Protocol Timelock
Stake DAO's core contracts are protected by a governance timelock that enforces a 48-hour delay on all protocol changes. This provides transparency and gives users time to review and react to any modifications before they take effect.
How It Works
The ProtocolTimelock contract owns the ProtocolController and all critical protocol parameters. Any change to the protocol must follow this process:
- Schedule — A proposer submits the operation with a minimum 48-hour delay
- Wait — The mandatory delay period allows community review
- Execute — After the delay passes, the operation can be executed
Role Structure
| Role | Permissions |
|---|---|
| Proposer | Can schedule operations (governance multisig) |
| Executor | Can execute operations after delay (permissionless) |
| Guardian | Can execute emergency security functions immediately |
| Admin | Can manage roles (add/remove guardians) |
Emergency Response
Guardians can execute limited security functions immediately without waiting for the timelock delay:
| Function | Effect |
|---|---|
pause | Stops new deposits for a protocol (withdrawals remain active) |
unpause | Resumes deposits |
shutdown | Emergency shutdown of a specific gauge |
unshutdown | Resumes a shutdown gauge |
What's Protected
The timelock governs all critical protocol operations:
- Strategy deployment and configuration
- Fee parameter changes
- Reward receiver updates
- Protocol controller settings
- Allocator and sidecar configuration
User Guarantees
- Transparency: All governance actions are visible on-chain 48 hours before execution
- Exit rights: Withdrawals are never blocked, even during emergencies
- No surprises: Parameter changes cannot happen instantly
- Rapid response: Security threats can be addressed immediately through guardian pause
Contract
The ProtocolTimelock is based on OpenZeppelin's battle-tested TimelockController with additional guardian functionality for emergency response.
See Contract Addresses for deployed timelock addresses.