# Compliance Features

## Blocklists

Kiln DeFi vaults include built-in compliance controls to restrict interactions from specific addresses. These controls rely on two complementary mechanisms:

* **Sanction lists** (external, e.g. Chainalysis or equivalent providers)
* **Blocklists** (custom, vault-specific restrictions)

**Blocklist architecture**

When deploying a vault, it is linked to a **pre-deployed blocklist contract**. Each blocklist:

* Is associated with an underlying **sanction list provider** (Chainalysis by default, but alternatives may be used)
* Is **managed by an admin**, who controls configuration and permissions
* Can be reused across multiple vaults

Integrators can operate multiple blocklists across different networks and vaults, depending on their compliance needs.

**Roles and permissions**

* **Admin role**
  * Manages the blocklist contract
  * Defines operator
  * Typically controlled by the integrator
* **Operator role**
  * By default the admin is also the Operator
  * Can update the blocklist by adding or removing addresses
  * Uses functions such as:
    * `addToBlockList(address[])`
  * Responsible for enforcing custom restrictions

**Sanctioned vs Blocked addresses**

Omnivaults differentiate between **sanctioned** and **blocked** addresses:

* **Sanctioned addresses** (from the external provider [chainalysis](https://www.chainalysis.com/) default) :
  * ❌ Cannot deposit
  * ❌ Cannot withdraw
* **Blocked addresses** (from the integrator owned blocklist):
  * ❌ Cannot deposit
  * ✅ Can withdraw

This distinction ensures compliance while allowing users to exit positions when appropriate.

## **Permissionless force withdrawal**

Any address that is blocked (not sanctioned) can be removed from a vault via a **permissionless force withdrawal**.

* Any user can trigger this action by calling:

```
function forceWithdraw(address blockedUser) public nonReentrant returns (uint256)
```

* This mechanism ensures that:
  * Funds are not permanently locked
  * Vaults remain compliant without requiring admin intervention

## Non-Transferable Vault Shares

Kiln DeFi vault shares are non-transferable to other addresses, by default. Only the original depositor can redeem the associated share(s) for assets held in the vault. Upon request, vault shares can be made fully transferable or transferable only to specified addresses.