Deployment & Smart Contracts
Security - Deployment & Smart Contracts
The Foundation has required deployment through GitHub CI and OpenZeppelin's Defender product. For off-chain assets, critical pull requests must go through a required review that upon the merge are gated by successful tests, node scanner software is gated through a state update in the ScannerNodeVersion contract, and smart contract deployments/changes are handled through OpenZeppelin’s Defender product and relayers and are controlled by multisigs. This process ensures that the Forta Network cannot be changed, even in the event of a security breach by an individual involved in any of the development processes.
Lastly, most of the contracts in the Forta Network are upgradeable. Therefore, if you are going to interact with an Upgradeable contract, always use the Proxy address.
Multi-Sig
Forta is managed through three main Gnosis Safe Multi Sig contracts:
- 0xC0eb11fBC755D31c6FECEaAc8760ddCb88C64fE1 (Ethereum mainnet). 4/7 controlled by the Council members
- 0x30ceaeC1d8Ed347B91d45077721c309242db3D6d (Polygon mainnet). 4/7 controlled by the Council members
- 0xd1d4FaFd400fCD643132bb7eAF7682eE97E09C3e (Polygon mainnet). The Council members may delegate certain roles and corresponding signing authority. Currently, administrative roles have been delegated to a 3/9 multisig with members of the Foundation staff and certain members of the original core development team.
The Council multisigs have the following roles:
Ethereum Mainnet
- Forta Token (0x41545f8b9472D758bB669ed8EaEEEcD7a9C4Ec29): ADMIN_ROLE
Polygon Mainnet
- Forta Token (Bridged) (0x9ff62d1FC52A907B6DCbA8077c2DDCA6E6a9d3e1): ADMIN_ROLE
- Access (0x107Ac13567b1b5D84691f890A5bA07EdaE1a11c3): DEFAULT_ADMIN_ROLE, AGENT_ADMIN_ROLE, ENS_MANAGER_ROLE, SCANNER_ADMIN_ROLE, SCANNER_VERSION_ROLE, SLASHER_ROLE, STAKING_ADMIN_ROLE, UPGRADER_ROLE
The administrative multisig has the following roles:
Polygon Mainnet
- Access (0x107Ac13567b1b5D84691f890A5bA07EdaE1a11c3): AGENT_ADMIN_ROLE, DISPATCHER_ROLE, ENS_MANAGER_ROLE, SCANNER_POOL_ADMIN_ROLE, SCANNER_VERSION_ROLE, SLASHER_ROLE, SWEEPER_ROLE, UPGRADER_ROLE
Roles
Complete list of roles with a description:
- Forta Token (0x41545f8b9472D758bB669ed8EaEEEcD7a9C4Ec29):
- ADMIN_ROLE: General admin role granted to account with ability to set ENS and upgrade contract.
- MINTER_ROLE: Role granted to account with the access to mint more FORT tokens.
- Forta Token (Bridged) (0x9ff62d1FC52A907B6DCbA8077c2DDCA6E6a9d3e1):
- ADMIN_ROLE: General admin role granted to account with ability to set ENS and upgrade contract.
- Access (0x107Ac13567b1b5D84691f890A5bA07EdaE1a11c3):
- DEFAULT_ADMIN_ROLE: General admin role that is set during the initialization of the Access contract. Most notable ability is to grant new roles to other accounts and/or contracts.
- ENS_MANAGER_ROLE: Role granted to an account with the ability to set ENS reverse registration.
- UPGRADER_ROLE: Role granted to an account with the ability to upgrade a proxy to use a new implementation.
- AGENT_ADMIN_ROLE: Role granted to account with the ability to set the bot stake threshold, activate frontrunning protection, and enable and/or disable a given bot.
- SCANNER_ADMIN_ROLE: Role granted to account with the ability to set the stake threshold for a given chain, and enable and/or disable a given scanner.
- SCANNER_POOL_ADMIN_ROLE: Role granted to account with the ability to set the scanner pool stake parameters, set scanner node registration delay, and update the amount of enabled scanners in a pool.
- SCANNER_2_SCANNER_POOL_MIGRATOR_ROLE: Role granted to ScannerToScannerPoolMigration contract to be able to de-register scanners from the previous system and register scanner pools under delegated staking.
