---
title: "Vault Governance Roles: Who Does What in an Onchain Fund"
description: "Learn how four governance roles secure onchain funds: vault admin, curator, valuation provider, and whitelist manager, each enforced by smart contracts."
date: "2026-04-07"
author: "Lagoon"
category: "Product"
tags: ["governance", "vaults", "roles", "ERC-7540", "institutional"]
url: "https://lagoon.finance/blog/vault-governance-roles"
readingTime: "9 min read"
---


<Callout>
Every onchain vault needs clear rules about who can value assets, who can move funds, and who can grant access. Lagoon enforces these through four governance roles scoped at the smart contract level: vault administrator, valuation provider, curator, and whitelist manager. Here is what each role does, how they interact during settlement, and how they map to traditional fund structures.
</Callout>

## Introduction

In traditional finance, separation of duties is a regulatory and policy requirement. In an onchain vault, the separation of powers is enforced by code.

We built [Lagoon](https://lagoon.finance) to bring institutional-grade fund operations onchain, and with over 800 vaults deployed across 18+ EVM chains since inception, we have seen firsthand why governance design determines whether a vault earns trust or becomes a liability. The [curator model that emerged across DeFi in 2025 and 2026](https://defiprime.com/defi-vaults-guide) has professionalized vault operations, but the underlying question remains the same: who controls what, and how is that enforced?

Whether you are deploying your first vault or evaluating an existing one as an investor, understanding these roles is the foundation for assessing any onchain fund structure.

## Why governance separation matters

Traditional funds rely on legal agreements between service providers: the fund administrator calculates the net asset value (NAV), the transfer agent processes subscriptions, and the compliance officer verifies investor eligibility. These separations work, but they are enforced by contracts, audits, and regulatory oversight, not by the infrastructure itself.

Onchain vaults invert this model. Instead of trusting separate companies to follow their agreements, the smart contract defines what each role can and cannot do. A valuation provider can submit a NAV proposal but cannot settle requests. A curator can execute trades but cannot change fee parameters. These constraints are verifiable by anyone reading the contract.

This matters for two reasons:

1. **Security through scoping.** No single compromised key can drain a vault, manipulate pricing, and approve its own access. Each role is isolated, so a breach in one does not cascade to others.
2. **Institutional credibility.** Asset managers evaluating onchain infrastructure [consistently cite governance and risk management](https://www.coindesk.com/sponsored-content/accelerating-convergence-between-traditional-and-on-chain-finance-in-2026) as their primary concern. Smart contract enforcement provides a verifiable answer that policy documents cannot.

Lagoon's ERC-7540 implementation enforces this separation natively: the vault contract rejects any transaction from an address that does not hold the required role for that operation.

## The four governance roles

![The four governance roles in an onchain vault](https://storage.googleapis.com/lagoon-blog-media/blog/vault-governance-roles/fig1-four-roles-overview.webp?v=2)

### Vault administrator

**TradFi equivalent:** Board of Directors / General Partner

The vault administrator is the top-level configuration role. It sets the framework within which the vault operates, without directly touching investor capital.

**Responsibilities:**
- Configure vault parameters (settlement cadence, strategy constraints)
- Set fee structures
- Assign and reassign addresses for each governance role
- Manage allowlist settings and access policies

**Scope:** Configuration only. The vault administrator cannot move funds, settle requests, or submit valuations. Some parameters are immutable after deployment (such as the underlying asset), while others can be updated subject to a time-lock period.

**Typical setup:** A smart contract wallet (such as a Safe multisig) or an MPC wallet. Using a multisig ensures no single team member can unilaterally change vault parameters.

### Valuation provider

**TradFi equivalent:** Fund Administrator

The valuation provider determines the price at which deposits and redemptions settle. This is the role that answers the question: "What is the vault's portfolio actually worth?"

**Responsibilities:**
- Compute the total asset value of the portfolio
- Submit NAV proposals onchain
- Select and apply a consistent NAV methodology
- Ensure pricing accuracy across all positions (onchain and off-chain)

**Scope:** Propose only. The valuation provider submits a NAV figure, but it takes effect only after the curator accepts it. This role cannot settle requests, move funds, or modify any vault parameters.

**Typical setup:** An automated script that reads portfolio positions, an onchain oracle, or a third-party valuation service. For strategies with off-chain components (such as [real-world assets](/blog/erc-7540-explained)), a professional valuation agent may be required.

### Curator

**TradFi equivalent:** Portfolio Manager + Transfer Agent

The curator is the operational heart of the vault. It is the only role that can execute transactions on behalf of the vault, making it the most powerful and most closely watched.

**Responsibilities:**
- Review and accept (or reject) NAV proposals from the valuation provider
- Settle all pending deposit and redemption requests
- Execute the investment strategy: deploy capital, rebalance positions, bridge assets across chains
- Determine settlement timing and frequency

**Scope:** Operations and execution only. The curator cannot change fee structures, modify the allowlist, or reassign roles. Its authority is scoped to accepting valuations and moving capital within the strategy mandate.

**Typical setup:** A Safe multisig (e.g. 3-of-5) or an institutional MPC wallet through providers like [Fireblocks or Fordefi](/blog/onchain-fund-custody). The custody model for the curator wallet is one of the most consequential decisions in vault design, since this is the address that signs strategy transactions.

**Critical independence requirement:** The curator and the valuation provider must be separate entities. If the same address controls both, it can propose a favorable NAV and immediately settle against it, effectively manipulating the share price. Lagoon's contracts enforce this separation: the [two-step verification](/blog/erc-7540-explained) (propose, then accept) prevents unilateral price manipulation.

### Whitelist manager

**TradFi equivalent:** Compliance Officer

The whitelist manager controls who can interact with the vault. This role is optional: permissionless vaults leave it unassigned, while regulated products use it to enforce investor eligibility at the contract level.

**Responsibilities:**
- Maintain the allowlist of approved investor addresses
- Enforce KYC/AML and accreditation requirements programmatically
- Gate vault access before transactions execute (pre-trade enforcement)

**Scope:** Access control only. The whitelist manager cannot move funds, submit valuations, or change vault parameters. It operates as a binary gate: an address is either approved or it is not.

**Typical setup:** A KYC/KYB provider integration, an externally owned account (EOA) managed by the compliance team, or a smart contract connected to an identity verification service. For [DeFi-native strategies](/blog/building-yield-strategy) targeting open participation, this role is simply left unassigned.

## How the roles work together

The governance roles are not independent silos. They interact in a specific sequence during every settlement cycle, creating a chain of verification that no single participant can bypass.

![Settlement flow: how governance roles interact](https://storage.googleapis.com/lagoon-blog-media/blog/vault-governance-roles/fig2-settlement-flow.webp?v=2)

### The settlement cycle

**Step 1: Investor submits a request.** An investor calls `requestDeposit` or `requestRedeem` on the vault contract. If a whitelist manager is configured, the contract checks the caller's address against the allowlist before accepting the request. Assets transfer to the vault, and the request enters a pending queue. No shares are minted yet.

**Step 2: Valuation provider proposes the NAV.** The valuation provider computes the portfolio's total asset value and submits it onchain. This figure determines the exchange rate (share price) for all pending requests. Because the price is set after requests are submitted ([forward pricing](https://docs.lagoon.finance)), investors cannot front-run the settlement.

**Step 3: Curator reviews and settles.** The curator examines the proposed NAV. If it is accurate, the curator accepts it and settles all pending requests in a single transaction. Fees are computed, shares are minted (for deposits) or assets are released (for redemptions) at the settlement price. The curator then deploys the new capital according to the strategy.

This three-step process ensures that:
- The entity proposing the price (valuation provider) cannot settle the requests (curator)
- The entity settling requests (curator) cannot change who has access (whitelist manager)
- The entity configuring the vault (administrator) cannot execute trades (curator)
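The three steps above as a small Python model, added here as an illustration and not taken from Lagoon's contracts: each call checks the caller against the single role allowed to make it. The class and method names are hypothetical, and the model assumes the proposed NAV excludes the pending queue and leaves out fees and redemptions.

```python
from dataclasses import dataclass, field
from typing import Optional

class Unauthorized(Exception):
    """Caller lacks the role or allowlist entry the call requires."""

@dataclass
class VaultModel:  # hypothetical model, not Lagoon's contract interface
    valuation_provider: str
    curator: str
    whitelist_manager: Optional[str] = None      # None = permissionless vault
    allowlist: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # investor -> assets in the queue
    shares: dict = field(default_factory=dict)   # investor -> shares minted
    total_shares: int = 0
    proposed_nav: Optional[int] = None

    def _require(self, caller, holder):
        if holder is None or caller != holder:
            raise Unauthorized(caller)

    def approve_investor(self, caller, investor):
        self._require(caller, self.whitelist_manager)
        self.allowlist.add(investor)

    def request_deposit(self, investor, assets):
        # Step 1: the allowlist gate runs before queuing; no shares are minted.
        if self.whitelist_manager is not None and investor not in self.allowlist:
            raise Unauthorized(investor)
        self.pending[investor] = self.pending.get(investor, 0) + assets

    def propose_nav(self, caller, nav):
        # Step 2: only the valuation provider may propose; nothing settles yet.
        self._require(caller, self.valuation_provider)
        self.proposed_nav = nav

    def settle(self, caller):
        # Step 3: only the curator may accept the proposal and settle the queue.
        self._require(caller, self.curator)
        nav, supply = self.proposed_nav, self.total_shares
        if nav is None or (supply and nav <= 0):
            raise ValueError("no usable NAV proposal to accept")
        for investor, assets in self.pending.items():
            # One price for the whole queue; first settlement mints 1:1.
            minted = assets if supply == 0 else assets * supply // nav
            self.shares[investor] = self.shares.get(investor, 0) + minted
            self.total_shares += minted
        self.pending.clear()
        self.proposed_nav = None
```

A valuation provider calling `settle`, or a curator calling `propose_nav`, raises `Unauthorized`, which is the property the list above describes.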

### Checks and balances

This separation mirrors the principle behind [traditional fund operations](/blog/onchain-vaults-fund-operations), but with one critical difference: onchain enforcement is continuous and verifiable, not periodic and trust-based. An investor can read the vault contract to confirm which addresses hold which roles, and verify that no single entity controls multiple functions.

## Configuring roles in practice

![Traditional fund governance vs. onchain vault governance](https://storage.googleapis.com/lagoon-blog-media/blog/vault-governance-roles/fig3-tradfi-vs-onchain.webp?v=2)

### Common configuration patterns

| Pattern | Vault Admin | Valuation Provider | Curator | Whitelist Manager |
|---|---|---|---|---|
| **DeFi-native (open)** | Team multisig | Automated script or third-party valuation provider | Smart contract wallet or MPC | Not assigned |
| **Institutional (gated)** | Team multisig | Third-party service | MPC wallet (Fireblocks) | KYC provider |
| **DAO-managed** | Governance contract | Oracle integration | Safe multisig | DAO vote |

### Mistakes to avoid

**Assigning all roles to the same address.** This eliminates every governance benefit. If one key is compromised, the attacker controls valuation, execution, configuration, and access simultaneously. Always use distinct addresses.

**Using the curator wallet as the valuation provider.** This is the most common governance mistake in vault design. It removes the two-step verification that prevents share price manipulation. Even if the same team manages both functions, use separate signing addresses.

**Skipping the whitelist manager for regulated products.** If your vault accepts capital from accredited or institutional investors, compliance must be enforced at the contract level, not as an off-chain process that can be bypassed. Onchain enforcement is auditable and pre-trade, which is what regulators expect.

**Using a single-key EOA for the curator.** The curator controls strategy execution. A single private key means a single point of failure. Use a multisig or MPC wallet to distribute signing authority across multiple parties.
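A reviewer can turn the four mistakes above into a mechanical check on a vault's role assignment. The following Python sketch is an added example, not Lagoon tooling: the config layout, finding codes, and sample addresses are constructed for illustration, and the wallet type of each address is assumed to be known to the reviewer.

```python
ROLES = ("vault_admin", "valuation_provider", "curator", "whitelist_manager")

def audit_roles(config, regulated=False):
    """Return finding codes for a role assignment.

    config maps each role to {"address": str or None, "wallet": str}; the
    "wallet" label ("eoa", "multisig", "mpc") is supplied by the reviewer.
    """
    # Checksummed and lowercase spellings are the same EVM address.
    addr = {r: ((config.get(r) or {}).get("address") or "").lower() or None
            for r in ROLES}
    holders = {}
    for role, a in addr.items():
        if a:
            holders.setdefault(a, []).append(role)
    assigned = sum(len(roles) for roles in holders.values())

    findings = []
    if len(holders) == 1 and assigned >= 3:
        findings.append("all-roles-same-address")
    if addr["curator"] and addr["curator"] == addr["valuation_provider"]:
        findings.append("curator-is-valuation-provider")
    for roles in holders.values():
        if len(roles) > 1:
            findings.append("shared-address:" + "+".join(roles))
    if regulated and not addr["whitelist_manager"]:
        findings.append("regulated-without-whitelist-manager")
    if (config.get("curator") or {}).get("wallet") == "eoa":
        findings.append("curator-single-key-eoa")
    return findings

# Constructed sample addresses (not real deployments).
A, B, C, D = ("0x" + ch * 40 for ch in "AbCd")

SINGLE_KEY = {  # one key reused everywhere, curator is an EOA
    "vault_admin": {"address": A, "wallet": "eoa"},
    "valuation_provider": {"address": A.lower(), "wallet": "eoa"},
    "curator": {"address": A, "wallet": "eoa"},
    "whitelist_manager": {"address": None},
}
INSTITUTIONAL = {  # the "Institutional (gated)" row of the table above
    "vault_admin": {"address": A, "wallet": "multisig"},
    "valuation_provider": {"address": B, "wallet": "eoa"},
    "curator": {"address": C, "wallet": "mpc"},
    "whitelist_manager": {"address": D, "wallet": "eoa"},
}
```

Comparing addresses case-insensitively matters here: the same key written once in checksum casing and once in lowercase would otherwise pass as two distinct role holders.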

<KeyTakeaways>
- **Four distinct roles** (vault admin, valuation provider, curator, whitelist manager) enforce separation of duties at the smart contract level
- **Two-step verification** prevents share price manipulation: the entity that proposes the NAV cannot settle requests
- **TradFi mapping** is direct: each onchain role corresponds to a traditional fund service provider, but enforcement moves from legal agreements to code
- **Custody choice for the curator** is the most consequential governance decision, since this address signs all strategy transactions
- **Permissionless or gated** access is a configuration choice: the whitelist manager is optional, enabling both open DeFi strategies and regulated institutional products
</KeyTakeaways>

<CTA href="https://app.lagoon.finance">Deploy a vault on Lagoon and configure governance roles across 18+ EVM chains.</CTA>

