
Factory Governor

The FactoryGovernor contract plays a crucial role in the security and management of the EVK factory. Acting as the upgradeAdmin, it gives trusted parties the ability to upgrade, pause, or unpause the factory and, by extension, all upgradeable vaults created by it. This centralized control is essential for emergency responses.

What is Factory Governor?

FactoryGovernor is installed as the upgradeAdmin of the EVK factory. Unlike vault-level governors such as GovernorAccessControl, which focus on individual vaults, FactoryGovernor is responsible for the factory itself and all vaults that depend on its implementation. This distinction makes it the first line of defense and intervention for protocol-wide events.

Key Features and How They Work

One of the most important features of FactoryGovernor is the adminCall function. It allows holders of the DEFAULT_ADMIN_ROLE to execute arbitrary function calls on the factory, which is typically used for upgrades or other administrative actions. This level of access should be reserved for highly trusted entities, such as a DAO multisig.

In addition to upgrades, FactoryGovernor provides robust mechanisms for pausing and unpausing the factory. If a situation arises that requires immediate intervention — such as a discovered vulnerability or a market event — anyone with the PAUSE_GUARDIAN_ROLE can pause the factory. This is done by installing a ReadOnlyProxy as the factory's implementation. The effect is immediate: all upgradeable vaults created by the factory are paused, as they rely on the factory's implementation. Importantly, non-upgradeable vaults are not affected by this action, preserving their independence.

When the situation is resolved, a user with the UNPAUSE_ADMIN_ROLE can unpause the factory. This is accomplished by retrieving the previous implementation from the ReadOnlyProxy and restoring it as the factory's implementation.
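The following Solidity sketch is an added illustration of the role-gated adminCall, pause and unpause flow described above; it is not the EVK's own code. The IFactory interface (implementation()/setImplementation()), the FactoryGovernorSketch contract and the HaltingProxy stand-in are assumptions made for the example, and the real ReadOnlyProxy additionally keeps read-only calls working, which the stand-in omits.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Assumed minimal factory surface (hypothetical names, not the EVK factory's real ABI).
interface IFactory {
    function implementation() external view returns (address);
    function setImplementation(address newImplementation) external;
}

// Simplified stand-in for ReadOnlyProxy: it records the implementation it replaced and
// rejects every other call, so vaults delegating to it halt. (The real ReadOnlyProxy
// also keeps view calls working; that forwarding is omitted here.)
contract HaltingProxy {
    address public immutable previousImplementation;
    constructor(address previous) { previousImplementation = previous; }
    fallback() external { revert("factory paused"); }
}

contract FactoryGovernorSketch {
    bytes32 public constant DEFAULT_ADMIN_ROLE = 0x00;
    bytes32 public constant PAUSE_GUARDIAN_ROLE = keccak256("PAUSE_GUARDIAN_ROLE");
    bytes32 public constant UNPAUSE_ADMIN_ROLE = keccak256("UNPAUSE_ADMIN_ROLE");
    IFactory public immutable factory;
    address public activePauseProxy; // non-zero only while a pause installed by this governor is live
    mapping(bytes32 => mapping(address => bool)) public hasRole;
    modifier onlyRole(bytes32 role) { require(hasRole[role][msg.sender], "missing role"); _; }
    constructor(IFactory factory_, address admin) { factory = factory_; hasRole[DEFAULT_ADMIN_ROLE][admin] = true; }

    // Role management and arbitrary factory calls (e.g. upgrades) are reserved for the admin.
    function grantRole(bytes32 role, address account) external onlyRole(DEFAULT_ADMIN_ROLE) { hasRole[role][account] = true; }
    function adminCall(bytes calldata data) external onlyRole(DEFAULT_ADMIN_ROLE) returns (bytes memory) {
        (bool ok, bytes memory ret) = address(factory).call(data);
        require(ok, "admin call failed");
        return ret;
    }

    // Pause: install a proxy that remembers the live implementation; refuse to nest pauses.
    function pause() external onlyRole(PAUSE_GUARDIAN_ROLE) {
        require(activePauseProxy == address(0), "already paused");
        address proxy = address(new HaltingProxy(factory.implementation()));
        activePauseProxy = proxy;
        factory.setImplementation(proxy);
    }

    // Unpause: only while this governor's proxy is still installed, restore the implementation it recorded.
    function unpause() external onlyRole(UNPAUSE_ADMIN_ROLE) {
        address proxy = activePauseProxy;
        require(proxy != address(0) && factory.implementation() == proxy, "not paused");
        activePauseProxy = address(0);
        factory.setImplementation(HaltingProxy(proxy).previousImplementation());
    }
}
```

The unpause guard checks that the installed implementation is still the proxy this governor deployed, so an implementation swapped in by adminCall in the meantime is not silently overwritten.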

Roles and Security Considerations

The FactoryGovernor contract relies on three main roles: DEFAULT_ADMIN_ROLE, PAUSE_GUARDIAN_ROLE, and UNPAUSE_ADMIN_ROLE. The admin role is the most powerful and should be held by a highly trusted multisig, as it can perform admin calls and manage roles. The pause and unpause roles are typically delegated to guardians or risk managers who are responsible for monitoring the protocol and responding to emergencies.

Careful assignment of these roles is critical. Only trusted parties should have the ability to pause or unpause the factory, as these actions affect all upgradeable vaults.

Pausing is a powerful circuit breaker and should be used judiciously. While it provides immediate protection in emergencies, it also halts all upgradeable vault activity. For layered security, FactoryGovernor is combined with vault-level governors, which can provide more granular control and additional safeguards.