d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
main
proxmox/docs/07-ccip/CCIP_SECURITY_DOCUMENTATION.md
defiQUG 2a6d3cfc7f
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
Update submodule references and improve CI workflow 
- Update submodule references for explorer-monorepo and smom-dbis-138 to latest commits.
- Modify CI workflow to include shellcheck installation and enforce error severity for script checks.
- Update contract addresses in configuration and documentation to reflect the new canonical addresses for CCIPWETH9Bridge and CCIP Router.
- Revise integration test documentation to align with updated contract addresses and deployment statuses.

Made-with: Cursor
2026-03-24 22:50:52 -07:00

4.8 KiB
Raw Permalink Blame History

CCIP Security Documentation

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation

Date: $(date)
Network: ChainID 138
Purpose: Security information for all CCIP contracts

🔐 Contract Access Control

CCIP Router

  • Address: 0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817
  • Access Control: Standard CCIP Router implementation
  • Owner Function: owner() function not available (may use different access control pattern)
  • Admin Functions: Standard CCIP Router admin functions
  • Pause Mechanism: Standard CCIP Router pause functionality (if implemented)

Note: Contract owner/admin addresses need to be retrieved from deployment transactions or contract storage.

CCIP Sender

  • Address: 0x105F8A15b819948a89153505762444Ee9f324684
  • Access Control: Standard CCIP Sender implementation
  • Owner Function: owner() function not available
  • Router Reference: 0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817

Note: Access control details need to be retrieved from contract source code or deployment logs.

CCIPWETH9Bridge

  • Address: Use env CCIPWETH9_BRIDGE_CHAIN138 (set after scripts/deploy-and-configure-weth9-bridge-chain138.sh); canonical: 0xcacfd227A040002e49e2e01626363071324f820a. Deprecated (do not use): 0x89dd12025bfCD38A168455A44B400e913ED33BE2 — old bridge with router mismatch. See CONTRACT_INVENTORY_AND_VERIFICATION.md.
  • Access Control: Bridge contract access control
  • Owner Function: owner() function not available
  • Admin Functions: Bridge-specific admin functions

Destination Chains Configured:

  • BSC: 0x9d70576d8E253BcF... (truncated, full address in storage)
  • Polygon: 0x383a1891AE1915b1... (truncated)
  • Avalanche: 0x594862Ae1802b3D5... (truncated)
  • Base: 0xdda641cFe44aff82... (truncated)
  • Arbitrum: 0x44aE84D8E9a37444... (truncated)
  • Optimism: 0x33d343F77863CAB8... (truncated)

CCIPWETH10Bridge

  • Address: 0xe0E93247376aa097dB308B92e6Ba36bA015535D0
  • Access Control: Bridge contract access control
  • Owner Function: owner() function not available
  • Admin Functions: Bridge-specific admin functions

Destination Chains Configured:

  • BSC: 0x9d70576d8E253BcF... (truncated, full address in storage)
  • Polygon: 0x383a1891AE1915b1... (truncated)
  • Avalanche: 0x594862Ae1802b3D5... (truncated)
  • Base: 0xdda641cFe44aff82... (truncated)
  • Arbitrum: 0x44aE84D8E9a37444... (truncated)
  • Optimism: 0x33d343F77863CAB8... (truncated)

🔍 How to Retrieve Admin/Owner Addresses

Method 1: From Deployment Transaction

# Get deployment transaction hash
cast tx <DEPLOYMENT_TX_HASH> --rpc-url $RPC_URL_138

# Extract deployer address from transaction
cast tx <DEPLOYMENT_TX_HASH> --rpc-url $RPC_URL_138 | grep "from"

Method 2: From Contract Storage

# Try common storage slots for owner addresses
cast storage <CONTRACT_ADDRESS> 0 --rpc-url $RPC_URL_138
cast storage <CONTRACT_ADDRESS> 1 --rpc-url $RPC_URL_138

Method 3: From Source Code

If contracts are verified on Blockscout, check the source code for:

  • Ownable pattern (OpenZeppelin)
  • Custom access control implementations
  • Multi-sig patterns

🛡️ Security Recommendations

1. Access Control Verification

  • Verify all admin/owner addresses
  • Document multi-sig requirements (if any)
  • Review access control mechanisms
  • ⚠️ Action Required: Retrieve and document actual owner addresses

2. Upgrade Mechanisms

  • ⚠️ Verify if contracts are upgradeable
  • ⚠️ Document upgrade procedures
  • ⚠️ Review upgrade authorization requirements

3. Pause Mechanisms

  • ⚠️ Verify pause functionality (if implemented)
  • ⚠️ Document pause procedures
  • ⚠️ Review pause authorization requirements

4. Emergency Procedures

  • ⚠️ Document emergency response procedures
  • ⚠️ Review circuit breakers (if implemented)
  • ⚠️ Document recovery procedures

📋 Security Checklist

  • Admin/owner addresses documented
  • Access control mechanisms reviewed
  • Upgrade procedures documented
  • Pause mechanisms documented
  • Emergency procedures documented
  • Multi-sig requirements documented (if applicable)
  • Key rotation procedures documented
  • Incident response plan documented

🔗 Related Documentation

Last Updated: $(date)
Status: ⚠️ INCOMPLETE - Owner addresses need to be retrieved

Reference in New Issue View Git Blame Copy Permalink