Release Architecture



The FundDeployer is the gateway for a user to create a new fund and signal the migration of a fund from an old release to the current release.

As described in the previous page, this is the contract that the Dispatcher considers as the currentFundDeployer, thus allowing it to deploy and migrate VaultProxy instances.

The FundDeployer deploys configuration contracts ( ComptrollerProxy ) per-fund that are then attached to VaultProxy instances (more in the next section).

The FundDeployer is also used as a release-wide reference point for a couple types of values.

The first is the releaseStatus . When set to Paused , any functions that write to VaultProxy storage are prohibited, other than redeeming shares. This is a safety mechanism in the case that a critical bug is discovered in one of the protocol contracts.

The second storage value of FundDeployer that is referred to release-wide is a registry of allowed "vault calls" , which is referred to by the ComptrollerLib. This allows for arbitrary calls to be made from the VaultProxy as msg.sender , which will be used in calls such as delegating the SynthetixAdapter as an approved trader of Synths directly from the VaultProxy .

There is 1 shared FundDeployer for the release.


One ComptrollerProxy is deployed per-fund, and it is the canonical contract for interacting with a fund in this release. It stores core release-level configuration and is attached to a VaultProxy via the latter's accessor role described on the previous page.

All state-changing calls to the VaultProxy related to the fund's holdings and shares must thus pass through the ComptrollerProxy, making it a critically important bottleneck of access control.

The storage and logic of the ComptrollerProxy are defined by the ComptrollerLib and its associated libraries. Though it inherits the same upgradable Proxy as the VaultProxy, there is no way to call for an upgrade in this release.


As described on the previous page, the VaultLib contract contains the storage layout, event signatures, and logic for VaultProxy instances that are attached to this release.

There is 1 shared VaultLib for the release.


Extensions extend the logic of the core contracts by adding additional kinds of functionality.

They are semi-trusted, in that they are selectively granted access to state-changing calls to VaultProxy instances.

In order to make such a state-changing call, two conditions must be met:

  1. The Extension function must have been called by a ComptrollerProxy via a function with the allowsPermissionedVaultAction modifier, which opens the calling ComptrollerProxy to VaultProxy state changes.

  2. The state-changing call must pass back through the ComptrollerProxy, and is delegated to the PermissionedVaultActionLib to determine whether the calling Extension is allowed to perform such an action.

This paradigm assures that an Extension can only perform a state-changing action to a VaultProxy if it was called by that VaultProxy's corresponding ComptrollerProxy and if the Extension is permitted to make such a change at all.

Though this might seem like overkill for the current release, where extensions are all trusted and audited, it reduces the auditing surface area (e.g,. PolicyManager has no permitted actions) and opens the door for a subsequent release to allow arbitrary Extensions.

In this release, there are three Extensions. All funds share one contract per Extension.


The IntegrationManager allows exchanging a fund's assets for other assets via "adapters" to DeFi protocols (e.g., Uniswap, Kyber, Compound, Chai).

It treats these adapter plugins in an almost untrusted manner (it does rely on adapters to report the expected assets to spend and receive based on user input), validating asset values spent and received against expected values, and also providing the opportunity for policies to implement hooks that are run pre- and post-asset exchange.


The PolicyManager allows state validation via "policies" that implement hooks invoked while buying shares and making an exchange in the IntegrationManager

There is no trust involved in policies, as the PolicyManager has no access to state-changing vault actions.


The FeeManager allows for "fees" to dictate the minting, burning, or transferal of fund shares, according to their internal logics.

Like the PolicyManager, the FeeManager invokes hooks at different points in core logic, namely while buying shares, redeeming shares, and upon a specific function to invoke a "continuous" hook (e.g., for a ManagementFee that grows every block).


Each of the Extensions above make use of plugins. The IntegrationManager uses "adapters", the PolicyManager uses "policies", and the FeeManager uses "fees".

Allowed plugins are all defined on registries in their respective Extensions.

As with Extensions, the plan for subsequent releases is to open up these plugins for third party development.


In addition to "core" and "extension" release-level contracts, there are also entirely decoupled "infrastructure" contracts that can theoretically be recycled between releases. Currently, this category only contains contracts that are related to asset prices and values, but it can also contain contracts such as a forthcoming release that will implement protocol fees.


The ValueInterpreter is the single point of aggregation of various price feeds that are used to calculate the value of one or many input asset amounts in terms of an output asset.

There are two categories of assets in this release:

  • "primitives" - assets for which we have direct rates with which to convert one primitive to any other (e.g., WETH, MLN, etc)

  • "derivatives" - assets for which we only have rates in terms of underlying assets (e.g., Chai, Compound cTokens, Uniswap pool tokens, etc)

The ValueInterpreter determines whether an asset is a primitive or derivative, and executes logic to use corresponding price feeds to determine the value in the output asset.

There is only one supported price feed for each category in this release, so both are hardcoded as immutable variables.

ChainlinkPriceFeed (IPrimitivePriceFeed)

The ChainlinkPriceFeed provides all conversions between primitives. This feed registers assets with their Chainlink aggregators, thus defining the primitive asset universe for the release.


The AggregatedDerivativePriceFeed serves as a central registry that maps derivatives to their corresponding price feeds, and fetches rates from them.

There are several individual price feeds that provide the actual rates of derivatives to their underlying assets. Each inherits IDerivativePriceFeed to provide a standard interface for the AggregatedDerivativePriceFeed to register derivative mappings and grab rates. e.g., CompoundPriceFeed, ChaiPriceFeed


All interfaces to external contracts are contained in the release/interfaces/ directory.

Interfaces for internal contracts (e.g., IFundDeployer ) are kept beside the contracts to which they refer. These are narrow interfaces that only contain the functions required by other non-plugin, release-level contracts (i.e., those in the "core" and "extensions" sections above). The idea was to have a handy visual reference to the intra-release surface area of interactions between contracts.