Access Control Handoff
Dispatcher ownership
The owner of the Dispatcher
is the canonical global admin for the protocol, persisting across releases (how the release implements that authority is up to the release).
When the Dispatcher
is deployed, the deployer (Avantgarde Core) is its initial owner
.
After configuring the protocol for the first release (both persistent and release-level contracts), Avantgarde Core initiates the first nomination-claim procedure to transfer Dispatcher
ownership to the ETC:
Current
owner
callsDispatcher.setNominatedOwner()
with the ETC multi-sig addressThe ETC votes to call
Dispatcher.claimOwnership()
owner
is set to the ETC multi-sig
This process can be repeated in the case that the ETC needs to change multi-sigs, or in the more extreme case of a governance model change.
FundDeployer ownership
For this release, the owner of the FundDeployer
is taken to be the admin of release-level protocol contracts.
The owner of FundDeployer
is set dynamically:
when its
relaseStatus
isPreLaunch
, the owner is the contract's deployer, i.e., Avantgarde Corewhen the
releaseStatus
is set toLive
(which is only changeable by theDispatcher
owner), the contract then defers ownership to the owner ofDispatcher
This essentially creates a similar model at the release-level of a handoff between Avantgarde Core and the Enzyme Council.
Extensions and plugins ownership
Extensions (FeeManager
, PolicyManager
, IntegrationManager
) and plugins (fees, policies, integration adapters) that require ownership for access control defer ownership to the current FundDeployer
owner. This is accomplished by inheriting a FundDeployerOwnerMixin
contract.
Thus when the owner of the FundDeployer
becomes the ETC, so does the owner of all contracts that implement this mixin.
Infrastructure ownership
Price feeds, the ValueInterpreter, and any other future infrastructure that can potentially persist between multiple releases inherit a DispatcherOwnerMixin
, if ownership is necessary. This contract operates exactly like FundDeployerOwnerMixin
, but defers ownership to the Dispatcher
owner.
This is necessary to leave infrastructure completely decoupled from any specific release.
---
These patterns of handing-off access control gives maximum flexibility for deployment and configuration, while assuring that the ETC will end up with complete admin privileges once the protocol is taken liven.
Last updated