Governance

Trilobyte uses a role-based access control system combined with a Timelock for governance delay on critical actions.

Governance Architecture

┌───────────────────────────────────────────────┐
│                  Timelock                      │
│        (OZ TimelockController)                │
│   Proposer / Executor / Canceller roles       │
│   Admin of Globals (governor actions delayed) │
└──────────────────────┬────────────────────────┘
                       │ admin
┌──────────────────────▼────────────────────────┐
│                   Globals                      │
│          (OZ Access + Pausable + Upgradeable)  │
│   Settings · Roles · Fees · Assets · Managers  │
└───────────────────────────────────────────────┘

The Timelock is set as the admin of the Globals contract. This means all admin-level actions must go through a time-delayed governance process.

Roles

Role

Key

Assigned To

Responsibilities

Admin

"admin"

Governor / Timelock

Global settings, asset whitelist, contract upgrades, treasury, fee updates

Security Admin

"sec_adm"

Security team

Emergency pause/unpause of the protocol

Operations Admin

"ops_adm"

Operations team

Approve/remove pool managers, set credit limits, clear delinquency

Timelock Controller

The Timelock enforces a minimum delay on governance operations. This gives protocol participants time to review and react to proposed changes before they take effect.

Operation Lifecycle

Unset → Waiting → Ready → Done

Proposer schedules an operation with a delay
The operation enters Waiting state
After the delay passes, the operation becomes Ready
Executor executes the operation → Done

A Canceller can cancel any pending operation before execution.

Timelocked Actions

The following actions go through the Timelock:

Action

Function

Impact

Update global settings

set_settings

Changes loan parameter bounds

Whitelist assets

add_supported_asset

Enables new tokens for lending

Remove assets

remove_supported_asset

Disables tokens

Update protocol fee

set_fee

Changes fee percentage

Update treasury

set_treasury

Changes fee recipient

Upgrade contracts

upgrade

Deploys new contract code

Non-Timelocked Actions

Some actions are intentionally instant for operational agility:

Action

Role

Reason

Pause/unpause

Security Admin

Emergency response

Approve/remove managers

Ops Admin

Operational management

Set credit limits

Ops Admin

Risk management

Clear delinquency

Ops Admin

Manager review

Emergency Powers

The Security Admin can pause the entire protocol instantly:

pause(caller) — Halts all state-changing functions protected by #[when_not_paused]
unpause(caller) — Resumes normal operation

This is a circuit breaker for emergencies — exploits, critical bugs, or market events that require immediate protocol freeze.

Pausing the protocol prevents new deposits, vault creation, and collateral operations. Existing vaults that are already Active continue to accept payments (the pause is on Globals-level operations).

Self-Administered Timelock

The Timelock is deployed as self-administered — it is its own admin. This means:

No single address can bypass the time delay
The Timelock's own settings (delay, roles) can only be changed through the Timelock itself
This creates a fully decentralised governance loop

PreviousDefault & Risk Management NextFor Borrowers

Last updated 2 months ago

hashtagGovernance Architecture

hashtagRoles

hashtagTimelock Controller

hashtagOperation Lifecycle

hashtagTimelocked Actions

hashtagNon-Timelocked Actions

hashtagEmergency Powers

hashtagSelf-Administered Timelock

Governance Architecture

Roles

Timelock Controller

Operation Lifecycle

Timelocked Actions

Non-Timelocked Actions

Emergency Powers

Self-Administered Timelock