Ctrlk

Access Manager

Control who can access the vault.

The Access Manager controls which addresses are authorized to interact with the vault. Access rules are enforced on-chain, ensuring that participation restrictions are transparent and verifiable.

Lagoon vaults support two access modes, configurable at creation:

  • Whitelist mode — Only approved addresses can participate. All others are blocked.

  • Blacklist mode — All addresses can participate, except those explicitly blocked.

Responsibilities

The Access Manager is responsible for:

  • Adding or removing addresses from the whitelist or blacklist, depending on the active mode

  • Keeping the access list aligned with the vault's onboarding, compliance, and access policy

  • Coordinating with external compliance systems when sanctions list integration is enabled

What the Access Manager can do

Whitelist mode

  • Add approved addresses to the allowlist

  • Remove addresses when access should no longer be permitted

  • Restrict participation to approved wallets only

Blacklist mode

  • Block specific addresses from interacting with the vault

  • Revoke addresses from the blocklist to restore access

  • Allow open participation by default, with targeted exclusions

External sanctions list

  • Integrate with a third-party on-chain sanctions list for automated compliance checks

  • Sanctioned addresses are blocked regardless of the active access mode

  • The sanctions list contract is configured at vault initialization

Typical use cases

  • KYC or KYB gated vaults (whitelist mode)

  • Open vaults with compliance exclusions (blacklist mode)

  • Jurisdiction-based access restrictions

  • Regulatory-compliant products with sanctions screening

Super Operator

The Super Operator is a privileged address that always bypasses access list restrictions, regardless of the active access mode.

What this means for users

Users can verify the active access mode and their own access status on-chain. Vault operators remain responsible for accurately disclosing the vault's access policy, onboarding requirements, and any permissioning rules applied to participants.

PreviousCuratorNextSecurity Council

Last updated