Access Control

Summary:

Access Control is Not Governance

DeFi Governance is a complex and nuanced topic. We find it surprisingly fascinating and ripe for innovation. It traditionally deals with the following:
  • Proposing: How to make a proposal and how to discuss it. It could be as simple as a Discord channel. It can also be complex, for example a proposal could be the code change itself.
  • Voting: Voting is getting complex very fast. Quorum? Who can vote? Vote lifetime? Is it YES/NO vote? If not, how do you count votes? Do you allow Abstained Votes? What is the threshold to accept a vote? Veto rights?
  • Implementing: Most start out manually, where the core team implements winning proposals. There are several mechanisms for complete automation (out of scope of this doc).
So, we are not dealing with any of that at this point (Check Compound’s Governor Bravo if you are in urgent need of a rabbit hole).

So What is Access Control?

Access control defines which address or contract gets to call privileged contract functions. For example, minting a new token or upgrading a contract. Access control is a must for governance, but not the other way around.
With governance out of scope, we have three goals in mind:
  • Minimal level of trustlessness: mitigate authorized but rogue actors. Meaning, if we (the team) decide to go rogue, users can take out their funds before it is too late.
  • Security: prevent unauthorized access.
  • Simplicity: or at least not too complex. Easy to understand, easy to implement on-chain.

What Approach Does Archimedes Take?

Trustlessness

All privileged function calls (such as a proxy upgrade, a change of admin, or updating protocol fees) coming from an external address are *time-locked. There is no time lock when a call is invoked by one of our own smart contracts (the EXECUTIVE role), or when setting the price of leverage. In addition, some specific actions have their own *time lock period: minting lvUSD into the system is locked for 24 hours, versus 72 hours for ADMIN actions.
This establishes a minimal level of trustlessness (users have time to withdraw their funds if we decide to do something nasty). It is also pretty simple.

Security

At Archimedes we divide controls into smaller, more specific roles instead of one "Admin" role that controls everything. This increases security and follows the principle of least privilege.
We define these "global" roles (some contracts might have additional, specific roles):
  • ADMIN: Assigns and revokes roles (including the ADMIN role itself) and handles proxy upgrades, but cannot do anything other than that. Characteristics:
    • There is no more than one ADMIN at any point in time
    • All assignments and revocations are *time locked (and emit an event)
    • ADMIN is always an external multisig address
    • Handles proxy upgrades
  • GOVERNOR: Changes all privileged protocol parameters (like the lvUSD cap).
    • Cannot assign or revoke roles
    • There can be more than one GOVERNOR
    • All privileged actions are *time locked
    • All calls emit events
    • GOVERNOR is ultimately controlled by a multisig, but we funnel every parameter change through one contract (the "Parameter Store" contract) so that the audit log and the *time lock are enforced in one place
    • Only GOVERNOR can undo a GUARDIAN action (for example, resume minting after the GUARDIAN stopped it)
  • EXECUTIVE: Has access to all the privileged "day to day" actions (like borrowing under an NFT).
    • Cannot change protocol parameters
    • Cannot assign or revoke roles
    • There can be more than one EXECUTIVE
    • Not *time locked
    • EXECUTIVE is always a contract, never an EOA or a multisig
  • GUARDIAN: Designed to stop critical paths in case of emergency (like stopping minting). Must be very limited in scope.
    • Cannot assign or revoke roles
    • There is no more than one GUARDIAN at any point in time
    • Not *time locked
    • All calls emit events
    • GUARDIAN is always an external multisig address
    • Can invoke liquidation. It cannot force a liquidation; it can only call the liquidator contract and ask it to check whether a position should be liquidated
Contracts may have other roles, if that helps follow the principle of least privilege and doesn't add unnecessary complexity.
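As an added example (not Archimedes' own code), here is how the four global roles and the invariants listed above can be expressed with OpenZeppelin's AccessControlEnumerable and Pausable (OpenZeppelin Contracts 4.9.x is assumed; the Pausable import path changed in 5.x). The parameter, ledger and function names are hypothetical stand-ins for Parameter Store values and CDPosition bookkeeping. The time locks themselves are not in this contract: they come from holding ADMIN and GOVERNOR through a TimelockController, as the "Working with Time-locks" section describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Archimedes' own code. Expresses the four global roles and
// their invariants with OpenZeppelin Contracts 4.9.x (assumed; the Pausable
// import path changed in 5.x). Parameter and function names are hypothetical.
import "@openzeppelin/contracts/access/AccessControlEnumerable.sol";
import "@openzeppelin/contracts/security/Pausable.sol";

contract RoleSeparationExample is AccessControlEnumerable, Pausable {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    bytes32 public constant GOVERNOR_ROLE = keccak256("GOVERNOR_ROLE");
    bytes32 public constant EXECUTIVE_ROLE = keccak256("EXECUTIVE_ROLE");
    bytes32 public constant GUARDIAN_ROLE = keccak256("GUARDIAN_ROLE");

    // Hypothetical parameter and ledger, standing in for Parameter Store values
    // and CDPosition bookkeeping.
    uint256 public maxDebtPerPosition;
    mapping(uint256 => uint256) public positionDebt;

    event MaxDebtPerPositionSet(uint256 oldValue, uint256 newValue);
    event DebtRecorded(uint256 indexed positionId, uint256 amount);

    // `adminTimelock` is assumed to be a 72-hour TimelockController whose only
    // proposer is the ADMIN multisig. AccessControl itself has no delay; holding
    // the role through the timelock is what makes every role change time-locked.
    constructor(address adminTimelock) {
        // ADMIN administers every role, including ADMIN. DEFAULT_ADMIN_ROLE (0x00)
        // is never granted, so no hidden super-admin is left behind.
        _setRoleAdmin(ADMIN_ROLE, ADMIN_ROLE);
        _setRoleAdmin(GOVERNOR_ROLE, ADMIN_ROLE);
        _setRoleAdmin(EXECUTIVE_ROLE, ADMIN_ROLE);
        _setRoleAdmin(GUARDIAN_ROLE, ADMIN_ROLE);
        _grantRole(ADMIN_ROLE, adminTimelock);
    }

    // Role invariants, enforced on every grant (RoleGranted/RoleRevoked events
    // are emitted by AccessControl, so assignments are already logged).
    function _grantRole(bytes32 role, address account) internal virtual override {
        if (role == ADMIN_ROLE || role == GUARDIAN_ROLE) {
            // At most one holder at any time.
            require(getRoleMemberCount(role) == 0, "role already has a holder");
        }
        if (role == EXECUTIVE_ROLE) {
            // EXECUTIVE must be a contract, never an EOA or multisig. Caveat: this
            // runs only at grant time, and code.length is 0 for a contract that is
            // still inside its constructor.
            require(account.code.length > 0, "EXECUTIVE must be a contract");
        }
        super._grantRole(role, account);
    }

    // ADMIN hand-over. A scheduled revoke-then-grant cannot work with a single
    // ADMIN: once the timelock revokes its own role, nothing holds ADMIN to do the
    // grant. So the swap is one atomic call, still gated by the 72-hour timelock.
    function transferAdmin(address newAdmin) external onlyRole(ADMIN_ROLE) {
        require(newAdmin != address(0), "zero admin");
        _revokeRole(ADMIN_ROLE, msg.sender);
        _grantRole(ADMIN_ROLE, newAdmin);
    }

    // GOVERNOR: protocol parameters. The delay comes from the timelock holding
    // the role; the setter only validates and emits.
    function setMaxDebtPerPosition(uint256 newValue) external onlyRole(GOVERNOR_ROLE) {
        emit MaxDebtPerPositionSet(maxDebtPerPosition, newValue);
        maxDebtPerPosition = newValue;
    }

    // EXECUTIVE: day-to-day path called by other protocol contracts. Not
    // time-locked, but bounded by GOVERNOR's parameter and halted while paused.
    function recordDebt(uint256 positionId, uint256 amount)
        external onlyRole(EXECUTIVE_ROLE) whenNotPaused
    {
        require(positionDebt[positionId] + amount <= maxDebtPerPosition, "over max debt");
        positionDebt[positionId] += amount;
        emit DebtRecorded(positionId, amount);
    }

    // GUARDIAN: emergency stop, effective immediately (Paused event from Pausable).
    function pause() external onlyRole(GUARDIAN_ROLE) { _pause(); }

    // Only GOVERNOR can undo the GUARDIAN's stop: one emergency key can halt the
    // protocol but cannot quietly resume it.
    function unpause() external onlyRole(GOVERNOR_ROLE) { _unpause(); }
}
```

Two design notes. The "at most one holder" check is only possible because AccessControlEnumerable tracks members; plain AccessControl has no member count. And for an upgradeable deployment the UUPS `_authorizeUpgrade` hook would be gated with `onlyRole(ADMIN_ROLE)` in the same way, so "handles proxy upgrades" reuses the same role rather than adding an owner.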

Smart Contract Role Assignments

TLDR
  • All contract upgrades and role re-assignments have a *72 hour time lock. These are ADMIN actions.
  • Protocol parameters (fees, treasury address, vault addresses) are assigned to GOVERNOR with a *72 hour time lock, and are controlled through the "Parameter Store" contract.
  • Raising the leverage cap (minting lvUSD) has a *24 hour time lock. This is the MINTER role.
  • Day to day internal functions (functions we don't want external parties to call) are assigned to EXECUTIVE without a time lock. For example: exchanging lvUSD for 3CRV on Curve.
  • The Zapper and Auction contracts don't hold any special privileges or any user funds, therefore we do not need a time lock on the admin roles of those contracts.

lvUSD (ERC20 token)

Archimedes stablecoin
MINTER: Can mint lvUSD. Minted lvUSD goes to a pre-defined destination (the "Coordinator" contract).
  • This is the technical implementation of "raising the leverage cap" while minting lvUSD only when there is OUSD to back it: newly minted lvUSD does not circulate freely. It is held by the Coordinator contract and released only when there is OUSD to back it.
ADMIN: Can change the minting destination and grant the MINTER role
Privileged actions:
  Action                                | Role   | *Time lock
  Mint lvUSD                            | MINTER | 24 hours
  Change lvUSD mint destination address | ADMIN  | 72 hours
  Revoke/Assign MINTER                  | ADMIN  | 72 hours
  Revoke/Assign ADMIN                   | ADMIN  | 72 hours

OUSD Vault (ERC-4626)

Holds the deposited OUSD and the OUSD interest payments
EXECUTIVE: Can deposit and withdraw lvUSD and OUSD
Privileged actions:
  Action                                 | Role      | *Time lock
  Deposit/Redeem OUSD                    | EXECUTIVE | N/A
  Upgrade contract                       | ADMIN     | 72 hours
  Revoke/Assign ADMIN/EXECUTIVE/GUARDIAN | ADMIN     | 72 hours

Expired OUSD Vault (ERC-4626)

Holds OUSD from expired positions. Includes collateral AND earnings of expired positions
Privileged actions:
  Action                                 | Role  | *Time lock
  Upgrade contract                       | ADMIN | 72 hours
  Revoke/Assign ADMIN/EXECUTIVE/GUARDIAN | ADMIN | 72 hours

Position Token (ERC721 token)

The NFT position token
EXECUTIVE: Can burn and mint NFTs
Privileged actions:
  Action                        | Role      | *Time lock
  Mint / Burn NFT               | EXECUTIVE | N/A
  Upgrade contract              | ADMIN     | 72 hours
  Revoke/Assign ADMIN/EXECUTIVE | ADMIN     | 72 hours

ARCH Token

Protocol’s native token
No access control. No privileged roles.

Coordinator

Coordinates the vault, lvUSD and the leverage engine
EXECUTIVE: Can borrow lvUSD and write the balance against an NFT. Invoked by the "Leverage Engine" contract (which is an "end user facing" contract)
Privileged actions:
  Action                                                | Role      | *Time lock
  Open (borrow) a position and close (repay) a position | EXECUTIVE | N/A
  Upgrade contract                                      | ADMIN     | 72 hours
  Revoke/Assign ADMIN/EXECUTIVE                         | ADMIN     | 72 hours

Leverage Engine

Runs the leverage cycles and writes debt under an NFT instead of an EOA
Privileged actions:
  Action              | Role  | *Time lock
  Upgrade contract    | ADMIN | 72 hours
  Revoke/Assign ADMIN | ADMIN | 72 hours

CDPosition

Holds ledgers and directs rebasing
EXECUTIVE: Manage CDP information (the bookkeeper)
Privileged actions:
  Action                                                               | Role      | *Time lock
  Add/delete/update position based on user interaction with Leverage Engine | EXECUTIVE | N/A
  Upgrade contract                                                     | ADMIN     | 72 hours
  Revoke/Assign ADMIN/EXECUTIVE                                        | ADMIN     | 72 hours

Exchange Coordinator

Deals with Curve and OUSD contracts
EXECUTIVE: Swap lvUSD<>OUSD. This is an "internal" contract. It doesn't interface with the end user.
Privileged actions:
  Action                        | Role      | *Time lock
  Swap                          | EXECUTIVE | N/A
  Upgrade contract              | ADMIN     | 72 hours
  Revoke/Assign ADMIN/EXECUTIVE | ADMIN     | 72 hours

Parameter Store

Controls all sensitive protocol parameters
GOVERNOR: Set protocol parameters
Privileged actions:
  Action                                   | Role     | *Time lock
  Upgrade contract                         | ADMIN    | 72 hours
  Revoke/Assign roles                      | ADMIN    | 72 hours
  Max leverage allowed                     | GOVERNOR | 72 hours
  Origination fee rate                     | GOVERNOR | 72 hours
  Collateral rate required                 | GOVERNOR | 72 hours
  Protocol fees (out of interest payments) | GOVERNOR | 72 hours
  Curve max slippage allowed               | GOVERNOR | 72 hours
  How much leverage 1 ARCH buys (in lvUSD) | GOVERNOR | 72 hours
  Change Treasury address                  | GOVERNOR | 72 hours

Access control review doc (v1)

Google Sheet with current roles and owners (as of April 27, 2023)

Working with Time-locks

  1. The multisig admin is the only proposer for all Archimedes time locks.
  2. Anyone can execute an approved proposal on Archimedes time locks.
  3. Video exploration of how to use time locks with OpenZeppelin's Defender
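The time-lock wiring described in this list, in the Trustlessness section and in the lvUSD section (the multisig as the only proposer, open execution, a 72-hour lock for ADMIN actions and a 24-hour lock for minting to a fixed destination), as an added example rather than Archimedes' deployment code. It uses OpenZeppelin's TimelockController (Contracts 4.9.x assumed; the constructor's fourth argument did not exist before 4.7). In this pattern the timelock contract is the on-chain role holder and the multisig holds the proposer role on the timelock; that is this example's reading of "ADMIN is always an external multisig address" combined with "all assignments are time locked". Contract and function names are this example's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Archimedes' deployment code. Wires a 72-hour and a 24-hour
// TimelockController in front of an lvUSD-like token. Assumes OpenZeppelin
// Contracts 4.9.x; contract and function names are hypothetical.
import "@openzeppelin/contracts/governance/TimelockController.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

// Stand-in for lvUSD: MINTER can only mint to the fixed destination, so a
// compromised minter can raise supply but cannot route tokens to itself.
contract MintToDestinationToken is ERC20, AccessControl {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    address public mintDestination;

    event MintDestinationChanged(address indexed oldDestination, address indexed newDestination);

    constructor(address admin, address minter, address destination)
        ERC20("lvUSD example", "lvUSDx")
    {
        require(destination != address(0), "zero destination");
        _setRoleAdmin(ADMIN_ROLE, ADMIN_ROLE);  // ADMIN administers itself and MINTER
        _setRoleAdmin(MINTER_ROLE, ADMIN_ROLE);
        _grantRole(ADMIN_ROLE, admin);          // initial wiring at deploy time;
        _grantRole(MINTER_ROLE, minter);        // every later change goes through ADMIN
        mintDestination = destination;
    }

    function setMintDestination(address newDestination) external onlyRole(ADMIN_ROLE) {
        require(newDestination != address(0), "zero destination");
        emit MintDestinationChanged(mintDestination, newDestination);
        mintDestination = newDestination;
    }

    // Deliberately no `to` parameter.
    function mint(uint256 amount) external onlyRole(MINTER_ROLE) {
        _mint(mintDestination, amount);
    }
}

contract TimelockWiringExample {
    uint256 public constant ADMIN_DELAY = 72 hours;
    uint256 public constant MINT_DELAY = 24 hours;

    TimelockController public immutable adminTimelock;
    TimelockController public immutable mintTimelock;
    MintToDestinationToken public immutable token;

    // `multisig`: the ADMIN multisig. `coordinator`: where minted tokens land.
    constructor(address multisig, address coordinator) {
        address[] memory proposers = new address[](1);
        proposers[0] = multisig;    // only the multisig can propose (and cancel)
        address[] memory executors = new address[](1);
        executors[0] = address(0);  // address(0) as executor: anyone may execute
        // Fourth argument address(0): no separate timelock admin, so changing a
        // delay or a proposer is itself a scheduled, delayed operation.
        TimelockController adminTl = new TimelockController(ADMIN_DELAY, proposers, executors, address(0));
        TimelockController mintTl = new TimelockController(MINT_DELAY, proposers, executors, address(0));
        // Locals are used because immutables cannot be read in a constructor before 0.8.21.
        adminTimelock = adminTl;
        mintTimelock = mintTl;
        token = new MintToDestinationToken(address(adminTl), address(mintTl), coordinator);
    }

    // Calldata and operation id for "mint `amount` lvUSD". Monitoring can
    // recompute the id off-chain and match it against the CallScheduled event.
    function mintOperation(uint256 amount, bytes32 salt)
        external view returns (address target, bytes memory data, bytes32 id)
    {
        target = address(token);
        data = abi.encodeWithSelector(MintToDestinationToken.mint.selector, amount);
        id = mintTimelock.hashOperation(target, 0, data, bytes32(0), salt);
    }

    // Same for a 72-hour ADMIN action on the token, e.g. data =
    // abi.encodeWithSelector(AccessControl.grantRole.selector, MINTER_ROLE, newMinter).
    function adminOperation(bytes calldata data, bytes32 salt) external view returns (bytes32 id) {
        id = adminTimelock.hashOperation(address(token), 0, data, bytes32(0), salt);
    }

    // Life of a mint (done by the actors themselves, not by this contract):
    //  1. multisig:  mintTimelock.schedule(target, 0, data, bytes32(0), salt, MINT_DELAY)
    //     -> CallScheduled(id, ...); the 24-hour countdown starts and users can react.
    //  2. anyone, after the delay:  mintTimelock.execute(target, 0, data, bytes32(0), salt)
    //     -> the timelock calls token.mint(amount); tokens land in `coordinator`.
    //  3. until then only the multisig (as canceller) can mintTimelock.cancel(id).
}
```

The practical check this enables: anything that watches the chain can take the `CallScheduled` event's operation id, recompute it from the visible target and calldata, and raise an alert the moment a 24-hour or 72-hour countdown starts, which is the whole point of the "users have time to react" guarantee.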
Archimedes is an experimental protocol and carries significant risks: Smart contract risk, economic model risk, risk that the assets Archimedes introduces and many other types of known and unknown risks. Archimedes' team never provides investment advice. This article is NOT financial advice. DYOR. Participate at your own risk.