[SIP0.2] Establish Guardian Module & Emergency Risk Controls

1. Overview:

This SIP proposes establishing a Guardian Module for the Lazy Summer Protocol: a narrowly scoped, community-controlled multisig empowered to take temporary emergency actions during high-severity risk events, reducing loss amplification while preserving DAO sovereignty.

RFC: [RFC] Establish Guardian Module & Emergency Risk Controls

2. Motivation:

The Guardian Module introduces a minimal, accountable safety layer aligned with best practices used by Compound, ENS, Arbitrum, and others designed to:

• act faster than governance,
• operate only under explicit emergency conditions,
• and remain fully accountable to the DAO.

This SIP does not centralize power or replace risk management. It reduces loss amplification, not risk existence.

3. Specification:

3.1 Guardian Module Overview

The Guardian Module will be implemented as a multisig with strictly limited emergency authorities.

Authorized actions (only):

1. Vault Pause
   Temporarily halt deposits and withdrawals on affected DAO-managed vaults.

2. Deposit Cap Override
   Set deposit caps to 0 for DAO risk-managed vaults.

3. Governance / Onchain Proposal Cancellation
   Cancel in-flight proposals that pose immediate protocol risk.

The Lazy Summer Protocol has regular and with expiry date guardians. Only the latter can cancel proposals - as long as they are not expired.

Explicit limitations:

• No proactive parameter tuning
• No fund movement
• No strategy onboarding/offboarding
• Reactive use only

All actions are:

• fully transparent,
• time-bounded,
• subject to mandatory post-incident DAO review.

3.2 Emergency Trigger Thresholds

Guardians may exercise authority only when one or more of the following conditions are met:

• ≥ 4% realized or projected loss at a fleet or ark level
• Active exploit or credible exploit in progress
• Severe oracle failure or critical dependency outage
• External protocol failure materially impacting vault safety

Thresholds are intentionally conservative to allow earlier intervention than DAO voting cycles.

3.3 Guardian Composition & Signing Rules

Proposed multisig configuration:

• 8 signers
• 6/8 signing threshold (75%)
• 180d expiration, renewable via governance

Initial Guardian Set (proposed):

• @blockful
• @Meta
• @Raphael_Anode
• @halaprix
• @MasterMojo
• @jensei
• @JavierD
• @chrisb

To confirm the initial set of guardians I request all the above mentioned users to confirm, accept the responsibilities and post their wallet address to be included in the guardian multi-sig in the comment below this post.

This set reflects:

• risk & governance expertise,
• operational readiness,
• diversity of affiliations,
• prior public accountability.

A subjective assessment of member selection is included to align with L2BEAT Security Council standards, and can be found here.

3.4 Guardian Responsibilities

Guardians are expected to:

• remain highly responsive during incidents,
• act strictly within defined authority,
• coordinate with @BlockAnalitica, SEAL Org, Lazy Summer Foundation, and the DAO,
• publish or contribute to post-incident transparency reports,
• accept public accountability for actions taken.

Failure to meet expectations may result in removal via governance.

3.5 Contracts & Transactions

	`function grantGuardianRole(address account)`

	`function setGuardianExpiration(
		address account,
		uint256 expiration`

on all supported chains

    "protocolAccessManager": {
      "base": "0xf389BCEa078acD9516414F5dabE3dDd5f7e39694",
      "mainnet": "0xf389BCEa078acD9516414F5dabE3dDd5f7e39694",
      "arbitrum": "0xf389BCEa078acD9516414F5dabE3dDd5f7e39694",
      "sonic": "0xAFb8a8beA8F7CdB4b65437b0c5963dc7Cd270bC6",
      "hyper": "0x38fB5a7fa70103dCd9e8A969f3975A77E0fE755f"
    },

where

/// @notice Minimum allowed guardian expiration period (7 days)
uint256 public constant MIN_GUARDIAN_EXPIRY = 7 days;

/// @notice Maximum allowed guardian expiration period (180 days)
uint256 public constant MAX_GUARDIAN_EXPIRY = 180 days;

3.6 Compensation

To align incentives and accountability:

• 15% of DAO-managed vault income allocated to a Guardian compensation pool
  • Split evenly across active signers
  • Distributed only while Guardian powers are active
  • as soft-proposed: here.

In addition, the DAO may approve:

• Supplementary SUMR emissions (subject to separate confirmation or future SIP)

4. Risk Assessment

Risks:

• Centralization of emergency power
• Guardian inactivity or capture
• Governance capture preventing renewal

Mitigations:

• Narrow, enumerated powers only
• High multisig threshold (75%)
• Annual expiration & DAO renewal
• Full transparency & post-event review

Upon confirmation from the proposed individual entities, I will create and share a multi-sig in the comment below; pre-onchain vote publishing.

