelock.value == 0;
 }
 
 // Check that having no pending timelock value is equivalent to having its valid timestamp at 0.
@@ -15,23 +15,27 @@ invariant noBadPendingTimelock()
         requireInvariant timelockInRange();
         // Safe require as it corresponds to some time very far into the future.
         require e.block.timestamp < 2^63;
+        // Safe require as it corresponds to some time very far into the past.
+        require e.block.timestamp > 0;
     }
 }
 
 // Check that the pending timelock value is always strictly smaller than the current timelock value.
 invariant smallerPendingTimelock()
-    assert_uint256(pendingTimelock_().value) < timelock()
+    assert_uint256(pendingTimelock_().value) < timelock() || timelock() == 0
 {
-    preserved {
+    preserved with (env e) {
         requireInvariant pendingTimelockInRange();
         requireInvariant timelockInRange();
+        // Safe require as it corresponds to some time very far into the past.
+        require e.block.timestamp > 0;
     }
 }
 
 function hasNoBadPendingCap(MetaMorphoHarness.Id id) returns bool {
     MetaMorphoHarness.PendingUint192 pendingCap = pendingCap_(id);
 
-    return pendingCap.validAt == 0 <=> pendingCap.value == 0;
+    return pendingCap.validAt == 0 => pendingCap.value == 0;
 }
 
 // Check that having no pending cap value is equivalent to having its valid timestamp at 0.
@@ -42,6 +46,8 @@ invariant noBadPendingCap(MetaMorphoHarness.Id id)
         requireInvariant timelockInRange();
         // Safe require as it corresponds to some time very far into the future.
         require e.block.timestamp < 2^63;
+        // Safe require as it corresponds to some time very far into the past.
+        require e.block.timestamp > 0;
     }
 }
 
@@ -71,6 +77,8 @@ invariant noBadPendingGuardian()
         requireInvariant timelockInRange();
         // Safe require as it corresponds to some time very far into the future.
         require e.block.timestamp < 2^63;
+        // Safe require as it corresponds to some time very far into the past.
+        require e.block.timestamp > 0;
     }
 }
 

certora/specs/Range.spec

@@ -23,7 +23,6 @@ methods {
     function isAllocator(address) external returns(bool) envfree;
     function skimRecipient() external returns(address) envfree;
 
-    function minTimelock() external returns(uint256) envfree;
     function maxTimelock() external returns(uint256) envfree;
     function maxQueueLength() external returns(uint256) envfree;
     function maxFee() external returns(uint256) envfree;
@@ -33,17 +32,16 @@ function isPendingTimelockInRange() returns bool {
     MetaMorphoHarness.PendingUint192 pendingTimelock = pendingTimelock_();
 
     return pendingTimelock.validAt != 0 =>
-        assert_uint256(pendingTimelock.value) <= maxTimelock() &&
-        assert_uint256(pendingTimelock.value) >= minTimelock();
+        assert_uint256(pendingTimelock.value) <= maxTimelock();
 }
 
-// Check that the pending timelock is bounded by the min timelock and the max timelock.
+// Check that the pending timelock is bounded by the max timelock.
 invariant pendingTimelockInRange()
     isPendingTimelockInRange();
 
-// Check that the timelock is bounded by the min timelock and the max timelock.
+// Check that the timelock is bounded by the max timelock.
 invariant timelockInRange()
-    timelock() <= maxTimelock() && timelock() >= minTimelock()
+    timelock() <= maxTimelock()
 {
     preserved {
         requireInvariant pendingTimelockInRange();

src/MetaMorpho.sol

@@ -128,11 +128,11 @@ contract MetaMorpho is ERC4626, ERC20Permit, Ownable2Step, Multicall, IMetaMorph
         string memory _symbol
     ) ERC4626(IERC20(_asset)) ERC20Permit(_name) ERC20(_name, _symbol) Ownable(owner) {
         if (morpho == address(0)) revert ErrorsLib.ZeroAddress();
+        if (initialTimelock > ConstantsLib.MAX_TIMELOCK) revert ErrorsLib.AboveMaxTimelock();
 
         MORPHO = IMorpho(morpho);
         DECIMALS_OFFSET = uint8(uint256(18).zeroFloorSub(IERC20Metadata(_asset).decimals()));
 
-        _checkTimelockBounds(initialTimelock);
         _setTimelock(initialTimelock);
 
         IERC20(_asset).forceApprove(morpho, type(uint256).max);
@@ -218,7 +218,7 @@ contract MetaMorpho is ERC4626, ERC20Permit, Ownable2Step, Multicall, IMetaMorph
     function submitTimelock(uint256 newTimelock) external onlyOwner {
         if (newTimelock == timelock) revert ErrorsLib.AlreadySet();
         if (pendingTimelock.validAt != 0) revert ErrorsLib.AlreadyPending();
-        _checkTimelockBounds(newTimelock);
+        if (newTimelock > ConstantsLib.MAX_TIMELOCK) revert ErrorsLib.AboveMaxTimelock();
 
         if (newTimelock > timelock) {
             _setTimelock(newTimelock);
@@ -704,12 +704,6 @@ contract MetaMorpho is ERC4626, ERC20Permit, Ownable2Step, Multicall, IMetaMorph
         assets = shares.toAssetsDown(market.totalSupplyAssets, market.totalSupplyShares);
     }
 
