# Trust model
ELI5: Different parts of the flywheel make different promises. TARE's engine won't touch your collateral; Keep's managers can change strategies — know which is which.
## Core invariant
No vote, keeper, admin, or caller may move a solvent user's collateral, mint on a bad price, or alter live debt. Routers only move value already released or earned.
Full scope: Core invariant.
## Trust boundaries by protocol

### TARE engine [engine-only scope]
| Role | Can | Cannot |
|---|---|---|
| Engine owner | List collateral, pause, shutdown, withdraw seized only | Move solvent deposits, alter live debt, mint to self |
| Liquidator | Liquidate / settle bad debt when rules allow | Touch solvent positions |
| Oracle lib | Halt on bad feeds | Mint on divergent feeds |
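To make the core invariant and the engine table above concrete, here is an added Python model of the engine's trust boundary. It is illustrative code written for this page, not TARE's contracts: the class and method names, the 150% minimum collateral ratio and the 2% feed-divergence bound are all assumptions. It encodes the three rules the table states: the oracle halts on divergent feeds and nothing mints while halted, a liquidator can act only on a position that fails the collateral check, and the engine owner can withdraw seized collateral only, never a solvent user's deposit.

```python
# Added illustrative model of the TARE engine trust boundary (not the protocol's code).
# Integer arithmetic throughout: price in quote units per collateral unit, ratios in bps.
from dataclasses import dataclass


class InvariantViolation(Exception):
    """Raised when an action would break the core invariant."""


@dataclass
class Position:
    collateral: int
    debt: int


class EngineModel:
    # Hypothetical parameters: 150% minimum collateral ratio, 2% max feed divergence.
    def __init__(self, owner: str, liq_ratio_bps: int = 15_000, max_divergence_bps: int = 200):
        self.owner = owner
        self.liq_ratio_bps = liq_ratio_bps
        self.max_divergence_bps = max_divergence_bps
        self.positions: dict[str, Position] = {}
        self.seized = 0        # collateral taken from liquidated positions only
        self.price = None      # last accepted price
        self.halted = True     # no accepted price yet, so minting is blocked

    # Oracle lib: accept a price only if all feeds agree within the bound, else halt.
    def update_price(self, feeds: list[int]) -> bool:
        lo, hi = min(feeds), max(feeds)
        if (hi - lo) * 10_000 > lo * self.max_divergence_bps:
            self.halted = True
            return False
        self.price = sum(feeds) // len(feeds)
        self.halted = False
        return True

    def is_solvent(self, user: str) -> bool:
        if self.halted:
            raise InvariantViolation("no valid price")
        p = self.positions[user]
        return p.collateral * self.price * 10_000 >= p.debt * self.liq_ratio_bps

    def deposit(self, user: str, amount: int) -> None:
        self.positions.setdefault(user, Position(0, 0)).collateral += amount

    # Minting is refused while halted and refused if it would leave the user insolvent.
    def mint(self, user: str, amount: int) -> None:
        if self.halted:
            raise InvariantViolation("mint on bad price")
        p = self.positions[user]
        p.debt += amount
        if not self.is_solvent(user):
            p.debt -= amount
            raise InvariantViolation("mint would make position insolvent")

    # Liquidator: may only act on a position that fails the collateral check.
    def liquidate(self, user: str) -> int:
        if self.is_solvent(user):
            raise InvariantViolation("liquidate solvent position")
        p = self.positions[user]
        taken, p.collateral, p.debt = p.collateral, 0, 0
        self.seized += taken
        return taken

    # Engine owner: may withdraw seized collateral only, never user deposits.
    def owner_withdraw(self, caller: str, amount: int) -> int:
        if caller != self.owner:
            raise InvariantViolation("not owner")
        if amount > self.seized:
            raise InvariantViolation("withdraw exceeds seized collateral")
        self.seized -= amount
        return self.seized


def _blocked(action) -> bool:
    """True if the action was refused by the invariant checks."""
    try:
        action()
    except InvariantViolation:
        return True
    return False


def walkthrough() -> dict:
    """Constructed scenario exercising each boundary; returns what each actor could do."""
    e = EngineModel(owner="owner")
    out = {}
    e.update_price([100, 101])          # feeds agree: price accepted as 100
    e.deposit("alice", 10)
    e.mint("alice", 500)                # 10 * 100 / 500 = 200% collateralised
    out["liquidate_solvent"] = _blocked(lambda: e.liquidate("alice"))
    out["owner_takes_deposit"] = _blocked(lambda: e.owner_withdraw("owner", 1))
    out["halted_on_divergence"] = not e.update_price([100, 103])   # 3% apart: halt
    out["mint_while_halted"] = _blocked(lambda: e.mint("alice", 1))
    e.update_price([60, 60])            # 10 * 60 / 500 = 120% < 150%: now liquidatable
    out["seized_after_liquidation"] = e.liquidate("alice")
    out["owner_withdraws_seized"] = e.owner_withdraw("owner", 10)  # remaining seized
    return out
```

Run `walkthrough()` to see every refused action come back as `True` and the owner's withdrawal capped at exactly what liquidation seized; this is the shape of check an invariant test suite would assert for the engine, independent of how the Keep vault's admin roles are configured.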
### Keep vault [admin in value path]
| Role | Can | Cannot |
|---|---|---|
| STRATEGY_MANAGER | Add strategies, set max_debt, weights | Directly steal via CDP (no CDP access) |
| DEFAULT_ADMIN | Governance ops | Should be timelock/multisig |
| ALLOCATOR_ROLE (GaugeWeightRouter) | set_allocations only | Add malicious strategy |

**Critical distinction**
TARE engine trust ≠ Keep vault trust. The marketing claim "no admin in value path" applies to the engine only, per composition audit TARE-8.
### Coil
| Role | Can | Cannot |
|---|---|---|
| Whitelisted solver | Submit batches | Forge signatures without keys |
| Admin | Fees, token allowlist | Access TareEngine custody |
### veForge
| Role | Can | Cannot |
|---|---|---|
| Voter | Steer allocations within caps | Move CDP collateral |
| Owner | Gauge types, kill switch | Direct Keep withdrawal |
### Routers (least privilege)
| Router | Moves |
|---|---|
| CoilFeeRouter | Harvested USDC fees only |
| SurplusSplitter | Engine surplus only |
| GaugeWeightRouter | Allocation weights only |
## What can go wrong

**Residual risks**
- Keep admin compromise
- Solver censorship / liveness
- Smart contract bugs — not externally audited for mainnet
See Audit status.
Source: TARE-Stablecoin/SPEC.md, khomdev-keep/docs/SECURITY.md, composition review