Keeper Bounties
The flywheel runs itself because anyone can call the maintenance instructions — claiming fees, swapping to PYUSD, depositing to Kamino, harvesting yield — and earn a small, bounded bounty for doing it. This is what makes the protocol permissionless: it doesn't depend on the team being online.
The bounties
| Action | Rule | Cap |
|---|---|---|
claimFees() | 0.25% of claimed fees | $20 |
swapToPYUSD() | 0.25% of swapped amount | $20 |
depositToKamino() | fixed bounty | $1 |
harvestYield() | 1% of harvested yield | $10 |
Each bounty is capped, so a keeper can never extract more than a small, predictable amount per call regardless of how large the underlying flow is.
Where the keeper budget comes from
The flywheel's 15% keeper leg funds this automation (see The Flywheel). The fee-share and other modules likewise reserve a keeper/automation slice. The bounties are the incentive that keeps independent operators calling the crank.
Keepers can't drain
A keeper triggers protocol work; it is never a custodian:
- All funds live in program PDAs; only the program's hardcoded logic moves them.
- A keeper's only economic output is the capped bounty for the specific action.
- The secondary-marketplace keeper (a Cloudflare cron) likewise only detects deposits and
triggers settlement — the
ions_marketprogram/PDA is the sole fund authority and the keeper cannot redirect funds. See Marketplace Architecture.
Single-flighting
The marketplace keeper is single-flighted — never two runs racing the same deposit — and payouts are two-phase (owed → paid) with signature-keyed idempotency so a settlement can never double-pay. See the fund-safety invariants.
Permissionless + bounded + non-custodial is the design: the machine keeps spinning, anyone can spin it, and nobody can steal from it.