Ensuro Docs
  • Introduction
    • General Questions
    • Risk Management
  • Liquidity Providers
    • FAQ - Liquidity Providers
    • Onboarding process
  • Risk Partners
    • FAQ - Risk Partners
    • Onboarding process
    • Flow
  • Deployments
  • Audits
  • Smart Contracts
    • Architecture
    • Roles and permissions
    • Governance
    • Policy Lifecycle
    • Policies
    • Liquidity pools
    • Premiums Accounts
    • Reserves
    • Asset Management
    • Contracts
      • PolicyPool
      • EToken
      • RiskModule
        • TrustfulRiskModule
        • SignedQuoteRiskModule
        • SignedBucketRiskModule
        • FlightDelayRiskModule
        • PriceRiskModule
      • PremiumsAccount
      • AccessManager
      • IAssetManager
        • LiquidityThresholdAssetManager
        • ERC4626AssetManager
        • AAVEv3AssetManager
      • ILPWhitelist
        • LPManualWhitelist
      • Extensions
        • ERC4626CashFlowLender
        • ETokensBundleVault
        • MultiStrategyERC4626
  • Offchain APIs
    • Introduction
    • Callback notifications
    • API Reference
      • Pricing API
      • Offchain API
  • Frontend
    • Security and Monitoring
  • Legal & Compliance
    • Trust & Security in Ensuro's Ecosystem
  • Ensuro Risk Disclosures
  • Fees & Charges
  • Specific Responsibilities and Expectations of Retail Investors
  • Confirmation of Acceptance of Participation Agreement and Token Holder Terms & Conditions
  • Ensuro Terms of Service
  • Restricted Jurisdictions
  • Participation Agreement for Token Holders
  • Ensuro Anti-Money Laundering & Anti-Terrorism Financing Policy Statement
  • Privacy Policy
  • Ensuro Data Protection Policy
  • Cybersecurity Guide for Ensuro Protocol Investors
  • Tax Guide for Ensuro Protocol Investors
Powered by GitBook
On this page
  • Timelocks
  • Multisigs
  • Transaction signing
  • Restricted Executor
  1. Smart Contracts

Governance

PreviousRoles and permissionsNextPolicy Lifecycle

Last updated 1 year ago

Ensuro leverages Multisig and Timelock contracts to provide transparency and security for the protocol.

No major changes to the protocol will ever be made without first going through an internal vetting process that requires sign-off from several senior staff members and a public announcement with an appropriate warning period enforced by a .

Timelocks

Timelocks require a change to be published on the blockchain in advance. The timelock enforces a minimum waiting period for execution once the change has been proposed, and only authorized accounts or contracts can propose changes.

The Timelock contracts currently in use in Ensuro are these:

Name
Delegated roles
Min. Delay
Authorized proposers

  • DEFAULT_ADMIN_ROLE

  • LEVEL1_ROLE

  • LEVEL2_ROLE

4 days

ADMINS_MULTISIG

  • LEVEL2_ROLE

  • LP_WHITELIST_ADMIN_ROLE_ADMIN

18 hours

ADMINS_MULTISIG

  • WITHDRAW_WON_PREMIUMS_ROLE

  • RESOLVER_ROLE_ADMIN

  • POLICY_CREATOR_ROLE_ADMIN

6 hours

ADMINS_MULTISIG

Each timelock acts as its own admin, and proposals can be executed by one of several company EOAs once they've been scheduled and the lock time has elapsed.

No accounts, besides the Timelock contracts enumerated here, are granted the DEFAULT_ADMIN, LEVEL1 or LEVEL2 roles at the protocol level.

Some of the RiskModules have the LEVEL1 and LEVEL2 component-specific roles delegated directly to a Multisig in some cases to allow for faster product repricing. This exception depends on the agreement with the risk partner that the RiskModule belongs to and the maturity of the product.

Multisigs

Name
Description
Members

Main admin multisig.

Requires at least 3 signatures from senior staff.

Permissions:

Emergency operations multisig 1. Requires approval from all members. Used for emergency protocol pausing or unpausing. Permissions:

Emergency operations multisig 2. Requires approval from all members. Used for emergency protocol pausing or unpausing. Permissions:

Transaction signing

All members of the multisigs must use secure hardware wallets or isolated environments for signing transactions. This is audited internally as part of our compliance program with the Bermuda Monetary Authority.

All critical transactions, such as upgrades or major parameter changes, must require at least 3 different senior staff members to sign.

Restricted Executor

In some cases, we have integrated our monitoring system (Ensuro Forta Bot, Forta feeds, Openzeppelin Defender sentinels and internal transaction monitoring) into our automated incident response.

This requires a service account to have the ability to instantly pause the protocol in reaction to some alerts.

Name
Permissions
Authorized operations

Propose transactions on

at protocol level

on some RiskModules

Role admin on

DEFAULT_ADMIN_ROLE and GUARDIAN_ROLE on some (mainly )

at protocol level

at protocol level

Transactions are signed using as documented above.

Given that our GUARDIAN_ROLE, which is the one used for pausing, can also unpause and upgrade contracts, we have created an intermediate contract called that allows us to delegate a single operation instead of a full role.

on specific contracts

pause() authorized to an .

TimelockController smart contract
Safe Wallet Multisigs
Restricted Executor
ADMIN_TL
LEVEL2_TL
OPERATIONAL_TL
ADMINS_MULTISIG
LEVEL3_ROLE
LEVEL2_ROLE
Colin McQueen (CFO)
Gabriel Parrondo (CISO)
Gian Giacomo della Torre (CRO)
Guillermo Narvaja (CTO)
Luca Mungo (CSO)
Marco Mirabella (CEO)
GUARDIAN_TEAM_1
GUARDIAN_ROLE
Gabriel Parrondo (CISO)
Marco Mirabella (CEO)
GUARDIAN_TEAM_2
GUARDIAN_ROLE
Colin McQueen (CFO)
Guillermo Narvaja (CTO)
RESTRICTED_EXECUTOR
GUARDIAN_ROLE
PremiumsAccount
operational EOA
timelocks
CashflowLenders
Peripheral contracts
PRICER_ROLE