d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
2a6d3cfc7f765252f92066b511c898e957ebc546
proxmox/docs/07-ccip/CCIP_SECURITY_DOCUMENTATION.md
defiQUG 2a6d3cfc7f
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
Update submodule references and improve CI workflow 
- Update submodule references for explorer-monorepo and smom-dbis-138 to latest commits.
- Modify CI workflow to include shellcheck installation and enforce error severity for script checks.
- Update contract addresses in configuration and documentation to reflect the new canonical addresses for CCIPWETH9Bridge and CCIP Router.
- Revise integration test documentation to align with updated contract addresses and deployment statuses.

Made-with: Cursor
2026-03-24 22:50:52 -07:00

141 lines
4.8 KiB
Markdown
Raw Blame History

# CCIP Security Documentation
**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** Active Documentation
---
**Date**: $(date)
**Network**: ChainID 138
**Purpose**: Security information for all CCIP contracts
---
## 🔐 Contract Access Control
### CCIP Router
- **Address**: `0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817`
- **Access Control**: Standard CCIP Router implementation
- **Owner Function**: `owner()` function not available (may use different access control pattern)
- **Admin Functions**: Standard CCIP Router admin functions
- **Pause Mechanism**: Standard CCIP Router pause functionality (if implemented)
**Note**: Contract owner/admin addresses need to be retrieved from deployment transactions or contract storage.
### CCIP Sender
- **Address**: `0x105F8A15b819948a89153505762444Ee9f324684`
- **Access Control**: Standard CCIP Sender implementation
- **Owner Function**: `owner()` function not available
- **Router Reference**: `0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817`
**Note**: Access control details need to be retrieved from contract source code or deployment logs.
### CCIPWETH9Bridge
- **Address**: Use env `CCIPWETH9_BRIDGE_CHAIN138` (set after `scripts/deploy-and-configure-weth9-bridge-chain138.sh`); canonical: `0xcacfd227A040002e49e2e01626363071324f820a`. **Deprecated (do not use):** `0x89dd12025bfCD38A168455A44B400e913ED33BE2` — old bridge with router mismatch. See [CONTRACT_INVENTORY_AND_VERIFICATION.md](../11-references/CONTRACT_INVENTORY_AND_VERIFICATION.md).
- **Access Control**: Bridge contract access control
- **Owner Function**: `owner()` function not available
- **Admin Functions**: Bridge-specific admin functions
**Destination Chains Configured**:
- ✅ BSC: `0x9d70576d8E253BcF...` (truncated, full address in storage)
- ✅ Polygon: `0x383a1891AE1915b1...` (truncated)
- ✅ Avalanche: `0x594862Ae1802b3D5...` (truncated)
- ✅ Base: `0xdda641cFe44aff82...` (truncated)
- ✅ Arbitrum: `0x44aE84D8E9a37444...` (truncated)
- ✅ Optimism: `0x33d343F77863CAB8...` (truncated)
### CCIPWETH10Bridge
- **Address**: `0xe0E93247376aa097dB308B92e6Ba36bA015535D0`
- **Access Control**: Bridge contract access control
- **Owner Function**: `owner()` function not available
- **Admin Functions**: Bridge-specific admin functions
**Destination Chains Configured**:
- ✅ BSC: `0x9d70576d8E253BcF...` (truncated, full address in storage)
- ✅ Polygon: `0x383a1891AE1915b1...` (truncated)
- ✅ Avalanche: `0x594862Ae1802b3D5...` (truncated)
- ✅ Base: `0xdda641cFe44aff82...` (truncated)
- ✅ Arbitrum: `0x44aE84D8E9a37444...` (truncated)
- ✅ Optimism: `0x33d343F77863CAB8...` (truncated)
---
## 🔍 How to Retrieve Admin/Owner Addresses
### Method 1: From Deployment Transaction
```bash
# Get deployment transaction hash
cast tx <DEPLOYMENT_TX_HASH> --rpc-url $RPC_URL_138
# Extract deployer address from transaction
cast tx <DEPLOYMENT_TX_HASH> --rpc-url $RPC_URL_138 | grep "from"
```
### Method 2: From Contract Storage
```bash
# Try common storage slots for owner addresses
cast storage <CONTRACT_ADDRESS> 0 --rpc-url $RPC_URL_138
cast storage <CONTRACT_ADDRESS> 1 --rpc-url $RPC_URL_138
```
### Method 3: From Source Code
If contracts are verified on Blockscout, check the source code for:
- `Ownable` pattern (OpenZeppelin)
- Custom access control implementations
- Multi-sig patterns
---
## 🛡️ Security Recommendations
### 1. Access Control Verification
- ✅ Verify all admin/owner addresses
- ✅ Document multi-sig requirements (if any)
- ✅ Review access control mechanisms
- ⚠️ **Action Required**: Retrieve and document actual owner addresses
### 2. Upgrade Mechanisms
- ⚠️ Verify if contracts are upgradeable
- ⚠️ Document upgrade procedures
- ⚠️ Review upgrade authorization requirements
### 3. Pause Mechanisms
- ⚠️ Verify pause functionality (if implemented)
- ⚠️ Document pause procedures
- ⚠️ Review pause authorization requirements
### 4. Emergency Procedures
- ⚠️ Document emergency response procedures
- ⚠️ Review circuit breakers (if implemented)
- ⚠️ Document recovery procedures
---
## 📋 Security Checklist
- [ ] Admin/owner addresses documented
- [ ] Access control mechanisms reviewed
- [ ] Upgrade procedures documented
- [ ] Pause mechanisms documented
- [ ] Emergency procedures documented
- [ ] Multi-sig requirements documented (if applicable)
- [ ] Key rotation procedures documented
- [ ] Incident response plan documented
---
## 🔗 Related Documentation
- [CCIP Sender Contract Reference](./CCIP_SENDER_CONTRACT_REFERENCE.md)
- [CCIP Sender Contract Reference](./CCIP_SENDER_CONTRACT_REFERENCE.md)
- [Contract Addresses Reference](../11-references/CONTRACT_ADDRESSES_REFERENCE.md) (bridge and CCIP addresses)
---
**Last Updated**: $(date)
**Status**: ⚠️ **INCOMPLETE** - Owner addresses need to be retrieved
Reference in New Issue View Git Blame Copy Permalink