# Access Control and Roles

MetaVaults use a layered access control system built on [Safe](https://safe.global/) and the [Zodiac](https://www.gnosisguild.org/) framework. This page explains how the system protects depositors by constraining what each role can do.

For more details on the Zodiac framework, see the [Gnosis Guild GitHub](https://github.com/gnosisguild), the [RolesModifier](https://github.com/gnosisguild/zodiac-modifier-roles) repository, and the [Zodiac Roles documentation](https://docs.roles.gnosisguild.org/).

## Overview

Each MetaVault is owned by a Safe multisig. The Safe signers delegate specific scoped actions to other actors using Zodiac [RolesModifier](https://github.com/gnosisguild/zodiac-modifier-roles) and [Delay Modifier](https://github.com/gnosisguild/zodiac-modifier-delay) contracts, enabling fine-grained on-chain permission control.

## Roles

### Owner (Safe multisig)

The Safe signers are DAO-designated admins. They deploy and configure the vault, then intervene only for:

* **Role management** — assign or revoke curator, guardian, and accountant roles
* **Parameter changes** — update fees, max drawdown, treasury address
* **Urgent actions** — pause/unpause the vault
* **Timelock fast-track** — execute time-sensitive actions that would otherwise wait for the delay period

Day-to-day vault operations (liquidity allocation, settlement) are delegated to the curator and accountant roles via Zodiac.

### Curator

The Curator allocates liquidity within the MetaVault. All curator actions are **scoped** via Zodiac — they can only call specific functions on specific contracts, with parameter-level on-chain validation.

Examples of curator actions (non-exhaustive):

* Allocate liquidity to markets (e.g. Curve pools, Spectra pools, other DeFi protocols)
* Manage token approvals for registered contracts
* Bridge tokens to other chains

Some curator actions — those judged to be outside the bounds of routine day-to-day operations — are routed through [Delay Modifiers](https://dev.spectra.finance/architecture#delay-module), making them **timelocked**. During the delay period, Guardians can inspect and cancel any suspicious action. Routine operations that fall within safe, well-defined bounds are whitelisted to execute atomically through the default RolesModifier without delay.

### Guardian

The Guardian role is the security watchdog of the vault:

* **Monitor curator actions** — inspect timelocked transactions during the delay period and flag suspicious activity
* **Cancel timelocked actions** — call `increaseNonce` on the relevant [Delay Modifier](https://dev.spectra.finance/architecture#delay-module) to invalidate queued transactions before they execute
* **Report misbehaviour** — escalate to the vault admins / DAO if a curator acts against depositors' interests, which can result in the curator having their access revoked
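
The routing described in the Curator and Guardian sections can be sketched as a small off-chain model. This is an added example, not Spectra's or Zodiac's contract code. `VaultModel`, its methods, the targets, limits and delay value are hypothetical, and treating `increaseNonce` as "skip the oldest live queued call" is an assumption about its semantics.

```python
from dataclasses import dataclass, field

@dataclass
class VaultModel:
    scopes: dict       # (target, function) -> (param_check, delayed) granted to the curator
    cooldown: int      # delay period in seconds (constructed value)
    queue: list = field(default_factory=list)     # (queued_at, target, fn, args)
    tx_nonce: int = 0  # index of the next queued call allowed to execute
    executed: list = field(default_factory=list)

    def curator_call(self, now, target, fn, *args):
        # Roles check: the call must be whitelisted and pass parameter validation.
        check, delayed = self.scopes.get((target, fn), (None, False))
        if check is None or not check(*args):
            raise PermissionError(f"{target}.{fn}{args} is outside the curator scope")
        if delayed:    # sensitive action: timelocked instead of executed
            self.queue.append((now, target, fn, args))
            return "queued"
        self.executed.append((target, fn, args))
        return "executed"

    def execute_next(self, now):
        if self.tx_nonce >= len(self.queue):
            raise LookupError("no live transaction in the queue")
        queued_at, target, fn, args = self.queue[self.tx_nonce]
        if now - queued_at < self.cooldown:
            raise RuntimeError("delay period has not elapsed")
        self.tx_nonce += 1
        self.executed.append((target, fn, args))

    def increase_nonce(self):
        # Guardian action: skip the oldest live queued call so it can never execute.
        if self.tx_nonce >= len(self.queue):
            raise LookupError("no live transaction to cancel")
        self.tx_nonce += 1

def demo():
    v = VaultModel(cooldown=86_400, scopes={
        ("pool", "add_liquidity"): (lambda amount: amount <= 1_000, False),
        ("bridge", "send"): (lambda chain, amount: chain == "base", True),
    })
    v.curator_call(0, "pool", "add_liquidity", 500)     # routine: executes atomically
    v.curator_call(0, "bridge", "send", "base", 9_000)  # sensitive: queued
    v.increase_nonce()                                  # guardian cancels it
    v.curator_call(10, "bridge", "send", "base", 50)    # a second call is queued
    v.execute_next(10 + v.cooldown)                     # runs once the delay is over
    return v.executed
```

In the model, the cancelled bridge call never reaches `executed`, and any call that is not whitelisted or fails its parameter check is rejected before it can be queued at all.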

### Accountant

The accountant role calls `settle()` on the infrastructure vault. It is responsible for performance tracking, share value calculations, and epoch management — reporting the vault's underlying value so that share prices are computed correctly. This is a deliberate **separation of duties** — the curator allocates liquidity but is not responsible for share price accounting. The accountant is typically assigned to an automated keeper or the same entity as the owner.

## Security properties

1. **Separation of concerns** — The curator allocates liquidity but cannot change vault parameters or drain funds. The accountant handles share price accounting independently — the curator has no control over settlement or epoch management.
2. **On-chain enforcement** — All permissions are enforced on-chain by the RolesModifier, not off-chain.
3. **Timelocked execution** — Sensitive curator actions pass through a delay period, giving Guardians time to review and cancel suspicious transactions.
4. **Max drawdown** — Even the accountant cannot report an underlying value below the [max drawdown](https://dev.spectra.finance/fee-model#max-drawdown-protection) threshold during settlement.
5. **Pausability** — The owner can pause the vault to halt all user-facing operations.
6. **Revocable access** — Curators who act against depositors' interests can have their role revoked by the Safe multisig.
