Access Control Handoff

Dispatcher ownership

The owner of the Dispatcher is the canonical global admin for the protocol, persisting across releases (how the release implements that authority is up to the release).

When the Dispatcher is deployed, the deployer (Avantgarde Core) is its initial owner.

After configuring the protocol for the first release (both persistent and release-level contracts), Avantgarde Core initiates the first nomination-claim procedure to transfer Dispatcher ownership to the ETC:

  1. Current owner calls Dispatcher.setNominatedOwner() with the ETC multi-sig address

  2. The ETC votes to call Dispatcher.claimOwnership()

  3. owner is set to the ETC multi-sig

This process can be repeated in the case that the ETC needs to change multi-sigs, or in the more extreme case of a governance model change.

FundDeployer ownership

For this release, the owner of the FundDeployer is taken to be the admin of release-level protocol contracts.

The owner of FundDeployer is set dynamically:

  • when its releaseStatus is PreLaunch, the owner is the contract's deployer, i.e., Avantgarde Core

  • when the releaseStatus is set to Live (which is only changeable by the Dispatcher owner), the contract then defers ownership to the owner of Dispatcher

This essentially creates, at the release level, a similar handoff between Avantgarde Core and the Enzyme Council.

Extensions and plugins ownership

Extensions (FeeManager, PolicyManager, IntegrationManager) and plugins (fees, policies, integration adapters) that require ownership for access control defer ownership to the current FundDeployer owner. This is accomplished by inheriting a FundDeployerOwnerMixin contract.

Thus when the owner of the FundDeployer becomes the ETC, so does the owner of all contracts that implement this mixin.

Infrastructure ownership

Price feeds, the ValueInterpreter, and any other future infrastructure that can potentially persist between multiple releases inherit a DispatcherOwnerMixin, if ownership is necessary. This contract operates exactly like FundDeployerOwnerMixin, but defers ownership to the Dispatcher owner.

This is necessary to leave infrastructure completely decoupled from any specific release.
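
A minimal Solidity sketch of the deferral chain described above: the nomination-claim transfer on the Dispatcher, the status-dependent FundDeployer owner, and a mixin that defers to it. This is an added example, not the protocol's own code; getOwner(), setReleaseStatus(), the onlyFundDeployerOwner modifier and the storage layout are assumptions made for illustration.

```solidity
pragma solidity ^0.8.0;
// Illustrative sketch only. Names not on the page (getOwner, setReleaseStatus,
// onlyFundDeployerOwner, CREATOR) are assumptions, not the protocol's actual code.
contract Dispatcher {
    address private owner;
    address private nominatedOwner;
    constructor() { owner = msg.sender; } // the deployer is the initial owner

    // Step 1: the current owner nominates; ownership does not move yet.
    function setNominatedOwner(address _next) external {
        require(msg.sender == owner, "only owner");
        nominatedOwner = _next;
    }

    // Steps 2-3: only the nominee can finish the transfer, so a mistyped or unusable address cannot take over.
    function claimOwnership() external {
        require(msg.sender == nominatedOwner, "only nominee");
        owner = nominatedOwner;
        delete nominatedOwner;
    }

    function getOwner() external view returns (address) { return owner; }
}

contract FundDeployer {
    enum ReleaseStatus { PreLaunch, Live }
    Dispatcher private immutable DISPATCHER;
    address private immutable CREATOR;
    ReleaseStatus private releaseStatus; // defaults to PreLaunch
    constructor(Dispatcher _dispatcher) { DISPATCHER = _dispatcher; CREATOR = msg.sender; }

    // Only the Dispatcher owner can change the release status.
    function setReleaseStatus(ReleaseStatus _next) external {
        require(msg.sender == DISPATCHER.getOwner(), "only Dispatcher owner");
        releaseStatus = _next;
    }

    // The owner is computed on every call, never stored, so a Dispatcher handoff propagates at once.
    function getOwner() public view returns (address) {
        return releaseStatus == ReleaseStatus.PreLaunch ? CREATOR : DISPATCHER.getOwner();
    }
}

abstract contract FundDeployerOwnerMixin {
    FundDeployer private immutable FUND_DEPLOYER;
    constructor(FundDeployer _fd) { FUND_DEPLOYER = _fd; }
    modifier onlyFundDeployerOwner() {
        require(msg.sender == FUND_DEPLOYER.getOwner(), "only FundDeployer owner");
        _;
    }
}
```

In this sketch a DispatcherOwnerMixin would be the same contract with the Dispatcher as the lookup target. Because no inheriting contract stores an owner of its own, there is no per-contract admin key left to rotate or forget after the handoff.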

---

These patterns of handing off access control give maximum flexibility for deployment and configuration, while assuring that the ETC will end up with complete admin privileges once the protocol is taken live.
