# Governance

Ensuro leverages Multisig and Timelock contracts to provide transparency and security for the protocol.

No major changes to the protocol will ever be made without first going through an internal vetting process that requires sign-off from several senior staff members and a public announcement with an appropriate warning period enforced by a [TimelockController smart contract](https://docs.openzeppelin.com/contracts/4.x/api/governance#TimelockController).

### Timelocks

Timelocks require a change to be published on the blockchain in advance. The timelock enforces a minimum waiting period for execution once the change has been proposed, and only authorized accounts or contracts can propose changes.

The Timelock contracts currently in use in Ensuro are these:

<table><thead><tr><th width="156">Name</th><th width="324">Delegated roles</th><th width="77">Min. Delay</th><th>Authorized proposers</th></tr></thead><tbody><tr><td><a href="https://polygonscan.com/address/0xc0D3EcAcEBE2A8f2268D3FAE616f9DD1B94e81a2">ADMIN_TL</a></td><td><ul><li>DEFAULT_ADMIN_ROLE</li><li>LEVEL1_ROLE</li><li>LEVEL2_ROLE</li></ul></td><td>4 days</td><td>ADMINS_MULTISIG</td></tr><tr><td><a href="https://polygonscan.com/address/0x371d67Ee31f6bfcDF13C7fa0CC9cC2C7080Ac666">LEVEL2_TL</a></td><td><ul><li>LEVEL2_ROLE</li><li>LP_WHITELIST_ADMIN_ROLE_ADMIN</li></ul></td><td>18 hours</td><td>ADMINS_MULTISIG</td></tr><tr><td><a href="https://polygonscan.com/address/0x76934cd2648594488a1378AC769D639933623D2a">OPERATIONAL_TL</a></td><td><ul><li>WITHDRAW_WON_PREMIUMS_ROLE</li><li>RESOLVER_ROLE_ADMIN</li><li>POLICY_CREATOR_ROLE_ADMIN</li></ul></td><td>6 hours</td><td>ADMINS_MULTISIG</td></tr></tbody></table>

Each timelock acts as its own admin, and proposals can be executed by one of several company EOAs once they've been scheduled and the lock time has elapsed.

No accounts, besides the Timelock contracts enumerated here, are granted the `DEFAULT_ADMIN`, `LEVEL1` or `LEVEL2` roles at the protocol level.

Some RiskModules have the `LEVEL1` and `LEVEL2` component-specific roles delegated directly to a Multisig to allow for faster product repricing. This exception depends on the agreement with the risk partner that the RiskModule belongs to and the maturity of the product.
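The minimum delays in the table above can be checked against the events the timelocks emit. The following is an added example, not Ensuro's code: it audits decoded TimelockController events (`CallScheduled`, `Cancelled`, `MinDelayChange`) against the documented delays. The event dict layout and the sample events are constructed for illustration.

```python
# Documented minimum delays in seconds, keyed by lowercase timelock address
# (addresses and delays come from the table above).
DOCUMENTED = {
    "0xc0d3ecacebe2a8f2268d3fae616f9dd1b94e81a2": ("ADMIN_TL", 4 * 86400),
    "0x371d67ee31f6bfcdf13c7fa0cc9cc2c7080ac666": ("LEVEL2_TL", 18 * 3600),
    "0x76934cd2648594488a1378ac769d639933623d2a": ("OPERATIONAL_TL", 6 * 3600),
}
ADMIN, LEVEL2, OPERATIONAL = DOCUMENTED  # the three addresses, in table order

def audit_timelock_events(events):
    """Return (findings, ready_at) for decoded TimelockController events.

    findings: strings describing events that contradict the documented delays.
    ready_at: {operation id: earliest timestamp at which it can be executed}.
    """
    findings, ready_at = [], {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        entry = DOCUMENTED.get(ev["address"].lower())
        if entry is None:
            continue  # not one of the documented timelocks
        name, min_delay = entry
        if ev["event"] == "MinDelayChange" and ev["newDuration"] < min_delay:
            findings.append(f"{name}: min delay lowered to {ev['newDuration']}s, documented {min_delay}s")
        elif ev["event"] == "CallScheduled":
            # A batch emits one CallScheduled per call with the same id: report once.
            if ev["delay"] < min_delay and ev["id"] not in ready_at:
                findings.append(f"{name}: {ev['id']} scheduled with {ev['delay']}s delay, documented {min_delay}s")
            ready_at[ev["id"]] = ev["timestamp"] + ev["delay"]
        elif ev["event"] == "Cancelled":
            ready_at.pop(ev["id"], None)  # cancelled operations never become executable
    return findings, ready_at

# Constructed sample events (ids and timestamps are made up; dict layout is an assumption).
SAMPLE_EVENTS = [
    {"address": ADMIN, "event": "CallScheduled", "id": "op-a", "timestamp": 1_700_000_000, "delay": 345_600},
    {"address": OPERATIONAL, "event": "MinDelayChange", "timestamp": 1_700_000_100,
     "oldDuration": 21_600, "newDuration": 3_600},
    {"address": OPERATIONAL, "event": "CallScheduled", "id": "op-b", "timestamp": 1_700_000_200, "delay": 3_600},
    {"address": LEVEL2, "event": "CallScheduled", "id": "op-c", "timestamp": 1_700_000_300, "delay": 64_800},
    {"address": LEVEL2, "event": "Cancelled", "id": "op-c", "timestamp": 1_700_000_400},
]

if __name__ == "__main__":
    found, ready = audit_timelock_events(SAMPLE_EVENTS)
    print("\n".join(found))
    print(ready)
```
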

### Multisigs

<table><thead><tr><th width="203">Name</th><th>Description</th><th>Members</th></tr></thead><tbody><tr><td><a href="https://app.safe.global/settings/setup?safe=matic:0xCfcd29CD20B6c64A4C0EB56e29E5ce3CD69336D2">ADMINS_MULTISIG</a></td><td><p>Main admin multisig.<br></p><p>Requires at least 3 signatures from senior staff.<br></p><p>Permissions:</p><ul><li>Propose transactions on <a href="#timelocks">timelocks</a></li><li><a href="/pages/DhWlElutmMS8ZfqfVCPY">LEVEL3_ROLE</a> at protocol level</li><li><a href="/pages/DhWlElutmMS8ZfqfVCPY">LEVEL2_ROLE</a> on some RiskModules</li><li>Role admin on <a href="/pages/4hKaMHBJJZhWxFFYmncP#note-on-risk-module-roles">PRICER_ROLE</a></li><li>DEFAULT_ADMIN_ROLE and GUARDIAN_ROLE on some <a href="/pages/q7oOtngIQz1zLMUQQ9jN#peripheral-contracts">Peripheral contracts</a> (mainly <a href="/pages/5mbFTsIEay13Je0AplC4">CashflowLenders</a>)</li></ul></td><td><ul><li><a href="https://www.linkedin.com/in/colin-mcqueen-55454b13/">Colin McQueen (CFO)</a></li><li><a href="https://www.linkedin.com/in/gnpar/">Gabriel Parrondo (CISO)</a></li><li><a href="https://www.linkedin.com/in/gian-giacomo-della-torre/">Gian Giacomo della Torre (CRO)</a></li><li><a href="https://www.linkedin.com/in/guillermonarvaja/">Guillermo Narvaja (CTO)</a></li><li><a href="https://www.linkedin.com/in/luca-mungo-a26278103/">Luca Mungo (CSO)</a></li><li><a href="https://www.linkedin.com/in/marco-mirabella/">Marco Mirabella (CEO)</a></li></ul></td></tr><tr><td><a href="https://app.safe.global/settings/setup?safe=matic:0x2f8CD0Dc0393139E1AFAED51F629F77A7dfB955d">GUARDIAN_TEAM_1</a></td><td><p>Emergency operations multisig 1. 
<br><br>Requires approval from all members.<br><br>Used for emergency protocol pausing or unpausing.<br><br>Permissions:</p><ul><li><a href="/pages/DhWlElutmMS8ZfqfVCPY">GUARDIAN_ROLE</a> at protocol level</li></ul></td><td><ul><li><a href="https://www.linkedin.com/in/gnpar/">Gabriel Parrondo (CISO)</a></li><li><a href="https://www.linkedin.com/in/marco-mirabella/">Marco Mirabella (CEO)</a></li></ul></td></tr><tr><td><a href="https://app.safe.global/settings/setup?safe=matic:0x89735E8f678Fe72A31402d04595d36044b80909B">GUARDIAN_TEAM_2</a></td><td><p></p><p>Emergency operations multisig 2. <br><br>Requires approval from all members.<br><br>Used for emergency protocol pausing or unpausing.<br><br>Permissions:</p><ul><li><a href="/pages/DhWlElutmMS8ZfqfVCPY">GUARDIAN_ROLE</a> at protocol level</li></ul></td><td><ul><li><a href="https://www.linkedin.com/in/colin-mcqueen-55454b13/">Colin McQueen (CFO)</a></li><li><a href="https://www.linkedin.com/in/guillermonarvaja/">Guillermo Narvaja (CTO)</a></li></ul></td></tr></tbody></table>

### Transaction signing

All members of the multisigs must use secure hardware wallets or isolated environments for signing transactions. This is audited internally as part of our compliance program with the Bermuda Monetary Authority.

Transactions are signed using [Safe Wallet Multisigs](https://safe.global/) as documented above.

All critical transactions, such as upgrades or major parameter changes, require signatures from at least 3 different senior staff members.

### Restricted Executor

In some cases, we have integrated our monitoring system (Ensuro Forta Bot, Forta feeds, OpenZeppelin Defender sentinels and internal transaction monitoring) into our automated incident response.

This requires a service account to have the ability to instantly pause the protocol in reaction to some alerts.

Given that our GUARDIAN\_ROLE, which is the one used for pausing, can also unpause and upgrade contracts, we have created an intermediate contract called [Restricted Executor](https://github.com/ensuro/restricted-executor?tab=readme-ov-file) that allows us to delegate a single operation instead of a full role.

| Name                                                                                               | Permissions                                                                                                                                                | Authorized operations                                                                                                                                |
| -------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| [RESTRICTED\_EXECUTOR](https://polygonscan.com/address/0x174F4498aF0a5102234Ad24d16Ed6E698E48Fa65) | <ul><li><a href="/pages/DhWlElutmMS8ZfqfVCPY">GUARDIAN\_ROLE</a> on specific <a href="/pages/z9KRyaffiD2VbTESXXzT">PremiumsAccount</a> contracts</li></ul> | <ul><li>pause() authorized to an <a href="https://polygonscan.com/address/0x11Ca23Ef7d05fF86EECd8FE8324f35693bd27Cc9">operational EOA</a>.</li></ul> |

