Skip to content

Roles & Capabilities

Implement a secure role distribution system following these guidelines. Reference the complete role documentation for technical details.

Owner

Roles

  • Critical Security Requirements:
    • Deploy a multisig with minimum 4/6 signers
    • Implement strict operational security protocols
    • Distribute keys across trusted entities
    • Never use EOA (Externally Owned Account) control
  • Impact of Compromise: Complete vault control loss without recovery options

Capabilities

  • Only a single address can have this role.
  • Change owner (2 steps: the new owner has to accept ownership).
  • Renounce ownership.
  • Set the curator.
  • Add/remove addresses with the allocator role (including the Public Allocator).
  • [Time-locked] Set the guardian.
  • Increase the timelock duration for every time-locked function.
  • [Time-locked if already set] Decrease the timelock duration for every time-locked function.
  • Set the performance fee.
  • Set the fee recipient.
  • Set the rewards distributor address.
  • All the capabilities of the Curator, the Allocator and the Guardian.

Curator

Roles

  • Security Requirements:
    • Deploy a multisig with minimum 2/4 or 3/5 signers
    • Implement medium-level operational security protocols
    • Distribute keys with geographical redundancy
  • Impact of Compromise: Elevated risk exposure, recoverable by owner intervention

Capabilities

  • Only a single address can have this role.
  • Decrease a supply cap on a Morpho market.
  • [Time-locked] Increase a supply cap on a Morpho market, which includes enabling a new market (by setting a non-zero cap on a not yet enabled market).
  • [Time-locked] Submit the forced removal of a market.
  • Revoke the pending supply cap on a Morpho market.
  • Revoke the pending removal of a Morpho market.
  • All the capabilities of the Allocator.

Note: the Curator can't pause the withdrawal of funds.

Allocator

Roles

  • Implementation Options:
    • Smart contract with automated reallocation logic
    • EOA operated by monitoring bot
    • Multisig with fast response capabilities (1/3 or 2/4)
  • Mitigation Strategy: Set restrictive market caps to limit potential damage

Capabilities

  • Multiple addresses can have this role.
  • Can modify the allocation between markets and the idle supply in the vault within the bounds set by the Curator.
  • Set the supply queue to some arbitrary queue of markets.
  • Re-order the withdraw queue by applying a permutation to it. Can omit markets on which the vault has 0 supply and 0 cap to remove it form the withdraw queue.

Guardian

Roles

  • Implementation Options:
    • Snapshot-based governance system
    • Aragon DAO integration
    • Multisig managed by community representatives
  • Security Benefit: Provides emergency intervention capability for users

Capabilities

  • Only a single address can have this role.
  • Can revoke a pending timelock decrease until the previous timelock ends and the new timelock is accepted (by the Owner).
  • Can revoke a pending guardian until the timelock ends and the new guardian is accepted (by the Owner).
  • Can revoke each pending market cap increase until the timelock ends and the new market cap is accepted (by the Owner or the Curator).
  • In particular, it cannot revoke a pending fee (submitted by the Owner).

Any address

Capabilities

  • Can accept the new cap after timelock.
  • Can accept the new fee after timelock.
  • Can accept the new guardian after timelock.
  • Can accept the new Timelock value after the current timelock duration.