-    /// @dev Reverts if `newTimelock` is not within the bounds.
-    function _checkTimelockBounds(uint256 newTimelock) internal pure {
-        if (newTimelock > ConstantsLib.MAX_TIMELOCK) revert ErrorsLib.AboveMaxTimelock();
-        if (newTimelock < ConstantsLib.MIN_TIMELOCK) revert ErrorsLib.BelowMinTimelock();
-    }
-
     /// @dev Sets `timelock` to `newTimelock`.
     function _setTimelock(uint256 newTimelock) internal {
         timelock = newTimelock;

src/libraries/ConstantsLib.sol

@@ -9,9 +9,6 @@ library ConstantsLib {
     /// @dev The maximum delay of a timelock.
     uint256 internal constant MAX_TIMELOCK = 2 weeks;
 
-    /// @dev The minimum delay of a timelock.
-    uint256 internal constant MIN_TIMELOCK = 1 days;
-
     /// @dev The maximum number of markets in the supply/withdraw queue.
     uint256 internal constant MAX_QUEUE_LENGTH = 30;
 

src/libraries/ErrorsLib.sol

@@ -78,9 +78,6 @@ library ErrorsLib {
     /// @notice Thrown when the submitted timelock is above the max timelock.
     error AboveMaxTimelock();
 
-    /// @notice Thrown when the submitted timelock is below the min timelock.
-    error BelowMinTimelock();
-
     /// @notice Thrown when the timelock is not elapsed.
     error TimelockNotElapsed();
 

test/forge/DeploymentTest.sol

@@ -6,7 +6,7 @@ import "./helpers/IntegrationTest.sol";
 contract DeploymentTest is IntegrationTest {
     function testDeployMetaMorphoAddresssZero() public {
         vm.expectRevert(ErrorsLib.ZeroAddress.selector);
-        createMetaMorpho(OWNER, address(0), ConstantsLib.MIN_TIMELOCK, address(loanToken), "MetaMorpho Vault", "MMV");
+        createMetaMorpho(OWNER, address(0), 1 days, address(loanToken), "MetaMorpho Vault", "MMV");
     }
 
     function testDeployMetaMorphoNotToken(address notToken) public {
@@ -15,7 +15,7 @@ contract DeploymentTest is IntegrationTest {
         vm.assume(address(notToken) != address(vault));
 
         vm.expectRevert();
-        createMetaMorpho(OWNER, address(morpho), ConstantsLib.MIN_TIMELOCK, notToken, "MetaMorpho Vault", "MMV");
+        createMetaMorpho(OWNER, address(morpho), 1 days, notToken, "MetaMorpho Vault", "MMV");
     }
 
     function testDeployMetaMorpho(
@@ -27,7 +27,7 @@ contract DeploymentTest is IntegrationTest {
     ) public {
         assumeNotZeroAddress(owner);
         assumeNotZeroAddress(morpho);
-        initialTimelock = bound(initialTimelock, ConstantsLib.MIN_TIMELOCK, ConstantsLib.MAX_TIMELOCK);
+        initialTimelock = bound(initialTimelock, 0 days, ConstantsLib.MAX_TIMELOCK);
 
         IMetaMorpho newVault = createMetaMorpho(owner, morpho, initialTimelock, address(loanToken), name, symbol);
 

test/forge/GuardianTest.sol

@@ -26,7 +26,7 @@ contract GuardianTest is IntegrationTest {
     }
 
     function testGuardianRevokePendingTimelockDecreased(uint256 timelock, uint256 elapsed) public {
-        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
+        timelock = bound(timelock, 0, TIMELOCK - 1);
         elapsed = bound(elapsed, 0, TIMELOCK - 1);
 
         vm.prank(OWNER);
@@ -48,7 +48,7 @@ contract GuardianTest is IntegrationTest {
     }
 
     function testOwnerRevokePendingTimelockDecreased(uint256 timelock, uint256 elapsed) public {
-        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
+        timelock = bound(timelock, 0, TIMELOCK - 1);
         elapsed = bound(elapsed, 0, TIMELOCK - 1);
 
         vm.prank(OWNER);

test/forge/MetaMorphoFactoryTest.sol

@@ -27,7 +27,7 @@ contract MetaMorphoFactoryTest is IntegrationTest {
         bytes32 salt
     ) public {
         vm.assume(address(initialOwner) != address(0));
-        initialTimelock = bound(initialTimelock, ConstantsLib.MIN_TIMELOCK, ConstantsLib.MAX_TIMELOCK);
+        initialTimelock = bound(initialTimelock, 0, ConstantsLib.MAX_TIMELOCK);
 
         bytes32 initCodeHash = hashInitCode(
             type(MetaMorpho).creationCode,

test/forge/RevokeTest.sol

@@ -18,7 +18,7 @@ contract RevokeTest is IntegrationTest {
     }
 
     function testOwnerRevokeTimelockDecreased(uint256 timelock, uint256 elapsed) public {
-        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
+        timelock = bound(timelock, 0, TIMELOCK - 1);
         elapsed = bound(elapsed, 0, TIMELOCK - 1);
 
         vm.prank(OWNER);

test/forge/TimelockTest.sol

@@ -34,7 +34,7 @@ contract TimelockTest is IntegrationTest {
     }
 
     function testSubmitTimelockDecreased(uint256 timelock) public {
-        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
+        timelock = bound(timelock, 0, TIMELOCK - 1);
 
         vm.expectEmit();
         emit EventsLib.SubmitTimelock(timelock);
@@ -50,7 +50,7 @@ contract TimelockTest is IntegrationTest {
     }
 
     function testSubmitTimelockAlreadyPending(uint256 timelock) public {
-        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
+        timelock = bound(timelock, 0, TIMELOCK - 1);
 
         vm.prank(OWNER);
         vault.submitTimelock(timelock);
@@ -72,13 +72,6 @@ contract TimelockTest is IntegrationTest {
         createMetaMorpho(OWNER, address(morpho), timelock, address(loanToken), "MetaMorpho Vault", "MMV");
     }
 
-    function testDeployMetaMorphoBelowMinTimelock(uint256 timelock) public {
-        timelock = bound(timelock, 0, ConstantsLib.MIN_TIMELOCK - 1);
-
-        vm.expectRevert(ErrorsLib.BelowMinTimelock.selector);
-        createMetaMorpho(OWNER, address(morpho), timelock, address(loanToken), "MetaMorpho Vault", "MMV");
-    }
-
     function testSubmitTimelockAboveMaxTimelock(uint256 timelock) public {
         timelock = bound(timelock, ConstantsLib.MAX_TIMELOCK + 1, type(uint256).max);
 
@@ -87,14 +80,6 @@ contract TimelockTest is IntegrationTest {
         vault.submitTimelock(timelock);
     }
 
-    function testSubmitTimelockBelowMinTimelock(uint256 timelock) public {
-        timelock = bound(timelock, 0, ConstantsLib.MIN_TIMELOCK - 1);
-
-        vm.prank(OWNER);
-        vm.expectRevert(ErrorsLib.BelowMinTimelock.selector);
-        vault.submitTimelock(timelock);
-    }
-
     function testSubmitTimelockAlreadySet() public {
         uint256 timelock = vault.timelock();
 
@@ -104,7 +89,7 @@ contract TimelockTest is IntegrationTest {
     }
 
     function testAcceptTimelock(uint256 timelock) public {
-        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
+        timelock = bound(timelock, 0, TIMELOCK - 1);
 
         vm.prank(OWNER);
         vault.submitTimelock(timelock);
@@ -129,7 +114,7 @@ contract TimelockTest is IntegrationTest {
     }
 
     function testAcceptTimelockTimelockNotElapsed(uint256 timelock, uint256 elapsed) public {
-        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
+        timelock = bound(timelock, 0, TIMELOCK - 1);
         elapsed = bound(elapsed, 1, TIMELOCK - 1);
 
         vm.prank(OWNER);
@@ -242,7 +227,7 @@ contract TimelockTest is IntegrationTest {
     }
 
     function testAcceptGuardianTimelockDecreased(uint256 timelock, uint256 elapsed) public {
-        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
+        timelock = bound(timelock, 0, TIMELOCK - 1);
         elapsed = bound(elapsed, 1, TIMELOCK - 1);
 
         vm.prank(OWNER);
@@ -399,7 +384,7 @@ contract TimelockTest is IntegrationTest {
 
     function testAcceptCapIncreasedTimelockDecreased(uint256 cap, uint256 timelock, uint256 elapsed) public {
         cap = bound(cap, CAP + 1, type(uint184).max);
-        timelock = bound(timelock, ConstantsLib.MIN_TIMELOCK, TIMELOCK - 1);
+        timelock = bound(timelock, 0, TIMELOCK - 1);
         elapsed = bound(elapsed, 1, TIMELOCK - 1);
 
         vm.prank(OWNER);

test/forge/helpers/InternalTest.sol

@@ -5,9 +5,7 @@ import "./BaseTest.sol";
 import {MetaMorpho} from "../../../src/MetaMorpho.sol";
 
 contract InternalTest is BaseTest, MetaMorpho {
-    constructor()
-        MetaMorpho(OWNER, address(morpho), ConstantsLib.MIN_TIMELOCK, address(loanToken), "MetaMorpho Vault", "MM")
-    {}
+    constructor() MetaMorpho(OWNER, address(morpho), 1 days, address(loanToken), "MetaMorpho Vault", "MM") {}
 
     function setUp() public virtual override {
         super.setUp();