Roles & Capabilities

The roles and capabilities for managing Morpho Vaults differ significantly between the future-proof Vaults V2 and the original variable rate market-focused Vaults V1. This document outlines the responsibilities and permissions for each version.

Morpho Vaults V2 Roles

The Vault V2 architecture introduces a refined role system with a clear separation of concerns, designed for enhanced security and operational flexibility.

Separation of Concerns is Key in V2

Unlike V1, the Owner in V2 does not inherit the powers of other roles. Each role is distinct, ensuring that administrative control is separate from strategic risk curation and daily portfolio operations.

Owner

The Owner holds the highest-level administrative power, responsible for appointing and managing the key roles that govern the vault.

  • Recommended Approach: A secure multisig (e.g., 4-of-6) or an equivalent institutional-grade MPC wallet. A single EOA is highly discouraged for production vaults.
  • Impact of Compromise: Full administrative control loss. The Owner can replace the Curator, who controls the vault's strategy.

Capabilities

  • Only one address can have this role.
  • Transfer ownership of the vault (setOwner).
  • Appoint or change the Curator (setCurator).
  • Add or remove Sentinels (setIsSentinel).
  • Set the vault's ERC-20 name and symbol.

Curator

The Curator is the vault's chief risk officer and strategist. They define the allocation strategy, set risk parameters, and enable the tools for the Allocator.

  • Recommended Approach: A multisig (e.g., 2-of-4 or 3-of-5) or an MPC wallet.
  • Impact of Compromise: Can propose and, after a timelock, execute changes that alter the vault's risk profile. The Sentinel and depositors have the timelock duration to react.

Capabilities

  • Only one address can have this role.
  • Protocol Management:
    • [Timelocked] Enable or disable yield sources via Adapters (addAdapter, removeAdapter).
  • Risk Curation:
    • [Timelocked] Increase absolute or relative caps for any risk id (increaseAbsoluteCap, increaseRelativeCap).
    • Instantly decrease absolute or relative caps (decreaseAbsoluteCap, decreaseRelativeCap).
  • Yield & Fee Management:
    • [Timelocked] Set the performanceFee and managementFee.
    • [Timelocked] Set the performanceFeeRecipient and managementFeeRecipient.
  • Operational Management:
    • [Timelocked] Add or remove Allocators (setIsAllocator).
    • [Timelocked] Set Gate contracts for onchain compliance (setSharesGate, setReceiveAssetsGate, setSendAssetsGate).
    • [Timelocked] Set the penalty for forceDeallocate (setForceDeallocatePenalty).

A forceDeallocatePenalty of 0 allows anyone to call forceDeallocate on behalf of any user. It would not lead to loss of assets, but could be used to cause vault assets to become idle at times unintended by the Curator.

  • Timelock Management:
    • [Timelocked] Increase the duration of any timelock (increaseTimelock). The timelock for this action equals its own current timelock duration (if set to 0, it can be executed immediately).
    • [Timelocked] Decrease the duration of any timelock (decreaseTimelock). The timelock for this action equals the current timelock of the function being decreased.
    • [Timelocked] Irreversibly disable a timelocked action (abdicate).

Allocator

The Allocator is the active execution role, responsible for deploying liquidity within the boundaries set by the Curator.

  • Recommended Approach: A hot-key EOA operated by a bot, or a fast-response multisig.
  • Impact of Compromise: Can misallocate assets between already approved adapters, potentially leading to suboptimal yield or temporary liquidity imbalances. Cannot introduce new, unapproved risks.

Capabilities

  • Multiple addresses can have this role.
  • Allocate capital from the vault's idle assets to enabled Adapters (allocate).
  • Deallocate capital from Adapters back to the vault's idle assets (deallocate).
  • Set and manage the liquidityAdapter to handle user deposits and withdrawals.
  • Set the maximum rate at which assets can grow (setMaxRate).

Sentinel

The Sentinel is a safety-oriented role designed for reactive risk mitigation. It acts as a check on the Curator and can intervene in emergencies.

  • Recommended Approach: Can be a hot key, a DAO governance contract (e.g., Snapshot), or a trusted third party.
  • Impact of Compromise: Minimal. A compromised Sentinel can only take actions that reduce risk (e.g., deallocate assets) or halt pending changes. It cannot introduce new risk.

