Roles & Capabilities
The roles and capabilities for managing Morpho Vaults differ significantly between the future-proof Vaults V2 and the original variable rate market-focused Vaults V1. This document outlines the responsibilities and permissions for each version.
Morpho Vaults V2 Roles
The Vault V2 architecture introduces a refined role system with a clear separation of concerns, designed for enhanced security and operational flexibility.
Separation of Concerns is Key in V2
Unlike V1, the Owner in V2 does not inherit the powers of other roles. Each role is distinct, ensuring that administrative control is separate from strategic risk curation and daily portfolio operations.
Owner
The Owner holds the highest-level administrative power, responsible for appointing and managing the key roles that govern the vault.
- Recommended Approach: A secure multisig (e.g., 4-of-6) or an equivalent institutional-grade MPC wallet. A single EOA is highly discouraged for production vaults.
- Impact of Compromise: Full administrative control loss. The
Ownercan replace theCurator, who controls the vault's strategy.
Capabilities
- Only one address can have this role.
- Transfer ownership of the vault (
setOwner). - Appoint or change the
Curator(setCurator). - Add or remove
Sentinels(setIsSentinel). - Set the vault's ERC-20
nameandsymbol.
Curator
The Curator is the vault's chief risk officer and strategist. They define the allocation strategy, set risk parameters, and enable the tools for the Allocator.
- Recommended Approach: A multisig (e.g., 2-of-4 or 3-of-5) or an MPC wallet.
- Impact of Compromise: Can propose and, after a timelock, execute changes that alter the vault's risk profile. The
Sentineland depositors have the timelock duration to react.
Capabilities
- Only one address can have this role.
- Protocol Management:
[Timelocked]Enable or disable yield sources via Adapters (addAdapter,removeAdapter).
- Risk Curation:
[Timelocked]Increase absolute or relative caps for any riskid(increaseAbsoluteCap,increaseRelativeCap).- Instantly decrease absolute or relative caps (
decreaseAbsoluteCap,decreaseRelativeCap).
- Yield & Fee Management:
[Timelocked]Set theperformanceFeeandmanagementFee.[Timelocked]Set theperformanceFeeRecipientandmanagementFeeRecipient.
- Operational Management:
[Timelocked]Add or removeAllocators(setIsAllocator).[Timelocked]SetGatecontracts for onchain compliance (setSharesGate,setReceiveAssetsGate,setSendAssetsGate).[Timelocked]Set the penalty forforceDeallocate(setForceDeallocatePenalty).
A forceDeallocatePenalty of 0 allows anyone to call forceDeallocate on behalf of any user. It would not lead to loss of assets, but could be used to cause vault assets to become idle at times unintended by the Curator.
- Timelock Management:
[Timelocked]Increase the duration of any timelock (increaseTimelock). The timelock for this action equals its own current timelock duration (if set to 0, it can be executed immediately).[Timelocked]Decrease the duration of any timelock (decreaseTimelock). The timelock for this action equals the current timelock of the function being decreased.[Timelocked]Irreversibly disable a timelocked action (abdicate).
Allocator
The Allocator is the active execution role, responsible for deploying liquidity within the boundaries set by the Curator.
- Recommended Approach: A hot-key EOA operated by a bot, or a fast-response multisig.
- Impact of Compromise: Can misallocate assets between already approved adapters, potentially leading to suboptimal yield or temporary liquidity imbalances. Cannot introduce new, unapproved risks.
Capabilities
- Multiple addresses can have this role.
- Allocate capital from the vault's idle assets to enabled Adapters (
allocate). - Deallocate capital from Adapters back to the vault's idle assets (
deallocate). - Set and manage the
liquidityAdapterto handle user deposits and withdrawals. - Set the maximum rate at which assets can grow (
setMaxRate).
Sentinel
The Sentinel is a safety-oriented role designed for reactive risk mitigation. It acts as a check on the Curator and can intervene in emergencies.
- Recommended Approach: Can be a hot key, a DAO governance contract (e.g., Snapshot), or a trusted third party.
