Catalyst Vault

SPEC_CATALYST_VAULT — Catalyst Vault Architecture

Version: 1.0 | Status: AUTHORIZED | Authority: α.13 | Date: 2026-04-16

---

PURPOSE

The Base Catalyst Vault is a gas-aware, Φ-gated ERC-4626 stablecoin yield aggregator deployed on Base mainnet. It solves two structural problems for sub-$100 portfolios: transaction cost friction and APY fragmentation. Users deposit stablecoins once; the Vault routes capital to the highest-verified yield source and rebalances only when the gas-adjusted net gain justifies movement. The Vault enforces the CGNT-1 coherence constant Φ = 0.042 as a structural safety margin on every rebalance decision. Deployment is Phase 3 — authorized in design (2026-04-05), deployment follows the 100-day TMM challenge.

---

INPUTS

• User deposit: USDC or USDbC on Base mainnet
• APY feed: current basis-point yield per strategy, updated by keeper every 15 minutes
• Gas price feed: current Base gas price in wei, updated by keeper every 15 minutes
• Rebalance request: issued by keeper when Φ-Gate logic passes
• Strategy allowlist: maintained by NOUS via addStrategy() / removeStrategy()
• NOUS authorization: required for allowlist changes, pause/unpause, TVL cap changes

---

OUTPUTS

• ERC-4626 vault shares issued to depositors (proportional to USDC/USDbC deposited)
• Yield accrued in active strategy; reflected in rising share price
• Rebalance events: capital moved from old strategy to new strategy (only when Φ-Gate passes)
• Vault state telemetry: active strategy, current APY, Φ-Gate status, share price
• vault_keeper.log entries: every APY poll, gas estimate, gate evaluation, and rebalance decision
• ALERT.log entry: on any adapter.isHealthy() failure

---

INVARIANTS

1. Φ-Gate is mandatory before every rebalance. No strategy switch occurs unless (newAPY - currentAPY) × capital × timeHorizonDays/365 > gasCost × (1 + Φ) passes. PHI = 42 (representing 0.042) is a compile-time constant in CatalystVault.sol. It cannot be changed at runtime.

1. No single strategy exceeds (1 − Φ) = 95.8% of vault AUM. Concentration above this threshold violates the Φ risk ceiling. The vault may not route more than 95.8% of total assets to any single adapter.

1. Only allowlisted strategies are active. activeStrategy must always be a member of strategyAllowlist. The StrategyRouter cannot route to an address not on the allowlist. Allowlist changes require NOUS (Ownable2Step owner).

1. Paymaster gas funded from yield only, never from principal. Gas sponsorship (when AA is active) is deducted from earned interest spread. The deposited principal is never consumed for operational costs.

1. TVL cap enforced at deposit. deposit() reverts if totalAssets() + assets > tvlCap. TVL cap changes require NOUS authorization. Initial cap: $500 USDC equivalent.

1. Keeper cannot withdraw or modify allowlist. The keeper's on-chain privileges are limited to calling rebalance() (a permissioned function that still requires Φ-Gate to pass). addStrategy() / removeStrategy() / pause() are NOUS-only.

1. Phased rollout is sequential — no phase skipped. Crawl (Moonwell only) → Walk (+ Compound V3 at Day 30 if stable) → Run (+ Aerodrome at Day 60 if stable) → Research (RWA on Sisters' recommendation + NOUS approval). "Stable" = no exploits, no material APY anomalies, no keeper failures during the preceding phase.

1. Allowlist inclusion criteria are invariant. A strategy may not be added without: (a) ≥6 months live on Base mainnet without exploit, (b) TVL > $5M at time of addition, (c) ≥2 independent audits, (d) explicit NOUS approval.

---

VERIFICATION CRITERIA

1. Φ-Gate simulation: Run gas scenario tests with known APY deltas and gas costs. Test must pass: (a) gate BLOCKS rebalance when gain < gas × 1.042, (b) gate ALLOWS rebalance when gain > gas × 1.042, (c) at $100 AUM with $0.05 gas, minimum APY delta to trigger is ≈ 73 bps/year. Σ.✓ iff all three cases verified.

