

The Ondo Protocol uses OpenZeppelin's AccessControl library to implement role-based access control (RBAC). RBAC is a widely used security methodology that partitions a system's privileged functionality into coherent groups, each guarded by a role. Each role has an admin responsible for adding accounts to and removing them from the role; an account can be an externally-owned account (EOA), a smart contract, or a multi-signature account controlled by a group of EOAs. Note that accounts can hold multiple roles. The RBAC system is flexible and can be modified post-deployment to suit changing needs.

The following roles have been defined:

  • Governance
  • Panic
  • Guardian
  • Creator
  • Strategist
  • Deployer
  • Strategy
  • Vault


The Governance role is granted to the DAO governance contract. It acts as the default admin for all other roles, unless another admin has been appointed by Governance. This role has full control over the RBAC system, allowing it to create new roles, add accounts to and remove them from roles, change role admins, etc. In addition, the Governance role can call setPerformanceFeeCollector to assign a contract for collecting and paying out performance fees. And, in case of an exploit, only Governance can call rescueTokens to pull all funds from all contracts.


If an exploit is discovered, the Panic role can immediately pause the entire protocol, preventing most external functions from being called. This role can be held by a single trusted EOA, or by a multi-sig of community members. It is important that the role can act quickly.


The Guardian role is responsible for resuming the protocol after it has been paused by Panic. This role can be managed by a multi-sig.


The Creator role has two entry points for creating new Vault products. Creating a product requires the EOA to specify details such as the underlying assets, the specific strategy to use, the duration of the product, etc. There can be many Creators creating products for their communities.


The Strategist role is granted by the Governance role. A Strategist has access to a number of functions on the AllPairVault contract; its purpose is to push products through their lifecycle states. Note that Strategists are defined per Vault and do not have global access to all products. The goal is to eventually incentivize anyone to call these functions (e.g. via Keep3r), or to use scheduled bots.


The roles below are for smart contracts, not EOAs. The Deployer role is a special admin role for adding/removing contracts from these roles.


The Strategy role is specifically for smart contracts that implement strategies. For example, at launch Ondo will provide strategy contracts for Uniswap and Sushiswap. These strategies are whitelisted by the Deployer role. If a strategy has not been whitelisted, it cannot be added to the protocol.


The Vault role is given to the primary smart contract that manages fixed-duration tranche products. Only the Deployer can whitelist these contracts.
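As an added illustration of the role hierarchy described above (this is example code, not Ondo's contracts), the following contract wires the roles into OpenZeppelin AccessControl and Pausable. It assumes the OpenZeppelin v4.6+ API (_grantRole, _setRoleAdmin, onlyRole) and uses hypothetical role names and function names of its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Ondo's code. Assumes OpenZeppelin Contracts v4.6+.
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/security/Pausable.sol";

contract RoleHierarchyExample is AccessControl, Pausable {
    // Governance is the default admin of every role unless re-assigned.
    bytes32 public constant GOVERNANCE_ROLE = DEFAULT_ADMIN_ROLE;
    bytes32 public constant PANIC_ROLE      = keccak256("PANIC_ROLE");
    bytes32 public constant GUARDIAN_ROLE   = keccak256("GUARDIAN_ROLE");
    bytes32 public constant CREATOR_ROLE    = keccak256("CREATOR_ROLE");
    bytes32 public constant STRATEGIST_ROLE = keccak256("STRATEGIST_ROLE");
    bytes32 public constant DEPLOYER_ROLE   = keccak256("DEPLOYER_ROLE");
    bytes32 public constant STRATEGY_ROLE   = keccak256("STRATEGY_ROLE"); // contracts only
    bytes32 public constant VAULT_ROLE      = keccak256("VAULT_ROLE");    // contracts only

    constructor(address governance) {
        _grantRole(GOVERNANCE_ROLE, governance);
        // Deployer, not Governance, administers the contract-only roles.
        _setRoleAdmin(STRATEGY_ROLE, DEPLOYER_ROLE);
        _setRoleAdmin(VAULT_ROLE, DEPLOYER_ROLE);
    }

    // Panic can halt the protocol; only Guardian may resume it.
    function pause() external onlyRole(PANIC_ROLE) { _pause(); }
    function unpause() external onlyRole(GUARDIAN_ROLE) { _unpause(); }

    // Hypothetical guard: reject EOAs for the contract-only roles at grant time.
    // The admin check (onlyRole(getRoleAdmin(role))) still runs in super.grantRole.
    // Note: code.length is 0 for a contract still in its constructor, so this
    // is a sanity check, not a proof that the account is a contract.
    function grantRole(bytes32 role, address account) public virtual override {
        if (role == STRATEGY_ROLE || role == VAULT_ROLE) {
            require(account.code.length > 0, "role is for contracts only");
        }
        super.grantRole(role, account);
    }

    // Hypothetical product creation: blocked while paused, Creator-only, and
    // the strategy must already be whitelisted by the Deployer.
    function attachStrategy(address strategy) external whenNotPaused onlyRole(CREATOR_ROLE) {
        require(hasRole(STRATEGY_ROLE, strategy), "strategy not whitelisted");
        // ... create the product using `strategy`
    }
}
```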