Permission Matrix
This matrix is grounded in the current Solidity snapshot at /Users/marcos/Desktop/centurion_phase1_upgradeable_refactor. It documents privileged or operationally sensitive entrypoints; public view helpers are intentionally omitted.
Current-source correction
DepositContractCTN has no baselineVaultFactoryFrozen, freezeBaselineVaultFactory, setBaselineVaultFactory, setBaselineVaultRuntimeCodehash, setPhase1CustodyChecksEnabled, pubkeyAllowlistEnabled, pubkeyAllowlistDisabledForever, or ownerOnlyDepositorEnabled in the current source.
| Contract | Function | Access control condition | Authority variable or role | Recommended production holder | What it changes | Direct economic/security effect | Worst-case abuse scenario | Operational controls | Frequency | Pre-checks | Post-checks | Events to monitor | Class |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CenturionUpgradeGovernor | proposeRoleGrant | onlyRoleAdmin | roleAdmin | RoleAdmin Safe | Starts timelocked role grant | Future authority expansion | Attacker stages upgrade/executor/registrar role | Ticket, signer review, delay monitoring | Rare | Role need, account custody | pendingRoleGrant set | RoleGrantProposed | Routine/governance |
| CenturionUpgradeGovernor | executeRoleGrant | onlyRoleAdmin after delay | roleAdmin | RoleAdmin Safe | Grants role | Activates authority | Malicious role becomes live | Final review at ready time | Rare | Delay elapsed, no incident | hasRole true | RoleGrantExecuted, RoleGranted | Routine/governance |
| CenturionUpgradeGovernor | cancelRoleGrant | onlyRoleAdmin | roleAdmin | RoleAdmin Safe | Cancels pending role grant | Stops future authority | Blocks legitimate ops if abused | Change ticket and reason | Rare | Pending grant exists | Pending cleared | RoleGrantCancelled | Routine/emergency |
| CenturionUpgradeGovernor | revokeRole | onlyRoleAdmin | roleAdmin | RoleAdmin Safe | Revokes role immediately and clears pending grant | Removes authority | Disrupts upgrades or disables guardian | Emergency playbook and replacement plan | Rare/emergency | Compromise or rotation evidence | hasRole false | RoleRevoked, possible RoleGrantCancelled | Emergency-capable |
| CenturionUpgradeGovernor | transferRoleAdmin | onlyRoleAdmin | roleAdmin | RoleAdmin Safe | Stages role-admin transfer | Moves root authority after delay | Root takeover | Board-level approval, destination Safe proof | Very rare | Destination Safe verified | pendingRoleAdmin set | RoleAdminTransferStarted | Routine/governance |
| CenturionUpgradeGovernor | cancelRoleAdminTransfer | onlyRoleAdmin | roleAdmin | RoleAdmin Safe | Cancels admin transfer | Preserves current root | Blocks intended rotation | Rotation ticket | Rare | Pending transfer exists | Pending cleared | RoleAdminTransferReadyAtUpdated | Routine/emergency |
| CenturionUpgradeGovernor | acceptRoleAdmin | Caller must be pendingRoleAdmin and ready | pendingRoleAdmin | New RoleAdmin Safe | Completes admin transfer | New root authority | Wrong Safe becomes root | Acceptance ceremony | Very rare | Delay elapsed, signer proof | roleAdmin updated | RoleAdminTransferred | Routine/governance |
| CenturionUpgradeGovernor | registerTransparentProxy | onlyRole(REGISTRAR_ROLE) notFinalFrozen | REGISTRAR_ROLE | Release/Registrar Safe | Registers proxy target kind | Enables policy assertions/upgrades | Wrong proxy trusted or target-kind drift | Runtime codehash/admin check, artifact ticket | Rare | Proxy admin is governor | Registration readback | TransparentProxyRegistered | Launch/routine |
| CenturionUpgradeGovernor | registerBeacon | onlyRole(REGISTRAR_ROLE) notFinalFrozen | REGISTRAR_ROLE | Release/Registrar Safe | Registers beacon target kind | Enables beacon policy assertions/upgrades | Wrong beacon or authority trusted | Runtime codehash/authority check | Rare | Beacon authority is governor | Registered beacon count/list | BeaconRegistered | Launch/routine |
