Skip to main content

Olla Protocol Overview

Olla is a liquid staking protocol for Aztec. The protocol is organised into five contract groups:

  • Olla VaultOllaVault (ERC-7540/ERC-4626 vault that holds user assets, mints stAztec, and tracks async redemption requests in-place) and StAztec.
  • Olla CoreOllaCore (orchestration and accounting engine that coordinates rebalancing, staking, and fee computation), SafetyModule (deposit/withdrawal circuit breakers), and RewardsAccumulator.
  • Olla StakingStakingManager (stake/unstake/harvest against the Aztec rollup) and StakingProviderRegistry (attester key management).
  • Olla GovernanceOllaGovernance, a TimelockController that owns Core and Vault and holds DEFAULT_ADMIN_ROLE on the satellite contracts.
  • Cross-Chain BridgeStAztecOFTAdapter on the home chain and StAztecOFT on destination chains, built on LayerZero V2.

OllaVault and OllaCore are the central pair: OllaCore instructs OllaVault via CORE_ROLE during rebalance cycles, while OllaVault delegates pricing to OllaCore via view calls. The withdrawal queue lives entirely inside OllaVault.

Architecture overview

Contract architecture

Roles

User

No special role required. Any address can call these functions. Users interact with OllaVault, which implements ERC-7540 (async redemptions) and ERC-4626 (sync deposits).

Permissionless Operations

No special role required. Anyone can call these functions (rebalance is cooldown-gated).

Guardian

Requires GUARDIAN_ROLE on OllaCore, OllaVault, and SafetyModule.

Staking Provider Admin

Requires STAKING_PROVIDER_ADMIN_ROLE on StakingProviderRegistry.

Governance

The governance admin wallet holds the timelock's proposer, executor, and canceller roles on OllaGovernance, which inherits TimelockControllerUpgradeable. All parameter changes, upgrades, and governance handovers must be scheduled, wait for the timelock delay, and then executed. The OllaGovernance contract itself is the owner() of OllaCore and OllaVault (via Ownable2Step) and holds DEFAULT_ADMIN_ROLE on every satellite contract.

The two emergency entry points (emergencyPauseAll() / emergencyUnpauseAll()) skip the timelock and are gated by an explicit governanceAdmin check so they can fire immediately during an incident.

Action references