1. ERC-4626 share math: Deposit $1 USDC → receive correct share count. Withdraw shares → receive correct USDC amount. Share price increases monotonically as yield accrues. Σ.✓ iff testnet deposit/withdraw round-trip passes.

1. Allowlist access control: A non-NOUS address calling addStrategy() or removeStrategy() must revert. A non-NOUS address calling pause() must revert. Σ.✓ iff access control tests pass on testnet.

1. Keeper isolation: Keeper calling rebalance() with a failing Φ-Gate must revert. Keeper calling addStrategy() must revert (not owner). Σ.✓ iff keeper privilege boundary tests pass.

1. TVL cap enforcement: Deposit that would push totalAssets() above cap must revert. Σ.✓ iff cap boundary test passes on testnet.

1. isHealthy() alert path: Simulate adapter.isHealthy() returning false. Σ.✓ iff keeper writes entry to ALERT.log within one polling cycle (15 min).

1. Frontend Sentinel integration: Frontend must pass CGNT1_Frontend_Sentinel_v1.0.js integrity check before enabling Web3 interaction. Σ.✓ iff sentinel blocks Web3 on tampered frontend and allows on clean.

---

FAILURE MODES

1. Φ-Gate bypass (Σ.☠ — CRITICAL): Any path that allows rebalance() to execute without passing the gate. Cause: upgrade or delegatecall attack on vault logic. Mitigation: Ownable2Step + ReentrancyGuard + immutable PHI constant + external audit.

1. APY oracle manipulation (Σ.⊖): Keeper's APY feed is spoofed, triggering rebalance to a suboptimal or malicious strategy. Mitigation: APY data is advisory only — gate still requires economic gain. Even if APY is faked upward, the gate comparison uses capital × APY delta, limiting blast radius. Allowlist prevents routing to non-approved adapters.

1. Strategy adapter exploit (Σ.☠): A protocol wrapped by an adapter is compromised (hack, rug, governance attack). Symptom: isHealthy() returns false; APY drops to 0 or goes negative. Mitigation: pause() + single-strategy withdrawal; underlying assets remain in audited protocols; $500 TVL cap limits initial blast radius.

1. Keeper key compromise (Σ.⊖): Attacker gains keeper private key. Capability: can call rebalance() — Φ-Gate still applies, allowlist still applies. Cannot withdraw funds or modify allowlist. Limited blast radius by design.

1. Frontend DNS hijack (Σ.☠): Attacker redirects client-name.42sisters.ai to malicious frontend. Mitigation: CGNT1_Frontend_Sentinel_v1.0.js + CGNT1_Interface_Guard_v1.0.sol integrity checks. Malicious frontend cannot bypass on-chain allowlist.

1. Phase promotion without stability (Σ.⊖): Walk or Run phase activated before "stable" criteria are met. Cause: keeper threshold not enforced; NOUS approves prematurely. Result: higher-risk strategy active before trust established. Mitigation: stability criteria are explicit in architecture; NOUS approval required per phase.

1. TVL cap removed prematurely (Σ.⊖): Cap raised or removed before audit confidence warrants it. Cause: demand pressure overrides caution. Result: larger AUM at risk in unaudited vault. Mitigation: cap changes require NOUS authorization; audit completion is gating criterion.

1. Paymaster principal drain (Σ.☠ — CRITICAL): Gas costs incorrectly debited from principal instead of yield spread. Cause: accounting bug in paymaster integration. Result: depositor principal eroded. Mitigation: explicit yield-only funding rule in architecture; must be verified in AA integration audit before activation.

