For descriptions of user roles, see the "USERS" section.

Trust Levels

Investors

Untrusted

Enzyme Council

Fully trusted

Fund Owners

Untrusted by default, but with on- and off-chain mitigations in place.

The Enzyme Protocol aims to mitigate against malicious fund owners within reason, while not being overly restrictive. This happens partially in the protocol, partially in the Enzyme Council's registry of plugins, and partially via off-chain trust mechanisms. For example,

• (protocol) the fund owner cannot arbitrarily act upon the VaultProxy (i.e., the fund's holdings or shares issuance)

• (protocol) the fund owner can only transact with a fund's assets via officially-registered adapters in the IntegrationManager

• (Council) only adapters that are not easily game-able are made available to all funds (e.g., only AMMs, rather than open order books; also, OTC trading is only allowed via Council-approved order makers)

• (Council) policies governed by the PolicyManager are continuously developed to programatically increase trust in a fund owner, e.g., policies that guarantee daily redemption windows, limit the permitted use specific of adapters, or limit asset composition in the fund's holdings

• (off-chain) the verification of fund owner identities

Investors should view fund managers as an untrusted foundation, upon which layers of trust can be added via these mechanisms.

Migrators (including the fund owner)

Untrusted

A migrator can create any new arbitrary fund configuration to which a fund will be migrated.

This untrusted nature is mitigated by the timelock (initially 48 hours) between signaling and executing fund migration.

The investor is expected to review the new configuration and decide whether or not to remain in the fund within the timelock period.