Safety

Governance and Permissions

How Lucida separates user ownership from protocol administration.

User ownership first

Lucida is designed so user ownership is represented by Lucida shares in a specific Vault. Those shares are the accounting record used to determine the user's proportional claim on that Vault's redeemable assets.

The Lucida Vault program does not include an administrator instruction that directly edits, deletes, or reallocates an individual user's shares. User shares change through user-authorized deposits, user-authorized withdrawals, and the program's share accounting rules.

Governance operations are separate from user wallet control. Lucida governance does not hold a user's wallet keys, cannot sign wallet transactions for a user, and does not turn a user's wallet into a custodial account.

What ownership means

A user's Lucida shares do not disappear because a strategy setting changes, a fee account is reconciled, or an operational review takes place. The practical question is always how many underlying assets those shares can redeem under current Vault and strategy conditions.

Governance scope

AreaCurrent behaviorEffect on users
Strategy configurationThe configured governance authority can initialize or update approved strategy accounts used by a Vault.This can affect where Vault assets are deployed, expected APY, liquidity, and strategy risk. It does not directly delete user shares.
Program upgradesThe Lucida program may have an upgrade authority according to the active deployment configuration.An upgrade can change future protocol behavior. Users should verify upgrade authority and release disclosures before depositing.
Protocol feesPerformance fees are separated from user principal and accounted through fee paths when realized yield exists.Fee handling should not burn user shares or remove principal. Users can review fee disclosures and on-chain fee-account activity.
Strategy migrationGovernance may coordinate a migration of strategy receipt positions if a strategy integration requires replacement or recovery.User shares remain the Vault ownership record. Migration must be reconciled so Vault accounting continues to map shares to redeemable underlying assets.
Deposit and withdrawal controlsThe Lucida Vault program does not expose dedicated pause-deposit, pause-withdraw, or resume instructions.Deposits and withdrawals depend on successful on-chain execution, wallet approval, strategy liquidity, and program validation, not on an administrator approval queue.

What governance cannot do

  • No wallet custody. Governance cannot sign transactions from a user's wallet or access a user's private keys.
  • No manual withdrawal approval queue. Withdrawals are user-initiated on-chain redemptions, not requests waiting for an administrator to approve.
  • No dedicated deposit or withdrawal pause switch. The Lucida Vault program does not include pause-deposit, pause-withdraw, or resume instructions.
  • No direct user-share edit instruction. The Lucida Vault program does not expose an administrator instruction that directly rewrites an individual user's share balance.