Trust Assumptions

The question that matters: "What can the Varla team do to my funds?" This page answers that question directly.
✦ Key Takeaways
  • No one can access, move, or freeze your collateral
  • All custody rules are enforced purely by on-chain smart contracts
  • Admin roles control protocol parameters, not user funds
  • Contracts are immutable — deployed without proxy wrappers

What Admins Can Do

Varla uses OpenZeppelin's AccessManager for role-based access control. Here's what each role can do:

RoleCapabilities
ADMINGrant/revoke other roles, configure protocol-wide parameters
RISK_MANAGERAdjust LTV tiers, liquidation config, max positions
ORACLE_UPDATERPush price updates (off-chain service → on-chain oracle)
POOL_MANAGERSet deposit/borrow caps, interest rate strategy
GUARDIANEmergency position invalidation, early market resolution
TREASURYReceive protocol fees (no fund access)

What Admins Cannot Do

Hard guarantees (enforced by code)
These are not promises — they are impossible given the contract design.
CannotWhy
Access user collateralERC1155 custody is in VarlaCore; only the depositor can withdraw (if healthy)
Freeze withdrawalsNo admin function exists to block withdrawals — only health checks
Modify debt arbitrarilyScaled debt is computed from pool index; no admin override
Redirect liquidation proceedsCollateral goes to liquidator, not admin
Take lender depositsPool shares are ERC4626; admins can only set caps

Custody Model

Collateral Custody

When you deposit prediction market positions as collateral, the protocol holds those ERC1155 tokens in the on-chain core contract. You can withdraw them as long as your account remains healthy.

This is fully non-custodial — no one, including the Varla team, can access, freeze, or redirect your funds. All custody rules are enforced purely by on-chain smart contracts:

  • You can withdraw whenever on-chain health checks allow
  • No off-chain operator can freeze your withdrawals
  • The team has no "admin key" to move user funds

Lender Funds

Lender deposits live in the ERC4626 pool contract. Withdrawals are limited by available liquidity (funds that are currently not borrowed).

Debt & Repayments

Borrower debt is tracked in VarlaCore as scaled debt. Repayments move the underlying ERC20 from the borrower to Core and then to the Pool.

Contract Immutability

Varla contracts are currently immutable — they are deployed without proxy wrappers.

No upgrades possible
The deployed contracts cannot be changed. This provides strong security guarantees: the code you interact with today is the code that will run forever.

If proxies are introduced in the future:

  • Proxy admin will be a multisig with timelock
  • Upgrades will require multiple signatures + delay period
  • This page will be updated accordingly

Oracle Trust

The oracle is push-based: an off-chain service pushes prices to the on-chain VarlaOracle.

Current Trust Assumptions

  • You trust the ORACLE_UPDATER to push accurate prices
  • On-chain guards mitigate some risks: staleness checks, conservative pricing (min of spot/TWAP), liquidation grace windows

Decentralization Roadmap

  • Multi-reporter oracles (planned)
  • Decentralized oracle network (planned)
  • On-chain price bounds (planned)

Trust Spectrum

ComponentTrust LevelNotes
Collateral custodyTrustlessPure on-chain; no admin access
Debt accountingTrustlessMath-based; no admin override
Contract codeImmutableContracts cannot be upgraded
Protocol parametersTrusted (for now)Admin-controlled; DAO governance planned
Oracle pricesTrusted (for now)Off-chain updater; decentralized oracle planned