The policy controller is an intermediate layer that sits between DAO governance and the DEX contract itself. Policy is coordinated by the CrocPolicy smart contract which has direct administrative authority over the DEX contract. Governance decisions are called as resolutions in the policy contract, which directly pass through an arbitrary protocol commands to the DEX contract interface.

Protocol commands can be invoked with or without escalated privilege (sudo mode). Sudo mode is required for all major operations in the CrocSwapDexcontract, including upgrading code, transferring authority to a new controller or disbursing accumulated protocol fees. Only the treasury and emergency multisigs can call protocol commands in sudo mode.

The policy layer can also delegate a restricted set of administrative controls on the CrocSwapDex contract to external policy oracles. Governance can install a policy conduit which defines a narrow mapping between a fixed address and a narrow subset of protocol commands. The policy oracle can then independently and directly invoke these protocol commands.

The purpose of a policy oracle is to dynamically extend the base capabilities of the protocol in a modular, safely contained and pre-defined avenue without having to directly upgrade the underlying DEX contract code. An example of a policy oracle is a smart contract that dynamically adjusts the liquidity fee in a pool based on market conditions. This allows governance to offload that responsibility to a deterministic oracle.