Overview

Tapio implements a sophisticated multi-layered governance system designed for institutional-grade protocol management. The governance architecture separates concerns across specialized roles, each with specific permissions and constraints, ensuring secure parameter management while enabling efficient day-to-day operations. The following diagram illustrates the governance structure

Tapio governance layer (1).png

Governance Roles

Tapio's governance system consists of five distinct roles, each designed for specific operational responsibilities:

Protocol Owner

The Protocol Owner maintains upgrade authority over all protocol contracts through Beacon proxy patterns. This cold storage multisig is used exclusively for protocol-wide upgrades and emergency pause overrides, typically activated only during major version updates or critical security responses.

Key Permissions:

  • Upgrade all contracts via Beacon implementations

  • Emergency pause override across all SPAs

  • Transfer upgrade authority

Governor

The Governor manages business logic and economic parameters through timelock-controlled actions. This role sets parameter boundaries and manages fee structures while operating within Protocol Owner oversight.

Key Permissions:

  • Set parameter boundaries in ParameterRegistry (absolute caps and relative ranges)

  • Adjust all fee types (swap, mint, redeem, off-peg multipliers)

  • Configure decay periods and volatility settings

  • Grant and revoke operational roles (Curator, Guardian)

Curator

The Curator handles day-to-day parameter optimization, specifically focused on amplification coefficient management. This role operates without timelock delays for responsive market management.

Key Permissions:

  • Initiate A coefficient ramping within Governor-approved bounds

  • Adjust A values based on market conditions

  • Monitor and respond to exchange rate provider data

Constraints:

  • Cannot exceed absolute caps set in ParameterRegistry

  • Limited to relative change ranges defined by Governor

  • All actions must pass Keeper bounds checking

Guardian

The Guardian provides emergency response capabilities with immediate effect but limited scope. This role can be automated for rapid incident response.

Key Permissions:

  • Pause individual SPAs immediately

  • Cancel ongoing A coefficient ramping

  • Monitor protocol health and trigger emergency procedures

Constraints:

  • Cannot unpause SPAs (requires Protocol Owner approval)

  • No parameter adjustment capabilities

  • Limited to emergency response functions only

PreviousAddressesNextGovernance workflows

Last updated