allocator
can sign messages authorizing the withdrawal of funds from the depository. As such the allocator
itself has to be trusted to only sign messages if the user’s intent was successfully filled.
The contract is not upgradable, meaning that once deployed, the code cannot be changed.