Access Controls
Permission system and role-based access control in LayerCover
TL;DR: The live protocol uses three main operational roles: owner/admin, guardian, and committee. Exact multisig and timelock posture is deployment-specific.
LayerCover uses a role-based access control model centered on explicit contract permissions. The contracts define who can configure parameters, who can trigger emergency controls, and who can report incidents. Whether those roles sit behind EOAs, multisigs, or timelocks depends on deployment.
Role Hierarchy
Role Summary
| Role | Control Type | Primary Responsibilities | Key Restrictions |
|---|---|---|---|
| Owner/Admin | Contract owner | Protocol parameters, upgrades, dependency pointers, economic configuration | Exact operational wrapper is deployment-specific |
| Guardian | Dedicated emergency role | Pause issuance / matcher flows, change capital-pool system mode, other fast safety actions | Narrower than owner; not the general config role |
| Committee | Configured address | Report incidents and redirect pool fee recipients during incidents | Limited incident-oriented surface |
| Fee Recipient | Protocol treasury | Passive fee collection | No special permissions |
Core Permissions
| Contract | Owner / Admin | Guardian | Committee | Public / User |
|---|---|---|---|---|
| PolicyManager | Configures governance and yield settings, reinsurance enablement, premium sweep operations | setIssuancePaused() | · | policy purchase / cancel / lapse flows |
| IntentMatcher | Owner sets core config | pause / unpause | · | match execution, nonce invalidation |
| RiskManager | Configures committee, optimistic resolver, blacklists, salvage sweep | owner also sets guardian | reportIncident(), setPoolFeeRecipient() once committee is configured | claim processing |
| CapitalPool | Configures deposit cap, backstop buffer, draw limits | setSystemMode() is guardian-or-owner | · | deposits / minting |
| PoolAllocations | Configures leverage limits, mutex groups, pool caps | · | · | internal / manager-driven allocation hooks |
| PoolRegistry | Creates pools and sets ratings / caps / reinsurer approvals | · | incident routing happens through RiskManager / ProtocolConfigurator, not an on-chain vote system | read / view helpers |
This page should not be read as a promise that every deployment uses multisigs or timelocks for these roles. The contracts define permissions; the deployment determines operational custody.
Deployment Guidance
For production deployments, the intended hardening pattern is:
- place owner roles behind a multisig or timelock
- use a separate guardian for fast emergency response
- set a committee address only if incident routing is operationally staffed
- verify treasury and fee-recipient addresses before enabling live premium flows
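The four checks above can be run as a pre-launch gate over a record of who holds each role. The following is an added example, not LayerCover code: the manifest layout, the `account_kinds` labels (filled in by the operator after inspecting each address), the `committee_staffed` flag and the use of the zero address for "not set" are all assumptions, and the addresses are constructed placeholders.

```python
ZERO = "0x" + "00" * 20  # assumed encoding of "role not set"

def audit_roles(manifest, expected_treasury):
    """Return findings for one deployment; an empty list means it matches the guidance."""
    # Compare addresses case-insensitively so checksummed and lowercase forms match.
    roles = {name: addr.lower() for name, addr in manifest["roles"].items()}
    kinds = {addr.lower(): kind for addr, kind in manifest["account_kinds"].items()}
    owner, guardian = roles["owner"], roles["guardian"]
    findings = []
    # Owner must resolve to a multisig or timelock; an unlabelled address fails closed.
    if kinds.get(owner, "unknown") not in ("multisig", "timelock"):
        findings.append("owner is not behind a multisig or timelock")
    # Guardian must exist and be distinct from the owner.
    if guardian == ZERO:
        findings.append("no guardian is set for emergency response")
    elif guardian == owner:
        findings.append("guardian is the same address as owner")
    # A committee address is only acceptable when incident routing is staffed.
    if roles["committee"] != ZERO and not manifest.get("committee_staffed", False):
        findings.append("committee is set but incident routing is not staffed")
    # Fee recipient must equal the treasury address verified out of band.
    if roles["fee_recipient"] != expected_treasury.lower():
        findings.append("fee recipient does not match the verified treasury")
    return findings

# Constructed sample data: placeholder addresses, not real deployments.
SAFE, EOA, GUARD, TREASURY = ("0x" + b * 20 for b in ("a1", "b2", "c3", "d4"))

HARDENED = {
    "roles": {"owner": SAFE, "guardian": GUARD, "committee": ZERO,
              "fee_recipient": "0x" + "D4" * 20},  # same treasury, different case
    "account_kinds": {SAFE: "multisig", GUARD: "eoa"},
}
WEAK = {
    "roles": {"owner": EOA, "guardian": EOA, "committee": GUARD,
              "fee_recipient": EOA},
    "account_kinds": {EOA: "eoa", GUARD: "eoa"},
    "committee_staffed": False,
}

if __name__ == "__main__":
    for name, manifest in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_roles(manifest, TREASURY) or "ok")
```
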
Related Pages
- Security & Audits - Audit reports and guarded launch strategy
- Governance - Current governance and incident-control surface
- Smart Contracts - Full interface reference
Last updated: February 2026