
CenturionUpgradeGovernor

Source: CenturionUpgradeGovernor.sol

Purpose

Timelocked governance authority for transparent-proxy and beacon upgrades, plus implementation approval registry.

Deployment Role

  • Proxy admin for registered transparent proxies.
  • Upgrade authority for registered beacons.
  • Live approval registry queried by policy assertions.

Upgradeability Status

This contract itself is not implemented as a proxy in the inspected source. It governs upgradeable targets.

Key State

  • roleAdmin, pendingRoleAdmin, pendingRoleAdminReadyAt
  • role memberships in hasRole
  • minDelay (minimum 7 days)
  • operations and operationKnown
  • implementationApprovals
  • target registration maps for transparent proxies and beacons
  • genesisApprovalsSealed, finalFrozen

Key Functions

  • role lifecycle: proposeRoleGrant, executeRoleGrant, revokeRole, transferRoleAdmin, acceptRoleAdmin
  • registration: registerTransparentProxy, registerBeacon
  • approval registry: recordGenesisImplementation, sealGenesisApprovals
  • upgrades: proposeUpgrade, queueUpgrade, cancelUpgrade, executeUpgrade
  • freeze: finalFreeze
  • policy checks: assertTransparentProxyPolicy, assertBeaconPolicy

Access Control Model

Roles:

  • PROPOSER_ROLE
  • QUEUER_ROLE
  • EXECUTOR_ROLE
  • CANCELLER_ROLE
  • FREEZER_ROLE
  • REGISTRAR_ROLE

roleAdmin controls role transfer and role grants/revocations.

External Dependencies

  • CenturionTransparentProxy runtime and accessors
  • CenturionUpgradeableBeacon runtime and implementation access
  • target implementations exposing metadata (implementationVersion, economicPolicyHash, contractKind)

Critical Invariants

  • minDelay is never below 7 days.
  • Only registered targets can be upgraded.
  • Execution requires a queued operation and a ready timestamp.
  • Implementation metadata must match the proposed kind/version/policy.
  • Final freeze iterates over the registered beacons and freezes all of them.

Misconfiguration Risks

  • A wrong role assignment can permit unauthorized upgrade operations.
  • Weak roleAdmin key custody collapses the governance trust boundary.
  • Registering the wrong target kind causes later proposal/execution failures.
  • An unmonitored queue can allow malicious proposals to mature and execute.

Operational Notes

  • Treat roleAdmin compromise as a protocol-critical incident.
  • Require signer playbooks per role.
  • Monitor UpgradeProposed, UpgradeQueued, and RoleAdminTransferStarted continuously.
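
One way to act on the monitoring note above, as an added example that is not part of CenturionUpgradeGovernor.sol or the project's tooling: a queue reviewer that runs over decoded event records and flags anything a signer review has not covered. The event names come from this page; the field names (op, ts, ready_at, new_admin), the reviewed_ops set, and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MIN_DELAY = 7 * 24 * 3600  # the page's invariant: minDelay is never below 7 days

# Constructed sample of decoded logs. Event names come from the page; the field
# names (op, ts, ready_at, new_admin) are assumptions about the decoded output.
SAMPLE_EVENTS = [
    {"event": "UpgradeProposed", "op": "0xaa", "ts": 1_000},
    {"event": "UpgradeQueued", "op": "0xaa", "ts": 2_000, "ready_at": 2_000 + MIN_DELAY},
    {"event": "UpgradeProposed", "op": "0xbb", "ts": 3_000},
    {"event": "UpgradeQueued", "op": "0xbb", "ts": 4_000, "ready_at": 4_000 + MIN_DELAY},
    {"event": "UpgradeQueued", "op": "0xcc", "ts": 5_000, "ready_at": 5_000 + 3600},
    {"event": "RoleAdminTransferStarted", "ts": 6_000, "new_admin": "0x1234"},
]


@dataclass(frozen=True)
class Alert:
    severity: str
    op: str
    reason: str


def review_queue(events, reviewed_ops, now):
    """Return alerts for governance activity that no signer review has covered."""
    alerts, proposed = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        name, op = ev["event"], ev.get("op", "-")
        if name == "RoleAdminTransferStarted":
            # Any roleAdmin hand-over is paged, expected or not.
            alerts.append(Alert("critical", op, "roleAdmin transfer started"))
        elif name == "UpgradeProposed":
            proposed.add(op)
        elif name == "UpgradeQueued":
            if op not in proposed:  # gap in monitoring or an unexpected flow
                alerts.append(Alert("high", op, "queued without an observed proposal"))
            if ev["ready_at"] - ev["ts"] < MIN_DELAY:
                alerts.append(Alert("critical", op, "delay below 7 days"))
            if op not in reviewed_ops:
                left = max(ev["ready_at"] - now, 0)  # seconds until it can execute
                alerts.append(Alert("high", op, f"unreviewed, executable in {left}s"))
    return alerts


if __name__ == "__main__":
    for alert in review_queue(SAMPLE_EVENTS, reviewed_ops={"0xaa"}, now=10_000):
        print(alert)
```
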