Governance and Admin Scope

Zenji uses role-based control with explicit limits. Admin keys can operate and protect the system, but they are intentionally constrained.

Roles

| Role | Can Do | Cannot Do |
|------|--------|-----------|
| Owner | Set bounded params, toggle idle mode, withdraw protocol fees, manage emergency steps, set strategy slippage, transfer owner role (2-step). | Cannot set values above hard caps, cannot disable emergency once enabled, cannot swap loan manager or yield strategy, cannot rescue collateral/debt via generic rescue path. |
| Gov | Propose/execute/cancel swapper change through timelock, transfer gov role (2-step). | Cannot directly move user funds, cannot bypass timelock for swapper updates. Vault validates swapper output against oracle pricing. |
| Public | Call rebalance(), harvestYield(), and accrueYieldFees(). | Cannot change config/roles or trigger privileged emergency actions. |

Timelock Scope

  • Timelocked today: swapper changes only.
  • Delay: 1 week (as configured in contract constant TIMELOCK_DELAY).
  • Flow: proposeSwapper() -> wait delay -> executeSwapper() (or cancelSwapper()).
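
A minimal Solidity sketch of the propose / wait / execute-or-cancel flow above, added here as an illustration and not taken from Zenji's contracts. Only the three function names and TIMELOCK_DELAY come from this page; the storage layout, events, errors and the single immutable gov address are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added sketch, not Zenji's contract. Only proposeSwapper, executeSwapper,
// cancelSwapper and TIMELOCK_DELAY come from the page; all else is assumed.
contract SwapperTimelockSketch {
    uint256 public constant TIMELOCK_DELAY = 1 weeks;
    address public immutable gov;   // assumed: fixed gov, 2-step role transfer omitted
    address public swapper;         // active swapper
    address public pendingSwapper;  // proposed, not yet active
    uint256 public pendingSince;    // proposal timestamp; 0 means nothing pending
    // Hypothetical events, so monitors can see a change a week before it lands.
    event SwapperProposed(address indexed candidate, uint256 executableAt);
    event SwapperExecuted(address indexed previous, address indexed current);
    event SwapperCancelled(address indexed candidate);
    error NotGov();
    error ZeroAddress();
    error NothingPending();
    error TimelockNotElapsed(uint256 executableAt);
    modifier onlyGov() { if (msg.sender != gov) revert NotGov(); _; }

    constructor(address gov_, address swapper_) {
        gov = gov_;
        swapper = swapper_;
    }

    // Re-proposing replaces the candidate and restarts the full delay.
    function proposeSwapper(address candidate) external onlyGov {
        if (candidate == address(0)) revert ZeroAddress();
        pendingSwapper = candidate;
        pendingSince = block.timestamp;
        emit SwapperProposed(candidate, block.timestamp + TIMELOCK_DELAY);
    }

    function executeSwapper() external onlyGov {
        if (pendingSince == 0) revert NothingPending();
        uint256 executableAt = pendingSince + TIMELOCK_DELAY;
        if (block.timestamp < executableAt) revert TimelockNotElapsed(executableAt);
        emit SwapperExecuted(swapper, pendingSwapper);
        swapper = pendingSwapper;
        delete pendingSwapper;
        delete pendingSince;
    }

    function cancelSwapper() external onlyGov {
        if (pendingSince == 0) revert NothingPending();
        emit SwapperCancelled(pendingSwapper);
        delete pendingSwapper;
        delete pendingSince;
    }
}
```

Clearing the pending slot on both execute and cancel means a stale proposal can never be executed later without a fresh proposal and a fresh full delay.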

Hard Limits in Code

MIN_TARGET_LTV          = 15%
MAX_TARGET_LTV          = 65%
MAX_FEE_RATE            = 20%
MAX_REBALANCE_BOUNTY    = 50%
MAX_VAULT_SLIPPAGE      = 10%
TIMELOCK_DELAY          = 1 week

These limits are enforced at contract level, not just policy level.

Emergency Authority (Restricted)

  • enterEmergencyMode() is a one-way latch.
  • emergencyStep(step) executes staged unwind flow.
  • emergencySkipStep(step) can mark blocked steps as resolved if an external dependency is bricked.
  • rescueAssets(token, recipient) cannot rescue collateral or debt asset.

Emergency mode triggers an orderly unwind with proportional user exits. It is not a pause switch and cannot be reversed once activated.

Role Transfers

  • transferRole(role, to) starts transfer.
  • acceptRole(role) must be called by pending role holder.

This two-step process reduces risk of accidental handoff and provides an observable on-chain transition.