| CenturionUpgradeGovernor | recordGenesisImplementation | onlyRole(REGISTRAR_ROLE) notFinalFrozen | REGISTRAR_ROLE | Release/Registrar Safe | Approves genesis implementation | Establishes policy registry trust | Malicious implementation approved | Codehash, metadata, source review | Launch-only | Metadata and code hash verified | implementationPolicy readback | GenesisImplementationApproved | Launch-only |
| CenturionUpgradeGovernor | sealGenesisApprovals | onlyRole(REGISTRAR_ROLE) notFinalFrozen | REGISTRAR_ROLE | Release/Registrar Safe | Seals genesis approval phase | Prevents further genesis approvals | Premature seal blocks launch fix | Release checklist | Once | All genesis impls approved | genesisApprovalsSealed true | GenesisApprovalsSealed | Launch-only |
| CenturionUpgradeGovernor | proposeUpgrade | onlyRole(PROPOSER_ROLE) notFinalFrozen | PROPOSER_ROLE | Upgrade Operations Safe | Stores upgrade operation | Stages code change | Malicious implementation staged | Release review and operation-hash reproduction | Rare | Artifact, metadata, storage review | operationKnown and getOperation | UpgradeProposed | Routine/governance |
| CenturionUpgradeGovernor | queueUpgrade | onlyRole(QUEUER_ROLE) notFinalFrozen | QUEUER_ROLE | Upgrade Operations Safe or Queue Safe | Starts timelock | Makes operation executable later | Bad op matures | Continuous monitoring and guardian readiness | Rare | Proposal decoded and approved | readyAt set | UpgradeQueued | Routine/governance |
| CenturionUpgradeGovernor | cancelUpgrade | onlyRole(CANCELLER_ROLE) | CANCELLER_ROLE | Guardian/Canceller Safe | Cancels pending operation | Prevents execution | Blocks valid upgrade | Independent incident policy | Rare/emergency | Suspicion or failed review | Operation cancelled | UpgradeCancelled | Emergency-capable |
| CenturionUpgradeGovernor | executeUpgrade | onlyRole(EXECUTOR_ROLE) notFinalFrozen after queue/delay | EXECUTOR_ROLE | Upgrade Operations Safe | Upgrades proxy or beacon | Replaces live logic | Fund/custody/accounting invariants bypassed | Final go/no-go, post asserts | Rare | readyAt, codehash, calldata, policy | Live implementation and initialized version | UpgradeExecuted, proxy/beacon events | Routine/governance |
| CenturionUpgradeGovernor | finalFreeze | onlyRole(FREEZER_ROLE) | FREEZER_ROLE | Guardian/Canceller Safe | Calls freezeForever on registered beacons and sets finalFrozen | Irreversibly removes beacon upgrade path | Freezes fleet before needed fix | Board-level emergency approval | Never/incident | Registered beacon list complete | finalFrozen true and all beacons frozen | BeaconFrozenInFinalFreeze, FinalFreeze | Emergency-only |
| DepositContractCTN | initialize | initializer | Deployment authority | Deployment Safe | Stores baseline references and allowlist admin | Defines deposit trust anchors | Wrong baseline admits unsafe route or halts deposits | Deployment ceremony and dry-run checks | Once | Component addresses/code, policy assertions | Baseline events and state reads | BaselineConfigured, BaselineMetadataConfigured, AllowlistAdminTransferred | Launch-only |
| DepositContractCTN | addAllowedDeposit | onlyAllowlistAdmin | allowlistAdmin | Admission Safe | Adds default 32 CTN intent for admin as depositor | Opens admission | Admin address accidentally authorized | Use only when admin submits deposit | Occasional | Pubkey/WC verified | Intent read true | DepositIntentAllowed, DepositIntentAllowedFor | Routine |
| DepositContractCTN | addAllowedDeposits | onlyAllowlistAdmin | allowlistAdmin | Admission Safe | Batch default intents | Opens admissions | Batch includes wrong validator | Batch reconciliation | Occasional | Arrays validated off-chain | Spot-check hashes | DepositIntentAllowedFor | Routine |
| DepositContractCTN | addAllowedDepositFor | onlyAllowlistAdmin | allowlistAdmin | Admission Safe | Adds explicit amount/depositor intent | Opens exact caller admission | Wrong depositor or amount authorized | Two-person tuple review | Frequent onboarding | Pubkey, WC, amount, caller, epoch | Intent read true | DepositIntentAllowedFor | Routine |
