Safety

• Depositor-only withdrawal. A position's NFT and its ETH backing can only ever be withdrawn by the depositor who paired them. Regardless of the protocol's state, paused, in emergency mode, or after ownership is renounced, the team can never withdraw, move, or seize a deposited pairing. An un-allocated position is always returnable to its depositor, and only a fair VRF selection can send it to a purchaser.
• Loading phase. The pool deploys with acquisitions off, so positions can be stocked before the protocol goes live.
• Withdrawal lock. For a few blocks after each acquisition, depositors can't withdraw or re-price, so a fresh purchaser's pool can't be pulled out from under them before their number arrives. It's capped at a hard maximum.
• Emergency exit. The team can halt acquisitions and deposits while letting depositors withdraw immediately. Resolutions still settle, so nothing locks up.
• Collection allowlist (optional): limits which NFT collections can be deposited; it never blocks existing positions, acquisitions, or settlements.
• Minimum backing (optional): a floor that keeps dust positions from distorting prices and selection weights.
• Hardened transfers. Standard reentrancy protection throughout, and ETH payouts use a send that can't be blocked by a hostile recipient¹, so no one can freeze a refund or payout.

Most of these controls exist for the launch period, while the pool is small and still being tuned. The goal is for the team to stay as hands-off as possible and to give up control over time: opening the market, settling the parameters, then eventually renouncing ownership so the protocol runs on its own, with no one able to pause it, change its parameters, or redirect its fees. Escrowed backing and earned balances are already beyond the owner's reach at all times; renouncing removes the remaining levers.