- DISPATCHER_ROLE: Role granted to account with ability to assign and/or unassign bots to scanner nodes.
- MIGRATION_EXECUTOR_ROLE: Role granted to account with ability to migrate scanners. Role granted to a Forta controlled EOA, 0xe9a105b355A14D11eA3468410Dfe6B31998C8384.
- SLASHER_ROLE: Role granted to the SlashingController contract to slash a stake subject.
- SWEEPER_ROLE: Role granted to account with ability to transfer out tokens mistakenly sent to the staking contract.
- REWARDER_ROLE: Role granted to account with ability to reward scanner pools. Role granted to a Forta controlled EOA, 0x15d3c7e811582Be09Bb8673cD603Bb2F22D1e47B.
- SLASHING_ARBITER_ROLE: Role granted to account with ability to execute various actions in the slashing process. Role granted to the 2/3 Arbiter multisig, 0x044f6Db7F0ba9e5F0AccD797E2AD5B1bA4E1E853. Slashing detailed further here.
- STAKING_CONTRACT_ROLE: Role granted to the Staking contract with the ability to increase or decrease a subject’s stake allocation.
- STAKING_ADMIN_ROLE: Role granted to account with the ability to set the percentage of a delegator’s stake than can be slashed.
- ALLOCATOR_CONTRACT_ROLE: Role granted to the Allocator contract with the ability to increase and/or decrease a subject's allocated stake amount for rewards calculation.
- SCANNER_VERSION_ROLE: Role granted to an account with the ability to set a new scanner node version.
- SCANNER_BETA_VERSION_ROLE: Role granted to an account with the ability to set a new scanner node beta version.
Contract Administration
Forta contracts are managed through OpenZeppelin's Defender product utilizing relays to manage smart contract deployment and maintenance.
Smart Contracts Deployments
Forta Network uses smart contracts to coordinate registration and ownership of Scanner Nodes and Detection Bots (referred by their former name of Agents in this release), the assignments of Bots and Scanners, the accepted Scanner Node software version and the economic safety mechanisms of the network via the ERC20 FORT Token.
To learn more, read the smart contracts github repo, the documentation for the contracts, or the smart contract architecture diagram in the Design page.
Ethereum Mainnet
| Name | Proxy | Implementation |
|---|---|---|
| Forta Token | 0x41545f8b9472D758bB669ed8EaEEEcD7a9C4Ec29 | 0x587969Add789c13F64Bcc34Ff253BD9BFB78f38a |
Polygon
Goerli Testnet
| Name | Proxy | Implementation |
|---|---|---|
| Forta Token | 0x848F1fF1fa76Dc882Ca2F3521265ba3F27e42158 | 0x86f09B8B8d0315Cca71a89953Aa3f7982a122eAd |
Mumbai Testnet
Pause Functionality
Currently, Forta does not implement Pause functionality in its smart contracts. In lieu of Pause functionality, the contracts’ upgradability could be utilized to pause the contracts in the event of responding to an incident. Additionally, Forta does not incorporate the usage of Oracles, and therefore has no risk of Oracle manipulation attacks.
Timelock
Forta has no implementation of a Timelock. Since changes to the contracts require an execution from the 4/7 Forta Council multisig, this process fulfills the need of a Timelock’s functionality.
Forta On-Chain Monitoring
Forta on-chain activity is monitored by Forta Detection Bots and feeds into Forta Network's incident response process. The following detection bots were developed specifically for the Forta smart contracts. The code is available on GitHub.
- Forta Access Control Role Changed
- Forta Access Manager - Router Updated
- Forta Admin Bot Scanner Disable
- Forta Agent Updated
- Forta Agents Linked
- Forta Core Monitoring
- Forta Emitting Upgraded
- Forta Mint Mainnet
- Forta Scanner Node Software Updated
- Forta Staking Events
- Forta Staking Parameters
- Forta High Number Of Bot Deployments
- Forta Routing Updated
- Forta Stake Controller Changed
- Forta Stake Threshold Changed
- Forta Token Role Changes
- Forta Whitelist Disabling
Forta is also monitored by the bots in the Threat Detection Kits.
Forta Off-Chain Monitoring
Lastly, several operational monitors exist around the performance of the network, such as latency, API usage, deployments, etc.