Theopetra currently uses 2 multisigs to control administrative functions in the protocol. The access control smart contract defines three primary roles which have access to privileged functions: Governor, Policy, and Vault.

The Vault role refers to the treasury itself, which controls access to the mint function and further defines contract-level permissions used to interact externally with the treasury. It is non-custodial, intended as a contract-only role.

The Governor role manages the highest security actions in the protocol, such as contract upgrades, role based access controls, and withdrawing funds from the treasury. This is a 4/7 multisig.

The Policy role manages low security actions in the protocol, such as opening and closing growth markets. This is a 3/5 multisig.

An emergency multisig is proposed as part of the transition to decentralization, which will have reduced access to the above permissions and increased signers. It is not intended for administration of the protocol, and only to be used in case of exploits to pause sensitive protocol functions.

Timelocks are used in the protocol to create a delay between privileged actions proposed by the multisig and their execution. All treasury functions use a 48-hour timelock to create response time in case of a compromised security model.