logo

Access Control

Summary:

Access Control is Not Governance

DeFi Governance is a complex and nuanced topic. We find it surprisingly fascinating and ripe for innovation. It traditionally deals with the following:
  • Proposing: How to make a proposal and how to discuss it. It could be as simple as a Discord channel. It can also be complex, for example a proposal could be the code change itself.
  • Voting: Voting is getting complex very fast. Quorum? Who can vote? Vote lifetime? Is it YES/NO vote? If not, how do you count votes? Do you allow Abstained Votes? What is the threshold to accept a vote? Veto rights?
  • Implementing: Most start out manually, where the core team implements winning proposals. There are several mechanisms for complete automation (out of scope of this doc).
So, we are not dealing with any of that at this point (Check Compound’s Governor Bravo if you are in urgent need of a rabbit hole).

So What is Access Control?

Access control defines which address or contract gets to call privileged contract functions. For example, minting a new token or upgrading a contract. Access control is a must for governance, but not the other way around.
With governance out of scope, we have three goals in mind:
  • Minimal level of trustlessness: mitigate authorized but rogue actors. Meaning, if we decide to go rogue, users can take out their funds, before it is too late.
  • Security: prevent unauthorized access
  • Simplicity: Or at least not too complex. Easy to understand, easy to implement on-chain.

What Approach Does Archimedes Take?

Trustlessness

All privileged function calls (like: proxy upgrade, change of admin, updating protocol fees) coming from an external address are *time-locked. There is no time lock if it is invoked by a smart contract or when setting the price of leverage. In addition, we have different *time lock periods for some specific actions such as minting lvUSD into our system.
This establishes a minimal level of trustlessness (users have time to withdraw the funds if we decide to do something nasty). It is also pretty simple.

Security

At Archimedes we take the approach of dividing controls into smaller more specific Roles instead of one “Admin” role that controls everything. This increases security and follows “the least privileged” principle.
We’ll define these “global” roles (some contracts might have specific roles):
  • ADMIN: Assigns and revokes roles (including the ADMIN role itself), but cannot do anything other than that. Also, upgrade contracts characteristics are:
    • Have no more than one ADMIN at any point of time
    • All assignments and revocations are *time locked (and emit an event)
    • ADMIN is always an external multisig address
    • Handles proxy upgrades
  • GOVERNOR: Changes all privileged protocol parameters (like lvUSD cap).
    • Cannot assign or revoke roles.
    • There could be more than one GOVERNOR
    • All privileged actions are *time locked
    • All calls emit events GOVERNOR is ultimately controlled by a multi-sig, but we funnel everything through one contract ("Parameter Store" contract) to enforce audit log and *time lock in one place
    • Only GOVERNOR can un-GUARDIAN
  • EXECUTIVE: Cannot assign or revoke roles. Has access to all the privileged "day to day" actions (like: borrowing under an NFT).
    • Cannot change protocol parameters
    • Cannot assign or revoke roles.
    • There could be more than one EXECUTIVE
    • Not *time locked
    • EXECUTIVE is only a contract. Cannot be a multisig
  • GUARDIAN: Cannot assign or revoke roles. Designed to stop critical paths in case of emergency (like stop minting). Must be very limited in scope.
    • Cannot assign or revoke roles.
    • No more than one GUARDIAN at any point of time
    • Not *time locked
    • All calls emit events
    • GUARDIAN is always an external multisig address
    • Invoke liquidation. It cannot force liquidation, it just can call liquidator and ask this contract to check if a position should be liquidated
Contracts may have other roles, if it helps following “the least privileged” principle and doesn’t add unnecessary complexity

Smart Contract Role Assignments

TLDR
  • All contract upgrades and roles re-assignment having a *72 hours time lock. These are ADMIN actions
  • Protocol parameters (fees, treasury address, vault addresses) are assigned to GOVERNOR and *72 hours time lock. Controlled by "Parameter Store" contract
  • Raising the leverage cap has *24 hours time lock (MINTER)
  • Day to day internal functions (functions we don't want external people to call) are assigned to EXECUTIVE without a time lock. For example: exchanging lvUSD for 3CRV on Curve.
  • Zapper and Auction contracts don’t hold any special privileges or any user funds. therefor we do not need a time lock on admin roles for those contracts.

lvUSD (ERC20 token)

