explorer-monorepo/docs/CCIP_ACCESS_CONTROL.md

# CCIP Access Control Documentation

**Date**: 2025-01-12  
**Network**: ChainID 138

---

## Overview

This document describes the access control mechanisms for all CCIP contracts and components.

---

## Contract Ownership and Admin

### CCIP Router

**Address**: `0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817`

**Access Control**:
- **Owner/Admin**: Unknown (requires deployment transaction or contract storage query)
- **Public Functions**: `ccipSend()`, `getFee()`, `getOnRamp()`
- **Admin Functions**: Configuration changes (if any)

**Verification**:
```bash
# Try to get owner (if function exists)
cast call 0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817 "owner()" --rpc-url <rpc_url>

# Check deployment transaction for owner
# (requires transaction hash)
```

### CCIP Sender

**Address**: `0x105F8A15b819948a89153505762444Ee9f324684`

**Access Control**:
- **Owner/Admin**: Unknown
- **Public Functions**: Message sending functions
- **Admin Functions**: Configuration changes (if any)

### CCIPWETH9Bridge

**Address**: `0xcacfd227A040002e49e2e01626363071324f820a`

**Access Control**:
- **Owner/Admin**: Unknown
- **Public Functions**: `sendCrossChain()`, `destinations()`
- **Admin Functions**: `addDestination()`, `removeDestination()` (if exists)

**Verification**:
```bash
# Try to get owner
cast call 0xcacfd227A040002e49e2e01626363071324f820a "owner()" --rpc-url <rpc_url>
```

### CCIPWETH10Bridge

**Address**: `0xe0E93247376aa097dB308B92e6Ba36bA015535D0`

**Access Control**:
- **Owner/Admin**: Unknown
- **Public Functions**: `sendCrossChain()`, `destinations()`
- **Admin Functions**: `addDestination()`, `removeDestination()` (if exists)

---

## Function Access Levels

### Public Functions (Anyone Can Call)

#### Bridge Contracts

**`sendCrossChain(uint64, address, uint256)`**
- **Access**: Public
- **Requirements**: 
  - User must have approved bridge to spend tokens
  - User must have sufficient balance
  - Destination must be configured
  - Bridge must have sufficient LINK for fees

**`destinations(uint64)`**
- **Access**: Public (view function)
- **Returns**: Bridge address for destination chain

#### Router

**`ccipSend(...)`**
- **Access**: Public
- **Requirements**: Valid message, sufficient fees

**`getFee(uint64, bytes)`**
- **Access**: Public (view function)
- **Returns**: Fee amount

### Admin Functions (Owner/Admin Only)

#### Bridge Contracts

**`addDestination(uint64, address)`**
- **Access**: Owner/Admin only
- **Purpose**: Add destination chain to routing table
- **Security**: Critical - only owner should call

**`removeDestination(uint64)`** (if exists)
- **Access**: Owner/Admin only
- **Purpose**: Remove destination chain from routing table

---

## Access Control Patterns

### Ownable Pattern

Many contracts use OpenZeppelin's `Ownable` pattern:
- Single owner address
- `owner()` function returns owner
- `onlyOwner` modifier for admin functions
- `transferOwnership()` to change owner

### Role-Based Access Control (RBAC)

Some contracts may use role-based access:
- Multiple roles (admin, operator, etc.)
- `hasRole()` function to check roles
- `grantRole()` and `revokeRole()` functions

### Multi-Sig Pattern

For critical operations, multi-sig wallets may be used:
- Multiple owners required
- Threshold for operations
- Enhanced security

---

## Security Considerations

### Owner Address Security

1. **Private Key Protection**: Owner private key must be secured
2. **Multi-Sig**: Consider using multi-sig for owner
3. **Timelock**: Consider timelock for critical operations
4. **Monitoring**: Monitor owner changes

### Function Access Security

1. **Input Validation**: All functions should validate inputs
2. **Reentrancy Protection**: Use reentrancy guards
3. **Access Modifiers**: Properly use access modifiers
4. **Event Logging**: Log all admin operations

---

## Retrieving Owner Addresses

### Method 1: Contract Function

If contract implements `owner()`:
```bash
cast call <contract_address> "owner()" --rpc-url <rpc_url>
```

### Method 2: Deployment Transaction

1. Find deployment transaction hash
2. Decode transaction
3. Extract owner from constructor parameters

### Method 3: Contract Storage

1. Find owner storage slot
2. Read storage value
3. Convert to address

### Method 4: Contract Verification

1. Verify contract on Blockscout
2. Check verified source code
3. Identify owner from code

---

## Monitoring Access Control

### Recommended Monitoring

1. **Owner Changes**: Alert on ownership transfers
2. **Admin Operations**: Log all admin function calls
3. **Access Attempts**: Monitor failed access attempts
4. **Configuration Changes**: Track all configuration changes

### Monitoring Script

Create script to monitor access control:
```bash
# Monitor owner changes
# Monitor admin function calls
# Alert on suspicious activity
```

---

## Best Practices

1. **Document Owners**: Document all contract owners
2. **Secure Keys**: Use hardware wallets or secure key management
3. **Multi-Sig**: Use multi-sig for critical contracts
4. **Timelock**: Use timelock for important changes
5. **Monitoring**: Monitor all access control changes
6. **Regular Audits**: Regularly audit access control

---

## Related Documentation

- [CCIP Security Best Practices](./CCIP_SECURITY_BEST_PRACTICES.md) (Task 128)
- [CCIP Configuration Status](./CCIP_CONFIGURATION_STATUS.md)
- [Complete Task Catalog](./CCIP_COMPLETE_TASK_CATALOG.md)

---

**Last Updated**: 2025-01-12