| DepositContractCTN | addAllowedDepositsFor | onlyAllowlistAdmin | allowlistAdmin | Admission Safe | Batch explicit intents | Opens admissions | Batch poison or mismatch | CSV/hash reconciliation | Frequent onboarding | Array lengths and tuple review | Spot-check hashes | DepositIntentAllowedFor | Routine |
| DepositContractCTN | removeAllowedDeposit | onlyAllowlistAdmin | allowlistAdmin | Admission Safe | Clears default active intent | Blocks deposit | Blocks valid onboarding | Ticketed removal | Occasional | Confirm intent target | Intent read false | DepositIntentRemoved, DepositIntentRemovedFor | Routine |
| DepositContractCTN | removeAllowedDepositFor | onlyAllowlistAdmin | allowlistAdmin | Admission Safe | Clears explicit active intent | Blocks deposit | Removes correct user intent | Ticketed removal | Occasional | Confirm tuple | Intent read false | DepositIntentRemovedFor | Routine |
| DepositContractCTN | transferAllowlistAdmin | onlyAllowlistAdmin | allowlistAdmin | Admission Safe | Stages admission-admin transfer | Moves admission authority | Wrong admin staged | Destination Safe review | Rare | New Safe verified | Pending admin set | AllowlistAdminTransferStarted | Routine/governance |
| DepositContractCTN | acceptAllowlistAdmin | Caller must be pendingAllowlistAdmin | pendingAllowlistAdmin | New Admission Safe | Completes transfer and increments allowlistEpoch | Invalidates old intents | Attacker becomes admission admin | Acceptance ceremony | Rare | Pending admin and epoch noted | allowlistAdmin, epoch changed | AllowlistAdminTransferred | Routine/governance |
| DepositContractCTN | cancelAllowlistAdminTransfer | onlyAllowlistAdmin | allowlistAdmin | Admission Safe | Cancels pending transfer | Preserves current admin | Blocks intended rotation | Rotation ticket | Rare | Pending transfer exists | Pending cleared | AllowlistAdminTransferCancelled | Routine |
| CenturionVaultFactory | initialize | initializer | Deployment authority | Deployment Safe | Sets owner, controller, exit contract, governor, beacon, hashes | Defines vault deployment trust anchors | Wrong beacon/governor/controller binds fleet | Deployment ceremony | Once | Runtime codehash and authority checks | State readback | OwnershipTransferred | Launch-only |
| CenturionVaultFactory | transferOwnership | onlyOwner | owner | Factory Ops Safe | Stages factory owner transfer | Moves vault-deploy authority | Wrong deployer gains control | Two-step review | Rare | New Safe verified | Pending owner set | OwnershipTransferStarted | Routine/governance |
| CenturionVaultFactory | cancelOwnershipTransfer | onlyOwner | owner | Factory Ops Safe | Cancels owner transfer | Preserves authority | Blocks intended rotation | Ticketed cancel | Rare | Pending exists | Pending cleared | OwnershipTransferCancelled | Routine |
| CenturionVaultFactory | acceptOwnership | Caller must be pendingOwner | pendingOwner | New Factory Ops Safe | Completes owner transfer | Moves vault-deploy authority | Wrong owner accepts | Acceptance ceremony | Rare | Pending and Safe verified | Owner readback | OwnershipTransferred | Routine/governance |
| CenturionVaultFactory | setPolicyBootstrapOpen | onlyOwner | owner | Factory Ops Safe | Toggles bootstrap flag | Deposit readiness rejects if open | Deposits halted or unsafe bootstrap allowed | Change window and deposit pause | Rare | Launch state reviewed | Router flag readback | PolicyBootstrapOpenSet | Launch/routine |
| CenturionVaultFactory | deployVault | onlyOwner | owner | Factory Ops Safe | Deploys vault and initializes controller seat | Creates custody route | Wrong beneficiary/destination/params | Validator onboarding review | Per validator | Pubkey, beneficiary, destination, caps | Vault mapping and seat state | VaultDeployed, SeatInitialized | Routine |
| CenturionEconomicController | initialize | initializer | Deployment authority | Deployment Safe | Sets owner, exit contract, hashes, initial modes | Defines economic control plane | Wrong owner or exit contract | Deployment ceremony | Once | Exit contract code, hashes | State readback | OwnershipTransferred | Launch-only |
