Authority Flow

```mermaid
flowchart TD
    RA[RoleAdmin Safe]
    UO[Upgrade Operations Safe]
    GU[Guardian / Canceller Safe]
    RR[Release / Registrar Safe]
    OR[Operational / Risk Safe]

    GOV[CenturionUpgradeGovernor]
    CTRL[CenturionEconomicController owner]
    DEP[Deposit allowlistAdmin]
    FAC[CenturionVaultFactory owner]

    RA -->|propose/execute/revoke role grants| GOV
    UO -->|PROPOSER_ROLE QUEUER_ROLE EXECUTOR_ROLE| GOV
    GU -->|CANCELLER_ROLE FREEZER_ROLE| GOV
    RR -->|REGISTRAR_ROLE| GOV
    OR -->|risk, receipts, exits, reserve controls| CTRL
    OR -->|admission intents| DEP
    OR -->|vault deployment / bootstrap flag| FAC

    GOV -->|proxy admin| TP[Transparent proxies]
    GOV -->|beacon authority| BE[Vault beacon]
    CTRL -->|controller-only calls| CG[Claim gatekeeper and vaults]
```

Core Reality

CenturionUpgradeGovernor is the upgrade authority contract. roleAdmin is an address inside that authority model. The governor can be correct while a compromised roleAdmin Safe still becomes the path to future compromise by assigning roles, revoking defenders, or transferring root role administration.

Role Separation Requirement

Recommended production custody:

  • RoleAdmin Safe for roleAdmin only;
  • Upgrade Operations Safe for PROPOSER_ROLE, QUEUER_ROLE, and EXECUTOR_ROLE;
  • Guardian/Canceller Safe for CANCELLER_ROLE and, if retained operationally, FREEZER_ROLE;
  • Release/Registrar Safe for REGISTRAR_ROLE;
  • Operational/Risk Safe for controller owner, factory owner, and admission admin only if those powers are intentionally colocated.

A single multisig controlling everything is weaker because one signing incident can propose, queue, execute, register, cancel defenders, and mutate operations. Role separation gives monitoring time and creates an independent cancel path.

EOA Custody

EOAs should not hold production roles. The handbook assumes hardened multisigs or equivalent governance-controlled accounts with hardware-backed signers, out-of-band payload review, and signer rotation procedures.

Events To Watch

Monitor RoleGrantProposed, RoleGrantExecuted, RoleRevoked, RoleAdminTransferStarted, RoleAdminTransferred, UpgradeProposed, UpgradeQueued, UpgradeExecuted, UpgradeCancelled, TransparentProxyRegistered, BeaconRegistered, GenesisImplementationApproved, GenesisApprovalsSealed, and FinalFreeze.

Operating Notes

Authority reviews must name the layer being changed before any transaction is signed. Upgrade governance changes implementation trust. Deposit permissioning changes who can enter the validator set. Custody/readiness changes whether the vault route is safe enough to accept funds. Economic/claim safety changes whether accounting, reserves, claims, exits, or settlement can move value.

If an authority path crosses layers, split the review into separate evidence packets. Rotating allowlistAdmin is not a controller-risk change, and approving a new controller implementation is not proof that any pending claim is safe. The operator should archive the role or owner readback, intended holder, multisig threshold, event log, and runbook approval for each authority transition.
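An added example, not from the Centurion handbook or its code base, that turns the Role Separation Requirement and the Events To Watch list into two checks an operator can run over an archived readback and a decoded event log: one reports any Safe whose roles span more than one custody group, the other flags events that move authority to an unplanned holder, remove a defender, or transfer root role administration. The addresses, the decoded event shape and the planned-holder map are constructed assumptions, not the governor's real ABI.

```python
from collections import defaultdict

# Custody split from the handbook: a Safe should hold roles from one group only.
CUSTODY_GROUPS = {
    "roleAdmin": "RoleAdmin Safe",
    "PROPOSER_ROLE": "Upgrade Operations Safe",
    "QUEUER_ROLE": "Upgrade Operations Safe",
    "EXECUTOR_ROLE": "Upgrade Operations Safe",
    "CANCELLER_ROLE": "Guardian / Canceller Safe",
    "FREEZER_ROLE": "Guardian / Canceller Safe",
    "REGISTRAR_ROLE": "Release / Registrar Safe",
}
# Governor events that move authority rather than an implementation.
AUTHORITY_EVENTS = {"RoleGrantProposed", "RoleGrantExecuted", "RoleRevoked",
                    "RoleAdminTransferStarted", "RoleAdminTransferred"}

def separation_violations(readback):
    # readback: {role: [holder, ...]}; returns one line per holder spanning >1 group
    groups = defaultdict(set)
    for role, holders in readback.items():
        for addr in holders:
            groups[addr.lower()].add(CUSTODY_GROUPS[role])
    return [f"{addr} spans {sorted(g)}" for addr, g in groups.items() if len(g) > 1]

def triage_events(events, planned):
    # events: decoded logs as {"name", "role", "account"} dicts (constructed shape)
    alerts = []
    for ev in events:
        name, role, acct = ev["name"], ev.get("role"), ev.get("account", "")
        if name not in AUTHORITY_EVENTS:
            continue  # upgrade-path events are reviewed in a separate packet
        if name.startswith("RoleAdminTransfer"):
            alerts.append(f"{name}: root role administration moving to {acct}")
        elif name == "RoleRevoked" and role in ("CANCELLER_ROLE", "FREEZER_ROLE"):
            alerts.append(f"{name}: defender {role} removed from {acct}")
        elif name != "RoleRevoked" and acct.lower() != planned.get(role, "").lower():
            alerts.append(f"{name}: {role} granted to unplanned holder {acct}")
    return alerts

# Constructed sample data: one Safe holds both the upgrade roles and CANCELLER_ROLE.
SAMPLE_READBACK = {"roleAdmin": ["0xAAA1"], "PROPOSER_ROLE": ["0xBBB2"], "QUEUER_ROLE": ["0xBBB2"],
                   "EXECUTOR_ROLE": ["0xBBB2"], "CANCELLER_ROLE": ["0xBBB2"]}
PLANNED_HOLDERS = {"PROPOSER_ROLE": "0xBBB2", "QUEUER_ROLE": "0xBBB2",
                   "EXECUTOR_ROLE": "0xBBB2", "CANCELLER_ROLE": "0xCCC3"}
SAMPLE_EVENTS = [
    {"name": "UpgradeProposed"},
    {"name": "RoleGrantExecuted", "role": "EXECUTOR_ROLE", "account": "0xBBB2"},
    {"name": "RoleGrantExecuted", "role": "EXECUTOR_ROLE", "account": "0xEEE5"},
    {"name": "RoleRevoked", "role": "CANCELLER_ROLE", "account": "0xCCC3"},
    {"name": "RoleAdminTransferStarted", "account": "0xEEE5"},
]
```

Running `separation_violations(SAMPLE_READBACK)` reports the colocated Safe, and `triage_events(SAMPLE_EVENTS, PLANNED_HOLDERS)` raises three alerts while staying silent on the planned grant and the upgrade event.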