Skip to content

[Architecture] Admin address has no upgrade path — a compromised admin key permanently compromises all three contracts #389

Description

@fati-Onchain

Contract: contracts/payment/src/lib.rs, contracts/escrow/src/lib.rs, contracts/refund/src/lib.rs

Description

Each contract stores a single DataKey::Admin → Address with no rotation mechanism and no multisig support. If the admin private key is compromised, an attacker gains permanent control over all contracts with no on-chain remedy.

Fix

Implement a two-step admin rotation: propose_admin(new_admin) (current admin only) sets DataKey::PendingAdmin, then accept_admin() (new admin only) finalizes the transition. Optionally add an admin_multisig_threshold for M-of-N admin keys.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions