explorer-monorepo/docs/TOKENFACTORY138_CRITICAL_ISSUE.md

TokenFactory138 Critical Issue - Role Permissions

Date: 2025-12-24
Severity: ⚠️ CRITICAL - Will cause deployment failures

---

🚨 Problem

TokenFactory138 calls PolicyManager functions that require POLICY_OPERATOR_ROLE:

// In TokenFactory138.deployToken() - lines 85-88
IPolicyManager(policyManager).setLienMode(token, config.defaultLienMode);
IPolicyManager(policyManager).setBridgeOnly(token, config.bridgeOnly);
IPolicyManager(policyManager).setBridge(token, config.bridge);

But PolicyManager requires POLICY_OPERATOR_ROLE:

// In PolicyManager
function setLienMode(...) external override onlyRole(POLICY_OPERATOR_ROLE)
function setBridgeOnly(...) external override onlyRole(POLICY_OPERATOR_ROLE)
function setBridge(...) external override onlyRole(POLICY_OPERATOR_ROLE)

Current deployment script (DeployChain138.s.sol line 122) grants the role to config.policyOperator (a person/address), NOT to TokenFactory138 contract itself.

---

✅ Solution

The deployment script needs to grant POLICY_OPERATOR_ROLE to TokenFactory138:

// After deploying TokenFactory138 (around line 122)
policyManager.grantRole(policyManager.POLICY_OPERATOR_ROLE(), address(factory));

---

🔧 Fix Required

Update script/emoney/DeployChain138.s.sol:

Current (line 122):

policyManager.grantRole(policyManager.POLICY_OPERATOR_ROLE(), config.policyOperator);

Should be (add after line 121):

// Grant POLICY_OPERATOR_ROLE to TokenFactory138 so it can configure tokens
policyManager.grantRole(policyManager.POLICY_OPERATOR_ROLE(), address(factory));
// Also grant to policyOperator for manual operations
policyManager.grantRole(policyManager.POLICY_OPERATOR_ROLE(), config.policyOperator);

---

✅ Compilation Test

Before fixing, test compilation:

cd /home/intlc/projects/proxmox/smom-dbis-138

# Test compilation
forge build --via-ir --contracts contracts/emoney/TokenFactory138.sol

# If successful, check for the role issue in deployment script
grep -A 5 "POLICY_OPERATOR_ROLE" script/emoney/DeployChain138.s.sol

---

📋 Action Items

1. ✅ Test compilation (use --via-ir)
2. ⏳ Fix deployment script to grant role to TokenFactory138
3. ⏳ Test deployment script (dry run)
4. ⏳ Deploy TokenFactory138

---

Last Updated: 2025-12-24