The Callora Vault implements role-based access control for deposit operations to ensure only authorized parties can increase the vault balance.
- Owner: Set during contract initialization. Exclusive authority to manage allowed depositors, withdraw funds, and propose revenue pool changes.
- Allowed Depositor: Addresses approved by the owner to handle automated deposits.
- Authorized Caller: Optional address permitted to trigger
deductoperations. - Pending Owner: Nominee awaiting acceptance of the owner role.
- Pending Admin: Nominee awaiting acceptance of the admin role.
- Admin / Multisig Admin: Current admin address. If this address is a Stellar multisig account, native thresholds and signer weights are enforced by
require_auth. - Pending Revenue Pool: Proposed revenue pool address awaiting acceptance.
| Function | Owner | Allowed Depositor | Authorized Caller | Pending Owner | Others |
|---|---|---|---|---|---|
deposit |
✅ | ✅ | ❌ | ❌ | ❌ |
withdraw |
✅ | ❌ | ❌ | ❌ | ❌ |
withdraw_to |
✅ | ❌ | ❌ | ❌ | ❌ |
deduct |
❌ | ❌ | ✅ | ❌ | ❌ |
batch_deduct |
❌ | ❌ | ✅ | ❌ | ❌ |
set_allowed_depositor |
✅ | ❌ | ❌ | ❌ | ❌ |
clear_allowed_depositors |
✅ | ❌ | ❌ | ❌ | ❌ |
set_authorized_caller |
✅ | ❌ | ❌ | ❌ | ❌ |
transfer_ownership |
✅ | ❌ | ❌ | ❌ | ❌ |
accept_ownership |
❌ | ❌ | ❌ | ✅ | ❌ |
cancel_ownership_transfer |
✅ | ❌ | ❌ | ❌ | ❌ |
set_admin |
✅ | ❌ | ❌ | ❌ | ❌ |
accept_admin |
❌ | ❌ | ❌ | ❌ | ✅ |
cancel_admin_transfer |
❌ | ❌ | ❌ | ❌ | ✅ |
propose_revenue_pool |
✅ | ❌ | ❌ | ❌ | ❌ |
accept_revenue_pool |
❌ | ❌ | ❌ | ❌ | ✅ |
cancel_revenue_pool |
✅ | ❌ | ❌ | ❌ | ❌ |
pause |
✅ | ❌ | ❌ | ❌ | ❌ |
nuclear_pause |
❌ | ❌ | ❌ | ❌ | Admin only |
unpause |
✅ | ❌ | ❌ | ❌ | ❌ |
- Two-Step Owner Rotation: Prevents accidental loss of control by requiring the nominee to explicitly accept the role.
- Two-Step Admin Rotation: Prevents accidental loss of control by requiring the nominee to explicitly accept the role.
- Cancellation Safety: Provides
cancel_ownership_transferandcancel_admin_transferfunctions to abort mistaken nominations before acceptance. - Restricted Depositors: Only owner and explicitly allowed depositors can increase vault balance.
- Multisig-Guarded Nuclear Pause:
nuclear_pause(caller)accepts only the current admin address and callscaller.require_auth(), so deployments that set admin to a Stellar multisig account get native threshold enforcement for the emergency pause. - Nonce-Bound Authorized-Caller Rotation:
set_authorized_callerrequires the caller to supply the current monotonic nonce (see below), preventing a leaked owner signature from being replayed to reinstate a staleauthorized_caller.
set_authorized_caller maintains a monotonic u64 nonce stored under
StorageKey::AuthorizedCallerNonce in instance storage.
| Step | Who | Action |
|---|---|---|
| 1 | Integrator | Call get_authorized_caller_nonce() to read the current nonce (defaults to 0). |
| 2 | Owner | Call set_authorized_caller(new_caller, expected_nonce) with the value from step 1. |
| 3 | Contract | Verifies expected_nonce == stored_nonce; rejects with VaultError::StaleNonce if not. |
| 4 | Contract | Increments the stored nonce (wrapping_add(1)) and emits it in the event payload. |
Replay resistance: a captured owner signature contains a fixed expected_nonce.
After one successful rotation the stored nonce advances, so the captured signature is
permanently invalid.
Event payload: the set_authorized_caller event now carries
(old_caller, new_caller, consumed_nonce) as data, allowing off-chain indexers to
detect nonce gaps.
Nonce wrap: the nonce wraps to 0 after u64::MAX rotations (2^64 calls) — a
practical impossibility, but handled safely by wrapping_add.
Allows the current owner to cancel a pending ownership transfer before the nominee accepts it. This provides a safety mechanism to abort mistaken nominations.
Access Control: Only the current owner can call this function. Behavior:
- Removes the
PendingOwnerfrom storage - Emits
ownership_cancelledevent with current owner and cancelled nominee - Panics with "no ownership transfer pending" if no transfer is pending
Allows the current admin to cancel a pending admin transfer before the nominee accepts it. This provides a safety mechanism to abort mistaken nominations.
Access Control: Only the current admin can call this function. Behavior:
- Removes the
PendingAdminfrom storage - Emits
admin_cancelledevent with current admin and cancelled nominee - Panics with "no admin transfer pending" if no transfer is pending
The Callora Settlement contract tracks individual developer balances and global protocol revenue. It enforces strict access control for incoming payments and administrative updates.
