Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.usecompassai.com/llms.txt

Use this file to discover all available pages before exploring further.

The trust model in Compass is the contract, not the operator. The agent is bounded by code your smart account enforces — it cannot withdraw, cannot upgrade itself into withdrawing, and cannot route outside the rules you wrote.
This page is the answer to one question: “What is the worst thing the Compass team — or a compromised LLM, or a malicious agent operator — can do to my funds?” The short version: route inside your rules, or stop working. Nothing else. trust security diagram Three signers, three different scopes. The owner has total authority. The agent and the upgrade authority each have narrow, on-chain-enforced powers — and the cells marked in red are not policy promises, they are call-graph restrictions that revert if attempted.

What the agent can do

Your smart account grants the agent a scoped session key — a key with explicit on-chain limits on what it can call. The agent can:
  • Call whitelisted protocol functions on whitelisted venues — for example, supply and withdraw on a whitelisted lending protocol.
  • Initiate cross-chain transfers of USDC between supported chains via Circle Gateway.
  • Spend up to a per-route cap and per-day cap that you set.
The session key is checked at the contract level on every call. Out-of-policy calls revert before they execute. See Session keys.

What the agent cannot do

The agent cannot:
  • Withdraw to any address other than your owner address. Only the owner EOA can withdraw funds. The session key has no permission for this path.
  • Add new protocols or chains to its own whitelist. Whitelist changes are owner-only and require an owner signature.
  • Upgrade the account to remove restrictions. See “Upgrade authority” below.
  • Pause withdrawals. The owner can always exit, even if the agent is offline, paused, or rejecting plans.
These are not policy promises. They are call-graph restrictions enforced by the Diamond account’s Security and Ownership facets. See Diamond account.

Upgrade authority — Add-only, owner-revocable

Compass uses a custom ERC-2535 Diamond. A multisig-controlled authority can ship new facets to your account — for example, support for a new venue like Morpho or Curve — without the team taking custody. The authority’s power is cryptographically bounded:
  • Add-only. The authority can register new selectors. It cannot Replace or Remove existing ones.
  • No reach into core facets. It cannot touch Security, Ownership, DiamondCut, Loupe, or its own selectors.
  • No owner change. It cannot transfer ownership of your account.
  • No fund movement. It has no path to call USDC transfer from your account.
If you do not want this — even with the limits above — you call userRevokeUpgradeAuthority on your account. From that point your Diamond is upgrade-frozen and reverts to plain EIP-2535 behavior. See Authority & upgrade model.

What happens when things go wrong

A safety-first design means liveness fails before safety fails:
  • Chain outage mid-route. The cross-chain step uses an EIP-712 BurnIntent, not a broadcast transaction. The intent can be retried after the chain recovers. Compass pauses rather than rerouting mid-flight.
  • Indexer lag. The deterministic loop assumes lag and retries on a 60-second window. Plans are idempotent.
  • LLM produces something wrong. The plan is rejected by the policy engine, never broadcast. The LLM cannot bypass the engine because the LLM does not sign transactions.
  • Agent operator goes down. Your funds stay in your smart account. You withdraw from the dashboard or directly from your owner EOA.

Trust assumptions, stated plainly

What you do have to trust:
  • The Diamond’s Security and Ownership facets are correct. These enforce the rules above. They have not been audited yet. See Status below.
  • Circle Gateway settles correctly. Compass uses Gateway as the cross-chain primitive. Trust in Gateway is trust in Circle.
  • The deployed contracts match the published source. Compass publishes source and addresses for all account facets.
What you do not have to trust:
  • The Compass team’s intentions over time. Revoke upgrade authority and you are on plain EIP-2535.
  • The agent operator’s uptime. Your funds are not in their custody.
  • The LLM’s reasoning. It does not sign transactions.

Status

Compass is on Arc Testnet. Contracts have not yet been audited. Funds are testnet only. Audit and mainnet timing track Arc’s mainnet launch. The trust model above is the design — this page will be updated with audit reports as they land.

Next steps

Diamond account

The smart account architecture and facet boundaries.

Session keys

On-chain enforcement of the agent’s permissions.

Authority & upgrade model

Add-only authority, what it can ship, and how to revoke it.

Audit trail

Every decision the agent makes, logged and replayable.