
Add secure admin rotation with two-step acceptance #731

Merged
Emeka000 merged 2 commits into Emeka000:main from victorisiguzoruzoma874:additions
Apr 27, 2026

@victorisiguzoruzoma874 victorisiguzoruzoma874 commented Apr 27, 2026

Closes issue #211

feat(contract): auditable two-step admin rotation with event emission

Problem

Admin identity was fixed at initialization with no safe rotation path.
A lost or compromised key had no recovery mechanism, and any admin
change left no on-chain audit trail.

Changes

contracts/src/lib.rs

New event structs (#[contracttype]):

  • AdminProposedEvent – emitted when a nomination is created;
    carries current_admin, proposed_admin,
    nominated_at, expires_at
  • AdminTransferredEvent – emitted when the nominee accepts;
    carries previous_admin, new_admin,
    transferred_at
  • AdminNominationCancelledEvent – emitted when the current admin
    cancels; carries cancelled_by,
    cancelled_nominee, cancelled_at

Updated functions (existing logic preserved, events added):

  • nominate_super_admin → emits (admin, proposed) + AdminProposedEvent
  • accept_super_admin → emits (admin, xfer) + AdminTransferredEvent
  • cancel_nomination → emits (admin, nom_cxl) + AdminNominationCancelledEvent
    (silent no-op when nothing is pending)

New canonical entry points:

  • propose_admin(env, proposed) – requires current admin auth;
    delegates to nominate_super_admin
  • accept_admin(env) – requires proposed admin auth;
    delegates to accept_super_admin

Tests (8 new):

  • nominate emits AdminProposedEvent with correct payload
  • accept emits AdminTransferredEvent with correct previous/new admin
  • cancel emits AdminNominationCancelledEvent with correct nominee
  • cancel is a no-op (no panic) when no nomination is pending
  • propose_admin alias emits the expected event topic
  • accept_admin alias completes the transfer and grants admin rights

Security properties

  • Non-instant: 24-hour delay window (NOMINATION_EXPIRY_SECONDS)
  • Two-key: current admin proposes, new admin must independently accept
  • Auditable: every state change emits an indexed on-chain event
  • Resilient: expired nominations are lazily cleared; cancel is always
    available to the current admin

@victorisiguzoruzoma874 victorisiguzoruzoma874 changed the title Additions Add secure admin rotation with two-step acceptance Apr 27, 2026
@Emeka000 Emeka000 merged commit bc729c1 into Emeka000:main Apr 27, 2026
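
The two-step flow described in the PR, as an added plain-Rust model; this is not the code in contracts/src/lib.rs. It assumes string addresses, a `caller` argument standing in for contract auth, an `AdminState` struct invented here, and that the 24-hour window is an acceptance deadline (`expires_at`) with `NOMINATION_EXPIRY_SECONDS` equal to 86400.

```rust
// Plain-Rust model of the flow; no soroban-sdk. Addresses are strings and
// authorization is modelled by an explicit `caller` argument (assumptions).
const NOMINATION_EXPIRY_SECONDS: u64 = 24 * 60 * 60; // 24 hours, value assumed

#[derive(Debug, PartialEq)]
enum Event {
    AdminProposed { current_admin: String, proposed_admin: String, nominated_at: u64, expires_at: u64 },
    AdminTransferred { previous_admin: String, new_admin: String, transferred_at: u64 },
    AdminNominationCancelled { cancelled_by: String, cancelled_nominee: String, cancelled_at: u64 },
}

struct AdminState { admin: String, pending: Option<(String, u64)>, events: Vec<Event> }

impl AdminState {
    fn new(admin: &str) -> Self { AdminState { admin: admin.into(), pending: None, events: Vec::new() } }
    // Step 1: only the current admin may nominate; the admin does not change yet.
    fn nominate_super_admin(&mut self, caller: &str, proposed: &str, now: u64) -> Result<(), &'static str> {
        if caller != self.admin { return Err("not admin"); }
        let expires_at = now + NOMINATION_EXPIRY_SECONDS;
        self.pending = Some((proposed.into(), expires_at));
        self.events.push(Event::AdminProposed { current_admin: self.admin.clone(), proposed_admin: proposed.into(), nominated_at: now, expires_at });
        Ok(())
    }
    // Step 2: only the nominee may accept, and only before the nomination expires.
    fn accept_super_admin(&mut self, caller: &str, now: u64) -> Result<(), &'static str> {
        let (nominee, expires_at) = self.pending.clone().ok_or("no pending nomination")?;
        if now >= expires_at { self.pending = None; return Err("nomination expired"); } // lazy clear
        if caller != nominee { return Err("not nominee"); }
        let previous_admin = std::mem::replace(&mut self.admin, nominee.clone());
        self.pending = None;
        self.events.push(Event::AdminTransferred { previous_admin, new_admin: nominee, transferred_at: now });
        Ok(())
    }
    // Cancel: current admin only; silent no-op (no event) when nothing is pending.
    fn cancel_nomination(&mut self, caller: &str, now: u64) -> Result<(), &'static str> {
        if caller != self.admin { return Err("not admin"); }
        if let Some((nominee, _)) = self.pending.take() {
            self.events.push(Event::AdminNominationCancelled { cancelled_by: self.admin.clone(), cancelled_nominee: nominee, cancelled_at: now });
        }
        Ok(())
    }
}

fn main() {
    let mut s = AdminState::new("GADMIN"); // constructed sample addresses
    s.nominate_super_admin("GADMIN", "GNEW", 1_000).unwrap();
    println!("{:?} {:?}", s.accept_super_admin("GNEW", 2_000), s.events);
}
```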