---

DEPENDENCIES

• Base mainnet — deployment chain; L2 gas economics are the design basis
• OpenZeppelin ERC4626, Ownable2Step, ReentrancyGuard, Pausable — inherited security primitives
• CGNT1_Frontend_Sentinel_v1.0.js + CGNT1_Interface_Guard_v1.0.sol — frontend integrity layer
• keeper_catalyst.py — off-chain APY feed, gas feed, Φ-Gate evaluator, rebalance trigger
• DefiLlama API + live protocol calls — APY data sources for keeper
• Moonwell, Compound V3 Base, Aerodrome — allowlisted yield strategies (phased)
• NOUS (α.13) — governance authority for allowlist, cap, pause, phase promotion
• Sisters (ι + ε) — RWA strategy research and recommendation via TASK_QUEUE

---

DEPENDENTS

• CGNT-1 trading operations — Catalyst Vault is the primary yield vehicle for stablecoin AUM
• Phase 3 deployment plan — vault deployment is gated on 100-day TMM challenge outcome
• Sisters' DeFi domain rotation — RWA adapter research is a Sisters responsibility
• vault_keeper.log — operational record read by GAMMA and C.L.O.D. for health monitoring

---

GAPS

1. [GAP — needs design] Formal smart contract audit engagement: Audit firm not yet selected. Vault cannot deploy to mainnet without audit completion. Open item from deployment checklist.

1. [GAP — needs design] AA (Account Abstraction) integration timing: Base AA roadmap integration (Paymaster, stablecoin gas fees, batch operations) is architected but not activated. Activation requires NOUS approval + separate AA audit. No spec for transition from non-AA to AA operation.

1. [GAP — needs design] TVL cap raise criteria: Architecture states cap is raised "as assets grow and audit confidence increases" — no quantitative criteria specified. At what AUM, audit count, or time horizon does NOUS approve a cap raise?

1. [GAP — needs design] RWA adapter specification: RWA strategy is listed as "Future; pending Sisters' research output." No target protocols, risk parameters, or allowlist criteria for RWA yield sources are defined.

1. [GAP — needs design] Emergency withdrawal path: If the vault is paused (NOUS calls pause()), what is the process for users to recover principal? ERC-4626 withdraw() on a paused contract — behavior undefined in this architecture doc.

1. [GAP — needs design] Keeper uptime SLA: If keeper_catalyst.py goes offline, APY feeds and rebalance triggers stop. No watchdog, fallback keeper, or alert path for keeper downtime is specified.

1. [GAP — needs design] Phase rollback: If Compound V3 (Walk phase) shows instability after activation, is there a defined rollback path to Crawl (Moonwell only)? Rollback criteria and authorization not specified.

---

EXAMPLES

Φ-Gate calculation — rebalance blocked:

AUM = $100 USDC
currentAPY = 5.0% (Moonwell)
newAPY = 5.4% (Compound V3)
APY delta = 0.4% = 0.004
gasCost = $0.05
timeHorizon = 30 days

gain = 0.004 × 100 × (30/365) = $0.0329
gate threshold = 0.05 × 1.042 = $0.0521

$0.0329 < $0.0521 → GATE BLOCKS rebalance

Φ-Gate calculation — rebalance allowed:

AUM = $100 USDC
currentAPY = 5.0% (Moonwell)
newAPY = 7.0% (Aerodrome stable)
APY delta = 2.0% = 0.020
gasCost = $0.02
timeHorizon = 30 days

gain = 0.020 × 100 × (30/365) = $0.164
gate threshold = 0.02 × 1.042 = $0.0208

$0.164 > $0.0208 → GATE PASSES — keeper calls rebalance()

---

REFERENCES

• /home/nous/memories/CGNT1_CatalystVault_Architecture_v1.0.md — source design doc (C.L.O.D., 2026-04-05)
• /home/nous/CLAUDE.md — governance; NOUS authorization requirements
• /home/nous/memories/SPEC_TMM_FORMULA.md — TMM coherence formula; Φ = 0.042 origin
• CGNT1_Interface_Guard_v1.0.sol — frontend integrity contract (Base mainnet)
• CGNT1_Frontend_Sentinel_v1.0.js — frontend integrity script

Φ 0.042. Structure persists.

---

Jeremy Zlabis

Chronogeometer · Visionary · Disruptor · Chief

42 Sisters AI · East York, Toronto

🍁 Φ 0.042