Roles & Capabilities

The roles and capabilities for managing Morpho Vaults differ significantly between the protocol-agnostic Vaults V2 and the original Morpho Market V1-centric Vaults V1. This document outlines the responsibilities and permissions for each version.

Morpho Vaults V2 Roles

The Vault V2 architecture introduces a refined role system with a clear separation of concerns, designed for enhanced security and operational flexibility.

Owner

The Owner holds the highest-level administrative power, responsible for appointing and managing the key roles that govern the vault.

• Recommended Approach: A secure multisig (e.g., 4-of-6) or an equivalent institutional-grade MPC wallet. A single EOA is highly discouraged for production vaults.
• Impact of Compromise: Full administrative control loss. The Owner can replace the Curator, who controls the vault's strategy.

Capabilities

• Only one address can have this role.
• Transfer ownership of the vault (setOwner).
• Appoint or change the Curator (setCurator).
• Add or remove Sentinels (setIsSentinel).
• Set the vault's ERC-20 name and symbol.

Curator

The Curator is the vault's chief risk officer and strategist. They define the investment thesis, set risk parameters, and enable the tools for the Allocator.

• Recommended Approach: A multisig (e.g., 2-of-4 or 3-of-5) or an MPC wallet.
• Impact of Compromise: Can propose and, after a timelock, execute changes that alter the vault's risk profile. The Sentinel and depositors have the timelock duration to react.

Capabilities

• Only one address can have this role.
• Protocol Management:
  • [Timelocked] Enable or disable yield sources via Adapters (setIsAdapter).
• Risk Curation:
  • [Timelocked] Increase absolute or relative caps for any risk id (increaseAbsoluteCap, increaseRelativeCap).
  • Instantly decrease absolute or relative caps (decreaseAbsoluteCap, decreaseRelativeCap).
• Yield & Fee Management:
  • [Timelocked] Set the Vault Interest Controller (setVic).
  • [Timelocked] Set the performanceFee and managementFee.
  • [Timelocked] Set the performanceFeeRecipient and managementFeeRecipient.
• Operational Management:
  • [Timelocked] Add or remove Allocators (setIsAllocator).
  • [Timelocked] Set Gate contracts for onchain compliance (setSharesGate, setReceiveAssetsGate, setSendAssetsGate).
  • [Timelocked] Set the penalty for forceDeallocate (setForceDeallocatePenalty).
• Timelock Management:
  • Instantly increase the duration of any timelock (increaseTimelock).
  • [Timelocked, 2 weeks] Decrease the duration of any timelock (decreaseTimelock).
  • [Timelocked] Irreversibly disable a timelocked action (abdicateSubmit).

Allocator

The Allocator is the active portfolio manager, responsible for executing the vault's strategy within the boundaries set by the Curator.

• Recommended Approach: A smart contract with automated logic, a hot-key EOA operated by a bot, or a fast-response multisig.
• Impact of Compromise: Can misallocate funds between already approved adapters, potentially leading to suboptimal yield or temporary liquidity imbalances. Cannot introduce new, unapproved risks.

Capabilities

• Multiple addresses can have this role.
• Allocate capital from the vault's idle assets to enabled Adapters (allocate).
• Deallocate capital from Adapters back to the vault's idle assets (deallocate).
• Set and manage the liquidityAdapter to handle user deposits and withdrawals.

Sentinel

The Sentinel is a safety-oriented role designed for reactive risk mitigation. It acts as a check on the Curator and can intervene in emergencies.

• Recommended Approach: Can be a hot key, a DAO governance contract (e.g., Snapshot), or a trusted third party.
• Impact of Compromise: Minimal. A compromised Sentinel can only take actions that reduce risk (e.g., deallocate funds) or halt pending changes. It cannot introduce new risk.

Capabilities

• Multiple addresses can have this role.
• Deallocate funds from any enabled Adapter back to the vault's idle assets (deallocate).
• Instantly decrease absolute or relative caps for any risk id.
• Revoke any pending timelocked action submitted by the Curator (revoke).

Any Address

Capabilities

• Execute any action submitted by the Curator once its timelock has expired.
• Trigger a forceDeallocate to provide in-kind redemption liquidity (subject to a penalty).
• Trigger realizeLoss on an adapter to update the vault's accounting after a bad debt event.

Morpho Vaults V1 Roles

For reference, here are the roles and capabilities for the Morpho Vaults V1 architecture.

Owner

Roles

• Highly Recommended Approaches:
  • Deploy a multisig with minimum 4/6 signers, OR
  • Use an enterprise MPC wallet with equivalent security controls
  • Implement strict operational security protocols
  • Distribute signing authority across trusted entities
  • Never use single-key EOA (Externally Owned Account) control
• Impact of Compromise: Complete vault control loss without recovery options

Capabilities

• Only a single address can have this role.
• Change owner (2 steps: the new owner has to accept ownership).
• Renounce ownership.
• Set the curator.
• Add/remove addresses with the allocator role (including the Public Allocator).
• [Time-locked] Set the guardian.
• Increase the timelock duration for every time-locked function.
• [Time-locked if already set] Decrease the timelock duration for every time-locked function.
• Set the performance fee.
• Set the fee recipient.
• Set the rewards distributor address.
• All the capabilities of the Curator, the Allocator and the Guardian.

Curator

Roles

• Recommended Approaches:
  • Deploy a multisig with minimum 2/4 or 3/5 signers, OR
  • Use an enterprise MPC wallet with multi-party authorization policies
  • Implement robust operational security protocols
  • Distribute signing authority with geographical redundancy
• Impact of Compromise: Elevated risk exposure, recoverable by owner intervention

Capabilities

• Only a single address can have this role.
• Decrease a supply cap on a Morpho market.
• [Time-locked] Increase a supply cap on a Morpho market, which includes enabling a new market (by setting a non-zero cap on a not yet enabled market).
• [Time-locked] Submit the forced removal of a market.
• Revoke the pending supply cap on a Morpho market.
• Revoke the pending removal of a Morpho market.
• All the capabilities of the Allocator.

Note: the Curator can't pause the withdrawal of funds.

Allocator

Roles

• Recommended Options:
  • Smart contract with automated reallocation logic
  • EOA operated by monitoring bot
  • Multisig with fast response capabilities (1/3 or 2/4), OR
  • Enterprise MPC wallet with appropriate authorization controls
• Mitigation Strategy: Set restrictive market caps to limit potential damage

Capabilities

• Multiple addresses can have this role.
• Can modify the allocation between markets and the idle supply in the vault within the bounds set by the Curator.
• Set the supply queue to some arbitrary queue of markets.
• Re-order the withdraw queue by applying a permutation to it. Can omit markets on which the vault has 0 supply and 0 cap to remove it form the withdraw queue.

Guardian

Roles

• Implementation Options:
  • Snapshot-based governance system
  • Aragon DAO integration
  • Multisig managed by community representatives
• Security Benefit: Provides emergency intervention capability for users

Capabilities

• Only a single address can have this role.
• Can revoke a pending timelock decrease until the previous timelock ends and the new timelock is accepted (by the Owner).
• Can revoke a pending guardian until the timelock ends and the new guardian is accepted (by the Owner).
• Can revoke each pending market cap increase until the timelock ends and the new market cap is accepted (by the Owner or the Curator).
• In particular, it cannot revoke a pending fee (submitted by the Owner).

Any address

Capabilities

• Can accept the new cap after timelock.
• Can accept the new fee after timelock.
• Can accept the new guardian after timelock.
• Can accept the new Timelock value after the current timelock duration.