LayerCover

Permissionless Pools

How pool creation moves from owner-only to policy-driven permissionless markets

TL;DR: Pool creation is owner-only by default. It becomes permissionless only when PoolRegistry is configured with an IPoolCreationPolicy contract that approves creators. For these pools, payouts are sourced from the backing syndicates (plus optional third-party reinsurance), and backstop support is not enabled by default.

What "Permissionless" Means Here

LayerCover supports two pool-creation modes in PoolRegistry:

| Mode | Who can create pools? | How it's set |
| --- | --- | --- |
| Default (policy unset) | owner() only | poolCreationPolicy == address(0) |
| Policy-driven (permissionless) | Any caller approved by policy | setPoolCreationPolicy(policyAddress) |

So permissionless pool creation is opt-in, not always-on.


Contract Flow

Pool creation flows through the same authorization hook for both standard and optimistic pools:

  • addProtocolRiskPool(...)
  • addOptimisticOraclePool(...)

Both call _authorizePoolCreation(...), which does:

  1. If no policy is set, require msg.sender == owner()
  2. If a policy is set, call policy.validatePoolCreation(caller, protocolToken, riskRating)
  3. Revert if validation fails


What a Creation Policy Can Enforce

IPoolCreationPolicy is intentionally minimal:

  • Input: caller, protocolToken, riskRating
  • Output: bool approved

That lets governance plug in different rules without changing PoolRegistry, for example:

  • Allowlist/denylist checks
  • Bonded pool creation (anti-spam deposits)
  • Risk-rating limits for new creators
  • Per-creator rate limits or quotas
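
As an added example (not LayerCover's own code), here is a minimal policy that combines the allowlist/denylist and risk-rating-limit ideas above and fails closed. The argument types, the view mutability, and the convention that a higher riskRating means higher risk are assumptions; every name other than IPoolCreationPolicy and validatePoolCreation is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface shape: the page gives the argument names and the bool
// result; the Solidity types and `view` mutability are assumptions.
interface IPoolCreationPolicy {
    function validatePoolCreation(address caller, address protocolToken, uint8 riskRating)
        external view returns (bool approved);
}

/// Hypothetical policy: allowlisted creators only, each with a risk-rating ceiling.
contract AllowlistRiskCapPolicy is IPoolCreationPolicy {
    address public immutable admin; // should be a governance multisig or timelock
    // Highest rating a creator may use, stored +1 so the default 0 means "not allowlisted".
    mapping(address => uint16) private capPlusOne;
    mapping(address => bool) public deniedToken;

    // Emitted on every rule change so monitoring can track who may create pools.
    event CreatorCapSet(address indexed creator, bool allowed, uint8 maxRiskRating);
    event TokenDenied(address indexed protocolToken, bool denied);
    error NotAdmin();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor(address admin_) {
        require(admin_ != address(0), "admin=0");
        admin = admin_;
    }

    function setCreator(address creator, bool allowed, uint8 maxRiskRating) external onlyAdmin {
        capPlusOne[creator] = allowed ? uint16(maxRiskRating) + 1 : uint16(0);
        emit CreatorCapSet(creator, allowed, maxRiskRating);
    }

    function setTokenDenied(address protocolToken, bool denied) external onlyAdmin {
        deniedToken[protocolToken] = denied;
        emit TokenDenied(protocolToken, denied);
    }

    // Fail closed: unknown creators, denied tokens and over-cap ratings all return false.
    function validatePoolCreation(address caller, address protocolToken, uint8 riskRating)
        external view override returns (bool approved)
    {
        uint16 cap = capPlusOne[caller];
        if (cap == 0 || deniedToken[protocolToken]) return false;
        return uint16(riskRating) < cap; // i.e. riskRating <= maxRiskRating
    }
}
```

Because the check is stateless, calling it directly has no side effects; a stateful policy (bonds, quotas) would additionally need to restrict who may invoke validatePoolCreation.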

Built-In Guardrails Still Apply

Even with permissionless creation enabled, PoolRegistry still enforces protocol-level invariants:

  • claimFeeBps must be <= 10_000 bps
  • Standard pools require protocolTokenToCover != address(0)
  • Optimistic pools require oracleQuestionCID != bytes32(0)
  • Creation events are emitted (PoolCreated, plus pool-type events) for indexers and monitoring

This means a policy can decide who may create pools, while PoolRegistry still decides what is valid pool data.


Payout Source for Permissionless Pools

Permissionless pool payouts are expected to come from:

  1. The syndicates that backed the risk
  2. Optional third-party reinsurance, if configured

The global Backstop Pool is not enabled by default for permissionless pools.

If governance explicitly opts a permissionless market into additional protocol-level support, payout behavior may differ from this default.


Operational Notes

  • setPoolCreationPolicy(address) is onlyOwner
  • Setting policy to address(0) turns permissionless mode off and returns to owner-only creation
  • In production, owner should be a governance multisig or timelock, not an EOA

For broader admin controls, see Governance & Administration.