Capabilities

  • Multiple addresses can have this role.
  • Deallocate assets from any enabled Adapter back to the vault's idle assets (deallocate).
  • Instantly decrease absolute or relative caps for any risk id.
  • Revoke any pending timelocked action submitted by the Curator (revoke).

For practical UI steps, see Act as a Sentinel in the Curator App.

Any Address

Capabilities

  • Execute any action submitted by the Curator once its timelock has expired.
  • Trigger a forceDeallocate to provide in-kind redemption liquidity (subject to a penalty).

Morpho Vaults V1 Roles

For reference, here are the roles and capabilities for the Morpho Vaults V1 architecture.

It is intended that Owner, Curator, and Guardian should be different addresses.

Owner

Roles

  • Highly Recommended Approaches:
    • Deploy a multisig with minimum 4/6 signers, OR
    • Use an enterprise MPC wallet with equivalent security controls
    • Implement strict operational security protocols
    • Distribute signing authority across trusted entities
    • Never use single-key EOA (Externally Owned Account) control
  • Impact of Compromise: Complete vault control loss without recovery options

Capabilities

  • Only a single address can have this role.
  • Change Owner (2 steps: the new Owner has to accept ownership).
  • Renounce ownership.
  • Set the Curator.
  • Add/remove addresses with the Allocator role (including the Public Allocator).
  • [Time-locked] Set the Guardian.
  • Increase the timelock duration for every time-locked function.
  • [Time-locked if already set] Decrease the timelock duration for every time-locked function.
  • Set the performance fee.
  • Set the fee recipient.
  • Set the rewards distributor address.
  • All the capabilities of the Curator, the Allocator and the Guardian.

Curator

Roles

  • Recommended Approaches:
    • Deploy a multisig with minimum 2/4 or 3/5 signers, OR
    • Use an enterprise MPC wallet with multi-party authorization policies
    • Implement robust operational security protocols
    • Distribute signing authority with geographical redundancy
  • Impact of Compromise: Elevated risk exposure, recoverable by Owner intervention

Capabilities

  • Only a single address can have this role.
  • Decrease a supply cap on a Morpho market.
  • [Time-locked] Increase a supply cap on a Morpho market, which includes enabling a new market (by setting a non-zero cap on a not yet enabled market).
  • [Time-locked] Submit the forced removal of a market.
  • Revoke the pending supply cap on a Morpho market.
  • Revoke the pending removal of a Morpho market.
  • All the capabilities of the Allocator.

Note: the Curator can't pause the withdrawal of assets.

Allocator

Roles

  • Recommended Options:
    • EOA operated by monitoring bot
    • Multisig with fast response capabilities (1/3 or 2/4), OR
    • Enterprise MPC wallet with appropriate authorization controls
  • Mitigation Strategy: Set restrictive market caps to limit potential damage

Capabilities

  • Multiple addresses can have this role.
  • Can modify the allocation between markets and the idle supply in the vault within the bounds set by the Curator.
  • Set the supply queue to some arbitrary queue of markets.
  • Re-order the withdraw queue by applying a permutation to it. Can omit markets on which the vault has 0 supply and 0 cap to remove it form the withdraw queue.

Guardian

Roles

  • Implementation Options:
    • Snapshot-based governance system
    • Aragon DAO integration
    • Multisig managed by community representatives
  • Security Benefit: Provides emergency intervention capability for users

Capabilities

  • Only a single address can have this role.
  • Can revoke a pending timelock decrease until the previous timelock ends and the new timelock is accepted (by the Owner).
  • Can revoke a pending Guardian until the timelock ends and the new Guardian is accepted (by the Owner).
  • Can revoke each pending market cap increase until the timelock ends and the new market cap is accepted (by the Owner or the Curator).
  • In particular, it cannot revoke a pending fee (submitted by the Owner).

Any address

Capabilities

  • Can accept the new cap after timelock.
  • Can accept the new fee after timelock.
  • Can accept the new guardian after timelock.
  • Can accept the new Timelock value after the current timelock duration.

On this page