Who can move the vault's funds? What's the security model?
Two keys, by design:
- Owner (a cold wallet) — the superuser: sets fees, allowlists and the deposit cap, can pause, and names the operator. Used rarely.
- Operator (a hot key) — the day-to-day: bridges funds between HyperEVM and Core, and trades/allocates only within the owner's allowlists.
The key point: no function sends funds to an arbitrary address. The operator can only move money within the vault's own accounts and trade/allocate into pre-approved markets/vaults — so even a leaked hot key can't drain the vault to itself. On top of that: an emergency pause (freezes deposits and operations but never withdrawals), a deposit cap, two-step ownership transfer, and ownership-renouncement disabled (the vault can never be left ownerless).
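A minimal Solidity sketch of the permission layout described above, added here as an illustration and not the vault's actual code. All contract, function and variable names are hypothetical, the native currency stands in for the vault's asset, and bridging to Core is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added sketch, not the vault's real code; every name here is hypothetical.
interface IMarket { function deposit() external payable; }

contract VaultSketch {
    address public owner;         // cold wallet
    address public pendingOwner;  // set by step 1 of an ownership transfer
    address public operator;      // hot key
    bool public paused;
    uint256 public depositCap;
    uint256 public totalDeposits;
    mapping(address => bool) public allowedMarket;
    mapping(address => uint256) public balanceOf;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyOperator() { require(msg.sender == operator, "not operator"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(address op, uint256 cap) { owner = msg.sender; operator = op; depositCap = cap; }

    // Owner-only configuration: operator, allowlist, cap, pause.
    function setOperator(address op) external onlyOwner { operator = op; }
    function setMarket(address m, bool ok) external onlyOwner { allowedMarket[m] = ok; }
    function setDepositCap(uint256 cap) external onlyOwner { depositCap = cap; }
    function setPaused(bool p) external onlyOwner { paused = p; }

    // Two-step transfer: ownership moves only once the new owner accepts.
    function transferOwnership(address next) external onlyOwner { pendingOwner = next; }
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        owner = pendingOwner; pendingOwner = address(0);
    }
    // There is no renounceOwnership(): the owner can never become address(0).

    function deposit() external payable whenNotPaused {
        require(totalDeposits + msg.value <= depositCap, "cap exceeded");
        totalDeposits += msg.value; balanceOf[msg.sender] += msg.value;
    }

    // Deliberately not gated by whenNotPaused: a pause never blocks withdrawals.
    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount; totalDeposits -= amount; // reverts on underflow
        (bool ok, ) = msg.sender.call{value: amount}("");         // only to the caller
        require(ok, "transfer failed");
    }

    // The operator names a market, never a recipient; unlisted addresses revert.
    function allocate(address market, uint256 amount) external onlyOperator whenNotPaused {
        require(allowedMarket[market], "market not allowlisted");
        IMarket(market).deposit{value: amount}();
    }
}
```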