Roles and Permissions

Access Control Model

Admin roles

Sensitive roles are multisig-based. Admin rotation uses delayed two-step acceptance to prevent hostile takeover via single compromised key.

Role summary

Role	Scope	Key Capabilities
Raise admin	Per-raise	CollateralCollateralThe asset an investor deposits into a raise (e.g., USDC, WETH). Each accepted collateral type runs in an isolated pool with independent reserve accounting. Active collateral is routed to the yield strategy and backs investor principal protection. whitelisting, caps, transferability toggle
Strategy admin	Per-wrapper	Configure yield strategyYield StrategyProtocol used to generate yield on deposited capital. Aave V3 is the only supported strategy at launch. Yield funds the platform fee, project ecosystem budget, and buyback and burn. parameters (Aave V3 at launch), deploy and force-withdrawWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for buyback and burn. allocations
YieldYieldReturns generated by the yield strategy on deposited collateral. Variable and not guaranteed. Distributed via the yield waterfall: platform fee (10%) to DAO, then net yield (90%) to the project. claimer	Per-wrapper	Trigger yieldYieldReturns generated by the yield strategy on deposited collateral. Variable and not guaranteed. Distributed via the yield waterfall: platform fee (10%) to DAO, then net yield (90%) to the project. claims and fee distribution
Circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while ensuring exits remain available over time. owner	Per-breaker	Configure windows, max draw rates, protected-contract registry
Platform admin	Global	Platform feePlatform FeePercentage of yield taken by the platform (10% at launch), allocated to the DAO. No fee is charged on core user actions (deposit, redeem, withdraw). configuration and parameters

Admin Procedures

Admin rotation

• Two-step delayed acceptance model
• New admin is proposed, then must accept after a delay
• Prevents immediate hostile takeover from single key compromise

Pause controls

Admin can pause depositsDepositThe action of investing collateral into a raise. Collateral is received by the raise contract, routed to the yield strategy, and a pFT position NFT is minted. At deposit time, a live oracle price feed determines USD notional for FT allocation via deposit-time conversion.. Exit rights remain available even when paused. See Circuit Breaker — Pausing for stress-scenario details.

Transferability

transferable must be explicitly enabled on PutManager via enableTransferable before investors can use exits via withdrawWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for buyback and burn. (withdrawFT). This gate allows projects to control when FTFT (Fundraising Token)The project's token being sold in a raise. Investors receive fundraising token allocation at deposit time, which they can later withdraw to claim the FT tokens. claiming becomes available.

Strategy-Layer Controls

At the wrapper/strategy layer, control functions include:

• Configure strategy parameters (Aave V3 at launch)
• Deploy and force-withdrawWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for buyback and burn. strategy allocations
• Set/rotate yieldYieldReturns generated by the yield strategy on deposited collateral. Variable and not guaranteed. Distributed via the yield waterfall: platform fee (10%) to DAO, then net yield (90%) to the project. claimer roles
• Set circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while ensuring exits remain available over time. reference

This allows starting conservatively and adding strategies over time.

Upgradeability

Core contracts are upgradeable with controlled authorization paths. Upgrade risk is mitigated by:

• Multisig authorization requirements
• Delayed execution patterns
• Raise isolationRaise IsolationEach raise operates with independent reserve collateral accounting, position state, yield strategy routing, and admin controls. A failure in one raise does not affect unrelated raises. (upgrade to one raise does not affect others)

Trust Assumptions

See Guarantees — Trust Assumptions for the full trust model. The table below focuses on admin-specific trust boundaries.

Component	Trust Model
Strategy management	Admin-controlled strategy configuration (Aave V3 at launch)
Circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while ensuring exits remain available over time.	Admin-configured rate limits
YieldYieldReturns generated by the yield strategy on deposited collateral. Variable and not guaranteed. Distributed via the yield waterfall: platform fee (10%) to DAO, then net yield (90%) to the project. claiming	Permissionless trigger, admin-configured routing
Contract upgrades	Multisig-gated with controlled authorization

Admin key and upgrade risks

Mitigations in the design:

• Multisig-admin model
• Delayed admin rotation acceptance

Trust assumptions remain around key management. Compromised or malicious admin flow is mitigated but not eliminated by multisig requirements and delayed rotation.