Governance and Emergency Controls

Roles

  • Timelock Governor

    • can change parameters in RiskRegistry, FeeAccumulator, PegRail configs

    • can onboard new collateral profiles (adapter + oracle + params)

  • Guardian

    • can pause risk-increasing actions

    • cannot loosen parameters, and cannot unpause (clearing a pause is loosening, so it goes through the timelock)

  • Oracle Admin

    • manages oracle signer sets and feed configs (routed through the timelock wherever possible)

Timelock requirements

  • minimum delay on parameter changes (24 hours)

  • emergency pause is immediate

  • any “risk loosening” must go through timelock

Parameter change policy (operational)

  • caps increase gradually with observed liquidity

  • safety factors change rarely; require risk review

  • oracle signer changes require explicit rotation procedure and monitoring

Emergency controls

The emergency layer exists to contain damage, not to “manage the system day-to-day.”

Pause granularity

Separate pause flags for:

  • new minting

  • collateral withdrawals

  • peg rail outflows

  • starting new auctions (rare, and only with care: while this flag is set, positions that need liquidating are not being closed out)

  • onboarding new profiles

Deposits and repayments reduce risk; they get no pause flag and should remain possible whenever feasible.
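The Roles, Timelock requirements and Pause granularity sections above describe a single access-control design: the timelock owns every parameter change and every loosening, the guardian can only tighten, and each risk-increasing action has its own flag. The contract below is an added Solidity sketch of that design written for this page, not the protocol's own code. It assumes things the page does not state: a single `proposer` address queues actions, anyone may execute an action once its delay has passed, parameters live in external modules (RiskRegistry, FeeAccumulator, PegRail) reached by a low-level call, and the guardian may trigger wind-down so that it stays immediate.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Worked example for this page, not the protocol's own code. One contract acts
/// as the timelock governor and carries the guardian's pause flags, so the
/// tighten/loosen asymmetry is enforced in one place. Assumed (not from the
/// page): single `proposer`; open execute after the delay; parameters in
/// external modules reached by call(); guardian may trigger wind-down.
contract GovernorWithGuardian {
    uint256 public constant MIN_DELAY = 24 hours;

    /// One flag per risk-increasing action. Deposits and repayments have no
    /// flag on purpose: nothing here can block them.
    enum Flag { Mint, Withdraw, PegOutflow, NewAuction, Onboard }

    address public proposer;
    address public guardian;
    bool public windDown;
    mapping(Flag => bool) public paused;
    mapping(bytes32 => uint256) public eta; // action id => earliest execution time

    event Queued(bytes32 indexed id, address target, bytes data, uint256 eta);
    event Executed(bytes32 indexed id);
    event Paused(Flag flag, address by);
    event Unpaused(Flag flag);

    error Unauthorized();
    error NotQueued();
    error TooEarly();
    error CallFailed();
    error IsPaused(Flag flag);
    error InWindDown();

    /// Loosening functions accept calls only from this contract itself, which
    /// means only as the payload of an executed, delayed action.
    modifier onlyViaTimelock() {
        if (msg.sender != address(this)) revert Unauthorized();
        _;
    }

    constructor(address proposer_, address guardian_) {
        proposer = proposer_;
        guardian = guardian_;
    }

    // ---- Timelock path: parameter changes, onboarding, and every loosening ----
    function actionId(address target, bytes calldata data, bytes32 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data, salt));
    }

    function queue(address target, bytes calldata data, bytes32 salt) external {
        if (msg.sender != proposer) revert Unauthorized();
        bytes32 id = actionId(target, data, salt);
        uint256 readyAt = block.timestamp + MIN_DELAY; // the 24 h floor has no shortcut
        eta[id] = readyAt;
        emit Queued(id, target, data, readyAt);
    }

    function execute(address target, bytes calldata data, bytes32 salt) external {
        bytes32 id = actionId(target, data, salt);
        uint256 readyAt = eta[id];
        if (readyAt == 0) revert NotQueued();
        if (block.timestamp < readyAt) revert TooEarly();
        delete eta[id];
        (bool ok, ) = target.call(data); // e.g. RiskRegistry.setCap(...) or this.unpause(...)
        if (!ok) revert CallFailed();
        emit Executed(id);
    }

    /// Clearing a flag is loosening, so it is reachable only through execute()
    /// with target == address(this). The guardian has no path to it.
    function unpause(Flag flag) external onlyViaTimelock {
        if (windDown) revert InWindDown();
        paused[flag] = false;
        emit Unpaused(flag);
    }

    // ---- Emergency path: immediate, tighten-only ----
    function pause(Flag flag) external {
        if (msg.sender != guardian && msg.sender != address(this)) revert Unauthorized();
        paused[flag] = true;
        emit Paused(flag, msg.sender);
    }

    /// Wind-down raises every flag and latches: unpause() refuses until the
    /// separately specified settlement path (out of scope here) takes over.
    function enterWindDown() external {
        if (msg.sender != guardian && msg.sender != address(this)) revert Unauthorized();
        windDown = true;
        for (uint8 i = 0; i <= uint8(type(Flag).max); i++) paused[Flag(i)] = true;
    }

    /// Modules call this at the top of mint(), withdraw(), rail outflows,
    /// startAuction() and onboardProfile(); deposit() and repay() never do.
    function requireNotPaused(Flag flag) external view {
        if (paused[flag]) revert IsPaused(flag);
    }
}
```

To lift a pause, the proposer calls `queue(address(this), abi.encodeCall(this.unpause, (Flag.Mint)), salt)` and anyone calls `execute` with the same arguments once 24 hours have passed; a direct guardian call to `unpause` reverts with `Unauthorized` because `msg.sender` is not the contract itself. The property worth checking in review is that no code path writes `paused[flag] = false` outside the `onlyViaTimelock` guard, and that wind-down blocks even that path.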

Wind-down mode

If a severe failure occurs (oracle compromise, critical exploit, irrecoverable bug), the protocol can enter wind-down:

  • freeze issuance

  • freeze non-essential transfers from custody

  • optionally freeze prices at last known good values

  • provide controlled settlement path

The settlement path itself is sensitive; it is specified in a separate document and audited independently. The architectural requirement stated here is only that the core can be placed into a mode where it stops taking on new risk.