| CenturionEconomicController | transferOwnership | onlyOwner | owner | Operational/Risk Safe | Stages owner transfer | Moves economic authority | Wrong Safe gains risk/funds controls | Two-step governance review | Rare | Destination Safe verified | Pending owner set | OwnershipTransferStarted | Routine/governance |
| CenturionEconomicController | cancelOwnershipTransfer | onlyOwner | owner | Operational/Risk Safe | Cancels owner transfer | Preserves authority | Blocks intended rotation | Ticketed cancel | Rare | Pending exists | Pending cleared | OwnershipTransferCancelled | Routine |
| CenturionEconomicController | acceptOwnership | Caller must be pendingOwner | pendingOwner | New Operational/Risk Safe | Completes owner transfer | Moves economic authority | Wrong Safe becomes owner | Acceptance ceremony | Rare | Pending verified | Owner readback | OwnershipTransferred | Routine/governance |
| CenturionEconomicController | setUpgradeGovernor | onlyOwner, one-shot | owner | Governance/Risk Safe | Binds governor for gatekeeper validation | Establishes gatekeeper policy root | Wrong governor trusted | Address/code/policy assertion review | Once | Governor registered gatekeeper | upgradeGovernor readback | UpgradeGovernorBound | Launch-only |
| CenturionEconomicController | bindClaimGatekeeper | onlyOwner, gatekeeper unset | owner | Governance/Risk Safe | Binds claim gatekeeper | Controls claim authorization path | Wrong gatekeeper controls pending claims | Governor policy assertion | Once | Governor set, metadata valid | Gatekeeper readback | ClaimGatekeeperBound | Launch-only |
| CenturionEconomicController | setFactory | onlyOwner, factory unset | owner | Governance/Risk Safe | Binds factory | Defines valid vault registry | Wrong registry admits wrong vaults | Factory address review | Once | Gatekeeper bound, factory code | Factory readback | FactorySet | Launch-only |
| CenturionEconomicController | setRiskFreshnessWindow | onlyOwner | owner | Risk Safe | Updates stale-observation window | Claim availability and safety | Stale data accepted or good data blocked | Risk committee approval | Rare | Window bounds and feed SLA | Window readback | RiskFreshnessWindowUpdated | Routine |
| CenturionEconomicController | setAggregateExposureCapBps | onlyOwner | owner | Risk Safe | Updates smoothing exposure cap | Reserve exposure | Over-advances reserve smoothing | Phase cap review | Rare | Phase cap and exposure | Cap readback | No dedicated event found in current source; archive state readback | Routine |
| CenturionEconomicController | setFinalModelModes | onlyOwner | owner | Governance/Risk Safe | Requires all final modes enabled | Model enforcement | Disabled strict accounting if code changed | Should remain all true | Very rare | All booleans true | Behavior smoke test | No dedicated event found in current source; archive state readback | Deprecated/routine guard |
| CenturionEconomicController | hardenNetworkPhase | onlyOwner | owner | Governance/Risk Safe | Advances network phase only forward | Changes risk/exposure policy | Premature hardening changes limits | Governance decision | Rare | Phase impact review | Phase readback | NetworkPhaseChanged | Routine/governance |
| CenturionEconomicController | setClaimExecutorGrant | onlyOwner | owner | Ops Safe | Grants executor scope/expiry through gatekeeper | Allows assisted claims | Executor drains allowed claim capacity | Short expiry and scope review | Occasional | Vault seat and executor verified | Grant readback | ClaimExecutorGrantSet | Routine |
| CenturionEconomicController | setClaimExecutorsPaused | onlyOwner | owner | Ops/Guardian Safe | Pauses/unpauses executor claims | Affects claim availability | Blocks assistance or hides executor abuse | Incident/change ticket | Incident/rare | Reason and affected vaults | Pause readback | ClaimExecutorsPausedSet | Emergency-capable |
| CenturionEconomicController | revokeClaimExecutorGrant | onlyOwner | owner | Ops Safe | Revokes executor grant | Removes assisted claim authority | Blocks legitimate executor | Ticketed revoke | Occasional | Grant exists | Grant removed | ClaimExecutorGrantRevoked | Routine/emergency |
