Access Control for Contract Messages
Each execute message in the Amplifier contracts is annotated with a permission scope. The vocabulary is defined by the
msgs-derive macro and a message can have any of the following:
Any: anyone can call it. Default for user-facing methods.Governance: only the configured governance address.Admin: only the configured admin address.Elevated: admin or governance.Specific(role): only an address that holds the named role. Common variants in this codebase:Specific(gateway),Specific(verifier),Specific(prover),Specific(authorized).Proxy(role): a single trusted contract may also call this on behalf of the named role. Used today forProxy(coordinator)so the coordinator can register chains/callers on behalf of governance.
Only execute messages with restricted access are listed below. Messages tagged Any are omitted.
Router
Governance
RegisterChain {
chain: ChainName,
gateway_address: Address,
msg_id_format: MessageIdFormat,
},
UpgradeGateway {
chain: ChainName,
contract_address: Address,
},
Elevated
FreezeChains {
chains: HashMap<ChainName, GatewayDirection>,
},
UnfreezeChains {
chains: HashMap<ChainName, GatewayDirection>,
},
DisableRouting,
EnableRouting,
Specific(gateway)
Only a registered chain gateway may call this:
RouteMessages(Vec<Message>)
Voting Verifier
Governance
UpdateVotingThreshold {
new_voting_threshold: MajorityThreshold,
}
Multisig Prover
Governance
UpdateSigningThreshold {
new_signing_threshold: MajorityThreshold,
},
UpdateAdmin {
new_admin_address: String,
}
Elevated
UpdateVerifierSet
Multisig
Governance
AuthorizeCallers {
contracts: HashMap<String, ChainName>,
}
Elevated
UnauthorizeCallers {
contracts: HashMap<String, ChainName>,
},
DisableSigning,
EnableSigning,
Specific(authorized)
Only a contract previously authorized via AuthorizeCallers may call this, and only for the chain name it was
authorized for:
StartSigningSession {
verifier_set_id: String,
msg: HexBinary,
chain_name: ChainName,
sig_verifier: Option<String>,
}
Service Registry
Governance
RegisterService {
service_name: String,
coordinator_contract: String,
min_num_verifiers: u16,
max_num_verifiers: Option<u16>,
min_verifier_bond: nonempty::Uint128,
bond_denom: String,
unbonding_period_days: u16,
description: String,
},
UpdateService {
service_name: String,
updated_service_params: UpdatedServiceParams,
},
AuthorizeVerifiers {
verifiers: Vec<String>,
service_name: String,
},
UnauthorizeVerifiers {
verifiers: Vec<String>,
service_name: String,
},
JailVerifiers {
verifiers: Vec<String>,
service_name: String,
}
Specific(verifier)
Called by the verifier address itself:
RegisterChainSupport {
service_name: String,
chains: Vec<ChainName>,
},
DeregisterChainSupport {
service_name: String,
chains: Vec<ChainName>,
}
Coordinator
Governance
RegisterProverContract {
chain_name: ChainName,
new_prover_addr: String,
}
Specific(prover)
Only a prover address that was previously registered via RegisterProverContract may call this, and only with respect
to the chain it was registered for:
SetActiveVerifiers {
verifiers: HashSet<String>,
}