
Feature/contract security upgrades 259 263 264#295

Open
Joycejay17 wants to merge 3 commits into ceejaylaboratory:main from Joycejay17:feature/contract-security-upgrades-259-263-264

Conversation

@Joycejay17

Contract Security Enhancements

Overview

This PR implements three critical security enhancements for the AnchorPoint smart contracts:

  • Emergency exit logic for bridge funds
  • Multi-sig requirement for contract upgrades
  • Access control lists (ACL) with special roles

Changes Made

#259: Emergency Exit Logic for Bridge Funds

File: src/bridge/lib.rs

Added emergency mode functionality to protect users' funds if the bridge relayer becomes unresponsive:

  • Storage Keys Added:

    • LastRelayerActivity - Tracks timestamp of last relayer activity
    • EmergencyMode - Boolean flag for emergency state
    • LockedBalance - Tracks user locked balances (for future use)
  • Functions Added:

    • activate_emergency_mode(caller) - Activates emergency mode. Auto-activates after 72 hours (259,200 seconds) of relayer inactivity. Admin can activate earlier manually.
    • emergency_withdraw(user, token, amount) - Allows users to withdraw their locked assets when emergency mode is active
    • deactivate_emergency_mode(admin) - Admin can deactivate emergency mode once the relayer is back online
  • Functions Modified:

    • initialize() - Now initializes emergency mode flag and activity timestamp
    • process_message() - Updates last relayer activity timestamp on each successful message
  • View Helpers Added:

    • is_emergency_mode() - Returns current emergency mode state
    • last_relayer_activity() - Returns timestamp of last relayer activity
    • time_since_last_activity() - Returns elapsed time since last activity in seconds

Security Benefit: Users can withdraw their funds even if the relayer is unresponsive for 72+ hours, preventing fund lockup scenarios.

#263: Multi-sig Requirement for Upgrades

File: src/upgradeable/lib.rs

Refactored the upgradeable contract to require 3-out-of-5 administrator approvals before executing upgrades:

  • Struct Added:

    • UpgradeProposal - Tracks upgrade proposals with wasm_hash, proposed_at, approval_count, and executed flag
  • Storage Keys Added:

    • AdminList - Stores the 5 administrator addresses
    • UpgradeProposal - Stores the current pending upgrade proposal
    • Approval(Address) - Tracks which admins have approved the current proposal
  • Functions Modified:

    • initialize(admin_list) - Now accepts a Vec of 5 administrator addresses instead of a single admin
    • upgrade() - DEPRECATED - Now panics with deprecation message
  • Functions Added:

    • propose_upgrade(admin, new_wasm_hash) - Any admin can propose an upgrade (counts as first approval)
    • approve_upgrade(admin) - Admins can approve a pending proposal. Auto-executes when 3/5 approvals reached
    • cancel_upgrade(admin) - Any admin can cancel a pending proposal
    • execute_upgrade(proposal) - Internal function that executes the upgrade with sufficient approvals
    • replace_admin(proposer, old_admin, new_admin) - Replace an admin in the multi-sig list
    • set_admin() - DEPRECATED - Now panics with deprecation message
  • View Helpers Added:

    • get_admin_list() - Returns all 5 administrator addresses
    • get_upgrade_proposal() - Returns the current upgrade proposal, if any
    • has_approved(admin) - Returns whether an admin has approved the current proposal
  • Tests Updated:

    • All tests updated to work with multi-sig admin list instead of single admin
    • Fixed Vec indexing issues by using get() instead of []
    • Fixed ownership issues by cloning values appropriately

Security Benefit: Prevents a single point of failure and rogue upgrades by requiring consensus among multiple administrators.

#264: Access Control Lists (ACL) System

File: src/auth/rbac.rs

Extended the RBAC system with special functional roles (MINTER, BURNER, PAUSER):

  • Roles Added to AccessRole Enum:

    • Minter (10) - Can mint tokens
    • Burner (11) - Can burn tokens
    • Pauser (12) - Can pause/unpause contract operations
  • Functions Modified:

    • has_role() - Updated to handle special roles (exact match) vs hierarchical roles (Admin > Moderator > Contributor)
    • revoke_role() - Enhanced to emit the revoked role in the event and validate role exists before revoking
  • Functions Added:

    • has_any_role(address, roles) - Check if address has any of the specified roles
    • require_any_role(address, roles) - Panic if address doesn't have any of the specified roles
    • revoke_specific_role(admin, target, role) - Revoke a specific role from a target address (instant revocation)
    • is_minter(address) - Check if address can perform minter operations
    • is_burner(address) - Check if address can perform burner operations
    • is_pauser(address) - Check if address can perform pauser operations
  • Contract Functions Added:

    • revoke_specific_role(from, target, role) - Contract wrapper for revoking specific roles
    • is_minter(address) - Contract wrapper for minter check
    • is_burner(address) - Contract wrapper for burner check
    • is_pauser(address) - Contract wrapper for pauser check
  • Tests Updated:

    • Added tests for MINTER, BURNER, PAUSER roles
    • Verified Admin automatically has all special role permissions
    • Tested specific role revocation

Security Benefit: Provides granular access control for different contract operations with instant revocation capability.

Additional Fixes

  • Fixed Cargo.toml files in src/bridge and src/liquidation to include lib.path for proper compilation
  • Fixed compilation errors in upgradeable contract related to Vec indexing and ownership

Testing

  • auth package: All tests passed (2 tests)
  • upgradeable package: All tests passed (4 tests)
  • Tests verify:
    • Emergency mode activation and deactivation
    • Multi-sig upgrade proposal, approval, and execution
    • Special role assignment and revocation
    • Instant revocation capability

Closes

Closes #259 - Contract: Add emergency exit logic for bridge funds
Closes #263 - Contract: Add multi-sig requirement for upgrades
Closes #264 - Contract: Implement access control lists (ACL)

…tory#259)

- Add storage keys for LastRelayerActivity, EmergencyMode, and LockedBalance
- Initialize emergency mode and activity timestamp in initialize()
- Update last relayer activity timestamp on each process_message()
- Add activate_emergency_mode() - auto-activates after 72h of inactivity, admin can activate earlier
- Add emergency_withdraw() - allows users to withdraw locked assets in emergency mode
- Add deactivate_emergency_mode() - admin can deactivate emergency mode
- Add view helpers: is_emergency_mode(), last_relayer_activity(), time_since_last_activity()
- Fix Cargo.toml to include lib.path
…ratory#263)

- Add UpgradeProposal struct for tracking upgrade proposals
- Add storage keys for AdminList, UpgradeProposal, and Approval tracking
- Change initialize() to accept 5 admin addresses instead of single admin
- Add propose_upgrade() - any admin can propose an upgrade
- Add approve_upgrade() - admins can approve, requires 3/5 approvals to execute
- Add cancel_upgrade() - any admin can cancel a pending proposal
- Add execute_upgrade() - internal function to execute approved upgrades
- Add replace_admin() - replace an admin in the multi-sig list
- Deprecate upgrade() and set_admin() - now panic with deprecation message
- Add view helpers: get_admin_list(), get_upgrade_proposal(), has_approved()
- Update tests to work with multi-sig admin list
- Fix Vec indexing issues by using get() instead of []
- Fix ownership issues by cloning values appropriately
…eejaylaboratory#264)

- Add Minter, Burner, Pauser roles to AccessRole enum
- Update has_role() to handle special roles (exact match) vs hierarchical roles
- Add has_any_role() and require_any_role() for checking multiple roles
- Add revoke_specific_role() for revoking specific roles instantly
- Add is_minter(), is_burner(), is_pauser() helper functions
- Admin automatically has all special role permissions
- Update tests to verify new special roles and revocation functions
- Special roles (10+) are non-hierarchical, hierarchical roles (0-2) maintain Admin > Moderator > Contributor hierarchy
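The 3-of-5 upgrade flow described for #263 (propose counts as the first approval, one vote per admin, auto-execute at the threshold) as an added model, not the project's contract code: it uses plain Rust with String addresses and no contract SDK, and "executing" the upgrade is modelled by recording the approved wasm hash.

```rust
use std::collections::HashSet;

type Address = String;
pub const ADMIN_COUNT: usize = 5;
pub const THRESHOLD: u32 = 3;

/// Pending upgrade (fields as the PR lists them for UpgradeProposal).
#[derive(Clone, Debug, PartialEq)]
pub struct UpgradeProposal { pub wasm_hash: [u8; 32], pub proposed_at: u64, pub approval_count: u32 }

pub struct Upgradeable {
    admin_list: Vec<Address>,             // AdminList storage key
    proposal: Option<UpgradeProposal>,    // UpgradeProposal storage key
    approvals: HashSet<Address>,          // Approval(Address) keys: one vote per admin
    pub installed_hash: Option<[u8; 32]>, // stands in for the real wasm upgrade (assumption)
}

impl Upgradeable {
    pub fn initialize(admin_list: Vec<Address>) -> Result<Self, &'static str> {
        // Reject duplicates: the same key listed three times would turn 3-of-5 into 1-of-1.
        let distinct = admin_list.iter().collect::<HashSet<_>>().len();
        if admin_list.len() != ADMIN_COUNT || distinct != ADMIN_COUNT { return Err("need 5 distinct admins"); }
        Ok(Self { admin_list, proposal: None, approvals: HashSet::new(), installed_hash: None })
    }
    fn require_admin(&self, who: &Address) -> Result<(), &'static str> {
        if self.admin_list.contains(who) { Ok(()) } else { Err("not an admin") }
    }
    /// Any admin may propose; proposing counts as that admin's approval.
    pub fn propose_upgrade(&mut self, admin: &Address, wasm_hash: [u8; 32], now: u64) -> Result<(), &'static str> {
        self.require_admin(admin)?;
        if self.proposal.is_some() { return Err("proposal already pending"); }
        self.proposal = Some(UpgradeProposal { wasm_hash, proposed_at: now, approval_count: 1 });
        self.approvals = HashSet::from([admin.clone()]);
        Ok(())
    }
    /// Ok(true) once the threshold is reached and the upgrade has executed.
    pub fn approve_upgrade(&mut self, admin: &Address) -> Result<bool, &'static str> {
        self.require_admin(admin)?;
        let p = self.proposal.as_mut().ok_or("no pending proposal")?;
        // HashSet::insert returns false for a repeat vote, so one admin cannot approve twice.
        if !self.approvals.insert(admin.clone()) { return Err("already approved"); }
        p.approval_count += 1;
        if p.approval_count < THRESHOLD { return Ok(false); }
        self.installed_hash = Some(p.wasm_hash);
        self.proposal = None;
        self.approvals.clear();
        Ok(true)
    }
    pub fn has_approved(&self, admin: &Address) -> bool { self.approvals.contains(admin) }
}
```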
@drips-wave

drips-wave Bot commented Apr 26, 2026

@Joycejay17 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