5. Voting

If YES: - Approves creation of the Guardian Module, authorizes deployment of contracts, confirms initial Guardian set, and activates emergency authorities under defined thresholds.

If NO: - Maintains current governance-only emergency posture.

Tagging all @Recognized_Delegates for review, before it is posted for an onchain vote ~04/02/2026.

I’m happy to accept my role as Guardian, and I’m really looking forward to the DAO-managed vaults.
Wallet address: 0xcA4Bc5E1564EBdC2b7e2C9e498735860668A807f

I’m happy to accept my role as Guardian

Wallet address: 0xe9c245293dac615c11a5bf26fcec91c3617645e4 (chrisb.eth)

I accept the role, my signer : 0x718b75a546a1b7edf107199aaa62dc257cb7ee80⁩

I accept my role as Guardian.

wallet: 0xF68D2BfCecd7895BBa05a7451Dd09A1749026454 (MassterMojo.eth)

I accept my role as Guardian.

wallet: 0x1F3D3A7A9c548bE39539b39D7400302753E20591(gov.blockful.eth)

Happy to accept my role as a Guardian.

As an address please use: 0x6ad64B3B5300821b651aF5415c2119a6ED4e2007

I accept my role as Guardian.

wallet: 0x746bb7beFD31D9052BB8EbA7D5dD74C9aCf54C6d(jensei.eth)

I would like to make a suggestion here: Adding a regular liveness check to test the operational readiness of the Guardian module by verifying the availability of keys and the responsiveness of GM members, including the effectiveness of coordination.

This could be as simple as creating and signing an empty transaction every month / 3 months, and sharing how long it took to reach the 6/8 threshold and 8/8 threshold. Obviously results here could be skewed due to coordination around the liveness check. But maybe a proposer could be added to the multisig, who randomly decides when the liveness check happens, which maintains security while maintaining the integrity of the test. Allowing for a more realistic simulation of an emergency / exploit.

I am very much for the liveness check, and was something was discussed with @jensei and @halaprix recently too.

I also like the idea of an external proposer being added to create this periodic check.

thank you all for confirming and accepting your role as Guardians. We are still missing @Meta’s confirmation and I did not hear back for couple of days - I would like to supplementary nominate @Sixty, @TokenBrice, and @Thomas. As we only need one more signer, I would suggest to consider the other two community members to be considered in future when a rotation of guardians would be needed

secondly, I do agree with @Sixty comment on the liveness check and also considering adding a proposer who randomly decides on the timing of the check

Hey @jensei, happy to accept the nomination for the guardian role.

Wallet address: 0x84bC99d6067f30E01e32D7E7E193d68E24546EcC

Hi @jensei, I think since @Sixty already accepted the role, you have the necessary signers.
But you can consider me as back up if a rotation of guardians is necessary.

0xF523EEc9E35a697E5bc3e3534167BE9bAdB68e2D

@blockful @Raphael_Anode @halaprix @MasterMojo @JavierD @chrisb

thank you @Sixty for accepting your nomination and stepping in!

I have deployed and activated the multisig with 6/8 ruleset across Base, Ethereum, Arbitrum, Sonic, and HyperEVM networks at tx.

additionally thank you @Thomas for stepping in as a backup! much appreciated

VOTE:

I remain interested in the Guardian role, and feel strongly that having a representative deeply aligned with depositors would be of benefit to the protocol

–

doesnt 6/8 slow reaction down here drastically.

if they can only init pausing. set caps to 0, (wish it could pulling funds from farms) type things. they it should be 2/8 at most.

I agree with you here that 6/8 might slow down the reaction time. Which is why I suggested the liveness check; if it takes particularly long for the minimum amount of signers to react, reducing the signing threshold can be explored.

As it stands, though, the number of signers and the threshold are around the industry-accepted standard for best security practices when it comes to sensitive protocol operations.

these are not really protocol operations. These are panic safety features>

to add a new vault
to change perFee
to add new strat …etc

these need 6/8

But to panic.. it should be 1/8 IMHO.

it would be good if it was public, meaning anyone could trigger it, if there was someway to avoid competition sabatoge and vandalism. like some sort of meaningful bond

I also agree that 6/8 is quite aggresive and agree it’s not really at the same level as the L2 security councils, which I think this is based on.

I also believe that it should be >1 though, as one person should not be able to trigger this without confirmation from another.

Perhaps 3 is ok, especially with the liveness check.