Roles & Permissions

BCO Protocol uses OpenZeppelin's AccessControlDefaultAdminRules for role management. Admin transfer requires a 2-step process with a configurable delay, and admin renouncement is permanently blocked.

Role Matrix

| Role | Contract | Assigned To | Purpose |
|---|---|---|---|
| DEFAULT_ADMIN_ROLE | All | Multi-sig 3/5 | Manage roles, 2-step transfer with delay |
| MINTER_ROLE | BCOToken | DeedRegistry contract | Mint BCO on deed registration |
| BURNER_ROLE | BCOToken | DeedRegistry contract | Burn BCO on deed deactivation |
| PAUSER_ROLE | All | Multi-sig 3/5 | Emergency pause (no delay) |
| UPGRADER_ROLE | DeedRegistry, BCOStaking | Multi-sig via timelock | Authorize UUPS upgrades |
| REGISTRAR_ROLE | DeedRegistry | Multi-sig 3/5 | Register and deactivate deeds |
| REWARD_MANAGER_ROLE | BCOStaking | Multi-sig 3/5 | Fund and configure reward periods |

Wallets

| Wallet | Purpose |
|---|---|
| Treasury | Receives minted BCO, funds staking rewards |
| Company Multi-sig | Admin permissions only — holds no tokens |

The separation ensures that the admin wallet (Company Multi-sig) never holds tokens, reducing the impact of a potential compromise.

Admin Safety

2-Step Admin Transfer

Changing the admin requires two transactions separated by a mandatory delay:

1. Current admin calls beginDefaultAdminTransfer(newAdmin)
2. Wait for the delay period (48h)
3. New admin calls acceptDefaultAdminTransfer()
4. Old admin loses access automatically

This prevents accidental or malicious instant admin transfers.

Renouncement Blocked

beginDefaultAdminTransfer(address(0)) → reverts AdminRenounceBlocked()

The admin can transfer to any valid address but can never renounce. This prevents permanent governance death — there will always be an admin capable of responding to emergencies.

Emergency Pause

All three contracts support pause() and unpause(). The pause function has no delay: a PAUSER_ROLE holder can execute it immediately in an emergency. When paused:

  • BCOToken: All transfers are blocked
  • DeedRegistry: No new registrations or deactivations
  • BCOStaking: No deposits, withdrawals, or claims
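
A drift check for the Role Matrix, the wallet separation and the 48h admin delay described above, as an added example that is not part of the BCO Protocol code base. The snapshot layout, the actor labels used as holders and the sample values are assumptions constructed for illustration; in practice the snapshot would be filled from on-chain reads.

```python
# Added example. Expected holders come from the page's Role Matrix; actor labels
# and the snapshot layout are assumptions, not the project's own format.
MULTISIG, TIMELOCK, REGISTRY = "Multi-sig 3/5", "Multi-sig via timelock", "DeedRegistry contract"
ALL = ("BCOToken", "DeedRegistry", "BCOStaking")

EXPECTED = {  # (contract, role) -> the only holder the matrix allows
    **{(c, "DEFAULT_ADMIN_ROLE"): MULTISIG for c in ALL},
    **{(c, "PAUSER_ROLE"): MULTISIG for c in ALL},
    ("BCOToken", "MINTER_ROLE"): REGISTRY,
    ("BCOToken", "BURNER_ROLE"): REGISTRY,
    ("DeedRegistry", "UPGRADER_ROLE"): TIMELOCK,
    ("BCOStaking", "UPGRADER_ROLE"): TIMELOCK,
    ("DeedRegistry", "REGISTRAR_ROLE"): MULTISIG,
    ("BCOStaking", "REWARD_MANAGER_ROLE"): MULTISIG,
}
MIN_ADMIN_DELAY = 48 * 3600  # seconds; the 48h delay stated on the page

def audit(snapshot):
    """Return sorted findings where observed state departs from the documented one."""
    findings = []
    grants = snapshot["grants"]  # {(contract, role): set of holder labels}
    for (contract, role), holders in grants.items():
        want = EXPECTED.get((contract, role))
        if want is None:
            findings.append(f"{contract}.{role}: not in matrix, held by {sorted(holders)}")
            continue
        for extra in sorted(holders - {want}):
            findings.append(f"{contract}.{role}: unexpected holder {extra}")
    for (contract, role), want in EXPECTED.items():
        if want not in grants.get((contract, role), set()):
            findings.append(f"{contract}.{role}: missing {want}")
    for contract, delay in snapshot["admin_delay"].items():
        if delay < MIN_ADMIN_DELAY:
            findings.append(f"{contract}: admin delay {delay}s below {MIN_ADMIN_DELAY}s")
    if snapshot["multisig_bco_balance"] != 0:
        findings.append("Company Multi-sig holds BCO; it should hold no tokens")
    return sorted(findings)

# Constructed sample: the documented state with three deviations injected.
SAMPLE = {
    "grants": {k: {v} for k, v in EXPECTED.items()},
    "admin_delay": {"BCOToken": 172800, "DeedRegistry": 172800, "BCOStaking": 3600},
    "multisig_bco_balance": 0,
}
SAMPLE["grants"][("BCOToken", "MINTER_ROLE")] = {REGISTRY, "0xDEPLOYER (constructed)"}
SAMPLE["grants"][("DeedRegistry", "UPGRADER_ROLE")] = {MULTISIG}
for line in audit(SAMPLE):
    print(line)
```

A leftover deployer grant on MINTER_ROLE and an upgrader that bypasses the timelock are the two deviations most worth alerting on, since neither is visible from the admin address alone.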