Archimedes stablecoin
MINTER: Can mint lvUSD. Minted lvUSD goes to a pre-defined destination ("Coordinator" contract.
  • This is the technical implementation of "raising the leverage cap" and mint lvUSD only if there is an OUSD to back it: Newly minted lvUSD are not cycling freely. They are kept with the contract and released only when there is an OUSD to back them
ADMIN: Can change minting destination and grant MINT role
Privileged actions
Action
Role
*Time lock
Mint lvUSD
MINTER
24 hours
Change lvUSD mint destination address
ADMIN
72 hours
Revoke/Assign MINTER
ADMIN
72 hours
Revoke/Assign ADMIN
ADMIN
72 hours

OUSD Vault OUSD (ERC-4626)

Holds the deposited OUSD and OUSD interest payments
EXECUTIVE: Can deposit and withdraw lvUSD and OUSD
Privileged actions
Action
Role
*Time lock
Deposit/Redeem OUSD
EXECUTIVE
N/A
Upgrade contract
ADMIN
72 hours
Revoke/Assign ADMIN/EXECUTIVE/GUARDIAN
ADMIN
72 hours

Expired OUSD Vault (ERC-4626)

Holds OUSD from expired positions. Includes collateral AND earnings of expired positions
Action
Role
*Time lock
Upgrade contract
ADMIN
72 hours
Revoke/Assign ADMIN/EXECUTIVE/GUARDIAN
ADMIN
72 hours

Position Token (ERC721 token)

The NFT position token
EXECUTIVE: Can burn and mint NFTs
Privileged actions
Action
Role
*Time lock
Mint / Burn NFT
EXECUTIVE
N/A
Upgrade contract
ADMIN
72 hours
Revoke/Assign ADMIN/EXECUTIVE
ADMIN
72 hours

ARCH Token

Protocol’s native token
No access control. No privileged roles
Coordinator: Coordinating vault, lvUSD and leverage engine
EXECUTIVE: Can borrow lvUSD and write balance against NFT. Invoked by "Leverage Engine" contract (which is an "end user facing" contract)
Privileged actions
Action
Role
*Time lock
Open (borrow) a position and close (repay) a position
EXECUTIVE
N/A
Upgrade contract
ADMIN
72 hours
Revoke/Assign ADMIN/EXECUTIVE
ADMIN
72 hours

Leverage Engine

Runs the leverage cycles and writes debt under NFT instead of a EOA
Privileged actions
Action
Role
*Time lock
Upgrade contract
ADMIN
72 hours
Revoke/Assign ADMIN
ADMIN
72 hours

CDPosition

Holds ledgers and directs rebasing
EXECUTIVE: Manage CDP information (the bookkeeper)
Privileged actions
Action
Role
*Time lock
Add/delete/update position based on user interaction with Leverage Engine
EXECUTIVE
N/A
Upgrade contract
ADMIN
72 hours
Revoke/Assign ADMIN/EXECUTIVE
ADMIN
72 hours

Exchange Coordinator

Deals with Curve and OUSD contracts
EXECUTIVE: Swap lvUSD<>OUSD. This is an "internal" contract. It doesn't interface with the end user.
Privileged actions
Action
Role
*Time lock
Swap
EXECUTIVE
N/A
Upgrade contract
ADMIN
72 hours
Revoke/Assign ADMIN/EXECUTIVE
ADMIN
72 hours

Parameter Store

Controls all sensitive protocol parameters
GOVERNOR: Set protocol parameters
Privileged actions
Action
Role
*Time lock
Upgrade contract
ADMIN
72 hours
Revoke/Assign roles
ADMIN
72 hours
Max leverage allowed
GOVERNOR
72 hours
Origination fee rate
GOVERNOR
72 hours
Collateral rate required
GOVERNOR
72 hours
Protocol fees (out of interest payments)
GOVERNOR
72 hours
Curve max slippage allowed
GOVERNOR
72 hours
How much leverage 1 ARCH buys (in lvUSD)
GOVERNOR
72 hours
Change Treasury address
GOVERNOR
72 hours

Access control review doc (v1)

google sheet with current roles and owners (as of April 27, 2023)

Working with Time-locks

  1. The multi-sig admin is the only proposer for all Archimedes time locks.
  1. Anyone can execute an approved proposal on Archimedes time locks.
  1. Video exploration of how to use time locks with Open Zepplin’s Defender
🚨
Archimedes is an experimental protocol and carries significant risks: Smart contract risk, economic model risk, risk that the assets Archimedes introduces and many other types of known and unknown risks. Archimedes' team never provides investment advice. This article is NOT financial advice. DYOR. Participate at your own risk.