feat(paymaster): add separate whitelistAdmin param to BondTreasuryPaymaster #106

Merged
aliXsed merged 1 commit into main from aliX/paymaster-whitelist-admin
Apr 8, 2026

@aliXsed (Collaborator) commented Apr 8, 2026

Summary

The BondTreasuryPaymaster constructor previously coupled DEFAULT_ADMIN_ROLE and WHITELIST_ADMIN_ROLE to the same admin address. This made it impossible to assign whitelist management to an operational key (e.g. FLEET_OPERATOR) while keeping DEFAULT_ADMIN_ROLE on a multisig at deployment time.

Changes

  • BondTreasuryPaymaster.sol: Add whitelistAdmin as a new constructor parameter (2nd position). When whitelistAdmin != admin, the constructor grants WHITELIST_ADMIN_ROLE to whitelistAdmin in addition to admin.
  • DeploySwarmUpgradeableZkSync.s.sol: Pass fleetOperator as whitelistAdmin so the fleet operator gets WHITELIST_ADMIN_ROLE and NODL_ADMIN retains DEFAULT_ADMIN_ROLE.
  • BondTreasuryPaymaster.t.sol: Update MockBondTreasuryPaymaster and all test instantiations. Add test_separateWhitelistAdmin to verify role separation.
  • swarm-specification.md: Update deployment example.

Motivation

During the ZkSync mainnet deployment, we discovered that the single admin parameter forced FLEET_OPERATOR to receive DEFAULT_ADMIN_ROLE (a security risk) or NODL_ADMIN to receive WHITELIST_ADMIN_ROLE (operationally impractical since it's a multisig). This fix allows proper separation of concerns at deployment time.

Testing

All 55 BondTreasuryPaymasterTest tests pass.

…master

The BondTreasuryPaymaster constructor previously coupled DEFAULT_ADMIN_ROLE
and WHITELIST_ADMIN_ROLE to the same 'admin' address. This made it impossible
to assign whitelist management to an operational key (e.g. FLEET_OPERATOR)
while keeping DEFAULT_ADMIN_ROLE on a multisig.

Changes:
- Add 'whitelistAdmin' as the second constructor parameter
- When whitelistAdmin != admin, grant WHITELIST_ADMIN_ROLE to whitelistAdmin
- Update deploy script to pass fleetOperator as whitelistAdmin
- Update all test instantiations and add test_separateWhitelistAdmin
- Update spec doc deployment example
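
The constructor behaviour described in this PR, as an added sketch that is not the project's BondTreasuryPaymaster code. It assumes OpenZeppelin `AccessControl`; the contract name, the role id derivation, the zero-address guard, the whitelist mapping and `isOperationalOnly` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Hypothetical sketch of the two-parameter role split described in the PR.
contract RoleSplitSketch is AccessControl {
    // Assumption: role id derived from its name; the PR does not show the real value.
    bytes32 public constant WHITELIST_ADMIN_ROLE = keccak256("WHITELIST_ADMIN_ROLE");

    // Assumption: a simple allow-list standing in for the paymaster's whitelist.
    mapping(address => bool) public isWhitelisted;

    error ZeroAddress();

    constructor(address admin, address whitelistAdmin) {
        // Assumption: the PR text does not say whether such a guard exists.
        if (admin == address(0) || whitelistAdmin == address(0)) revert ZeroAddress();

        // admin (e.g. the multisig) keeps both roles, as the PR describes.
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(WHITELIST_ADMIN_ROLE, admin);

        // The operational key receives only the whitelist role.
        if (whitelistAdmin != admin) {
            _grantRole(WHITELIST_ADMIN_ROLE, whitelistAdmin);
        }
    }

    // Day-to-day whitelist management needs only WHITELIST_ADMIN_ROLE.
    function setWhitelisted(address user, bool allowed)
        external
        onlyRole(WHITELIST_ADMIN_ROLE)
    {
        isWhitelisted[user] = allowed;
    }

    // Post-deployment check: true when `account` can manage the whitelist
    // but cannot grant or revoke roles.
    function isOperationalOnly(address account) external view returns (bool) {
        return hasRole(WHITELIST_ADMIN_ROLE, account)
            && !hasRole(DEFAULT_ADMIN_ROLE, account);
    }
}
```

In OpenZeppelin `AccessControl`, `DEFAULT_ADMIN_ROLE` is the admin of every role unless changed, so the `admin` address can still grant or revoke `WHITELIST_ADMIN_ROLE` after deployment.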

github-actions bot commented Apr 8, 2026

LCOV of commit 4ea1d77 during checks #640

Summary coverage rate:
  lines......: 32.1% (769 of 2392 lines)
  functions..: 28.9% (108 of 374 functions)
  branches...: 37.7% (139 of 369 branches)

Files changed coverage rate:
                                                  |Lines       |Functions  |Branches    
  Filename                                        |Rate     Num|Rate    Num|Rate     Num
  ======================================================================================
  script/DeploySwarmUpgradeableZkSync.s.sol       | 0.0%     64| 0.0%     1|    -      0
  src/paymasters/BondTreasuryPaymaster.sol        | 0.0%     30| 0.0%     3| 0.0%      7
  test/paymasters/BondTreasuryPaymaster.t.sol     | 0.0%     12| 0.0%     5|    -      0

@aliXsed merged commit 153c20d into main on Apr 8, 2026
3 checks passed
@aliXsed deleted the aliX/paymaster-whitelist-admin branch on April 8, 2026 01:09