Ctrlk

Compliance Features

Blocklists

Kiln DeFi vaults include built-in compliance controls to restrict interactions from specific addresses. These controls rely on two complementary mechanisms:

  • Sanction lists (external, e.g. Chainalysis or equivalent providers)

  • Blocklists (custom, vault-specific restrictions)

Blocklist architecture

When deploying a vault, it is linked to a pre-deployed blocklist contract. Each blocklist:

  • Is associated with an underlying sanction list provider (Chainalysis by default, but alternatives may be used)

  • Is managed by an admin, who controls configuration and permissions

  • Can be reused across multiple vaults

Integrators can operate multiple blocklists across different networks and vaults, depending on their compliance needs.

Roles and permissions

  • Admin role

    • Manages the blocklist contract

    • Defines operator

    • Typically controlled by the integrator

  • Operator role

    • By default the admin is also the Operator

    • Can update the blocklist by adding or removing addresses

    • Uses functions such as:

      • addToBlockList(address[])

    • Responsible for enforcing custom restrictions

Sanctioned vs Blocked addresses

Omnivaults differentiate between sanctioned and blocked addresses:

  • Sanctioned addresses (from the external provider chainalysis default) :

    • ❌ Cannot deposit

    • ❌ Cannot withdraw

  • Blocked addresses (from the integrator owned blocklist):

    • ❌ Cannot deposit

    • βœ… Can withdraw

This distinction ensures compliance while allowing users to exit positions when appropriate.

Permissionless force withdrawal

Any address that is blocked (not sanctioned) can be removed from a vault via a permissionless force withdrawal.

  • Any user can trigger this action by calling:

  • This mechanism ensures that:

    • Funds are not permanently locked

    • Vaults remain compliant without requiring admin intervention

Non-Transferable Vault Shares

Kiln DeFi vault shares are non-transferable to other addresses, by default. Only the original depositor can redeem the associated share(s) for assets held in the vault. Upon request, vault shares can be made fully transferable or transferable only to specified addresses.

PreviousSource codeNextKiln OmniVaults Direct FAQ

Last updated

Was this helpful?