Overview

Flexible Vaults are built on a modular, upgradeable architecture that enables seamless integration with new protocols. The system is designed to offer dynamic permission management for curators, allowing precise and adaptable control over what actions can be performed — without compromising on safety or decentralization goals.

This architecture implements a fully-featured liquid vault with the following capabilities:

1. Granular Role-Based Access Control – Vault behavior is governed by configurable roles and permissions that define what users and curators are allowed to do
2. Deposits – Users can convert supported assets into vault shares via a request queue mechanism
3. Withdrawals – Shares can be redeemed back into underlying assets, subject to queue processing and oracle pricing
4. Delegated Yield Strategies – Curators can interact with external protocols to generate yield on the liquidity in the vault

Granular Role-Based Access Control

Flexible Vaults introduce Verifier.sol, a call-level permission control system. It determines whether a curator (CALLER_ROLE holder) is allowed to make specific calls based on the verification type:

Verification Types

1. ONCHAIN_COMPACT
   • Allows calls where hash(who, where, selector) exists in an admin-controlled allowlist.
   • Primarily for static strategies or system-owned contracts.
2. MERKLE_COMPACT
   • Like ONCHAIN_COMPACT, but uses Merkle root validation for scalability.
   • Allows large call sets with minimal gas overhead.
3. MERKLE_EXTENDED
   • Validates hash(who, where, value, calldata) against a Merkle tree.
   • Ensures full calldata and value are verified.
4. CUSTOM_VERIFIER
   • Delegates permission checks to contracts implementing ICustomVerifier.
   • Enables arbitrary verification logic.

Built-in Custom Verifiers

• ERC20Verifier: Validates transfer/approve calls with role-checks on caller, recipient, and asset.
• SymbioticVerifier, EigenLayerVerifier: Validate delegation and reward-specific and calls.
• BitmaskVerifier: Matches call byte-by-byte with a bitmask, allowing partial call validation. Enables checks like approve(farmContract, anyAmount).