Setting Security Standards: Marinade is upgrading a smart contract

Cerba / Alex
Published in
5 min readDec 28, 2021


In DeFi, smart contracts are often created with an authority able to apply modifications to the code, a feature that might be crucial in the future of a protocol. These authorities need to be handled with care to avoid any issue. This is why Marinade has always been adamant and transparent on security.

Some contracts will be built without the possibility to ever modify them, but this solution also has its own flaws as the protocol cannot evolve at all if the need arises.

Marinade smart contracts are governed by a multisig and can only be updated by reaching a consensus between multiple parties.

This means that the code cannot be modified by a person alone. Any change in Marinade protocol has to be planned and goes through a rigorous validation process. For the change to be validated, the majority of our multisig will have to sign a transaction authorizing it.

This article is a perfect opportunity to get familiar with this validation process but also with this first Marinade upgrade that has been cooking!

What contract is being upgraded?

As you may know, Marinade offers two different ways to unstake your mSOL. You can either ‘Unstake Now’ to instantly get your SOL back and pay a small fee or use the ‘Delayed Unstake’ function to unstake without any fee and wait until your SOL are unstaked, which can take 2 to 3 epochs in our current version.

The ‘Delayed Unstake’ function gives you an estimate of your claim date.

At launch, this parameter had been set to include a buffer of 1 epoch, to make sure that our bot would have the time to perform the necessary unstaking operations. After several months of contract operation, our developers have observed that this buffer was not necessary and could be removed. Marinade could provide your SOL earlier on any delayed-unstake operation and allow any user to unstake mSOL approximately twice as fast as before, a significant improvement.

They decided to study this possibility and suggest an upgrade of the contract.

They also suggested that the 11M SOL limit could be taken off, as Marinade is not in beta anymore.

What will change?

Here is an extract of the current (and soon outdated) flow of the ‘Delayed Unstaked function’, for archive purposes:

There are 3 moments in an epoch for Marinade. The beginning of an epoch, the epoch itself, and the last hours before the end of an epoch. These 3 moments have an impact on the Delayed Unstake function.

Here are the different situations that can happen when you use ‘Delayed unstake’ during epoch N.

  • You start unstaking during Z, which is the very beginning of epoch n (like a few minutes into epoch n).

You will receive your SOL at the beginning of epoch n+2. The amount of SOL you receive is computed as SOL = [mSOL to burn]*[mSOL price] when the unstaking starts, but mSOL price may not be updated as the Marinade bot needs to be run to update the price at the beginning of each epoch. We suggest waiting a few hours into the epoch before using 'Delayed unstake' and starting it before the last 4 hours of the epoch.

  • You start unstaking during A.

You will receive SOL at the beginning of epoch n+2. The amount computed is [mSOL to burn]*[mSOL price] when the unstaking starts.

  • You start unstaking during B, which is the last 4 hours of epoch n.

You will receive SOL at the beginning of epoch n+3. The amount computed is [mSOL to burn]*[mSOL price] when the unstaking starts.

In all 3 cases, the planned smart contract upgrade will allow you to withdraw your funds one epoch earlier. Marinade will also use this occasion to take off the 11M SOL limit on Marinade.

The planned Github commit is already available and can be seen below:

Github commit planned in order to update our delayed unstake smart contract.

What is the process for this change?

In order to integrate this upgrade, a smart contract where a significant amount of money is stored will need to be modified. Marinade is engaged to put security above anything else and is committed to offering a safe service.

This is the primary reason behind this article. Marinade wanted to display the process this change went through and give information and time to any Marinade users so they can make a conscious decision about this upgrade.

So, how does a Marinade smart contract gets modified when an improvement is found and suggested?

A proposition is made

First, our developers found out a possible improvement and suggested a code modification, as seen above.

The change is communicated and announced so users can act as they choose

Now that this upgrade proposal has been checked and studied by the team, the time to communicate it to Marinade users has arrived.

The planned date has been set to next Tuesday, 01/04/2022, in order to leave an appropriate amount of time for any Marinade user to withdraw their funds if they feel unsafe about the planned change.

To be pushed on-chain, the change has to be validated by our multisig

This upgrade is also a perfect example to display how our multisig governance works. On the planned date, the smart contract will be modified thanks to the main multisig, composed by 11 wallets.

The power to upgrade our smart contract is distributed to multiple parties (including Alameda Research, Mercurial, Orca, Saber, Serum, Raydium, Triton One and the Marinade Team).

On the update date, the smart contract upgrade will be suggested by the Marinade team (on the basis of the work done by our developers and our ecosystem partners revision) and will have to be validated by the owners of other private keys from the multisig. The smart contract update can only be applied if a majority of these wallets signs and accepts the change.

Via these additional security layers, Marinade hopes to set high security standards and be an example among the whole blockchain ecosystem. The trust put in Marinade will never be taken lightly.