---
title: "Lagoon v0.6 is live: security, autonomy, and modularity"
description: "Lagoon v0.6 ships PPS guardrails, a Security Council, dual access modes, entry/exit fee caps, and seven more capabilities. Live and audited."
date: "2026-05-19"
author: "Lagoon"
category: "Product"
tags: ["product", "smart-contracts", "v0.6", "vaults", "ERC-7540", "security"]
url: "https://lagoon.finance/blog/lagoon-smart-contracts-v0-6-preview"
readingTime: "8 min read"
---
Lagoon v0.6 is live and audited, shaped by feedback from the managers running
on Lagoon today. Eleven new capabilities prioritize deeper security, manager
autonomy and modularity. Full app integration is rolling out.
## Introduction
Across 120+ vaults deployed on Lagoon and 18+ EVM chains, the patterns of what managers ask for have become clear. They want finer monetization controls. Access that adapts to their jurisdiction. Safeguards that compose rather than freeze the vault when something goes wrong.
v0.6 is our response. Eleven new features, grouped into four areas: fees, access, risk, and vault lifecycle. The contracts are live and [audited](https://docs.lagoon.finance/resources/audits), build on [ERC-7540](/blog/erc-7540-explained), and can be used today via any blockchain explorer. The full app integration is rolling out and tracked on the [version history page](https://docs.lagoon.finance/resources/version-history). Each capability is optional, and each was prioritized because managers asked for it.
_Figure 1: v0.5.1 baseline versus v0.6 additions. Eleven new capabilities across four areas._
## Monetization that fits the strategy
Different strategies need different fee models. A regulated yield fund, a leveraged trading vault, and a perpetual real-world asset (RWA) strategy do not share a monetization shape. v0.6 widens the manager's toolkit and tightens investor guarantees at the same time. The v0.5.1 fee structure (management and performance) remains the baseline.
- **Entry and exit fees** are new in v0.6, capped at 2% each in the contract. Useful for discouraging short-term flows on strategies that need a minimum holding period.
- **Haircut fee**, capped at 20%, applies only to synchronous redemption and is burned from the redeemer's own shares. A frictional cost that protects long-term holders, with no payment to the manager.
- **Averaged AUM accrual** for the management fee. v0.6 takes the average of start-of-period and end-of-period total assets instead of the single snapshot at settlement, which is fairer on vaults with volatile flows.
- **Cooldown delay removed for all fee updates.** v0.5.1 gated every fee change behind a cooldown window. v0.6 drops the cooldown entirely; updates take effect immediately across all fee types. Investor protection moves into the contract's hard caps and the monotonic constraint below, rather than a timing buffer.
- **Entry and exit rates can only decrease.** The contract enforces a monotonic constraint on these two rates specifically, so the entry and exit cost an investor paid in at cannot rise after deposit.
The two-sided design (wider toolkit, harder caps) is the point. Managers tune monetization to their strategy. Investors get an onchain guarantee that entry and exit costs cannot drift up after they deposit.
## Access that fits the jurisdiction
A regulated KYC fund and a permissionless DeFi yield are different products. v0.5.1 forced both into a single access primitive. v0.6 turns access into a configurable layer that adapts to the manager's regulatory framework, without redeploying the contract.
_Figure 2: Access control in v0.6. One mode at a time. Operators with the right role can act on behalf of KYC'd users where the manager has granted permission._
- **Dual modes.** Every vault runs in whitelist (closed-by-default) or blacklist (open-by-default) mode. Mutually exclusive. Switchable atomically via `switchAccessMode()`.
- **Sync/async modes.** Configure `SyncMode` to `Both`, `SyncDeposit`, `SyncRedeem`, or `None`. The manager picks which flows are synchronous and which are forward-priced async: a high-velocity strategy can keep both sync, a regulated fund can lock everything to async, and anything in between is one parameter away.
- **External sanctions oracle.** Optional integration with an onchain sanctions list (e.g. Chainalysis) screens deposits in either mode, including permissionless vaults.
- **Operator role for KYC'd integrators.** A privileged role that custodians, prime brokers, and integrating protocols can use to deposit and redeem on behalf of users they have already KYC'd, without re-onboarding each user into the vault's access list.