| CenturionEconomicController | proposeExitRequestFallback | onlyOwner | owner | Governance/Risk Safe | Stages exit fallback after 24h | Changes exit route | Bad fallback blocks exits | Endpoint/codehash review | Rare | Contract code and behavior | Pending fallback readback | ExitFallbackUpdateProposed | Routine |
| CenturionEconomicController | cancelExitRequestFallbackProposal | onlyOwner | owner | Governance/Risk Safe | Cancels pending fallback | Preserves exit route | Blocks intended fallback | Ticketed cancel | Rare | Pending exists | Pending cleared | ExitFallbackUpdateCanceled | Routine |
| CenturionEconomicController | activateExitRequestFallback | onlyOwner after delay | owner | Governance/Risk Safe | Activates fallback | Changes exit route | Bad fallback receives exit requests | Final endpoint review | Rare | Delay elapsed, code valid | Fallback readback and vault sync | ExitFallbackUpdated | Routine |
| CenturionEconomicController | initializeSeat | onlyFactory | factory | Factory only | Creates seat config | Enables vault economics | Wrong beneficiary/destination | Factory deployment checklist | Per validator | Factory-only caller, params | Seat readback | SeatInitialized | Launch/routine |
| CenturionEconomicController | setTriggerArmed | onlyOwner | owner | Risk Safe | Toggles claim trigger | Enables/disables running claims | Claims enabled during unsafe state | Risk review | Occasional | Observation/readiness | Claim state readback | TriggerArmedSet, possible ClaimCancelled | Routine/emergency |
| CenturionEconomicController | setReserveCoverage | onlyOwner | owner | Risk/Treasury Safe | Sets reserve limits/proof | Enables deposit/claim safety | Fake reserve coverage | Proof review and reconciliation | Regular | Proof hash, limits, vault | Readiness/coverage readback | ReserveCoverageSet, possible ClaimCancelled | Routine |
| CenturionEconomicController | setClearedSafeEpoch | onlyOwner | owner | Oracle/Risk Safe | Advances safe receipt epoch | Affects receipt classification | Unsafe receipts classified as rewards | Finality/source proof | Regular | Epoch proof | Claimability readback | ClearedSafeEpochSet, possible ClaimCancelled | Routine |
| CenturionEconomicController | clearReserveCoverage | onlyOwner | owner | Risk Safe | Clears reserve coverage | Disables reserve-backed readiness | Halts deposits/claims | Incident ticket | Incident/rare | Reason and affected vault | Coverage zero/readiness false | ReserveCoverageReleased, possible ClaimCancelled | Emergency-capable |
| CenturionEconomicController | updateRiskObservationFinalModel | onlyOwner | owner | Oracle/Risk Safe or service Safe | Records risk observation and delta | Drives claim state/smoothing | False oracle data enables or blocks claims | Signed feeds and source ids | High frequency | Finality, source uniqueness | Risk/claim state readback | RiskObservationAccepted, conflict events | Routine |
| CenturionEconomicController | recordVaultReceipt | onlyOwner | owner | Receipt Ops Safe | Records receipt with default source id | Moves economic buckets | Misclassified funds | Receipt proof and epoch review | Regular | Receipt id uniqueness | Ledger readback | VaultReceiptRecorded, ReceiptClassified | Routine |
| CenturionEconomicController | recordVaultReceiptFinalModel | onlyOwner | owner | Receipt Ops Safe | Records receipt with source group | Moves economic buckets and source ledger | Double count or wrong source kind | Source-group reconciliation | Regular | Source group uniqueness | Ledger/source flags | VaultReceiptRecorded, ReceiptClassified | Routine |
| CenturionEconomicController | applyReserveTopUp | onlyOwner, payable | owner | Risk/Treasury Safe | Sends reserve top-up into vault | Repairs principal deficit | Misapplied reserve funds | Treasury approval and amount check | Occasional | Deficit and receipt id | Vault balance/ledger | ReserveTopUpApplied | Routine/emergency |
