Vault and Treasury Protection

The goal of this Lossless feature is to allow project owners (token creators) to protect their treasury wallets, liquidity pools or any other addresses that own large amounts of liquidity. Vault and Treasury Protection mitigates the damage that exploits can do to particular types of addresses, for example:

  • Treasury. This could be any externally owned account or contract that transfers only to addresses that can be known in advance. This could protect the team's multi-sig wallet, ICO contract, or any other vesting / long-term investment contract.

  • Liquidity pool. This could be a DeFi vault, DEX liquidity pool, cross-chain bridge vault, or any other address that is used by retail users and whose recipients are not known in advance.

To protect these types of addresses we implement strategies that allow mitigating the risks associated with each type of address. These strategies are:

  • Treasury Protection Strategy. The main purpose of this strategy is to allow transferring tokens only to whitelisted addresses.

  • Liquidity Protection Single Limit Strategy. The main purpose of this strategy is to allow project owners to set limits on how many tokens can be transferred out of a protected address in a given period of time.

Technical overview

Vault and Treasury Protection is a system of smart contracts deployed by Lossless. These contracts then provide tailored protection to a LERC20 token through parameters specific to each token.

Vault and Treasury Protection is implemented through a system of smart contracts. These contracts are:

You can find all of these contracts here:

Here is a high level smart contracts architecture.

To make use of Vault and Treasury Protection, a token has to integrate the Lossless Controller and become a LERC20 token, for example, by using the Lossless Token Generator.

Before a LERC20 token can start using any of the protections, it must first be verified by the lossless team. Furthermore, before a verified LERC20 token can have a protected address, that particular address must first be verified by the lossless team. Please reach out to the lossless team through or if you are an LERC20 token admin and would like to accomplish these steps.

Besides the admin roles described in the LERC20 standard, a role called protectionAdmin is defined for each LERC20 token (see LosslessGuardian for more details). The token admin can choose which address becomes protectionAdmin. The protectionAdmin is allowed to configure protections for the verified addresses by calling functions such as setLimit in LiquidityProtectionSingleLimitStrategy and setProtectedAddress in TreasuryProtectionStrategy.

When a token transfer is attempted, LosslessControllerV2 calls the isTransferAllowed function of the LiquidityProtectionSingleLimitStrategy and TreasuryProtectionStrategy contracts. If the attempted transfer violates the conditions set by protectionAdmin, the transfer is reverted.
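The two checks described above, modelled off-chain in Python as an added example (this is not Lossless contract code). The method names mirror the functions named on this page; their signatures, the attempt helper and the fixed-window accounting of the limit are assumptions made for illustration.

```python
# Added off-chain model, not Lossless contract code. Method names mirror the
# functions named on this page; signatures and window accounting are assumed.

class TransferReverted(Exception):
    """Stands in for an on-chain revert."""

class TreasuryProtection:
    """A protected sender may transfer only to whitelisted recipients."""
    def __init__(self):
        self.whitelists = {}  # protected address -> allowed recipients

    def set_protected_address(self, protected, recipients):
        self.whitelists[protected] = set(recipients)

    def is_transfer_allowed(self, sender, recipient, amount, now):
        allowed = self.whitelists.get(sender)
        if allowed is not None and recipient not in allowed:
            raise TransferReverted("recipient not whitelisted")

class SingleLimitProtection:
    """Caps outflow from a protected sender per period (assumed fixed windows)."""
    def __init__(self):
        self.limits = {}  # protected address -> mutable limit state

    def set_limit(self, protected, period_seconds, per_period, start_time):
        self.limits[protected] = {"period": period_seconds, "cap": per_period,
                                  "window_start": start_time, "left": per_period}

    def is_transfer_allowed(self, sender, recipient, amount, now):
        lim = self.limits.get(sender)
        if lim is None:
            return  # sender is not protected by this strategy
        elapsed = now - lim["window_start"]
        if elapsed >= lim["period"]:
            # Move to the window containing `now` and refill the allowance.
            lim["window_start"] += (elapsed // lim["period"]) * lim["period"]
            lim["left"] = lim["cap"]
        if amount > lim["left"]:
            raise TransferReverted("period limit exceeded")
        lim["left"] -= amount

def attempt(strategy, sender, recipient, amount, now):
    """Hypothetical controller hook: True if the transfer goes through."""
    try:
        strategy.is_transfer_allowed(sender, recipient, amount, now)
        return True
    except TransferReverted:
        return False
```

Unprotected senders pass both checks untouched, so only addresses configured by the protectionAdmin are constrained.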
