Access Control and Roles

MetaVaults use a layered access control system built on Safe and the Zodiac framework. This page explains how the system protects depositors by constraining what each role can do.

For more details on the Zodiac framework, see the Gnosis Guild GitHub, the RolesModifier, and the Zodiac Roles documentation.

Overview

Each MetaVault is owned by a Safe multisig. The Safe signers delegate specific scoped actions to other actors using Zodiac RolesModifier and Delay Modifier contracts, enabling fine-grained on-chain permission control.

Roles

Owner (Safe multisig)

The Safe signers are DAO-designated admins. They deploy and configure the vault, then only intervene for:

  • Role management — assign or revoke curator, guardian, and accountant roles

  • Parameter changes — update fees, max drawdown, treasury address

  • Urgent actions — pause/unpause the vault

  • Timelock fast-track — execute time-sensitive actions that would otherwise wait for the delay period

Day-to-day vault operations (liquidity allocation, settlement) are delegated to the curator and accountant roles via Zodiac.

Curator

The Curator allocates liquidity within the MetaVault. All curator actions are scoped via Zodiac — they can only call specific functions on specific contracts, with parameter-level on-chain validation.

Examples of curator actions (non-exhaustive):

  • Allocate liquidity to markets (e.g. Curve pools, Spectra pools, other DeFi protocols)

  • Manage token approvals for registered contracts

  • Bridge tokens to other chains

Some curator actions — those judged to be outside the bounds of routine day-to-day operations — are routed through Delay Modifiers, making them timelocked. During the delay period, Guardians can inspect and cancel any suspicious action. Routine operations that fall within safe, well-defined bounds are whitelisted to execute atomically through the default RolesModifier without delay.

Guardian

The Guardian role is the security watchdog of the vault:

  • Monitor curator actions — inspect timelocked transactions during the delay period and flag suspicious activity

  • Cancel timelocked actions — call increaseNonce on the relevant Delay Modifier to invalidate queued transactions before they execute

  • Report misbehaviour — escalate to the vault admins / DAO if a curator acts against depositors' interests, which can result in the curator having their access revoked

Accountant

The accountant role calls settle() on the infrastructure vault. It is responsible for performance tracking, share value calculations, and epoch management — reporting the vault's underlying value so that share prices are computed correctly. This is a deliberate separation of duties — the curator allocates liquidity but is not responsible for share price accounting. The accountant is typically assigned to an automated keeper or the same entity as the owner.

Security properties

  1. Separation of concerns — The curator allocates liquidity but cannot change vault parameters or drain funds. The accountant handles share price accounting independently — the curator has no control over settlement or epoch management.

  2. On-chain enforcement — All permissions are enforced on-chain by the RolesModifier, not off-chain.

  3. Timelocked execution — Sensitive curator actions pass through a delay period, giving Guardians time to review and cancel suspicious transactions.

  4. Max drawdown — Even the accountant cannot report an underlying value below the max drawdown threshold during settlement.

  5. Pausability — The owner can pause the vault to halt all user-facing operations.

  6. Revocable access — Curators who act against depositors' interests can have their role revoked by the Safe multisig.
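The routing described under Curator and Guardian can be traced in a small off-chain model. This is an added example, not the Zodiac or MetaVault contract code: the scope table, the 24-hour cooldown and all Python names are constructed for illustration, and `increase_nonce` only mirrors the increaseNonce call named above.

```python
from dataclasses import dataclass, field

# Constructed scope table: (target, function) pairs the curator role may call.
# True = routine, executes atomically; False = routed through the delay queue.
CURATOR_SCOPE = {
    ("CurvePool", "add_liquidity"): True,
    ("Bridge", "send_tokens"): False,
    ("Token", "approve"): False,
}

@dataclass
class DelayQueue:
    cooldown: int                                # seconds a queued call must wait
    tx_nonce: int = 0                            # next queue slot eligible to execute
    queue: list = field(default_factory=list)    # one (call, queued_at) per slot

    def enqueue(self, call, now):
        self.queue.append((call, now))
        return len(self.queue) - 1               # slot number of the queued call

    def increase_nonce(self, new_nonce):
        # Guardian cancel: every slot below new_nonce can never execute.
        if not self.tx_nonce < new_nonce <= len(self.queue):
            raise ValueError("nonce must move forward within the queue")
        self.tx_nonce = new_nonce

    def execute_next(self, now):
        if self.tx_nonce >= len(self.queue):
            raise LookupError("nothing queued")
        call, queued_at = self.queue[self.tx_nonce]
        if now - queued_at < self.cooldown:
            raise PermissionError("still inside the delay period")
        self.tx_nonce += 1
        return call

def curator_call(delay, target, function, now):
    """Route one curator call; returns 'executed' or ('queued', slot)."""
    routine = CURATOR_SCOPE.get((target, function))
    if routine is None:
        raise PermissionError(f"{target}.{function} is outside the curator scope")
    return "executed" if routine else ("queued", delay.enqueue((target, function), now))

def demo():
    delay = DelayQueue(cooldown=86_400)          # constructed 24 h delay
    results = [curator_call(delay, "CurvePool", "add_liquidity", now=0)]
    results.append(curator_call(delay, "Bridge", "send_tokens", now=10))
    delay.increase_nonce(1)                      # guardian cancels slot 0
    results.append(curator_call(delay, "Token", "approve", now=20))
    results.append(delay.execute_next(now=20 + 86_400))
    return results
```

In `demo()` the cancelled bridge call in slot 0 is never returned by `execute_next`; only the later approval in slot 1 executes, and only once its cooldown has elapsed.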