| CenturionEconomicController | recordExitAccepted | onlyOwner | owner | Ops/Risk Safe | Marks exit accepted | Moves validator lifecycle | Premature exit state | Consensus evidence | Occasional | Exit acceptance proof | Seat/risk readback | ExitAcceptedRecorded | Routine |
| CenturionEconomicController | proposeSettlementWithGuard | onlyOwner | owner | Governance/Risk Safe | Proposes settlement | Starts settlement delay/path | Bad settlement snapshot | Multi-party review | Occasional | Exit/funds evidence | Settlement readback | SettlementProposed, possible ClaimCancelled | Routine/emergency |
| CenturionEconomicController | cancelEmergencySettlement | onlyOwner | owner | Governance/Risk Safe | Cancels emergency settlement | Restores non-emergency path | Blocks needed emergency | Incident review | Rare | Emergency proposal exists | Settlement state readback | EmergencySettlementCancelled | Emergency-capable |
| CenturionEconomicController | finalizeSettlement | onlyOwner | owner | Governance/Risk Safe | Finalizes settlement accounting | Determines principal/reward/excess | Wrong payout ordering | Settlement checklist | Occasional | Delay, ledger, reserve state | Settlement finalized | SettlementFinalized | Routine/emergency |
| CenturionEconomicController | claimPrincipal | onlyOwner, non-reentrant | owner | Treasury/Governance Safe | Transfers claimable principal | Moves principal funds | Principal misrouted | Destination allowlist | Occasional | Settlement finalized and destination | Vault/ledger readback | PrincipalClaimed | Routine |
| CenturionEconomicController | drainRemainder | onlyOwner, non-reentrant | owner | Governance Safe | Drains post-settlement remainder | Moves remaining vault funds | Funds misallocated | Post-settlement audit | Rare | Drain delay and destination | Vault balance | RemainderDrained | Routine |
| CenturionEconomicController | initiateClaim | Public path through gatekeeper policy | Beneficiary or scoped executor | Beneficiary/executor as policy allows | Starts pending running reward claim | Reserves future reward payout | Starts claim for wrong amount if state/caps wrong | Claim eligibility review | Regular | Claim mode, amount, caps, executor scope | Pending claim readback | Gatekeeper pending-claim events | Routine |
| CenturionEconomicController | finalizeClaim | Public path through gatekeeper policy, non-reentrant | Beneficiary or scoped executor | Beneficiary/executor as policy allows | Finalizes pending running reward claim and transfers ETH | Moves reward funds | Premature or unauthorized payout if gatekeeper/controller state wrong | Pending-delay and amount recheck | Regular | Pending claim ready, reward bucket available | Reward bucket consumed and vault transfer | Gatekeeper finalize events, vault ETHTransferred | Routine |
| CenturionEconomicController | cancelClaim | Public path through gatekeeper cancellation policy | Beneficiary, executor, owner, or policy-allowed caller | Beneficiary/operator as policy allows | Cancels pending claim | Blocks pending payout | Griefing or hides suspicious pending claim | Reason capture and affected vault review | Occasional | Pending claim exists, caller right checked | Pending cleared | Gatekeeper cancel events | Routine/emergency |
| CenturionEconomicController | claimSettlementRewards | Public path through policy | Caller/gatekeeper rules | Beneficiary/executor as policy allows | Claims settlement rewards | Moves reward funds | Unauthorized executor if grant wrong | Gatekeeper caps and scopes | Occasional | Pending/available rewards | Ledger/balance | SettlementRewardsClaimed | Routine |
| CenturionEconomicController | requestValidatorExitDynamic | Public path through controller checks | Controller seat policy | Operator/automation with fee | Requests validator exit using live fee | Changes validator lifecycle | Premature exit if policy wrong | Exit runbook and pubkey proof | Occasional | Trigger/risk/fee/pubkey | exitSubmitted, state | ExitRequested | Routine/emergency |
