Permissions & KYC

Kasu lending pools are permissioned. All Liquidity Providers must pass KYC verification before depositing. The system uses role-based access control for all administrative and operational functions.

KYC Verification

Kasu uses Compilot (formerly NexeraID) for KYC/KYB signature gating.

How It Works

  1. The Liquidity Provider initiates a deposit through the Kasu frontend

  2. The frontend calls the Compilot API with the user's address, chain ID, and function details

  3. If the user is KYC-verified, Compilot signs the request

  4. The frontend appends the signature and block expiration to the transaction calldata

  5. On-chain, KasuAllowList.verifyUserKyc() validates the signature via TxAuthDataVerifierUpgradeable

  6. If valid, the deposit proceeds

The signature verification is managed by the NexeraIDSignerManager contract deployed by Compilot on each supported chain.

Manual Allowlisting

The Kasu Admin can manually add addresses to the allowlist via KasuAllowList.allowUser(), bypassing the KYC process. This is used for institutional participants or special arrangements.

Blocklisting

The blocklist supersedes all allowlisting and KYC verification. Any address on the blocklist is prevented from depositing, regardless of KYC status. The Kasu Admin manages the blocklist via KasuAllowList.blockUser() and KasuAllowList.unblockUser().
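The decision order described in the sections above (blocklist first, then manual allowlist, then a signed approval with a block expiration), as an added Python model that is not Kasu's or Compilot's code. The class, method and field names, the message layout, and the HMAC stand-in for the on-chain signature check are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the KYC signer's key. The real system checks a
# signature on-chain; HMAC is only a placeholder so this model runs offline.
SIGNER_KEY = b"constructed-demo-key"


def sign_request(user, chain_id, function, expiry_block, key=SIGNER_KEY):
    """Signer side (step 3): bind the approval to user, chain, function, expiry."""
    msg = f"{user.lower()}|{chain_id}|{function}|{expiry_block}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class AllowListModel:
    """Hypothetical model of the deposit gate; not the KasuAllowList code."""

    def __init__(self, chain_id):
        self.chain_id = chain_id
        self.allowed = set()  # manual allowlist
        self.blocked = set()  # blocklist

    def can_deposit(self, user, function, expiry_block, signature, current_block):
        user = user.lower()
        # Blocklist supersedes both manual allowlisting and KYC signatures.
        if user in self.blocked:
            return False, "blocked"
        # Manual allowlisting bypasses the signature check.
        if user in self.allowed:
            return True, "allowlisted"
        # An approval past its block expiration is rejected even if authentic.
        if current_block > expiry_block:
            return False, "expired"
        # Recompute over this chain, caller and function, so an approval
        # issued for another context does not verify here.
        expected = sign_request(user, self.chain_id, function, expiry_block)
        if signature is None or not hmac.compare_digest(expected, signature):
            return False, "bad-signature"
        return True, "kyc-signature"
```

Binding the user, chain ID, function and expiry into the signed message is what keeps an approval from being reused by another address, on another chain, for another function, or after it has lapsed.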

Role-Based Access Control

All roles are managed through the KasuController contract, which extends OpenZeppelin's AccessControl. System-wide roles are granted/revoked by the Kasu Admin. Lending pool-specific roles are granted by the Pool Admin for each pool.

See the Roles & Access Control page for the complete role matrix.

Contracts Involved

  • KasuController.sol — Role management, system pause/unpause

  • KasuAllowList.sol — KYC verification, manual allowlisting, blocklisting (extends TxAuthDataVerifierUpgradeable)

  • vendor/nexera/ — Vendored NexeraID signature verification contracts