Developer address compliance recoveries use propose_balance_migration and
execute_balance_migration. Both calls require authorization by the current
admin address, including its native Stellar multisig thresholds, and execution
is delayed by 24 hours. See Admin developer balance migration.
- Admin: Primary authority over contract configuration and sensitive data.
- Vault: The registered vault contract authorized to send payments.
- Pending Admin: Nominee awaiting acceptance of the admin role.
- Pending Vault: Proposed vault awaiting acceptance.
| Function | Admin | Vault | Pending Admin | Others |
|---|---|---|---|---|
receive_payment |
✅ | ✅ | ❌ | ❌ |
set_admin |
✅ | ❌ | ❌ | ❌ |
accept_admin |
❌ | ❌ | ✅ | ❌ |
cancel_admin_transfer |
✅ | ❌ | ❌ | ❌ |
propose_vault |
✅ | ❌ | ❌ | ❌ |
accept_vault |
✅ | ✅ | ❌ | ❌ |
set_vault (alias of propose_vault) |
✅ | ❌ | ❌ | ❌ |
set_developer_claim_window |
✅ | ❌ | ❌ | ❌ |
clear_developer_claim_window |
✅ | ❌ | ❌ | ❌ |
get_all_developer_balances |
✅ | ❌ | ❌ | ❌ |
- Two-Step Admin Rotation: Prevents accidental loss of control by requiring the nominee to explicitly accept the role.
- Two-Step Vault Rotation: Prevents accidentally misrouting settlement credits by requiring the proposed vault to accept (or the admin to finalize).
- Per-Developer Claim Windows: Admins may configure inclusive ledger timestamp windows that restrict when each developer can claim accrued settlement balance. Developers without a configured window remain unrestricted.
- Restricted Views: Sensitive batch queries like
get_all_developer_balancesare restricted to the admin to prevent unnecessary exposure of the full ledger via the contract interface. - Cancellation Safety: The admin can invoke
cancel_admin_transferto clear a mistaken nomination.
The Callora Revenue Pool contract processes USDC distribution to developer wallets. Like Settlement and Vault, it implements standard administrative roles and rotation procedures.
- Admin: Handles revenue distributions and nominates administrative successions.
- Pending Admin: A nominated account that has to explicitly accept the role to become the Admin.
- Pause Guardian: Optional emergency role that may pause the revenue pool without receiving any distribution, unpause, upgrade, or admin-management authority.
| Function | Admin | Pending Admin | Pause Guardian | Others |
|---|---|---|---|---|
distribute |
✅ | ❌ | ❌ | ❌ |
batch_distribute |
✅ | ❌ | ❌ | ❌ |
pause |
✅ | ❌ | ✅ | ❌ |
unpause |
✅ | ❌ | ❌ | ❌ |
set_pause_guardian |
✅ | ❌ | ❌ | ❌ |
clear_pause_guardian |
✅ | ❌ | ❌ | ❌ |
set_admin |
✅ | ❌ | ❌ | ❌ |
accept_admin |
❌ | ✅ | ❌ | ❌ |
claim_admin (alias of accept_admin) |
❌ | ✅ | ❌ | ❌ |
cancel_admin_transfer |
✅ | ❌ | ❌ | ❌ |
The current admin can call cancel_admin_transfer to abort a pending admin nomination.
The current admin can call set_pause_guardian to delegate emergency pause authority to a narrow role, and clear_pause_guardian to remove that role. The pause guardian can only call pause; it cannot unpause, distribute funds, rotate admin, change caps, clear or replace itself, or upgrade the contract.
The implementation includes comprehensive tests covering:
- ✅
set_authorized_callerdefault nonce is0before first rotation - ✅ First rotation with nonce
0succeeds and advances stored nonce to1 - ✅ Replaying a consumed nonce is rejected with
VaultError::StaleNonce - ✅ Supplying a future nonce is rejected with
VaultError::StaleNonce - ✅ Three sequential rotations each advance the nonce correctly
- ✅ Nonce wraps at
u64::MAXviawrapping_add - ✅ Failed rotations do not advance the stored nonce
- ✅ Successful rotation emits
(old, new, consumed_nonce)in the event payload - ✅ Vault self-address is rejected as
new_caller - ✅ Admin and Vault can call
receive_payment - ✅ Unauthorized callers are rejected from
receive_payment - ✅ Only Admin can call
set_adminandpropose_vault(and theset_vaultalias) - ✅ Only Admin or Pending Vault can call
accept_vault - ✅ Only Pending Admin can call
accept_admin - ✅ Only Admin can call
get_all_developer_balances - ✅ All rotation and update logic preserves state integrity
- ✅ Only current owner can call
cancel_ownership_transfer - ✅ Only current admin can call
cancel_admin_transferin Vault, Settlement, and Revenue Pool - ✅ Cancel functions clear pending state and emit events
- ✅ Cancel functions fail when no transfer is pending
- ✅ Cancel functions fail for unauthorized callers
- ✅ After cancellation, new nominations can be made
Run tests with:
cargo build --workspace --release --target=wasm32-unknown-unknown