Upgradability & Emergency Controls

Parameters can be adjusted, but the code itself is locked. New functionality ships through new deployments and guided migrations, not by upgrading existing contracts.

Roles and parameters.

• Controller. Sets dynamic weights, per-adapter/venue caps, slippage ceilings, CL-LP band limits, and loop safety thresholds.

• Pauser. May suspend deposits or specific adapters during incidents; withdrawals remain prioritized where safe.

• Fee manager. Maintains the fee recipient address if ever rotated (requires redeploy if immutable storage is used for this field).

Immutable deployments.

• No proxies, no UUPS, no Transparent. v1 contracts are immutable.

• Upgrades. New features deploy as new contracts; optional migration tools can assist moving funds from an old vault to a new one (e.g., migrate() routines or UI-guided withdraw/deposit).

• Change management. Public changelogs, release notes, and staged rollouts (per vault) reduce operational risk.

Emergency procedures.

• pause() on vault or adapter level.

• Adapter-level emergencyWithdraw() to pull funds without compounding.

• Loop delevering and CL-LP band flattening on stress.

• Post-incident validation and communication prior to resume.