Security Model & Ownership Architecture

Autopilot is built as a fully non-custodial system. All protocol logic is enforced on-chain through immutable smart contracts, ensuring users retain exclusive control over their veAERO at all times. The design limits surface area for potential misuse and guarantees that all interactions are predictable, deterministic, and user-owned.


🔒 Immutable Contract Constraints

The core contract — PermanentLocksPoolV1 — is purposefully scoped to limit authority and prevent unauthorized asset handling. Critical functions are explicitly disallowed at the contract level.

❌ The contract CANNOT:

  • Transfer user NFTs: No transferFrom() or similar function exists. NFTs cannot be moved externally by the protocol.

  • Modify lock duration: Once deposited, the NFT is max-locked. Lock parameters cannot be shortened, extended, or altered.

  • Withdraw NFTs on behalf of users: Only the original depositor can withdraw their NFT.

  • Access or reassign funds: User holdings are isolated and never pooled, redistributed, or reweighted outside of mathematical reward logic.

  • Change reward math: All vote and reward calculations are fixed on deployment. No admin, governance, or upgrade mechanism can alter them.

These restrictions are hardcoded and non-bypassable — even via proxy upgrades or role-based permissions.


✅ The contract CAN ONLY perform:

  • vote() – Cast votes using the deposited NFT’s veAERO voting power

  • claimBribes() – Collect bribes and protocol fees from gauge contracts

  • claim() – Collect protocol-wide rebase rewards

  • reset() – Clear prior votes for reallocation in the next epoch

The contract acts only within the scope of optimization, not custody or control.
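
The callable surface described in the two lists above can be checked against a contract's published ABI. The following is an added example, not Autopilot's own code: the sample ABI is constructed, and the `deposit`/`withdraw` entry-point names and `setFeeRecipient` are assumptions used for illustration.

```python
import json

# Operations the page says the contract may perform with a deposited NFT.
DOCUMENTED_ACTIONS = {"vote", "claimBribes", "claim", "reset"}
# Assumed names: the page describes deposit and withdrawal but names no functions.
ASSUMED_USER_ENTRYPOINTS = {"deposit", "withdraw"}
# Well-known function names whose presence would contradict the page's claims:
# ERC-721 transfer/approval, UUPS upgrade, Ownable and AccessControl admin.
CONTRADICTING = {
    "transferFrom", "safeTransferFrom", "approve", "setApprovalForAll",
    "upgradeTo", "upgradeToAndCall", "transferOwnership", "grantRole",
}

def audit_abi(abi):
    """Classify each state-changing ABI function against the documented surface."""
    report = {"contradicts": [], "undocumented": [], "ok": []}
    allowed = DOCUMENTED_ACTIONS | ASSUMED_USER_ENTRYPOINTS
    for entry in abi:
        if entry.get("type") != "function":
            continue  # events, errors and the constructor are not callable
        if entry.get("stateMutability") in ("view", "pure"):
            continue  # read-only functions cannot move or alter a lock
        name = entry["name"]
        if name in CONTRADICTING:
            report["contradicts"].append(name)
        elif name in allowed:
            report["ok"].append(name)
        else:
            report["undocumented"].append(name)  # needs manual source review
    return {k: sorted(set(v)) for k, v in report.items()}

def _fn(name, mutability="nonpayable"):
    return {"type": "function", "name": name, "stateMutability": mutability}

# Constructed sample ABI (not the real PermanentLocksPoolV1 ABI). It includes
# one upgrade hook and one unexplained setter so both findings are exercised.
SAMPLE_ABI = [
    _fn("vote"), _fn("claimBribes"), _fn("claim"), _fn("reset"),
    _fn("deposit"), _fn("withdraw"),
    _fn("locksOf", "view"),          # hypothetical read-only getter
    _fn("setFeeRecipient"),          # hypothetical undocumented setter
    _fn("upgradeTo"),                # would contradict "no upgrade mechanism"
    {"type": "event", "name": "Deposited"},
]

if __name__ == "__main__":
    print(json.dumps(audit_abi(SAMPLE_ABI), indent=2))
```

An ABI lists only externally callable functions, so a clean result here does not cover calls the contract makes internally; those still require reading the verified source.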


🔓 Non-Custodial Design

Autopilot does not hold user assets. Depositing veAERO into the protocol does not transfer ownership — it registers the lock for voting and reward tracking, while the user retains full exit rights.

Key Features:

  • Per-NFT Tracking: Each lock is tracked individually under:

    mapping(address => LockInfo[])

    This enables accurate vote weighting, reward calculation, and historical tracing per wallet.

  • Unrestricted Withdrawals (Outside Special Window): Users can withdraw their veAERO at any time outside of the defined execution window. There are no external dependencies, approval layers, or intermediaries involved.

  • Proportional Reward Allocation: Rewards are calculated based on the share of total voting power contributed by each lock. Allocation is handled via immutable math with no off-chain inputs or overrides.

Autopilot does not have access to user assets and cannot freeze, reassign, or move them under any condition.
