# Security

Divigent v1 includes a narrow set of controls. The design constraint is that emergency controls protect new inflows and operational recovery paths without granting an admin the ability to withdraw user funds.

## Deposit Pause

The emergency multisig can pause new deposits.

When paused:

* `deposit()` and `depositWithPermit()` revert.
* `withdraw()` remains fully available.

This means the pause cannot trap user funds. Users can always exit even when the protocol stops accepting new capital.

## TVL Caps

Divigent uses phased TVL caps for controlled launch growth.

| Phase    | TVL Cap        | Active From |
| -------- | -------------- | ----------- |
| Initial  | 500,000 USDC   | Launch      |
| Expanded | 2,000,000 USDC | Day 31      |
| Removed  | No cap         | Day 91      |

The cap is checked against post-deposit total assets. Deposits that would push TVL above the active cap revert.

## Oracle Freshness

Deposits revert if the oracle has not been updated within 2 hours.

This prevents routing decisions from being made on stale data, especially if oracle observations stop being recorded due to gas conditions or operator inactivity. The router attempts to record a fresh observation as part of every deposit, which keeps the oracle current during normal protocol use.

## Slippage Bounds

* `deposit()` accepts `minSharesOut`. The call reverts if minted dvUSDC falls below this floor.
* `withdraw()` accepts `minUsdcOut`. The call reverts if net USDC delivered to the wallet falls below this floor.

Both bounds protect against unexpected share-price movement between transaction submission and execution.

## No Proxy Upgrade Path

Core external integrations are immutable. The router, oracle, fee collector, and dvUSDC are not deployed behind upgradeable proxies. New protocol versions ship as new deployments.

This trades upgrade flexibility for stronger guarantees about behaviour over time.

## Treasury Rotation Controls

Fee treasury rotation uses:

* a 7-day timelock between proposal and execution;
* a 14-day grace window after the timelock;
* the emergency multisig as the authorising path.

See [Fees](/divigent-docs/protocol/fees.md).
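
The sketch below is an added example of the rotation schedule described above, not Divigent's fee collector code. It assumes the multisig both proposes and executes, that a proposal left past its grace window simply lapses, and that a cancel path exists; those details are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of a 7-day timelock with a 14-day grace window.
// Not Divigent's deployed contract; the cancel path and the use of the
// emergency multisig for both steps are assumptions.
contract TreasuryRotationExample {
    uint256 public constant TIMELOCK = 7 days;  // delay between proposal and execution
    uint256 public constant GRACE = 14 days;    // window after the timelock in which execution is valid

    address public immutable emergencyMultisig;
    address public treasury;
    address public pendingTreasury;
    uint256 public executableAt; // 0 when nothing is pending

    event TreasuryProposed(address indexed candidate, uint256 executableAt);
    event TreasuryRotated(address indexed previous, address indexed current);

    modifier onlyMultisig() {
        require(msg.sender == emergencyMultisig, "not emergency multisig");
        _;
    }

    constructor(address _multisig, address _treasury) {
        emergencyMultisig = _multisig;
        treasury = _treasury;
    }

    // Step 1: propose. Re-proposing overwrites the pending candidate and restarts the clock.
    function proposeTreasury(address candidate) external onlyMultisig {
        require(candidate != address(0), "zero treasury");
        pendingTreasury = candidate;
        executableAt = block.timestamp + TIMELOCK;
        emit TreasuryProposed(candidate, executableAt);
    }

    // Step 2: execute. Succeeds only inside [executableAt, executableAt + GRACE];
    // a proposal not executed within the grace window lapses and must be re-proposed.
    function executeTreasury() external onlyMultisig {
        require(pendingTreasury != address(0), "nothing pending");
        require(block.timestamp >= executableAt, "timelock not elapsed");
        require(block.timestamp <= executableAt + GRACE, "proposal lapsed");
        address previous = treasury;
        treasury = pendingTreasury;
        delete pendingTreasury;
        delete executableAt;
        emit TreasuryRotated(previous, treasury);
    }

    // Assumed convenience path: drop a pending proposal before it executes.
    function cancelProposal() external onlyMultisig {
        delete pendingTreasury;
        delete executableAt;
    }
}
```

The grace window is the part reviewers most often miss: without the upper bound, a proposal could sit dormant for months and then be executed long after anyone is watching, which is why the window closes 14 days after the timelock ends.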

## Reentrancy Protection

* `deposit()` and `withdraw()` use `nonReentrant`.
* `withdraw()` updates internal state (cost basis reduction, dvUSDC burn) before any external vault calls.

This combination prevents reentrant withdrawal calls from manipulating state mid-call.
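
As an added example (not Divigent's deployed router), the contract below shows how the deposit-side gates from the sections above (deposit pause, phased TVL cap against post-deposit assets, 2-hour oracle freshness, `minSharesOut`) and the withdraw-side rules in this section (`nonReentrant`, `minUsdcOut`, state updates before any external call) fit together. The `IObservationOracle` interface, the simplified share accounting, and the reading of "Day 31"/"Day 91" as 30 and 90 full days after launch are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Divigent's code. Interfaces, share accounting and the
// day-to-seconds mapping of the cap schedule are assumptions for this example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IObservationOracle {
    function lastUpdated() external view returns (uint256); // assumed: timestamp of latest observation
    function record() external;                             // assumed: record a fresh observation
}

contract GatedVaultExample {
    uint256 public constant ORACLE_MAX_AGE = 2 hours;
    uint256 public constant INITIAL_CAP = 500_000e6;    // USDC has 6 decimals
    uint256 public constant EXPANDED_CAP = 2_000_000e6;

    IERC20 public immutable usdc;
    IObservationOracle public immutable oracle;
    address public immutable emergencyMultisig;
    uint256 public immutable launchTime;

    bool public depositsPaused;
    uint256 public totalAssets;  // simplified: USDC under management, tracked internally
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    // Minimal reentrancy guard, same idea as OpenZeppelin's nonReentrant.
    uint256 private _entered = 1;
    modifier nonReentrant() {
        require(_entered == 1, "reentrant call");
        _entered = 2;
        _;
        _entered = 1;
    }

    constructor(IERC20 _usdc, IObservationOracle _oracle, address _multisig) {
        usdc = _usdc;
        oracle = _oracle;
        emergencyMultisig = _multisig;
        launchTime = block.timestamp;
    }

    // The pause gates deposits only; withdraw() deliberately has no pause check.
    function setDepositsPaused(bool paused) external {
        require(msg.sender == emergencyMultisig, "not emergency multisig");
        depositsPaused = paused;
    }

    // Phased cap: 500k USDC, then 2M USDC from day 31, then no cap from day 91
    // ("day 31"/"day 91" read as 30/90 full days after launch, an assumption).
    function activeCap() public view returns (uint256) {
        uint256 elapsed = block.timestamp - launchTime;
        if (elapsed < 30 days) return INITIAL_CAP;
        if (elapsed < 90 days) return EXPANDED_CAP;
        return type(uint256).max;
    }

    function deposit(uint256 assets, uint256 minSharesOut) external nonReentrant returns (uint256 sharesOut) {
        require(!depositsPaused, "deposits paused");
        require(assets > 0, "zero deposit");
        // Best-effort refresh, then a hard freshness gate: a failed refresh
        // does not bypass the 2-hour check.
        try oracle.record() {} catch {}
        require(block.timestamp - oracle.lastUpdated() <= ORACLE_MAX_AGE, "oracle stale");
        // The cap is evaluated on post-deposit total assets.
        require(totalAssets + assets <= activeCap(), "TVL cap exceeded");
        sharesOut = (totalShares == 0 || totalAssets == 0) ? assets : (assets * totalShares) / totalAssets;
        require(sharesOut >= minSharesOut, "minSharesOut not met");
        totalAssets += assets;
        totalShares += sharesOut;
        shares[msg.sender] += sharesOut;
        require(usdc.transferFrom(msg.sender, address(this), assets), "USDC transfer failed");
    }

    function withdraw(uint256 sharesIn, uint256 minUsdcOut) external nonReentrant returns (uint256 assetsOut) {
        // No pause check here: users can always exit.
        require(sharesIn > 0 && shares[msg.sender] >= sharesIn, "insufficient shares");
        assetsOut = (sharesIn * totalAssets) / totalShares;
        require(assetsOut >= minUsdcOut, "minUsdcOut not met");
        // Effects before interactions: burn shares and reduce accounting first ...
        shares[msg.sender] -= sharesIn;
        totalShares -= sharesIn;
        totalAssets -= assetsOut;
        // ... then the external call (in the real protocol, venue vault calls sit here).
        require(usdc.transfer(msg.sender, assetsOut), "USDC transfer failed");
    }
}
```

Two details carry the security argument: `withdraw()` has no pause check and burns shares before the transfer, so neither a paused protocol nor a reentrant callback can change what a user is owed; and the freshness gate runs after the best-effort `record()`, so a refresh that reverts cannot let a stale observation through.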

## Risk Surfaces Divigent Does Not Eliminate

{% hint style="warning" %}
Divigent routes into external venues. Smart contract logic enforces accounting and routing gates, but it cannot remove:

* external protocol risk in Aave or Morpho;
* Morpho vault liquidity risk under stress conditions;
* Base network execution risk.

Integrators should understand each of these before deploying capital.
{% endhint %}