| CenturionEconomicController | requestValidatorExitWithManualFee | Public path through controller checks | Controller seat policy | Operator/automation with fee | Requests validator exit using manual fee | Changes validator lifecycle | Fee misuse or premature exit | Manual-fee approval | Occasional | Fee proof/pubkey | exitSubmitted, refund | ExitRequested | Routine/emergency |
| CenturionClaimGatekeeper | initialize | initializer | Deployment authority | Deployment Safe | Sets controller | Defines only controller | Wrong controller owns claims | Deployment review | Once | Controller code/address | Controller readback | No dedicated event found in current source; archive state readback | Launch-only |
| CenturionClaimGatekeeper | setClaimExecutorGrant | onlyController | controller | Controller only | Stores executor grant | Enables assisted claims | Unauthorized executor drains caps | Controller owner controls | Occasional | Scope/expiry/vault | Grant readback | No gatekeeper event found in current source; archive controller wrapper event or state readback | Routine |
| CenturionClaimGatekeeper | setClaimExecutorsPaused | onlyController | controller | Controller only | Pauses executors | Claim availability | Blocks assisted claims | Incident policy | Rare | Pause reason | Readback | No gatekeeper event found in current source; archive controller wrapper event or state readback | Emergency-capable |
| CenturionClaimGatekeeper | revokeClaimExecutorGrant | onlyController | controller | Controller only | Removes grant | Removes assisted claim authority | Blocks executor | Controller runbook | Occasional | Grant exists | Grant gone | No gatekeeper event found in current source; archive controller wrapper event or state readback | Routine |
| CenturionClaimGatekeeper | authorizeAndCheckClaim | onlyController | controller | Controller only | Checks/consumes claim period caps | Enforces claim limits | Bad controller can consume caps | Controller-only invariant | Regular | Cap and beneficiary | Period state | No dedicated event found in current source; archive state readback | Routine |
| CenturionClaimGatekeeper | initiatePendingClaim | onlyController | controller | Controller only | Creates pending claim | Starts claim delay | Forced/blocked pending claim if controller compromised | Controller claim checks | Regular | Claim state and amount | pendingClaim readback | No dedicated event found in current source; archive state readback | Routine |
| CenturionClaimGatekeeper | finalizePendingClaim | onlyController | controller | Controller only | Finalizes pending claim and caps | Authorizes payout | Premature payout if controller compromised | Controller recheck before transfer | Regular | Ready time and caps | Pending cleared | No dedicated event found in current source; archive state readback | Routine |
| CenturionClaimGatekeeper | cancelPendingClaim | onlyController | controller | Controller only | Cancels pending claim | Blocks payout | Malicious cancel griefing | Controller reason/event | Occasional | Pending exists and caller rights | Pending cleared | No dedicated event found in current source; archive state readback | Routine/emergency |
| CenturionClaimGatekeeper | clearPendingClaimIfAny | onlyController | controller | Controller only | Clears pending claim if present | Invalidates stale claim | Griefing if controller compromised | Controller transition checks | Occasional | Risk/receipt/settlement transition | Pending cleared | No dedicated event found in current source; archive state readback | Routine |
| CenturionClaimGatekeeper | forceSetPendingClaim | onlyController | controller | Controller only, migration/emergency only | Directly sets pending claim | Powerful state override | Fabricated pending claim | Use only with migration proof | Deprecated/emergency | Explicit migration evidence | Pending state and audit log | No dedicated event found in current source; archive state readback | Deprecated/emergency-only |
| CenturionWithdrawalVault | initialize | initializer | Factory deployment | Factory only | Sets factory, controller, pubkey, exit route | Defines vault custody identity | Wrong controller/pubkey binding | Factory deploy checks | Per vault | Factory input reviewed | Vault metadata | No dedicated event found in current source; archive state readback | Launch/routine |
