Skip to content
Developers
Get Started · Concepts

The three layers of protection

What the contract enforces, what Move guarantees, and what the market is left to judge.

Derived from thesis §6

A depositor's safety comes from three layers. The first two are enforced for you; the third is the one the market judges. Knowing which is which tells you exactly how much your own code can and can't put at risk.

Layer 1: the capital floor (the contract enforces it)

Encoded in the immutable vault primitive. It changes only through governance, with a timelock and a depositor exit window.

  • Anti-rug caps: max position, aggregate exposure, drawdown, open positions.
  • Honest NAV from a deterministic lagged snapshot.
  • A guaranteed exit through proportional emergency_redeem.
  • A permissions bitfield that limits which venue functions can be called at all.
  • A witness type that lets only the plugged-in strategy operate.
  • Fee caps that can only move in the depositor's favor.

Capital cannot drift past these limits, ever, and any change to the floor is announced with an exit window first.

Layer 2: the engineering floor (Move guarantees it)

Enforced by Move's type system at compile time, independent of whatever you write into the strategy.

  • The strategy is the only path that can invoke a vault operation. There is no other door.
  • Authorization is checked inline on every call. No token is ever stored that could leak or be reused out of context.
  • The strategy never receives capital. The vault keeps custody at all times.

Bypassing the vault is not a matter of good behavior. It is structurally impossible.

Layer 3: the quality (the market judges it)

What the contract deliberately does not enforce, because it can't: whether your decisions are any good, whether you describe your strategy honestly, how you manage your own keys.

The platform makes that judgeable instead. There's a public tier (Verified / Community / Experimental), an on-chain history dashboard, a comparison of the advertised strategy against the operations actually run, the UpgradeCap status, and your on-chain reputation.

This is the layer you compete on. The first two protect the depositor no matter what you ship; this one is where a good operator is told apart from a bad one.