Institutional DeFi - Control Architecture v2

yields.digital

Institutional DeFi - Control & Role Architecture

Consolidated design · Technology, InfoSec, Asset Management & Risk Management frameworks applied

MiCA + DORA ALIGNED

Click role cards to view permissions

Governance & Oversight Layer

Applies to all tiers below

Owner - Board Level

Geographically distributed signers. Independent of investment function. Multi-sig 3-of-5 + HSM.

Upgrade authorityRole assignmentEmergency pause

Independent Risk Committee

Separate from investment team. Sets risk limits. Approves mandate changes. Art. 68 compliance (governance & record-keeping) - reviewed quarterly.

Sets limitsMandate approvalArt. 68 review

IAM / PAM Layer

Privileged Access Management for all signing roles. Mandatory MFA. Quarterly access reviews. Joiners/Movers/Leavers enforced.

PAM systemAccess reviewsMFA required

DORA ICT Framework

ICT risk management. 4-hour NCA incident notification. TLPT testing cadence. Third-party ICT risk register maintained.

4hr notifyTLPTICT register

Investment Decision & Execution Workflow

Pre-trade → Execution → Post-trade

1. Investment Decision

Portfolio Manager forms thesis. Mandate boundary check. Asset on approved list?

2. Pre-Trade Risk Gate

yields.digital risk scores validate: asset MiCA status, concentration limits, protocol risk score, and mandate boundary. Execution blocked if any threshold breached.

3. Four-Eyes Approval

Transactions above threshold require dual sign-off. Risk Manager independently confirms. MPC policy enforces.

4. Signing Layer

MPC custody policy executes. MEV protection via private mempool. Address verified on hardware.

5. On-Chain Execution

Transaction broadcast via redundant RPC nodes. On-chain audit log updated.

6. Post-Trade

Reconciliation against on-chain state. NAV administrator updates share price independently. yields.digital evidence trail updated - Art. 68 record complete.

Key Management

EOA (single private key) is not acceptable for any operational role managing client assets. All operational signing requires MPC minimum.

On-Chain Multi-sig

Multi-sig Platform

3-of-5 threshold. Signers geographically distributed. Each signer independent.

Owner operations only

HSM

Hardware Security Module. HSM Provider. Air-gapped environment.

High-value signing + key storage

Off-Chain MPC

MPC Custody Provider

Off-chain key split. Presents as single signer on-chain. Policy-enforced.

Signing layer - Admin + Portfolio Mgr

Secondary MPC Provider

Secondary / failover MPC provider. Reduces concentration on single vendor.

Backup signing + qualified custody

Smart Account

On-chain programmable policy. Enforces spend limits, whitelists, time delays at contract level.

Automated parameter enforcement

Other Providers

Custody

Qualified CustodianQualified custody

Compliance

On-chain AnalyticsOn-chain analytics

Compliance ScreeningCompliance screening

Assurance

Smart Contract Auditor ASmart contract audit

Smart Contract Auditor BSmart contract audit

NAV AdministratorIndependent NAV calc

Legal CounselMiCA auth. opinion

Control Hierarchy

Tier 1

Institutional Allocator

Pension fund · Family office · Crypto hedge fund

Sets mandate Approves risk limits Receives independent NAV Conducts quarterly DD Direct yields.digital reporting

⇅

Tier 2 - CASP · Arts. 59, 66, 68, 81

Crypto Asset Manager

REGULATED

OWNER

Board / Legal Entity

Multi-sig 3-of-5 + HSM

▼ PERMISSIONS

RISK MANAGER

Independent Risk Function

MPC - observe, pause & risk limits

▼ PERMISSIONS

PORTFOLIO MGR

Investment Team

MPC -2-of-N policy

▼ PERMISSIONS

⇅

Signing & Execution Layer

MPC Custody Provider (Primary) · MPC Custody Provider (Failover)

Sits between Manager & Vault

MPC Policy Engine

Velocity limits, whitelist enforcement, dual-approval above threshold

MEV Protection

Private mempool provider. Prevents front-running of large vault transactions.

