Concept
How Elyx works.
Without trusting a third party.
Elyx is the combination of two mature primitives: a Gnosis Safe holds your assets, and a Zodiac Roles modifier restricts the bot wallet to a tightly defined list of allowed actions. The bot makes rebalance decisions — but it can never extract your funds.
Architecture
Three layers, each with a clear purpose and an independent trust model.
Safe vault — your property
A Gnosis Safe (the industry standard for multi-sig on Ethereum) holds every token. You are the sole owner. With one click in the Safe UI you can at any moment send any token to any address — including disabling the bot module immediately.
Zodiac Roles — permission gate
A Zodiac Roles modifier sits between the bot EOA and the Safe. It checks every tx attempt against an allowlist of targets and function selectors. Example: USDC.approve() is allowed; USDC.transfer() is forbidden — even if the bot key is stolen, no one can extract tokens.
Bot EOA — hot wallet with minimal rights
A separate hot wallet reads market data, computes drift against the target, decides whether a rebalance is needed, and sends the tx through the Roles gate. The key for this wallet sits offline in macOS Keychain on the bot host. Loss = no damage, because Roles limits the action surface.
How an investment runs
Deploy your Safe
Through the official Safe UI (app.safe.global) you create a single-owner Safe on Base. Owner wallet = your hardware wallet (Ledger recommended).
Install Zodiac Roles
The Roles module is enabled as a Safe module and configured with an allowlist: KyberSwap aggregator (for trades) + ERC20.approve (for token approvals) + bridge adapters (for later multi-chain strategies).
Register bot EOA as a member
A separate hot wallet is added as a Roles member. It can only run the allowlisted actions. You retain owner rights to swap out or disable the bot wallet.
Pick a strategy + deposit USDC
You pick a risk profile (Preserve, Conservative, Aggressive) and transfer USDC from your owner wallet into the Safe.
Bot starts the autonomous loop
The bot reads the Safe state periodically (e.g. hourly), computes asset drift vs the target, fetches quotes from the KyberSwap aggregator, and triggers trades when drift crosses the threshold — all autonomous, fully on-chain.
Snapshots + dashboard
Every tick produces a JSON snapshot with NAV, composition, drift, trade hashes. Your dashboard reads those snapshots and visualises NAV history, allocation, drawdown, trade history.
What the bot can — and cannot — do
What the bot can do (allowlist)
- Swap USDC, WETH, cbBTC via the KyberSwap aggregator
- Set token approvals for the aggregator router
- Read snapshots of the Safe state
- Send trade tx to the Roles modifier address
What the bot CANNOT do
- Transfer tokens to external addresses — only back to the Safe itself
- Change Safe owner rights or disable Safe modules
- Add new targets to the allowlist — only the Safe owner can
- Move funds into pools / lending protocols not in the Roles config
No provider lock-in
You don't run through a custody platform, no central API, no multi-sig that holds us in. Safe and Zodiac are open source and built on Ethereum standards. If Reto Grau Consulting disappeared tomorrow, your vault keeps running — you can swap out the bot at any time because you still hold owner rights to the Safe.