d-bis/explorer-monorepo
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0ca14deb4cc9102e088f4d7b86fbcd05abd3d0a0
explorer-monorepo/docs/CCIP_ACCESS_CONTROL.md
defiQUG d02ee71cf6 Update CCIP Router and Bridge Addresses for ChainID 138 
- Changed CCIP Router address from `0x8078A09637e47Fa5Ed34F626046Ea2094a5CDE5e` to `0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817` across multiple documentation files.
- Updated WETH9 Bridge address from `0x89dd12025bfCD38A168455A44B400e913ED33BE2` to `0xcacfd227A040002e49e2e01626363071324f820a`.
- Ensured all references to the new addresses are consistent throughout the documentation.

This update reflects the latest deployment configurations and ensures accurate contract references for ChainID 138.
2026-03-24 22:49:29 -07:00

225 lines
5.3 KiB
Markdown
Raw Blame History

# CCIP Access Control Documentation
**Date**: 2025-01-12
**Network**: ChainID 138
---
## Overview
This document describes the access control mechanisms for all CCIP contracts and components.
---
## Contract Ownership and Admin
### CCIP Router
**Address**: `0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817`
**Access Control**:
- **Owner/Admin**: Unknown (requires deployment transaction or contract storage query)
- **Public Functions**: `ccipSend()`, `getFee()`, `getOnRamp()`
- **Admin Functions**: Configuration changes (if any)
**Verification**:
```bash
# Try to get owner (if function exists)
cast call 0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817 "owner()" --rpc-url <rpc_url>
# Check deployment transaction for owner
# (requires transaction hash)
```
### CCIP Sender
**Address**: `0x105F8A15b819948a89153505762444Ee9f324684`
**Access Control**:
- **Owner/Admin**: Unknown
- **Public Functions**: Message sending functions
- **Admin Functions**: Configuration changes (if any)
### CCIPWETH9Bridge
**Address**: `0xcacfd227A040002e49e2e01626363071324f820a`
**Access Control**:
- **Owner/Admin**: Unknown
- **Public Functions**: `sendCrossChain()`, `destinations()`
- **Admin Functions**: `addDestination()`, `removeDestination()` (if exists)
**Verification**:
```bash
# Try to get owner
cast call 0xcacfd227A040002e49e2e01626363071324f820a "owner()" --rpc-url <rpc_url>
```
### CCIPWETH10Bridge
**Address**: `0xe0E93247376aa097dB308B92e6Ba36bA015535D0`
**Access Control**:
- **Owner/Admin**: Unknown
- **Public Functions**: `sendCrossChain()`, `destinations()`
- **Admin Functions**: `addDestination()`, `removeDestination()` (if exists)
---
## Function Access Levels
### Public Functions (Anyone Can Call)
#### Bridge Contracts
**`sendCrossChain(uint64, address, uint256)`**
- **Access**: Public
- **Requirements**:
- User must have approved bridge to spend tokens
- User must have sufficient balance
- Destination must be configured
- Bridge must have sufficient LINK for fees
**`destinations(uint64)`**
- **Access**: Public (view function)
- **Returns**: Bridge address for destination chain
#### Router
**`ccipSend(...)`**
- **Access**: Public
- **Requirements**: Valid message, sufficient fees
**`getFee(uint64, bytes)`**
- **Access**: Public (view function)
- **Returns**: Fee amount
### Admin Functions (Owner/Admin Only)
#### Bridge Contracts
**`addDestination(uint64, address)`**
- **Access**: Owner/Admin only
- **Purpose**: Add destination chain to routing table
- **Security**: Critical - only owner should call
**`removeDestination(uint64)`** (if exists)
- **Access**: Owner/Admin only
- **Purpose**: Remove destination chain from routing table
---
## Access Control Patterns
### Ownable Pattern
Many contracts use OpenZeppelin's `Ownable` pattern:
- Single owner address
- `owner()` function returns owner
- `onlyOwner` modifier for admin functions
- `transferOwnership()` to change owner
### Role-Based Access Control (RBAC)
Some contracts may use role-based access:
- Multiple roles (admin, operator, etc.)
- `hasRole()` function to check roles
- `grantRole()` and `revokeRole()` functions
### Multi-Sig Pattern
For critical operations, multi-sig wallets may be used:
- Multiple owners required
- Threshold for operations
- Enhanced security
---
## Security Considerations
### Owner Address Security
1. **Private Key Protection**: Owner private key must be secured
2. **Multi-Sig**: Consider using multi-sig for owner
3. **Timelock**: Consider timelock for critical operations
4. **Monitoring**: Monitor owner changes
### Function Access Security
1. **Input Validation**: All functions should validate inputs
2. **Reentrancy Protection**: Use reentrancy guards
3. **Access Modifiers**: Properly use access modifiers
4. **Event Logging**: Log all admin operations
---
## Retrieving Owner Addresses
### Method 1: Contract Function
If contract implements `owner()`:
```bash
cast call <contract_address> "owner()" --rpc-url <rpc_url>
```
### Method 2: Deployment Transaction
1. Find deployment transaction hash
2. Decode transaction
3. Extract owner from constructor parameters
### Method 3: Contract Storage
1. Find owner storage slot
2. Read storage value
3. Convert to address
### Method 4: Contract Verification
1. Verify contract on Blockscout
2. Check verified source code
3. Identify owner from code
---
## Monitoring Access Control
### Recommended Monitoring
1. **Owner Changes**: Alert on ownership transfers
2. **Admin Operations**: Log all admin function calls
3. **Access Attempts**: Monitor failed access attempts
4. **Configuration Changes**: Track all configuration changes
### Monitoring Script
Create script to monitor access control:
```bash
# Monitor owner changes
# Monitor admin function calls
# Alert on suspicious activity
```
---
## Best Practices
1. **Document Owners**: Document all contract owners
2. **Secure Keys**: Use hardware wallets or secure key management
3. **Multi-Sig**: Use multi-sig for critical contracts
4. **Timelock**: Use timelock for important changes
5. **Monitoring**: Monitor all access control changes
6. **Regular Audits**: Regularly audit access control
---
## Related Documentation
- [CCIP Security Best Practices](./CCIP_SECURITY_BEST_PRACTICES.md) (Task 128)
- [CCIP Configuration Status](./CCIP_CONFIGURATION_STATUS.md)
- [Complete Task Catalog](./CCIP_COMPLETE_TASK_CATALOG.md)
---
**Last Updated**: 2025-01-12
Reference in New Issue View Git Blame Copy Permalink