# CCIP Access Control Documentation

**Date**: 2025-01-12
**Network**: ChainID 138

---

## Overview

This document describes the access control mechanisms for all CCIP contracts and components.

---

## Contract Ownership and Admin

### CCIP Router

**Address**: `0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817`

**Access Control**:
- **Owner/Admin**: Unknown (requires deployment transaction or contract storage query)
- **Public Functions**: `ccipSend()`, `getFee()`, `getOnRamp()`
- **Admin Functions**: Configuration changes (if any)

**Verification**:
```bash
# RPC_URL must point at a JSON-RPC endpoint for ChainID 138
# Try to get owner (if function exists); the call reverts if it does not
cast call 0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817 "owner()(address)" --rpc-url "$RPC_URL"

# Check deployment transaction for owner
# (requires transaction hash)
```

### CCIP Sender

**Address**: `0x105F8A15b819948a89153505762444Ee9f324684`

**Access Control**:
- **Owner/Admin**: Unknown
- **Public Functions**: Message sending functions
- **Admin Functions**: Configuration changes (if any)

### CCIPWETH9Bridge

**Address**: `0xcacfd227A040002e49e2e01626363071324f820a`

**Access Control**:
- **Owner/Admin**: Unknown
- **Public Functions**: `sendCrossChain()`, `destinations()`
- **Admin Functions**: `addDestination()`, `removeDestination()` (if it exists)

**Verification**:
```bash
# Try to get owner; "(address)" makes cast decode the return value
cast call 0xcacfd227A040002e49e2e01626363071324f820a "owner()(address)" --rpc-url "$RPC_URL"
```

### CCIPWETH10Bridge

**Address**: `0xe0E93247376aa097dB308B92e6Ba36bA015535D0`

**Access Control**:
- **Owner/Admin**: Unknown
- **Public Functions**: `sendCrossChain()`, `destinations()`
- **Admin Functions**: `addDestination()`, `removeDestination()` (if it exists)

---

## Function Access Levels

### Public Functions (Anyone Can Call)

#### Bridge Contracts

**`sendCrossChain(uint64, address, uint256)`**
- **Access**: Public
- **Requirements**:
  - User must have approved the bridge to spend tokens
  - User must have sufficient balance
  - Destination must be configured
  - Bridge must have sufficient LINK for fees

**`destinations(uint64)`**
- **Access**: Public (view function)
- **Returns**: Bridge address for destination chain

#### Router

**`ccipSend(...)`**
- **Access**: Public
- **Requirements**: Valid message, sufficient fees

**`getFee(uint64, bytes)`**
- **Access**: Public (view function)
- **Returns**: Fee amount

### Admin Functions (Owner/Admin Only)

#### Bridge Contracts

**`addDestination(uint64, address)`**
- **Access**: Owner/Admin only
- **Purpose**: Add destination chain to routing table
- **Security**: Critical: only the owner should call it

**`removeDestination(uint64)`** (if it exists)
- **Access**: Owner/Admin only
- **Purpose**: Remove destination chain from routing table

---

## Access Control Patterns

### Ownable Pattern

Many contracts use OpenZeppelin's `Ownable` pattern:
- Single owner address
- `owner()` function returns owner
- `onlyOwner` modifier for admin functions
- `transferOwnership()` to change owner

### Role-Based Access Control (RBAC)

Some contracts may use role-based access:
- Multiple roles (admin, operator, etc.)
- `hasRole()` function to check roles
- `grantRole()` and `revokeRole()` functions

### Multi-Sig Pattern

For critical operations, multi-sig wallets may be used:
- Multiple owners required
- Threshold for operations
- Enhanced security

---

## Security Considerations

### Owner Address Security

1. **Private Key Protection**: Owner private key must be secured
2. **Multi-Sig**: Consider using multi-sig for owner
3. **Timelock**: Consider timelock for critical operations
4. **Monitoring**: Monitor owner changes

### Function Access Security

1. **Input Validation**: All functions should validate inputs
2. **Reentrancy Protection**: Use reentrancy guards
3. **Access Modifiers**: Properly use access modifiers
4. **Event Logging**: Log all admin operations

---

## Retrieving Owner Addresses

### Method 1: Contract Function

If the contract implements `owner()`:
```bash
# CONTRACT_ADDRESS and RPC_URL must be set; "(address)" decodes the result
cast call "$CONTRACT_ADDRESS" "owner()(address)" --rpc-url "$RPC_URL"
```

### Method 2: Deployment Transaction

1. Find deployment transaction hash
2. Decode transaction
3. Extract owner from constructor parameters

### Method 3: Contract Storage

1. Find owner storage slot
2. Read storage value
3. Convert to address
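
Steps 2 and 3 of Method 3 as a shell sketch. This is an added example, not part of the original document: it assumes Foundry's `cast storage`, and the function names and the slot number in the usage line are chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example for Method 3: read a storage slot and convert the 32-byte
# word to an address. Which slot holds the owner depends on the contract's
# storage layout; slot 0 in the usage line below is only a guess.

# word_to_address WORD
# Prints the low 20 bytes of WORD as a 0x-prefixed address. Fails when WORD
# is not a 32-byte hex word or when its upper 12 bytes are non-zero, which
# means the slot is packed with other variables or is not an address.
word_to_address() {
  wta_word="$(printf '%s' "${1#0x}" | tr 'A-F' 'a-f')"
  case "$wta_word" in
    *[!0-9a-f]*) echo "not a hex word" >&2; return 1 ;;
  esac
  if [ "${#wta_word}" -ne 64 ]; then
    echo "expected 32 bytes, got ${#wta_word} hex chars" >&2
    return 1
  fi
  wta_pad="$(printf '%s' "$wta_word" | cut -c1-24)"
  wta_addr="$(printf '%s' "$wta_word" | cut -c25-64)"
  case "$wta_pad" in
    *[!0]*) echo "upper 12 bytes set: not a lone address" >&2; return 1 ;;
  esac
  printf '0x%s\n' "$wta_addr"
}

# read_address_slot CONTRACT SLOT RPC_URL
# Steps 2 and 3 together: fetch the slot with `cast storage`, then convert.
read_address_slot() {
  ras_raw="$(cast storage "$1" "$2" --rpc-url "$3")" || return 1
  word_to_address "$ras_raw"
}

# Usage (slot number is an assumption to confirm against the source code):
#   read_address_slot <contract_address> 0 "$RPC_URL"
```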

### Method 4: Contract Verification

1. Verify contract on Blockscout
2. Check verified source code
3. Identify owner from code

---

## Monitoring Access Control

### Recommended Monitoring

1. **Owner Changes**: Alert on ownership transfers
2. **Admin Operations**: Log all admin function calls
3. **Access Attempts**: Monitor failed access attempts
4. **Configuration Changes**: Track all configuration changes

### Monitoring Script

Create a script to monitor access control:
```bash
# Monitor owner changes
# Monitor admin function calls
# Alert on suspicious activity
```
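
One way to cover the owner-change item is to compare each contract's current `owner()` with a recorded baseline. This is an added example, not a script from the original document: the baseline file format and the function names are assumptions, and it only works for contracts that expose `owner()`.

```bash
#!/usr/bin/env bash
# Added example: owner-change check against a recorded baseline.
# Baseline file format (an assumption of this example): one
# "<contract_address> <expected_owner>" pair per line.

lower() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# classify_owner BASELINE CURRENT -> OK | CHANGED | RENOUNCED | ERROR
# Comparison is case-insensitive because cast prints checksummed addresses.
classify_owner() {
  co_base="$(lower "$1")"; co_cur="$(lower "$2")"; co_hex="${co_cur#0x}"
  # A failed RPC call or a revert leaves something that is not an address.
  if [ "${#co_cur}" -ne 42 ] || [ "$co_hex" = "$co_cur" ]; then
    echo ERROR; return 0
  fi
  case "$co_hex" in *[!0-9a-f]*) echo ERROR; return 0 ;; esac
  # Zero address: ownership was renounced, admin functions are locked.
  case "$co_hex" in *[!0]*) ;; *) echo RENOUNCED; return 0 ;; esac
  if [ "$co_cur" = "$co_base" ]; then echo OK; else echo CHANGED; fi
}

# check_baseline FILE RPC_URL
# Prints one status line per contract and returns non-zero if any entry is
# not OK, so a cron job or CI step can alert on the exit code.
check_baseline() {
  cb_rc=0
  while read -r cb_contract cb_owner; do
    [ -n "$cb_contract" ] || continue
    cb_now="$(cast call "$cb_contract" "owner()(address)" \
      --rpc-url "$2" </dev/null 2>/dev/null)" || cb_now=""
    cb_status="$(classify_owner "$cb_owner" "$cb_now")"
    echo "$cb_status $cb_contract baseline=$cb_owner current=${cb_now:-none}"
    [ "$cb_status" = OK ] || cb_rc=1
  done < "$1"
  return "$cb_rc"
}

# Usage: check_baseline owners.baseline "$RPC_URL" || <send alert>
```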

---

## Best Practices

1. **Document Owners**: Document all contract owners
2. **Secure Keys**: Use hardware wallets or secure key management
3. **Multi-Sig**: Use multi-sig for critical contracts
4. **Timelock**: Use timelock for important changes
5. **Monitoring**: Monitor all access control changes
6. **Regular Audits**: Regularly audit access control

---

## Related Documentation

- [CCIP Security Best Practices](./CCIP_SECURITY_BEST_PRACTICES.md) (Task 128)
- [CCIP Configuration Status](./CCIP_CONFIGURATION_STATUS.md)
- [Complete Task Catalog](./CCIP_COMPLETE_TASK_CATALOG.md)

---

**Last Updated**: 2025-01-12