Roles and Permissions

Access Control Model

Admin roles

Sensitive roles are multisig-based. Admin rotation uses delayed two-step acceptance to prevent hostile takeover via single compromised key.

Role Summary

Sensitive roles are multisig-based with delayed two-step rotation.

Raise admin Per-raise

Collateral whitelisting, caps, transferability toggle

Strategy admin Per-wrapper

Configure yield strategy parameters (Aave V3 at launch), deploy and force-withdraw allocations

Yield claimer Per-wrapper

Trigger yield claims and fee distribution

Circuit breaker owner Per-breaker

Configure windows, max draw rates, protected-contract registry

Platform admin Global

Platform fee configuration and parameters

Admin Procedures

Admin rotation

• Two-step delayed acceptance model
• New admin is proposed, then must accept after a delay
• Prevents immediate hostile takeover from single key compromise

Pause controls

Admin can pause depositsDepositThe action of investing collateral into a raise. The raise contract receives collateral, routes it to the yield strategy, and mints a pFT position NFT. A live oracle price feed determines USD notional for FT allocation via deposit-time conversion.. Exit rights remain available even when paused. See Circuit Breaker, Pausing for stress-scenario details.

Transferability

transferable must be explicitly enabled on PutManager via enableTransferable before investors can use exits via withdrawWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for optional buyback and burn (if configured). (withdrawFT). This gate allows projects to control when FTFT (Fundraising Token)The project's token being sold in a raise. Investors receive fundraising token allocation at deposit time, which they can later withdraw to claim the FT tokens. claiming becomes available.

Strategy-Layer Controls

Strategy-layer control functions:

• Configure strategy parameters (Aave V3 at launch)
• Deploy and force-withdrawWithdrawClaim project tokens and forfeit principal protection on the withdrawn amount. Implemented by withdrawFT. Requires transferable to be enabled. Released capital moves to capitalDivesting for optional buyback and burn (if configured). strategy allocations
• Set/rotate yieldYieldReturns generated by the yield strategy on deposited collateral. Variable, not guaranteed. Distributed via the yield waterfall: platform fee (10%) to DAO, then net yield (90%) to the project. claimer roles
• Set circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while keeping exits available over time. reference

Projects can start conservatively and add strategies over time.

Upgradeability

Core contracts are upgradeable. Upgrade risk is mitigated by:

• Multisig authorization requirements
• Delayed execution patterns
• Raise isolationRaise IsolationEach raise operates with independent reserve collateral accounting, position state, yield strategy routing, and admin controls. A failure in one raise cannot affect other raises. (upgrade to one raise does not affect others)

Trust Assumptions

See Guarantees, Trust Assumptions for the full trust model. The table below focuses on admin-specific trust boundaries.

Component	Trust Model
Strategy management	Admin-controlled strategy configuration (Aave V3 at launch)
Circuit breakerCircuit BreakerVelocity control on outflows that limits how fast capital can leave through wrapper withdraw paths. Uses a dual-buffer model to protect against exploit-velocity drains while keeping exits available over time.	Admin-configured rate limits
YieldYieldReturns generated by the yield strategy on deposited collateral. Variable, not guaranteed. Distributed via the yield waterfall: platform fee (10%) to DAO, then net yield (90%) to the project. claiming	Permissionless trigger, admin-configured routing
Contract upgrades	Multisig-gated with controlled authorization

Admin key and upgrade risks

Design mitigations:

• Multisig-admin model
• Delayed admin rotation acceptance

Key management is the residual trust surface. Multisig requirements and delayed rotation reduce the impact of a compromised or malicious admin but do not eliminate it.