
# Security Model & Ownership Architecture

Autopilot is built as a **fully non-custodial system**. All protocol logic is enforced on-chain through immutable smart contracts, ensuring users retain exclusive control over their veAERO at all times. The design limits the attack surface for potential misuse and guarantees that all interactions are predictable, deterministic, and user-owned.

***

### 🔒 Immutable Contract Constraints

The core contract — `PermanentLocksPoolV1` — is purposefully scoped to limit authority and prevent unauthorized asset handling. Critical functions are explicitly disallowed at the contract level.

**❌ The contract CANNOT:**

* **Transfer user NFTs:** No `transferFrom()` or similar function exists for the **protocol** to move user NFTs. Transfer rights are restricted to the original **depositor**; **the protocol cannot move or reassign a veNFT externally.**
* **Modify lock duration:** Once deposited, the NFT is max-locked. Lock parameters cannot be shortened, extended, or altered.
* **Withdraw NFTs on behalf of users:** Only the original depositor can withdraw their NFT.
* **Access or reassign funds:** User holdings are isolated and never pooled, redistributed, or reweighted outside of mathematical reward logic.
* **Change reward math:** All vote and reward calculations are fixed on deployment. No admin, governance, or upgrade mechanism can alter them.

These restrictions are hardcoded and non-bypassable — even via proxy upgrades or role-based permissions.

***

### ✅ The contract **CAN ONLY** perform:

* `vote()` – Cast votes using the deposited NFT’s veAERO voting power
* `claimBribes()` – Collect bribes and protocol fees from gauge contracts
* `claim()` – Collect protocol-wide rebase rewards
* `reset()` – Clear prior votes for reallocation in the next epoch

The contract acts only within the scope of **optimization**, not custody or control.

***

### 🔓 Non-Custodial Design

Autopilot does not hold user assets. Depositing veAERO into the protocol does not transfer ownership — it registers the lock for voting and reward tracking, while the user retains full exit rights.

#### Key Features:

* **Per-NFT Tracking:**\
  Each lock is tracked individually under:

  ```solidity
  mapping(address => LockInfo[])
  ```

  This enables accurate vote weighting, reward calculation, and historical tracing per wallet.
* **Unrestricted Withdrawals (Outside Special Window):**\
  Users can withdraw their veAERO at any time **outside of the defined execution window**. There are no external dependencies, approval layers, or intermediaries involved.
* **Proportional Reward Allocation:**\
  Rewards are calculated based on the share of total voting power contributed by each lock. Allocation is handled via immutable math with no off-chain inputs or overrides.

> Autopilot does not have access to user assets and cannot freeze, reassign, or move them under any condition.
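The following Solidity sketch is an added illustration, not Autopilot's `PermanentLocksPoolV1` code. It shows one way the constraints from the CANNOT / CAN ONLY lists and the per-NFT tracking, depositor-only withdrawal and pro-rata reward math described in this section can be encoded in a contract. The contract name, the `IVoter` interface, the `LockInfo` fields, the `locks` mapping name and the epoch-window arithmetic are assumptions made for the example; `claimBribes()` and `claim()` are omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical interface for the external voter the pool acts on.
/// Not Aerodrome's real ABI; only the two actions used below are declared.
interface IVoter {
    function vote(uint256 tokenId, address[] calldata pools, uint256[] calldata weights) external;
    function reset(uint256 tokenId) external;
}

/// Illustrative per-depositor lock registry. There is deliberately no owner,
/// no admin role, no upgrade hook and no function that moves a lock between
/// depositors: the absence of such code is the security property.
contract LockRegistrySketch {
    struct LockInfo {
        uint256 tokenId;      // veNFT id registered by this depositor (assumed field)
        uint256 votingPower;  // snapshot used for pro-rata reward math (assumed field)
    }

    IVoter public immutable voter;           // fixed at deployment; no setter exists
    mapping(address => LockInfo[]) public locks;
    uint256 public totalVotingPower;

    // Execution window inside each 7-day epoch during which the pool votes.
    // Withdrawals are refused inside it and allowed at any other time.
    uint256 private constant EPOCH = 7 days;
    uint256 public immutable windowStart;    // seconds after epoch start
    uint256 public immutable windowEnd;

    constructor(IVoter voter_, uint256 windowStart_, uint256 windowEnd_) {
        require(windowStart_ < windowEnd_ && windowEnd_ <= EPOCH, "bad window");
        voter = voter_;
        windowStart = windowStart_;
        windowEnd = windowEnd_;
    }

    function inExecutionWindow() public view returns (bool) {
        uint256 t = block.timestamp % EPOCH;
        return t >= windowStart && t < windowEnd;
    }

    /// Register a lock under msg.sender only. Nothing in this contract can
    /// later reassign the entry to another address.
    function register(uint256 tokenId, uint256 votingPower) external {
        locks[msg.sender].push(LockInfo(tokenId, votingPower));
        totalVotingPower += votingPower;
    }

    /// Deregister a lock. Callable only by the depositor (the mapping is keyed
    /// by msg.sender) and only outside the execution window.
    function withdraw(uint256 index) external {
        require(!inExecutionWindow(), "execution window");
        LockInfo[] storage mine = locks[msg.sender];
        require(index < mine.length, "no such lock");
        totalVotingPower -= mine[index].votingPower;
        mine[index] = mine[mine.length - 1]; // swap-and-pop; array order is not significant
        mine.pop();
    }

    /// Pro-rata share of `reward` for one lock, in integer math. Rounding is
    /// downward, so the sum over n locks can be up to n-1 wei short of
    /// `reward`; the dust stays in the contract rather than being assigned.
    /// In 0.8.x an oversized `reward * votingPower` reverts instead of wrapping.
    function rewardShare(address depositor, uint256 index, uint256 reward)
        external view returns (uint256)
    {
        if (totalVotingPower == 0) return 0;
        return reward * locks[depositor][index].votingPower / totalVotingPower;
    }

    /// The only actions the contract performs on locks: vote and reset. Both
    /// forward to the external voter and never change who owns a lock. A real
    /// pool would derive `pools`/`weights` from its own allocation logic
    /// rather than accepting them from the caller as this sketch does.
    function vote(uint256 tokenId, address[] calldata pools, uint256[] calldata weights) external {
        voter.vote(tokenId, pools, weights);
    }

    function reset(uint256 tokenId) external {
        voter.reset(tokenId);
    }
}
```

When verifying immutability claims like the ones above against a deployed contract, the checks to make are the same whatever the project: confirm the bytecode contains no `delegatecall` or `selfdestruct`, that the address is not a proxy (no EIP-1967 implementation slot set), and that no privileged role (`owner`, `admin`, pauser) exists in the ABI; the CANNOT list holds only if those are all absent.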