- **Redeem on behalf of users.** Operators with the right permission can call `redeem()` on behalf of a user via the controller argument. Useful for legal holds, trustee accounts, and orderly wind-downs without involving the user in every transaction.
The same contract supports regulated funds and permissionless strategies. The manager chooses the model; the protocol does not gate the choice.
## Defense in depth, by design
Mispriced settlement is the single biggest tail risk in async vaults. v0.5.1 leaves price safety to off-chain controls. v0.6 brings it into the contract, with narrow-scope roles so no single key controls both funds and safety.
_Figure 3: Three risk controls, three threat models. Managers compose the combination that fits their strategy._
- **Price per share (PPS) guardrails.** Annual upper and lower bounds, configured in basis points and checked at every settlement. Out-of-range valuations are rejected before they touch share supply.
- **Security Council.** A new role, scoped only to the guardrails. It can update bounds and override a non-compliant valuation. It cannot move funds, change fees, or grant access. The narrow scope is the point: managers can staff it with independent parties without surrendering operational control.
- **Vault capacity cap (`maxCap`).** Hard per-vault deposit ceiling, enforced at deposit time. Prevents over-concentration and supports fund-of-fund exposure limits.
These compose. A short-duration trading vault may run tight PPS bounds and lean on the Security Council as a circuit breaker. A long-duration RWA vault may rely on the capacity cap. The combination is the manager's call; the contract enforces it.
## Operational continuity
Vaults are long-lived contracts. Drawdowns happen. Fund families consolidate. Custody keys rotate. v0.6 adds the lifecycle moves v0.5.1 missed, without forcing a redeployment.
- **High water mark (HWM) reset.** The vault administrator enables an `allowHighWaterMarkReset` flag at deployment. With it, the Safe can re-anchor the HWM to current price per share after a drawdown. The flag is visible to investors before they deposit, so the manager's policy is public.
- **Clean migrations.** New vaults can initialize with non-zero `initialTotalAssets`, with the Safe receiving pre-minted shares. Any v0.5.1 vault can be migrated onto v0.6 without liquidating the strategy. The upgraded vault starts at 0% entry and exit fees, preserving the v0.5.1 fee structure for the inherited investor base; the monotonic constraint then prevents those rates from being raised after the fact.
- **Post-deploy metadata.** The vault owner can update the ERC-20 name and symbol after launch. Rebranding no longer requires a redeploy.
- **Post-deploy Safe rotation.** The vault owner can rotate the Safe address — the role that holds custody of vault assets — without redeploying the contract. Custody key migrations, signer changes, and Safe upgrades become a single transaction.
- **Redeem cancellation.** Investors can cancel a pending redeem request before settlement and recover their shares, reducing the lock-up risk that institutional allocators flag as a constraint on async vaults.
- **Deeper security:** Price-per-share guardrails, a single-purpose Security Council, capacity caps without enlarging any role's scope.
- **Manager autonomy:** Granular fees, dual access modes, post-deploy metadata and Safe rotation, and HWM reset put strategy parameters in the manager's hands within hard, investor-friendly caps.
- **Strategy modularity:** The same contract supports KYC funds and permissionless strategies; the `SyncMode` parameter switches between sync, async, or mixed deposit/redeem; no redeploy required to change shape.
- **Non-disruptive rollout:** v0.6 applies to new deployments. v0.5.1 vaults continue unchanged and can opt in for the upgrade.
Read the v0.6.0 deployment details on the Lagoon version history page. The
contracts are live today; the app rollout is tracked there.
## Going further
- [ERC-7540 Explained: Async Vaults for Real-World Assets](/blog/erc-7540-explained): the underlying standard that v0.6 builds on.
- [Lagoon's fee structure: the four fee types, explained](/blog/lagoon-fee-structure): the management, performance, and protocol fee mechanics that v0.6 builds on.
- [Vault Governance Roles: Who Does What in an Onchain Fund](/blog/vault-governance-roles): the four-role model v0.6 augments with the Security Council and Operator role.
- [Onchain Fund Custody: MPC, Multisig, and Safeguards](/blog/onchain-fund-custody): the custody background that informs the Operator role and redeem-on-behalf capability.