Upgradeability & Governance

Autopilot is designed with a constrained upgrade model:

Only peripheral components can be updated β€” core logic related to voting, rewards, user funds, and NFT ownership is immutable. This structure allows for flexibility where needed without compromising trust or non-custodial guarantees.

πŸ”§ Controlled Upgradeability

Some modules in the Autopilot system are upgradeable to allow the protocol to adapt to changes in ecosystem infrastructure, integration needs, or performance improvements.

Upgradeable Modules:

  • SwapperV1 Handles reward token conversion during the distribution process. Can be upgraded to support better DEX routing, slippage protection, or additional assets. Enables Autopilot to maintain swap efficiency over time.

  • DepositValidatorV1 Defines the rules for veAERO deposits β€” including minimum size, lock duration, and timing windows. Can be updated to reflect changes in veAERO mechanics or new eligibility requirements. Provides flexibility while keeping enforcement trustless.

  • Operator Permissions Used to manage bot operator addresses that execute voting, claiming, and swap functions. Can be updated on-chain by the owner role, with all changes logged. Ensures continued functionality in case of bot or infrastructure changes.

Upgradeable modules are limited in scope and do not affect core protocol behavior.

πŸ”’ Immutable Core Contracts

The core components of Autopilot β€” those responsible for user funds, voting rights, and reward logic β€” are immutable. These contracts cannot be upgraded or modified after deployment.

Immutable Components:

  • NFT Tracking veAERO positions are tracked on-chain. Ownership, vote weight, and reward eligibility are tied to these records and cannot be altered externally.

  • Reward Calculation Logic All formulas for vote-based reward distribution and scaling are hardcoded. They cannot be changed through governance or admin access.

  • Withdrawal Rights Users can always withdraw their NFTs outside the Special Window. This function is fixed in the contract and cannot be disabled or re-routed.

  • Access Control No contract in the system contains admin logic for fund access or reward manipulation. There are no backdoors.

🚫 Owner Limitations

The contract owner role exists for managing operator permissions and upgradeable modules only. It does not have access to user funds or critical protocol logic.

The owner cannot:

  • Access user NFTs or rewards

  • Reassign or freeze veAERO locks

  • Modify withdrawal logic

  • Change voting or reward distribution math

These limitations are enforced at the contract level and cannot be bypassed.

βš–οΈ Governance Roadmap

Autopilot is currently not governed by a token. However, the architecture supports a potential future transition to DAO-managed upgrades and operations.

In a DAO setup:

  • Upgrades (e.g., to Swapper) could be proposed and voted on by token holders

  • Operator addresses could be managed via on-chain governance

  • Treasury assets (if introduced) could be governed collectively

For now, the protocol prioritizes reliability, with upgradeability restricted to components that benefit from flexibility, not those tied to user value or access.

PreviousMathematical Security GuaranteesNextRisk Analysis & Mitigation

Last updated