Governance (G) · 5 controls

Governance controls ensure that privileged operations are transparent, constrained, and accountable. This pillar covers role definitions, upgrade authorities, timelocks, multisig configurations, and risk parameter management.

G1 · Control · Privileged Roles & Separation of Duties

All privileged roles are documented with explicit enumeration of their capabilities. Roles follow least-privilege principles; no single role can both modify parameters and move funds. Role assignments are verifiable on-chain. Individual actors should not have an overlap of duties that creates perverse incentives or increases attack vectors.

G2 · Control · Upgrade Authority

Program upgrade authority is clearly defined: immutable, multisig-controlled, or governance-gated. If upgradeable, the upgrade path is documented, and users can easily verify the currently deployed version against the source code via the verified builds API. Authority transfer and revocation procedures exist.

G3 · Control · Timelock & Delay Mechanisms

Privileged actions are subject to enforced on-chain timelocks with duration proportional to impact. Emergency bypass conditions are explicitly defined, documented, and scoped. Timelock duration and bypass history are publicly auditable.

G4 · Control · Multisig Configuration

Multisig threshold, total signer count, and signer identity are documented. Threshold follows n-of-m best practices relative to signer count. Key rotation and signer removal procedures are in place. No single entity controls a majority of keys. Signer hardware wallets have vendor diversity.

G5 · Control · Risk Parameter Controls

Economic parameters (collateral factors, liquidation thresholds, fee structures, rate models) are governed by appropriate roles with documented change procedures. Parameter bounds and their downstream impact on users are specified. Historical parameter changes are logged and publicly accessible.

Maturity Scale
0 · Not Implemented · Absent or entirely ad hoc
1 · Basic · Initial implementation with significant gaps
2 · Mature · Consistent implementation with minor gaps
3 · Advanced · Comprehensive with continuous improvement