Address Verification

Hardware confirmation of destination address before broadcast. Prevents substitution attacks.

Redundant RPC

Self-hosted nodes with redundant provider failover. No single RPC dependency. DORA ICT resilience.

⇅

Tier 3 - Smart Contract Layer

Vault 7540 - Contract Components

Vault 7540 - Core Contract

Share issuance, redemption accounting, deposit and withdrawal interface

Strategy Contracts

Protocol interactions isolated per strategy. Separate audit surface per deployment.

Fee Contract

Independent fee calculation and extraction. Auditable. Prevents undocumented extraction.

Withdrawal Queue

Manages redemption sequencing for illiquid positions. Defines notice periods for allocator.

Upgrade proxy (UUPS) 72h time-lock minimum On-chain audit log Audited: Independent Smart Contract Auditors Board approval required pre-upgrade

⇅

Oracle & NAV Layer

Price Feeds · NAV Calculation · Independent Verification

Primary Price Oracle

Decentralised price feeds. Cross-validates against secondary feed. Deviation alert if >0.5%.

Secondary Price Oracle

High-frequency institutional feeds. Independent of primary feed. Manipulation cross-check.

NAV Administrator (Independent)

Calculates share price from verified feeds. Reports direct to allocator. Not via asset manager.

⇅

Tier 4 - DeFi Protocol Layer

Lending

Aave

Compound

Morpho

Spark

Gearbox

AMM / DEX

Curve

Uniswap

Balancer

Liquid Staking

Lido

Rocket Pool

Yield / Structured

Pendle

Governance risk note: Each protocol has its own governance token and voting process. External governance decisions (e.g. AAVE parameter changes) can affect vault positions without asset manager action. Risk monitoring must track protocol governance activity.

yields.digital

Independent Risk Intelligence Infrastructure

ARCHITECTURALLY INDEPENDENT

yields.digital provides independent, time-series risk scoring and intelligence across crypto-assets, protocols, pools, and chains. Operating entirely outside the control chain - with no asset-movement, parameter-change, or key-holding capability - our scores and reports carry the independence regulators and institutional allocators require. All data is sourced directly from on-chain state, not via the asset manager, ensuring no intermediation of the evidence trail.

MiCA Art. 68 MiCA Art. 66 MiCA Art. 81 DORA Art. 6

Continuous Risk Scoring & Art. 68 Evidence Trail

REGULATORY

Proprietary risk scores updated continuously across every asset, protocol, pool, and chain under management. Each score is timestamped and immutably logged, forming the auditable evidence trail Art. 68 demands. Available to NCA on request without requiring asset manager intermediation.

MiCA Art. 68MiCA Art. 66MiCA Art. 81

Risk ManagerCompliance TeamPortfolio Manager

Pre-Trade Risk Gate Intelligence

RISK CONTROLS

Real-time risk scores feed directly into the pre-trade compliance gate before any execution is permitted. Validates asset MiCA eligibility, protocol risk score, concentration limits, and mandate boundary - giving the Portfolio Manager and Risk Manager a single, evidenced risk signal at the point of decision.

MiCA Art. 68MiCA Art. 66MiCA Art. 81

Portfolio ManagerRisk Manager

MiCA Asset & Protocol Eligibility

COMPLIANCE

Every asset and protocol in scope is assessed against MiCA Arts. 4–6 (white paper obligation and content) and Art. 16(1) (ART authorisation). Eligibility status is continuously monitored and updated - including when protocol governance changes affect compliance standing. Provides the documented asset-level matrix FIN-FSA and other NCAs request in supervisory reviews.

