Smart Contract - Access Controls

The dedicated smart contracts powering Northstake Validator Marketplace are permissioned. The following section outlines how users' write access to the smart contracts methods is limited according to the role assigned to them.

1. Introduction

The smart contract access control system is a critical component of the validator marketplace. It ensures that security best practices and compliance with applicable regulatory requirements, particularly in relation to Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF). By employing strict role-based permissions, our system minimizes the risk of unauthorized access while ensuring traceable and auditable actions.

The following describes the smart contract access controls, including user roles, transaction workflows, disaster recovery policies, and best practices designed to protect and safeguard users’ funds.

2. Roles

Access controls assign specific roles to Ethereum addresses, each associated with particular permissions and functions within the economic model of Northstake Validator Marketplace. Below are the roles within the system and their corresponding access rights:

Default_Admin

The Default_Admin holds the highest level of control over the smart contract. Wallets with the Default_Admin_Role can call the same smart contract methods as Depositors (see below) and has full admin rights. Default_Admin can grant and revoke roles from/to other Ethereum addresses without being subject to the approval of other users. The role is usually assigned to a wallet controlled by depositors or their custodian of choice.

Typically, wallets with the Default_Admin_Role are held in cold storage for security purposes. Due to the sensitivity of this role, a time delay is enforced every time the role is transferred (see more about this below). The time delay is set when the dedicated smart contract is first deployed and can be changed by the Default_Admin (changes of the time delay are subject to the time delay).

Depositor_Role

Wallets that are assigned the Depositor_Role can deposit ETH in the contract to stake it (deposit), collect rewards ()collectRewards, set the wallet address where staking rewards are transferred ()setRewardsRecipient, exit validators via ()proposeExit and ()acceptExit, and withdraw ETH deposits that are not yet staked ()withdrawDeposit.

The Depositor_Role is assigned to operational wallets controlled by depositors.

Operator_Role

The Operator_Role is responsible for managing the creation of validators and proposing validator exits for the depositor's approval.

The operator proposes transactions or role changes (e.g., exiting a validator) but cannot directly execute them without the approval from a wallet with either Default_Admin_Role or Depositor_Role.

The Operator_Role is assigned to a wallet controlled by Northstake.

Oracle_Role

The Oracle_Role facilitates the communication between the Ethereum smart contract and the Beacon Chain. It tracks validator exits and ensures that full withdrawals are allocated to the right beneficiary.

The Oracle_Role is assigned to a wallet controlled by Northstake.

Role_Proposer_Role

Although not strictly necessary to smart contract operations, wallets can be assigned the Role_Proposer_Role. Wallets that have a Role_Proposers_Role can propose the assignment of roles to wallet addresses. Such role proposals are subject to the approval of wallets with Depositor_Role or Default_Admin_Role.

Role_Admin_Role

Operating the Default_Admin_Role role is a sensitive task. If adequate security measures are not observed, the improper use of the role could result in significant loss of funds. For this reason, it might be beneficial to have operational wallets with the right to grant and revoke one specific role (Depositor, Operator, and Oracle).

Depositor_Admin_Role, Operator_Admin_Role, and Oracle_Admin_Role can grant and revoke a specific role among the three. These are created to allow for more flexibility in the operation of the validator marketplace. The figure below provides a graphic representation of the relationships among roles.

Extra - Liquidity Providers (LPs)

While LPs do not hold a formal role in the access control system, they can receive validator withdrawals when their wallet address is designated as the beneficiary during validator exits. LPs cannot initiate or manage staking operations and can only claim the validator balance once the full withdrawal is processed. This hierarchical structure ensures that the smart contract maintains high security while remaining flexible for authorized operators and depositors.

3. Proposal and Approval Methodology

The proposal and approval mechanism is a key feature that simplifies the interaction between depositors and operators, ensuring operational efficiency and security.

Wallets that have a Role_Proposer_Role can propose role assignments and wallets that have Operator_Role can propose role assignments as well as full withdrawals of Ethereum validators ()Exit Proposals. These proposals are submitted to depositors for approval. Depositors can approve or reject proposals by calling the relevant smart contract method ()acceptExit, ()acceptRole from wallets with either Default_Admin_Role or Depositor_Role.

No action can proceed without explicit approval from the depositor.

The smart contract’s auditable proposal flow ensures that all proposed actions are logged, creating a clear audit trail and accounting record.

4. Disaster Recovery and Role Backup Mechanism

Default Admin:

The Default_Admin_Role holds the highest administrative control and can be used for disaster recovery. This role can remain dormant unless a recovery or critical system intervention is necessary. In such cases, the Default_Admin_Role can grant/revoke roles and make validator exits by proposing and accepting Exit Proposals.

The Default_Admin_Role can be transferred to another wallet, subject to a time delay. This delay acts as a safeguard against unauthorized role transfers caused by hacks or security breaches, giving time for the depositors to intervene. At the end of the time delay, the address that is receiving the Default_Admin_Role needs to actively accept the role via the smart contract method acceptRole to become the new admin.

Role Admin

Role Admin can help recover access to the smart contract by assigning specific roles to new addresses without the need to resort to the Default Admin.

5. Best Practices

To ensure that all participants, particularly institutional stakeholders, are protected against potential threats, the system incorporates a variety of security mechanisms and follows industry best practices.

Best Practices:

Assign the Depositor_Admin_Role: Due to the control and access that the Depositor_Role enjoys within the Validator Marketplace, it is recommended to set up a Depositor_Admin_Role to grant/revoke the Depositor_Role to/from wallet addresses. In case a wallet with the Depositor_Role is compromised, the Depositor_Admin_Role can revoke the role from the compromised wallet and assign it to a safe one.

Cold Storage: it is recommended to keep all wallets in cold storage with a digital asset custodian to reduce exposure to potential hacks. It is further recommended to keep Default_Admin_Role and Depositor_Admin_Role with different digital asset custodians, where Default_Admin_Role is held with the digital asset custodian used for daily operations.

Monitor Events: users and operators must regularly monitor events emitted by the smart contracts to spot and react timely to unusual transactions. Northstake commits to monitor events emitted from smart contracts and inform promptly users of unusual activity.

By adhering to these security protocols and best practices, the system provides robust protection against unauthorized actions, ensuring compliance with institutional requirements and minimizing operational risks.

6. Other Resources

For further details and technical insights, please refer to the following resources:

OpenZeppelin Access Control Documentation: Learn more about how the AccessControl library is implemented and best practices for secure role management: OpenZeppelin Access Control.

Example of Validator Marketplace contract: https://holesky.etherscan.io/address/0x3988DDE7356D0Bc4457D712C74B2Dee9E5062dA2#writeContract