explorer-monorepo/docs/CCIP_ACCESS_CONTROL.md

CCIP Access Control Documentation

Date: 2025-01-12
Network: ChainID 138

---

Overview

This document describes the access control mechanisms for all CCIP contracts and components.

---

Contract Ownership and Admin

CCIP Router

Address: 0x8078A09637e47Fa5Ed34F626046Ea2094a5CDE5e

Access Control:

• Owner/Admin: Unknown (requires deployment transaction or contract storage query)
• Public Functions: ccipSend(), getFee(), getOnRamp()
• Admin Functions: Configuration changes (if any)

Verification:

# Try to get owner (if function exists)
cast call 0x8078A09637e47Fa5Ed34F626046Ea2094a5CDE5e "owner()" --rpc-url <rpc_url>

# Check deployment transaction for owner
# (requires transaction hash)

CCIP Sender

Address: 0x105F8A15b819948a89153505762444Ee9f324684

Access Control:

• Owner/Admin: Unknown
• Public Functions: Message sending functions
• Admin Functions: Configuration changes (if any)

CCIPWETH9Bridge

Address: 0x89dd12025bfCD38A168455A44B400e913ED33BE2

Access Control:

• Owner/Admin: Unknown
• Public Functions: sendCrossChain(), destinations()
• Admin Functions: addDestination(), removeDestination() (if exists)

Verification:

# Try to get owner
cast call 0x89dd12025bfCD38A168455A44B400e913ED33BE2 "owner()" --rpc-url <rpc_url>

CCIPWETH10Bridge

Address: 0xe0E93247376aa097dB308B92e6Ba36bA015535D0

Access Control:

• Owner/Admin: Unknown
• Public Functions: sendCrossChain(), destinations()
• Admin Functions: addDestination(), removeDestination() (if exists)

---

Function Access Levels

Public Functions (Anyone Can Call)

Bridge Contracts

sendCrossChain(uint64, address, uint256)

• Access: Public
• Requirements:
  • User must have approved bridge to spend tokens
  • User must have sufficient balance
  • Destination must be configured
  • Bridge must have sufficient LINK for fees

destinations(uint64)

• Access: Public (view function)
• Returns: Bridge address for destination chain

Router

ccipSend(...)

• Access: Public
• Requirements: Valid message, sufficient fees

getFee(uint64, bytes)

• Access: Public (view function)
• Returns: Fee amount

Admin Functions (Owner/Admin Only)

Bridge Contracts

addDestination(uint64, address)

• Access: Owner/Admin only
• Purpose: Add destination chain to routing table
• Security: Critical - only owner should call

removeDestination(uint64) (if exists)

• Access: Owner/Admin only
• Purpose: Remove destination chain from routing table

---

Access Control Patterns

Ownable Pattern

Many contracts use OpenZeppelin's Ownable pattern:

• Single owner address
• owner() function returns owner
• onlyOwner modifier for admin functions
• transferOwnership() to change owner

Role-Based Access Control (RBAC)

Some contracts may use role-based access:

• Multiple roles (admin, operator, etc.)
• hasRole() function to check roles
• grantRole() and revokeRole() functions

Multi-Sig Pattern

For critical operations, multi-sig wallets may be used:

• Multiple owners required
• Threshold for operations
• Enhanced security

---

Security Considerations

Owner Address Security

1. Private Key Protection: Owner private key must be secured
2. Multi-Sig: Consider using multi-sig for owner
3. Timelock: Consider timelock for critical operations
4. Monitoring: Monitor owner changes

Function Access Security

1. Input Validation: All functions should validate inputs
2. Reentrancy Protection: Use reentrancy guards
3. Access Modifiers: Properly use access modifiers
4. Event Logging: Log all admin operations

---

Retrieving Owner Addresses

Method 1: Contract Function

If contract implements owner():

cast call <contract_address> "owner()" --rpc-url <rpc_url>

Method 2: Deployment Transaction

1. Find deployment transaction hash
2. Decode transaction
3. Extract owner from constructor parameters

Method 3: Contract Storage

1. Find owner storage slot
2. Read storage value
3. Convert to address

Method 4: Contract Verification

1. Verify contract on Blockscout
2. Check verified source code
3. Identify owner from code

---

Monitoring Access Control

Recommended Monitoring

1. Owner Changes: Alert on ownership transfers
2. Admin Operations: Log all admin function calls
3. Access Attempts: Monitor failed access attempts
4. Configuration Changes: Track all configuration changes

Monitoring Script

Create script to monitor access control:

# Monitor owner changes
# Monitor admin function calls
# Alert on suspicious activity

---

Best Practices

1. Document Owners: Document all contract owners
2. Secure Keys: Use hardware wallets or secure key management
3. Multi-Sig: Use multi-sig for critical contracts
4. Timelock: Use timelock for important changes
5. Monitoring: Monitor all access control changes
6. Regular Audits: Regularly audit access control

---

Related Documentation

• CCIP Security Best Practices (Task 128)
• CCIP Configuration Status
• Complete Task Catalog

---

Last Updated: 2025-01-12