Access Control
Who can do what in the protocol — roles, permissions, and emergency powers.
Yield Forge uses a minimal set of roles. Most of the protocol is permissionless — anyone can deposit, trade, harvest, and redeem. Only a few administrative functions are restricted.
Roles
| Role | What They Can Do | Restrictions |
|---|---|---|
| Protocol Owner | Upgrade facets, approve adapters/tokens, set fee recipient | All actions go through 48-hour timelock |
| Pool Guardian | Ban/unban pools, pause specific pools | Cannot withdraw funds, cannot upgrade contracts |
| Pause Guardian | Pause the protocol instantly | Cannot unpause, cannot change any parameters |
| Anyone | Add liquidity, trade PT/YT, harvest/claim yield, redeem PT | Standard gas fees apply |
The 48-Hour Timelock
The owner can't make instant changes. Every administrative action (upgrading a facet, approving a new adapter) is:
- Proposed — queued on-chain with a 48-hour delay
- Visible — anyone can inspect what the pending change does
- Executed — after 48 hours, it can be applied
- Expirable — if not executed within the grace period, it expires
This gives users time to review changes and exit the protocol if they disagree.
Emergency Pause
When a critical threat is detected, the pause guardian can instantly halt deposits and swaps — no timelock needed. Pausing can be global (entire protocol) or pool-specific. Only the owner can unpause through the standard timelock process.
!NOTE The pause guardian is a rapid-response role. They can stop things quickly but can't change anything or move funds. Think of it as a fire alarm — it stops operations, but someone else decides when to resume.