Safety
Governance and Permissions
How Lucida separates user ownership from protocol administration.
User ownership first
Lucida is designed so user ownership is represented by Lucida shares in a specific Vault. Those shares are the accounting record used to determine the user's proportional claim on that Vault's redeemable assets.
The Lucida Vault program does not include an administrator instruction that directly edits, deletes, or reallocates an individual user's shares. User shares change through user-authorized deposits, user-authorized withdrawals, and the program's share accounting rules.
Governance operations are separate from user wallet control. Lucida governance does not hold a user's wallet keys, cannot sign wallet transactions for a user, and does not turn a user's wallet into a custodial account.
What ownership means
A user's Lucida shares do not disappear because a strategy setting changes, a fee account is reconciled, or an operational review takes place. The practical question is always how many underlying assets those shares can redeem under current Vault and strategy conditions.
Governance scope
| Area | Current behavior | Effect on users |
|---|---|---|
| Strategy configuration | The configured governance authority can initialize or update approved strategy accounts used by a Vault. | This can affect where Vault assets are deployed, expected APY, liquidity, and strategy risk. It does not directly delete user shares. |
| Program upgrades | The Lucida program may have an upgrade authority according to the active deployment configuration. | An upgrade can change future protocol behavior. Users should verify upgrade authority and release disclosures before depositing. |
| Protocol fees | Performance fees are separated from user principal and accounted through fee paths when realized yield exists. | Fee handling should not burn user shares or remove principal. Users can review fee disclosures and on-chain fee-account activity. |
| Strategy migration | Governance may coordinate a migration of strategy receipt positions if a strategy integration requires replacement or recovery. | User shares remain the Vault ownership record. Migration must be reconciled so Vault accounting continues to map shares to redeemable underlying assets. |
| Deposit and withdrawal controls | The Lucida Vault program does not expose dedicated pause-deposit, pause-withdraw, or resume instructions. | Deposits and withdrawals depend on successful on-chain execution, wallet approval, strategy liquidity, and program validation, not on an administrator approval queue. |
What governance cannot do
- No wallet custody. Governance cannot sign transactions from a user's wallet or access a user's private keys.
- No manual withdrawal approval queue. Withdrawals are user-initiated on-chain redemptions, not requests waiting for an administrator to approve.
- No dedicated deposit or withdrawal pause switch. The Lucida Vault program does not include pause-deposit, pause-withdraw, or resume instructions.
- No direct user-share edit instruction. The Lucida Vault program does not expose an administrator instruction that directly rewrites an individual user's share balance.