MiCA Art. 4MiCA Art. 5MiCA Art. 6MiCA Art. 16(1)MiCA Art. 68MiCA Art. 66

Compliance TeamRisk ManagerPortfolio Manager

Real-Time Alerts & Circuit Breaker

RISK OVERSIGHT

Threshold-based alerts trigger automatically on protocol risk events, liquidity deterioration, smart contract anomalies, or compliance breaches. Defined critical scenarios route directly to the vault circuit breaker via the Risk Manager role - with sub-block latency - without requiring human intervention. Protects client capital faster than any manual process.

MiCA Art. 68MiCA Art. 66DORA Art. 10DORA Art. 17

Risk ManagerBoard / OwnerCompliance Team

Protocol & Chain Risk Intelligence

RISK INTELLIGENCE

Proprietary risk scores across every integrated protocol and chain - covering smart contract risk, liquidity depth, counterparty concentration, governance activity, and cross-chain bridge exposure. Scores are segmented by protocol category (lending, AMM, liquid staking, structured yield) reflecting the distinct risk profile of each. Enables the Risk Manager and Portfolio Manager to make and evidence decisions with a consistent, independent risk methodology.

MiCA Art. 68MiCA Art. 66MiCA Art. 81DORA Art. 6

Portfolio ManagerRisk ManagerCompliance Team

Institutional Reporting & AUM Support

AUM & OVERSIGHT

Automatically generates the institutional-grade documentation allocators require during due diligence: documented risk methodology, asset-level scoring history, decision rationale, and continuous monitoring evidence. The Art. 81 portfolio management suitability record is built as a byproduct of normal operations - not as a separate compliance exercise. Supports AUM growth by demonstrating the governance standard institutional capital demands.

MiCA Art. 68MiCA Art. 66MiCA Art. 81

Portfolio ManagerCompliance TeamInstitutional Allocator

Reporting Architecture

All lines direct - NOT via investment team

yields.digital→ Risk Manager

Art. 68 evidence trail + circuit breaker

yields.digital→ Allocator

Independent portfolio monitoring

yields.digital→ NCA / FIN-FSA

Regulatory submissions on request

NAV Administrator→ Allocator

Independent share price - not via asset manager

The Four Questions Serious Allocators Ask

1 - Who can move assets?

Portfolio Manager role within Owner-set limits. MPC 2-of-N policy. Four-eyes approval above threshold. Every movement on-chain, timestamped, captured in Art. 68 evidence trail.

2 - Who can change parameters?

Risk Manager role - independent of investment team, within board-approved ranges. Smart account policy enforces limits on-chain. Portfolio Manager cannot change risk parameters.

3 - Who can pause activity?

Risk Manager (circuit breaker - automatic on defined triggers) and Owner (multi-sig). Portfolio Manager cannot pause. yields.digital critical alerts feed directly into circuit breaker.

4 - Who can upgrade contracts?

Owner only. Multi-sig 3-of-5 with geographically distributed signers. 72-hour time-lock minimum. Fresh security audit required before execution. Board-level approval documented.

DORA & Regulatory Compliance Layer

DORA (EU) 2022/2554 + MiCA (EU) 2023/1114

ICT Incident Reporting

Major ICT incidents: 4-hour initial notification to NCA (from classification). 24-hour initial report. 72-hour intermediate report. 1-month final report (from resolution). Pipeline pre-built, not ad hoc.

Threat-Led Pen Testing (TLPT)

DORA mandates TLPT for entities identified by competent authorities (Art. 26). Signing infrastructure, vault contracts, and RPC layer in scope. Minimum cadence: every 3 years.

ICT Third-Party Risk Register

All critical ICT providers documented. Concentration risk assessed. Exit plans for critical providers required.

Business Continuity / DR

RTO and RPO defined for each system. Failover to secondary MPC provider if primary unavailable. Self-hosted RPC nodes as primary. Incident playbook documented.

yields.digital · Institutional DeFi Risk Infrastructure

v2.3 · 20 April 2026 · Audit-verified (S52)