Skip to content

docs: security permission matrix #174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
4 commits merged into from
Mar 25, 2026
Merged

docs: security permission matrix #174

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c38635e
add security permission matrix doc
vishalchangrani Feb 19, 2026
25fd067
docs: highlight EPosition over-grant risk in permission matrix
vishalchangrani Feb 19, 2026
7a1ea97
docs: restructure matrix by actor to expose beta over-grant clearly
vishalchangrani Feb 19, 2026
2780290
docs: clarify EPositionAdmin is user acting on own positions via storage
vishalchangrani Feb 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 68 additions & 0 deletions docs/security-permission-matrix.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
# Security Permission Matrix

Maps each entitlement to the operations it permits. For audit/security review.

## Entitlements → Actors

| Entitlement | Actor | How granted |
|---|---|---|
| `EParticipant` | User | Published capability (`publish_beta_cap.cdc`) |
| `EPosition` | ⚠️ Protocol operator (NOT end users) | Published capability (`publish_beta_cap.cdc`) ← **over-grant** |
| `ERebalance` | Rebalancer contract | Rebalancer setup |
| `EPositionAdmin` | User (own positions only) | Storage ownership of `PositionManager` — cannot be delegated |
| `EGovernance` | Protocol admin | Admin account |
| `EImplementation` | Protocol internals | Never issued externally |

## Actor Capability Matrix

| Operation | Description | User (EParticipant) | ⚠️ User w/ EPosition (current beta) | Rebalancer (ERebalance) | User — own positions only (EPositionAdmin) | Governance (EGovernance) | Protocol Internal (EImplementation) |
|---|---|---|---|---|---|---|---|
| `createPosition` | Open a new position | ✅ | ✅ | | | | |
| `depositToPosition` | Deposit collateral | ✅ | ✅ | | | | |
| `withdraw` | ⚠️ Withdraw from **any** position by ID | | ✅ | | | | |
| `withdrawAndPull` | ⚠️ Withdraw from **any** position + pull top-up | | ✅ | | | | |
| `depositAndPush` | ⚠️ Push funds from **any** position | | ✅ | | | | |
| `lockPosition` | ⚠️ Freeze **any** position | | ✅ | | | | |
| `unlockPosition` | ⚠️ Unfreeze **any** position | | ✅ | | | | |
| `rebalancePosition` | Rebalance a position's health | | ✅ | ✅ | | | |
| `rebalance` (Position) | Rebalance this position | | ✅ | ✅ | | | |
| `setTargetHealth` | Set target health ratio | | | | ✅ | | |
| `setMinHealth` | Set min health before auto-borrow | | | | ✅ | | |
| `setMaxHealth` | Set max health before auto-repay | | | | ✅ | | |
| `provideSink` | Configure drawdown sink | | | | ✅ | | |
| `provideSource` | Configure top-up source | | | | ✅ | | |
| `addPosition` (Manager) | Add position to manager | | | | ✅ | | |
| `removePosition` (Manager) | Remove position from manager | | | | ✅ | | |
| `borrowAuthorizedPosition` | Borrow position with withdrawal rights¹ | | | | ✅ | | |
| `pausePool` / `unpausePool` | Halt or resume all pool operations | | | | | ✅ | |
| `addSupportedToken` | Add a new collateral/borrow token | | | | | ✅ | |
| `setInterestCurve` | Configure interest rate model | | | | | ✅ | |
| `setInsuranceRate` | Set the insurance fee rate | | | | | ✅ | |
| `setStabilityFeeRate` | Set the stability fee rate | | | | | ✅ | |
| `setLiquidationParams` | Configure liquidation thresholds | | | | | ✅ | |
| `setPauseParams` | Configure pause conditions | | | | | ✅ | |
| `setDepositLimitFraction` | Cap deposits as fraction of pool | | | | | ✅ | |
| `collectInsurance` | Sweep insurance fees to treasury | | | | | ✅ | |
| `withdrawStabilityFund` | Withdraw from stability reserve | | | | | ✅ | |
| `setDEX` / `setPriceOracle` | Set liquidation DEX or price feed | | | | | ✅ | |
| `asyncUpdate` | Process queued state updates | | | | | | ✅ |
| `asyncUpdatePosition` | Process queued update for one position | | | | | | ✅ |
| `regenerateAllDepositCapacities` | Recalculate all deposit caps | | | | | | ✅ |
| `setRecurringConfig` (Rebalancer) | Change rebalance schedule | `Configure`² | | | | | |
| `delete` (RebalancerPaid) | Stop and remove paid rebalancer | `Delete`² | | | | | |

¹ `borrowAuthorizedPosition` requires `FungibleToken.Withdraw + EPositionAdmin` — both required (conjunction).
² Contract-local entitlements in `FlowALPRebalancerv1` / `FlowALPRebalancerPaidv1`, not part of the FlowALPv0 hierarchy.

## ⚠️ Known Issue: Beta Capability Over-Grant

`publish_beta_cap.cdc` grants `EParticipant + EPosition` to beta users (the "⚠️ User w/ EPosition" column above).

`EPosition` is **not needed** for normal user actions (create/deposit). The ⚠️ rows above are all unlocked for beta users, meaning any beta user can withdraw funds from or freeze **any other user's position**.

**Fix:** Remove `EPosition` from the beta capability — grant `EParticipant` only.

## Audit Notes

- `rebalancePosition` / `rebalance` use `EPosition | ERebalance` — **either** entitlement is sufficient (union, not conjunction)
- `EImplementation` maps to `Mutate + FungibleToken.Withdraw` via the `ImplementationUpdates` entitlement mapping — never issued externally
Loading