Skip to content

Security & Governance Interaction

The security and behavior of the $M token are deeply intertwined with the M0 Protocol's governance and other core contracts.

Supply Control

  • The total supply of $M is exclusively controlled by the MinterGateway contract.
  • MToken.mint(address recipient, uint240 amount) can only be called by the minterGateway address set in MToken.
  • MToken.burn(address account, uint240 amount) can only be called by the minterGateway address. This ensures that $M tokens are only created or destroyed as per the protocol's minting (collateral-backed) and burning (debt-repayment) rules managed by MinterGateway.

Earning Mechanism Governance

  • Earner Approval: Whether an account can switch to an earning balance (startEarning()) is determined by M0 Governance. The MToken contract checks if an account is an approved earner by querying the TTGRegistrar (specifically, the APPROVED_EARNERS list or if EARNERS_LIST_IGNORED is true).

    // Simplified check from _isApprovedEarner(address account_)
    function _isApprovedEarner(address account_) internal view returns (bool) {
        return ttgRegistrarReader.getBool("earners_list_ignored") || ttgRegistrarReader.listContains("earners", account_);
    }

  • Rate Model Control: The interest rate for earners is determined by the EARNER_RATE_MODEL. The address of this model is a governance-controlled parameter stored in the TTGRegistrar and read by MToken during updateIndex().

Safety Controls for Earners

  • The stopEarning(address account_) function allows anyone to call it for an account_ that is no longer on the APPROVED_EARNERS list. This is a crucial safety mechanism to prevent an account from continuing to accrue yield if its earner status is revoked by governance.

    function stopEarning(address account_) external {
    if (_isApprovedEarner(account_)) revert IsApprovedEarner(); // Can only be called if account is NOT an approved earner
    _stopEarning(account_);
}

Index Management and Synchronization

  • The MToken.updateIndex() function is critical for reflecting the correct yield. As mentioned, it's called by MinterGateway to ensure synchronization with Minter-side interest accruals and by MToken itself during critical state changes. This synchronization is vital for the protocol's economic balance.

Rounding and Numerical Stability

  • The consistent use of protocol-favoring rounding rules in conversions and transfers contributes to the robustness of the $M token system. These small, accumulated amounts act as a buffer and eventually contribute to protocol reserves (e.g., claimable by the DistributionVault).
  • Explicit overflow checks and the use of libraries like UIntMath and ContinuousIndexingMath ensure numerical precision and prevent errors during balance and index calculations.

Immutability

The MToken contract itself is designed to be immutable, meaning its core logic cannot be upgraded directly. Changes to its behavior (like interest rates or earner eligibility) are managed externally through governance-controlled parameters in the TTGRegistrar and updatable Rate Model contracts.