- Impact of Compromise: Minimal. A compromised
Sentinelcan only take actions that reduce risk (e.g., deallocate assets) or halt pending changes. It cannot introduce new risk.
Capabilities
- Multiple addresses can have this role.
- Deallocate assets from any enabled Adapter back to the vault's idle assets (
deallocate). - Instantly decrease absolute or relative caps for any risk
id. - Revoke any pending timelocked action submitted by the
Curator(revoke).
For practical UI steps, see Act as a Sentinel in the Curator App.
Any Address
Capabilities
- Execute any action submitted by the
Curatoronce its timelock has expired. - Trigger a
forceDeallocateto provide in-kind redemption liquidity (subject to a penalty).
Morpho Vaults V1 Roles
For reference, here are the roles and capabilities for the Morpho Vaults V1 architecture.
It is intended that Owner, Curator, and Guardian should be different addresses.
Owner
Roles
- Highly Recommended Approaches:
- Deploy a multisig with minimum 4/6 signers, OR
- Use an enterprise MPC wallet with equivalent security controls
- Implement strict operational security protocols
- Distribute signing authority across trusted entities
- Never use single-key EOA (Externally Owned Account) control
- Impact of Compromise: Complete vault control loss without recovery options
Capabilities
- Only a single address can have this role.
- Change
Owner(2 steps: the newOwnerhas to accept ownership). - Renounce ownership.
- Set the
Curator. - Add/remove addresses with the
Allocatorrole (including the Public Allocator). - [Time-locked] Set the
Guardian. - Increase the timelock duration for every time-locked function.
- [Time-locked if already set] Decrease the timelock duration for every time-locked function.
- Set the performance fee.
- Set the fee recipient.
- Set the rewards distributor address.
- All the capabilities of the
Curator, theAllocatorand theGuardian.
Curator
Roles
- Recommended Approaches:
- Deploy a multisig with minimum 2/4 or 3/5 signers, OR
- Use an enterprise MPC wallet with multi-party authorization policies
- Implement robust operational security protocols
- Distribute signing authority with geographical redundancy
- Impact of Compromise: Elevated risk exposure, recoverable by
Ownerintervention
Capabilities
- Only a single address can have this role.
- Decrease a supply cap on a Morpho market.
- [Time-locked] Increase a supply cap on a Morpho market, which includes enabling a new market (by setting a non-zero cap on a not yet enabled market).
- [Time-locked] Submit the forced removal of a market.
- Revoke the pending supply cap on a Morpho market.
- Revoke the pending removal of a Morpho market.
- All the capabilities of the
Allocator.
Note: the Curator can't pause the withdrawal of assets.
Allocator
Roles
- Recommended Options:
- EOA operated by monitoring bot
- Multisig with fast response capabilities (1/3 or 2/4), OR
- Enterprise MPC wallet with appropriate authorization controls
- Mitigation Strategy: Set restrictive market caps to limit potential damage
Capabilities
- Multiple addresses can have this role.
- Can modify the allocation between markets and the idle supply in the vault within the bounds set by the
Curator. - Set the supply queue to some arbitrary queue of markets.
- Re-order the withdraw queue by applying a permutation to it. Can omit markets on which the vault has 0 supply and 0 cap to remove it form the withdraw queue.
Guardian
Roles
- Implementation Options:
- Snapshot-based governance system
- Aragon DAO integration
- Multisig managed by community representatives
- Security Benefit: Provides emergency intervention capability for users
Capabilities
- Only a single address can have this role.
- Can revoke a pending timelock decrease until the previous timelock ends and the new timelock is accepted (by the
Owner). - Can revoke a pending
Guardianuntil the timelock ends and the newGuardianis accepted (by theOwner). - Can revoke each pending market cap increase until the timelock ends and the new market cap is accepted (by the
Owneror theCurator). - In particular, it cannot revoke a pending fee (submitted by the
Owner).
Any address
Capabilities
- Can accept the new cap after timelock.
- Can accept the new fee after timelock.
- Can accept the new guardian after timelock.
- Can accept the new Timelock value after the current timelock duration.