
Vault Governance Roles: Who Does What in an Onchain Fund

Learn how four governance roles secure onchain funds: vault admin, curator, valuation provider, and whitelist manager, each enforced by smart contracts.

Lagoon, 9 min read

Introduction

In traditional finance, separation of duties is a regulatory and policy requirement. In an onchain vault, the separation of powers is enforced by code.

We built Lagoon to bring institutional-grade fund operations onchain, and with over 800 vaults deployed across 18+ EVM chains since inception, we have seen firsthand why governance design determines whether a vault earns trust or becomes a liability. The curator model that emerged across DeFi in 2025 and 2026 has professionalized vault operations, but the underlying question remains the same: who controls what, and how is that enforced?

This article is a reference guide to the four governance roles in a Lagoon vault. Whether you are deploying your first vault or evaluating an existing one as an investor, understanding these roles is the foundation for assessing any onchain fund structure.

Why Governance Separation Matters

Traditional funds rely on legal agreements between service providers: the fund administrator calculates the net asset value (NAV), the transfer agent processes subscriptions, and the compliance officer verifies investor eligibility. These separations work, but they are enforced by contracts, audits, and regulatory oversight, not by the infrastructure itself.

Onchain vaults invert this model. Instead of trusting separate companies to follow their agreements, the smart contract defines what each role can and cannot do. A valuation provider can submit a NAV proposal but cannot settle requests. A curator can execute trades but cannot change fee parameters. These constraints are verifiable by anyone reading the contract.

This matters for two reasons:

  1. Security through scoping. No single compromised key can drain a vault, manipulate pricing, and approve its own access. Each role is isolated, so a breach in one does not cascade to others.
  2. Institutional credibility. Asset managers evaluating onchain infrastructure consistently cite governance and risk management as their primary concern. Smart contract enforcement provides a verifiable answer that policy documents cannot.

Lagoon's ERC-7540 implementation enforces this separation natively: the vault contract rejects any transaction from an address that does not hold the required role for that operation.

The Four Governance Roles

Vault Administrator

TradFi equivalent: Board of Directors / General Partner

The vault administrator is the top-level configuration role. It sets the framework within which the vault operates, without directly touching investor capital.

Responsibilities:

  • Configure vault parameters (settlement cadence, strategy constraints)
  • Set fee structures
  • Assign and reassign addresses for each governance role
  • Manage allowlist settings and access policies

Scope: Configuration only. The vault administrator cannot move funds, settle requests, or submit valuations. Some parameters are immutable after deployment (such as the underlying asset), while others can be updated subject to a time-lock period.

Typical setup: A smart contract wallet (such as a Safe multisig) or an MPC wallet. Using a multisig ensures no single team member can unilaterally change vault parameters.

Valuation Provider

TradFi equivalent: Fund Administrator

The valuation provider determines the price at which deposits and redemptions settle. This is the role that answers the question: "What is the vault's portfolio actually worth?"

Responsibilities:

  • Compute the total asset value of the portfolio
  • Submit NAV proposals onchain
  • Select and apply a consistent NAV methodology
  • Ensure pricing accuracy across all positions (onchain and off-chain)

Scope: Propose only. The valuation provider submits a NAV figure, but it takes effect only after the curator accepts it. This role cannot settle requests, move funds, or modify any vault parameters.

Typical setup: An automated script that reads portfolio positions, an onchain oracle, or a third-party valuation service. For strategies with off-chain components (such as real-world assets), a professional valuation agent may be required.

Curator

TradFi equivalent: Portfolio Manager + Transfer Agent

The curator is the operational heart of the vault. It is the only role that can execute transactions on behalf of the vault, making it the most powerful and most closely watched.

Responsibilities:

  • Review and accept (or reject) NAV proposals from the valuation provider
  • Settle all pending deposit and redemption requests
  • Execute the investment strategy: deploy capital, rebalance positions, bridge assets across chains
  • Determine settlement timing and frequency

Scope: Operations and execution only. The curator cannot change fee structures, modify the allowlist, or reassign roles. Its authority is scoped to accepting valuations and moving capital within the strategy mandate.

Typical setup: A Safe multisig (e.g. 3-of-5) or an institutional MPC wallet through providers like Fireblocks or Fordefi. The custody model for the curator wallet is one of the most consequential decisions in vault design, since this is the address that signs strategy transactions.

Critical independence requirement: The curator and the valuation provider must be separate entities. If the same address controls both, it can propose a favorable NAV and immediately settle against it, effectively manipulating the share price. Lagoon's contracts enforce this separation: the two-step verification (propose, then accept) prevents unilateral price manipulation.

Whitelist Manager

TradFi equivalent: Compliance Officer

The whitelist manager controls who can interact with the vault. This role is optional: permissionless vaults leave it unassigned, while regulated products use it to enforce investor eligibility at the contract level.

Responsibilities:

  • Maintain the allowlist of approved investor addresses
  • Enforce KYC/AML and accreditation requirements programmatically
  • Gate vault access before transactions execute (pre-trade enforcement)

Scope: Access control only. The whitelist manager cannot move funds, submit valuations, or change vault parameters. It operates as a binary gate: an address is either approved or it is not.

Typical setup: A KYC/KYB provider integration, an externally owned account (EOA) managed by the compliance team, or a smart contract connected to an identity verification service. For DeFi-native strategies targeting open participation, this role is simply left unassigned.

How the Roles Work Together

The governance roles are not independent silos. They interact in a specific sequence during every settlement cycle, creating a chain of verification that no single participant can bypass.

The Settlement Cycle

Step 1: Investor submits a request. An investor calls requestDeposit or requestRedeem on the vault contract. If a whitelist manager is configured, the contract checks the caller's address against the allowlist before accepting the request. Assets transfer to the vault, and the request enters a pending queue. No shares are minted yet.

Step 2: Valuation provider proposes the NAV. The valuation provider computes the portfolio's total asset value and submits it onchain. This figure determines the exchange rate (share price) for all pending requests. Because the price is set after requests are submitted (forward pricing), investors cannot front-run the settlement.

Step 3: Curator reviews and settles. The curator examines the proposed NAV. If it is accurate, the curator accepts it and settles all pending requests in a single transaction. Fees are computed, shares are minted (for deposits) or assets are released (for redemptions) at the settlement price. The curator then deploys the new capital according to the strategy.

This three-step process ensures that:

  • The entity proposing the price (valuation provider) cannot settle the requests (curator)
  • The entity settling requests (curator) cannot change who has access (whitelist manager)
  • The entity configuring the vault (administrator) cannot execute trades (curator)
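The cycle above as a small Python model, added here as an illustration and not taken from Lagoon's contracts. Every name except requestDeposit is an assumption, the share arithmetic is simplified, and fees and redemptions are left out.

```python
# Simplified model of the three-step settlement cycle. Added example: this is
# not Lagoon's contract code, and the role checks and share math are assumptions.

class Unauthorized(Exception):
    """Caller does not hold the role required for the operation."""

class VaultModel:
    def __init__(self, valuation_provider, curator, allowlist=None):
        self.valuation_provider = valuation_provider
        self.curator = curator
        self.allowlist = allowlist   # None = whitelist manager unassigned
        self.pending = []            # (investor, assets) waiting for settlement
        self.proposed_nav = None
        self.total_assets = 0
        self.total_shares = 0
        self.shares = {}

    def request_deposit(self, caller, assets):
        # Step 1: the allowlist gate runs before the request is queued.
        if self.allowlist is not None and caller not in self.allowlist:
            raise Unauthorized("caller is not on the allowlist")
        self.pending.append((caller, assets))   # no shares minted yet

    def propose_nav(self, caller, nav):
        # Step 2: only the valuation provider may propose a NAV.
        if caller != self.valuation_provider:
            raise Unauthorized("only the valuation provider can propose a NAV")
        self.proposed_nav = nav

    def settle(self, caller):
        # Step 3: only the curator may accept the proposal and settle.
        if caller != self.curator:
            raise Unauthorized("only the curator can settle")
        if self.proposed_nav is None:
            raise ValueError("no NAV proposal to accept")
        nav, supply = self.proposed_nav, self.total_shares
        if supply > 0 and nav <= 0:
            raise ValueError("NAV must be positive once shares exist")
        for investor, assets in self.pending:
            # Forward pricing: every pending request gets the same price,
            # fixed by a NAV proposed after the request was submitted.
            minted = assets if supply == 0 else assets * supply // nav
            self.shares[investor] = self.shares.get(investor, 0) + minted
            self.total_shares += minted
        self.total_assets = nav + sum(a for _, a in self.pending)
        self.pending, self.proposed_nav = [], None
```

If `valuation_provider` and `curator` are set to the same address, both role checks pass for one caller and the propose-then-accept step no longer involves a second party.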

Checks and Balances

This separation mirrors the principle behind traditional fund operations, but with one critical difference: onchain enforcement is continuous and verifiable, not periodic and trust-based. An investor can read the vault contract to confirm which addresses hold which roles, and verify that no single entity controls multiple functions.

Configuring Roles in Practice

Common Configuration Patterns

| Pattern | Vault Admin | Valuation Provider | Curator | Whitelist Manager |
|---|---|---|---|---|
| DeFi-native (open) | Team multisig | Automated script or third-party valuation provider | Smart contract wallet or MPC | Not assigned |
| Institutional (gated) | Team multisig | Third-party service | MPC wallet (Fireblocks) | KYC provider |
| DAO-managed | Governance contract | Oracle integration | Safe multisig | DAO vote |

Mistakes to Avoid

Assigning all roles to the same address. This eliminates every governance benefit. If one key is compromised, the attacker controls valuation, execution, configuration, and access simultaneously. Always use distinct addresses.

Using the curator wallet as the valuation provider. This is the most common governance mistake in vault design. It removes the two-step verification that prevents share price manipulation. Even if the same team manages both functions, use separate signing addresses.

Skipping the whitelist manager for regulated products. If your vault accepts capital from accredited or institutional investors, compliance must be enforced at the contract level, not as an off-chain process that can be bypassed. Onchain enforcement is auditable and pre-trade, which is what regulators expect.

Using a single-key EOA for the curator. The curator controls strategy execution. A single private key means a single point of failure. Use a multisig or MPC wallet to distribute signing authority across multiple parties.
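The four mistakes above can be checked mechanically once a vault's role holders are known. The following audit function is an added example, not Lagoon tooling; the RoleConfig fields, wallet-type labels and finding codes are assumptions, and it also reports any address that holds more than one role.

```python
# Audit a vault's role assignment against the mistakes listed above.
# Added example: field names, wallet labels and finding codes are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class RoleConfig:
    admin: str
    valuation_provider: str
    curator: str
    whitelist_manager: Optional[str]  # None = role left unassigned
    curator_wallet: str               # "eoa", "multisig" or "mpc"
    gated: bool                       # True when investor eligibility applies

def audit_roles(cfg: RoleConfig) -> list:
    roles = {"admin": cfg.admin, "valuation_provider": cfg.valuation_provider,
             "curator": cfg.curator, "whitelist_manager": cfg.whitelist_manager}
    holders = {}
    for role, addr in roles.items():
        if addr:  # hex addresses compare case-insensitively
            holders.setdefault(addr.lower(), []).append(role)
    assigned = sum(len(held) for held in holders.values())
    findings = []
    for held in holders.values():
        if len(held) > 1 and len(held) == assigned:
            findings.append("ALL_ROLES_ONE_ADDRESS")
        elif len(held) > 1:
            findings.append("SHARED_ADDRESS:" + "+".join(held))
    if cfg.curator.lower() == cfg.valuation_provider.lower():
        # The propose-then-accept step no longer involves a second party.
        findings.append("CURATOR_IS_VALUATION_PROVIDER")
    if cfg.gated and cfg.whitelist_manager is None:
        findings.append("GATED_WITHOUT_WHITELIST_MANAGER")
    if cfg.curator_wallet == "eoa":
        findings.append("CURATOR_SINGLE_KEY_EOA")
    return findings

# Constructed placeholder addresses, not real deployments.
A, B, C, D = ("0x" + pair * 20 for pair in ("a1", "b2", "c3", "d4"))

def demo():
    good = RoleConfig(A, B, C, D, "multisig", gated=True)
    bad = RoleConfig(A, A, A, None, "eoa", gated=True)
    return audit_roles(good), audit_roles(bad)
```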


About Lagoon

Lagoon provides the complete stack for onchain asset management, combining proven ERC-7540 vault technology with institutional-grade fund administration tooling. It enables any digital asset strategy to become a tokenized product: scalable, composable, and accessible to LPs.
