Model

  • Isolated custody: Every user gets their own Gnosis Safe. No pooled funds, no shared risk.
  • Permissioned execution: Automation can only call whitelisted functions through approved modules and roles.
  • Transaction guards: Every transaction passes through pre- and post-execution checks, with system-wide pause support.
  • Immutable core: Core contracts behave predictably and can be audited on-chain.
Automation cannot move funds beyond whitelisted, user‑authorized actions.

Components

  • RolesGuard: pause + tx checks
  • RolesReceiver/Broadcaster: cross‑chain coordination
  • Market wrappers/adapters: slippage and oracle validation
Emergency controls allow fast pause across chains while preserving withdrawal access from the Safe.
See also: Risk
Developers: explore the SDKs for programmatic access with strict types and Safe‑aware workflows.

Security Flow

Defense in Depth

Layer 1: Safe Isolation

  • Per-user Safes: Each user has their own Gnosis Safe with full custody
  • No Pooled Funds: Zero risk of cross-user contamination
  • Direct Withdrawal: Users can always withdraw directly from their Safe

Layer 2: Access Control

  • Role-based Permissions: OpenZeppelin AccessControl with PAUSER_ROLE
  • Executor Validation: Only authorized executors can trigger strategy operations
  • Delegatecall Security: Controllers can only execute within Safe context

Layer 3: Transaction Guards

  • RolesGuard: Validates all transactions against pause state and permissions
  • Slippage Protection: Oracle-based validation with configurable limits
  • Input Validation: Full parameter validation across all adapters

Layer 4: Emergency Controls

  • System-wide Pause: Can halt all non-owner transactions instantly
  • Cross-chain Coordination: Pause state synchronized across all chains
  • Safe Owner Override: Safe owners retain full control even during pauses

Layer 5: Economic Security

  • Inflation Attack Protection: Dual-layer defense in MarketWrapper
  • Flashloan Security: Atomic operations with proper authorization
  • Oracle Integration: Real-time price validation for all operations

Rate-Limited Extraction

Even if an attacker compromises the automation layer for a single Safe, the vault action cooldown limits how fast they can act. Each Safe enforces a cooldown period between vault actions, so an attacker can execute only a handful of actions in any given window, and each action is bounded by slippage guards that revert transactions exceeding acceptable price impact.

Bridge transfers are confined to the owner’s Safe fleet: funds bridged from your Safe on one chain can only arrive at your Safe on another chain, so an attacker can’t use bridges to move funds to an external address.

The cooldown transforms what would be an instant drain into a slow, observable leak. Detection systems flag unusual activity well before meaningful extraction occurs.
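
The checks described in this section, as an added Python model (not Blend's contract code) of how pause, cooldown, slippage and bridge-destination rules combine for one Safe. The class and function names, the addresses, the 3600-second cooldown and the 50 bps slippage cap are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

BPS = 10_000  # basis-point denominator

@dataclass
class SafeGuardModel:
    """Toy model of one Safe's guard; all names and values are hypothetical."""
    owner: str
    fleet: frozenset          # the owner's Safes on other chains
    cooldown_s: int           # assumed cooldown between vault actions
    max_slippage_bps: int     # assumed slippage cap per action
    paused: bool = False
    last_action_ts: Optional[int] = None

    def check(self, sender, kind, now, oracle_out=0, actual_out=0, dest=None):
        """Return 'ok' or the reason the transaction would revert."""
        if sender == self.owner:
            return "ok"  # Safe owner override, also while paused
        if self.paused:
            return "revert: paused"
        if kind == "bridge":
            return "ok" if dest in self.fleet else "revert: destination outside fleet"
        if self.last_action_ts is not None and now - self.last_action_ts < self.cooldown_s:
            return "revert: cooldown"
        # Slippage guard: output must stay within the cap relative to the oracle quote.
        if actual_out * BPS < oracle_out * (BPS - self.max_slippage_bps):
            return "revert: slippage"
        self.last_action_ts = now
        return "ok"

def max_loss_bps(window_s, cooldown_s, max_slippage_bps):
    """Upper bound on value lost in a window if every allowed action hits the cap."""
    actions = window_s // cooldown_s + 1  # first action at t=0
    remaining = (1 - max_slippage_bps / BPS) ** actions
    return round((1 - remaining) * BPS)

def demo():
    g = SafeGuardModel("owner", frozenset({"safe@chainB"}), cooldown_s=3600, max_slippage_bps=50)
    bot = "automation"  # constructed sender standing in for the automation layer
    results = [
        g.check(bot, "vault", 0, oracle_out=1000, actual_out=996),     # within cap
        g.check(bot, "vault", 60, oracle_out=1000, actual_out=996),    # inside cooldown
        g.check(bot, "vault", 3600, oracle_out=1000, actual_out=900),  # 10% price impact
        g.check(bot, "bridge", 3700, dest="external-address"),         # not in fleet
        g.check(bot, "bridge", 3700, dest="safe@chainB"),
    ]
    g.paused = True
    results.append(g.check(bot, "vault", 7200, oracle_out=1000, actual_out=999))
    results.append(g.check("owner", "withdraw", 7200))
    return results
```

`max_loss_bps` makes the "slow, observable leak" concrete: under these assumed parameters the bound grows with the number of cooldown periods in the window, not with the size of any single transaction.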

Regulatory Alignment

Blend’s SMA architecture is structurally aligned with the direction of stablecoin and crypto custody regulation across the US, EU, and global markets. Each user gets their own isolated Safe. Funds are never pooled. All contracts are non-upgradable with no admin keys. For a full breakdown of how Blend maps to specific regulations, see Regulatory Alignment for Neobanks.
Last modified on March 20, 2026