
feat(solana): two-step propose/accept for set_access_manager #1014

Merged
mariuszzak merged 2 commits into mariuszzak/upgrade-authority-transfer from mariuszzak/two-step-set-access-manager
Mar 30, 2026

@mariuszzak
Collaborator

Summary

set_access_manager was a one-step operation — a single admin call could irreversibly repoint a program to a different Access Manager. If the admin accidentally set it to a wrong or nonexistent AM address, the program would become unrecoverable: all future admin-gated calls (including another set_access_manager to fix the mistake) would fail because require_admin reads roles from the now-invalid AM.

This PR replaces the one-step set_access_manager with a two-step propose/accept pattern across all IBC programs (ICS26, ICS07, GMP, attestation):

  • propose_access_manager_transfer — current AM's admin proposes a new AM address (rejects zero-address and self-transfers)
  • accept_access_manager_transfer — the new AM's admin accepts, proving it is valid and operational before the switch takes effect
  • cancel_access_manager_transfer — current AM's admin cancels a pending proposal

The accept step requires ADMIN_ROLE on the new AM, so the transfer cannot complete unless the target AM is a real, initialized Access Manager with an active admin. This eliminates the risk of bricking a program by pointing it to a bad address.

Shared logic via HasPendingAccessManager trait

Each IBC program's state struct implements a HasPendingAccessManager trait. The actual propose/accept/cancel handlers live in access-manager/src/helpers.rs and are reused by all four programs, avoiding duplicated validation logic.

Programs affected

  • ics26-router: RouterState.pending_access_manager
  • ics07-tendermint: AppState.pending_access_manager
  • ics27-gmp: GMPAppState.pending_access_manager
  • attestation: AttestationState.pending_access_manager
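
The propose/accept/cancel flow from the summary above, as an added example that is not the PR's code: a plain-Rust model with no Anchor or Solana dependencies, showing the one-step bricking case next to the two-step guard. `Addr`, `Registry`, `ProgramState`, the `Error` variants and the method names `propose`, `accept` and `cancel` are assumptions; only `set_access_manager`, `require_admin`, `ADMIN_ROLE` and `pending_access_manager` come from the page.

```rust
use std::collections::{HashMap, HashSet};
type Addr = u8; // constructed stand-in for a 32-byte Pubkey; 0 models the zero address
type Registry = HashMap<Addr, HashSet<Addr>>; // initialized AM -> holders of ADMIN_ROLE
#[derive(Debug, PartialEq)]
enum Error { Unauthorized, ZeroAddress, SelfTransfer, NoPendingTransfer }
struct ProgramState { access_manager: Addr, pending_access_manager: Option<Addr> }

// Fails for a non-admin signer and also when `am` is not an initialized Access Manager.
fn require_admin(reg: &Registry, am: Addr, signer: Addr) -> Result<(), Error> {
    match reg.get(&am) {
        Some(admins) if admins.contains(&signer) => Ok(()),
        _ => Err(Error::Unauthorized),
    }
}
impl ProgramState {
    // One-step form (hypothetical model): a wrong address takes effect immediately.
    fn set_access_manager(&mut self, reg: &Registry, signer: Addr, new_am: Addr) -> Result<(), Error> {
        require_admin(reg, self.access_manager, signer)?;
        self.access_manager = new_am;
        Ok(())
    }
    // Step 1: checked against the current AM; only records the proposal.
    fn propose(&mut self, reg: &Registry, signer: Addr, new_am: Addr) -> Result<(), Error> {
        require_admin(reg, self.access_manager, signer)?;
        if new_am == 0 { return Err(Error::ZeroAddress); }
        if new_am == self.access_manager { return Err(Error::SelfTransfer); }
        self.pending_access_manager = Some(new_am);
        Ok(())
    }
    // Step 2: checked against the proposed AM, so it must exist and have an admin.
    fn accept(&mut self, reg: &Registry, signer: Addr) -> Result<(), Error> {
        let new_am = self.pending_access_manager.ok_or(Error::NoPendingTransfer)?;
        require_admin(reg, new_am, signer)?;
        self.access_manager = new_am;
        self.pending_access_manager = None;
        Ok(())
    }
    // The current AM's admin withdraws a pending proposal.
    fn cancel(&mut self, reg: &Registry, signer: Addr) -> Result<(), Error> {
        require_admin(reg, self.access_manager, signer)?;
        self.pending_access_manager.take().map(|_| ()).ok_or(Error::NoPendingTransfer)
    }
}

fn main() {
    let reg: Registry = HashMap::from([(10, HashSet::from([1]))]); // constructed: AM 10, admin 1
    let mut p = ProgramState { access_manager: 10, pending_access_manager: None };
    p.propose(&reg, 1, 99).unwrap(); // 99 is not an initialized AM
    println!("{:?}, still on AM {}", p.accept(&reg, 1), p.access_manager);
}
```

In this model a proposal naming an uninitialized AM can never be accepted, so the program stays on its working AM and the current admin can still cancel.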

Replace the one-step set_access_manager with a two-step
propose/accept/cancel pattern across ICS07, ICS26, GMP and attestation
programs. The accept step requires ADMIN_ROLE on the new AM, proving
it is a valid and initialized access manager.
@mariuszzak mariuszzak self-assigned this Mar 27, 2026
- ICS26 Router: propose/accept/cancel + negative (non-admin) test
- ICS07 Tendermint: propose/accept/cancel flow
- ICS27 GMP: propose/accept/cancel flow
- Attestation: propose/accept/cancel flow
@mariuszzak mariuszzak force-pushed the mariuszzak/two-step-set-access-manager branch from fde1b57 to 5c5db78 Compare March 27, 2026 12:46

codecov bot commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.91%. Comparing base (3a362e3) to head (5c5db78).
⚠️ Report is 1 commits behind head on mariuszzak/upgrade-authority-transfer.

Additional details and impacted files
@@                          Coverage Diff                           @@
##           mariuszzak/upgrade-authority-transfer    #1014   +/-   ##
======================================================================
  Coverage                                  99.91%   99.91%           
======================================================================
  Files                                         27       27           
  Lines                                       1123     1123           
======================================================================
  Hits                                        1122     1122           
  Misses                                         1        1           

@mariuszzak mariuszzak marked this pull request as ready for review March 30, 2026 07:49
@mariuszzak mariuszzak requested a review from srdtrk as a code owner March 30, 2026 07:49
@mariuszzak mariuszzak merged commit 837ed3e into mariuszzak/upgrade-authority-transfer Mar 30, 2026
164 checks passed
@mariuszzak mariuszzak deleted the mariuszzak/two-step-set-access-manager branch March 30, 2026 07:50