| CenturionWithdrawalVault | setExitRequestFallback | onlyController | controller | Controller only | Sets vault fallback endpoint | Changes exit route | Bad fallback blocks exit | Controller fallback policy | Rare | Fallback code valid | Vault fallback readback | ExitRequestFallbackUpdated | Routine/emergency |
| CenturionWithdrawalVault | transferETH | onlyController, non-reentrant | controller | Controller only | Transfers ETH out | Direct fund movement | Funds sent to wrong destination | Controller payout policy | Regular | Amount/destination/claim state | Vault balance and controller ledger | ETHTransferred | Routine |
| CenturionWithdrawalVault | requestExit | onlyController, payable | controller | Controller only | Calls exit request contract | Validator exit lifecycle | Premature exit or fee trap | Controller exit checks | Occasional | Pubkey and fee proof | exitSubmitted true | ExitRequested | Routine/emergency |
| CenturionTransparentProxy | changeAdmin | ifAdmin | EIP-1967 admin | Governor only | Changes proxy admin | Moves upgrade authority | Proxy escapes governor | Should not be routine; governor does not expose direct arbitrary call here | Deprecated/emergency | Governance design review | proxyAdmin readback | AdminChanged | Deprecated/emergency-only |
| CenturionTransparentProxy | upgradeToAndCall | ifAdmin | EIP-1967 admin | Governor | Upgrades implementation and calls init | Replaces logic | Malicious implementation | Governor timelock lifecycle | Rare | Governor operation checks | Implementation/version readback | Upgraded, governor UpgradeExecuted | Routine/governance |
| CenturionUpgradeableBeacon | upgradeTo | onlyAuthority | upgradeAuthority | Governor | Replaces vault implementation | Fleet-wide vault behavior change | All vaults compromised | Governor timelock lifecycle | Rare | Beacon operation checks | Beacon implementation readback | BeaconUpgraded, governor UpgradeExecuted | Routine/governance |
| CenturionUpgradeableBeacon | freezeForever | onlyAuthority | upgradeAuthority | Governor via finalFreeze | Permanently freezes beacon | Removes upgrade path | Prevents future fix | Emergency final-freeze approval | Never/incident | Registered beacon list | frozen true | BeaconFrozenForever, FinalFreeze | Emergency-only |

## Four-Layer Review Rule

| Layer | Permission-matrix use |
|---|---|
| Upgrade governance | Identify roles that decide which implementation, proxy, or beacon policy is official. |
| Deposit permissioning | Identify the allowlistAdmin and exact admission functions that decide who may deposit. |
| Custody/readiness | Identify factory, controller, vault, beacon, and readiness functions that make the route safe or unsafe. |
| Economic/claim safety | Identify controller and gatekeeper functions that move, classify, reserve, settle, or authorize value. |
A row in this matrix is intentionally operational, not just syntactic. If a generated privileged candidate is omitted, the omission must be because the candidate is a pure/view helper, an internal library routine represented by a public controller wrapper, or a compatibility surface with no direct operational caller.
Intentional Exclusions From Operational Rows
| Generated candidate | Exclusion reason |
|---|---|
| CenturionConsensusSmoothingLib.applyConsensusDeltaSmoothing | Public library routine used by controller accounting flows; operational authority is represented by controller observation/receipt rows. |
| CenturionReceiptAccountingLib.recordReceipt | Public library routine used by controller receipt wrappers; operational authority is represented by recordVaultReceipt and recordVaultReceiptFinalModel. |
| CenturionUpgradeGovernor.registeredBeaconCount | Read-only inventory helper; no state change. |
| CenturionUpgradeGovernor.registeredBeaconAt | Read-only inventory helper; no state change. |
| CenturionInitializable.initializedVersion | Read-only initializer-state helper; no operational authority. |