search

Governance

Trilobyte uses a role-based access control system combined with a Timelock for governance delay on critical actions.

hashtag
Governance Architecture

┌───────────────────────────────────────────────┐
│                  Timelock                      │
│        (OZ TimelockController)                │
│   Proposer / Executor / Canceller roles       │
│   Admin of Globals (governor actions delayed) │
└──────────────────────┬────────────────────────┘
                       │ admin
┌──────────────────────▼────────────────────────┐
│                   Globals                      │
│          (OZ Access + Pausable + Upgradeable)  │
│   Settings · Roles · Fees · Assets · Managers  │
└───────────────────────────────────────────────┘

The Timelock is set as the admin of the Globals contract. This means all admin-level actions must go through a time-delayed governance process.

hashtag
Roles

Role
Key
Assigned To
Responsibilities

Admin

"admin"

Governor / Timelock

Global settings, asset whitelist, contract upgrades, treasury, fee updates

Security Admin

"sec_adm"

Security team

Emergency pause/unpause of the protocol

Operations Admin

"ops_adm"

Operations team

Approve/remove pool managers, set credit limits, clear delinquency

hashtag
Timelock Controller

The Timelock enforces a minimum delay on governance operations. This gives protocol participants time to review and react to proposed changes before they take effect.

hashtag
Operation Lifecycle

  1. Proposer schedules an operation with a delay

  2. The operation enters Waiting state

  3. After the delay passes, the operation becomes Ready

  4. Executor executes the operation → Done

A Canceller can cancel any pending operation before execution.

hashtag
Timelocked Actions

The following actions go through the Timelock:

Action
Function
Impact

Update global settings

set_settings

Changes loan parameter bounds

Whitelist assets

add_supported_asset

Enables new tokens for lending

Remove assets

remove_supported_asset

Disables tokens

Update protocol fee

set_fee

Changes fee percentage

Update treasury

set_treasury

Changes fee recipient

Upgrade contracts

upgrade

Deploys new contract code

hashtag
Non-Timelocked Actions

Some actions are intentionally instant for operational agility:

Action
Role
Reason

Pause/unpause

Security Admin

Emergency response

Approve/remove managers

Ops Admin

Operational management

Set credit limits

Ops Admin

Risk management

Clear delinquency

Ops Admin

Manager review

hashtag
Emergency Powers

The Security Admin can pause the entire protocol instantly:

  • pause(caller) — Halts all state-changing functions protected by #[when_not_paused]

  • unpause(caller) — Resumes normal operation

This is a circuit breaker for emergencies — exploits, critical bugs, or market events that require immediate protocol freeze.

circle-exclamation

Pausing the protocol prevents new deposits, vault creation, and collateral operations. Existing vaults that are already Active continue to accept payments (the pause is on Globals-level operations).

hashtag
Self-Administered Timelock

The Timelock is deployed as self-administered — it is its own admin. This means:

  • No single address can bypass the time delay

  • The Timelock's own settings (delay, roles) can only be changed through the Timelock itself

  • This creates a fully decentralised governance loop

PreviousDefault & Risk ManagementNextFor Borrowers

Last updated