When deploying via the Sphinx DevOps Platform, the ManagedService contract is the default executor. It relays calls from arbitrary EOAs to the end user's Gnosis Safe contract using their installed SphinxModuleProxy.
The Sphinx team owns the ManagedService contract.
- The contract:
ManagedService.sol - Unit tests:
ManagedService.t.sol
Allow the user to specify a consistent executor address when deploying via the Sphinx DevOps Platform
When deploying via Sphinx, the user must specify an executor field in their deployment approval leaf (see the Sphinx Merkle tree specification for more information). However, the individual addresses used by the Sphinx DevOps Platform to execute transactions may vary and be rotated regularly. Therefore, we use the ManagedService contract to allow users to specify a single address whenever they deploy via the platform.
- It must be possible to execute an arbitrary
callvia theManagedServicecontract. - It must not be possible to execute a
delegatecallvia theManagedServicecontract. - If the underlying
callreverts, the entire transaction should revert.
- Must grant the
DEFAULT_ADMIN_ROLEto the specified owner address. - Must revert if the
_owneraddress isaddress(0).
- Must revert if the caller does not have the
RELAYER_ROLErole. - Must revert if the underlying call reverts.
- Must revert if the destination address is
address(0). - Must revert if the
ManagedServicecalls this function directly or indirectly (i.e. re-entrancy is not allowed). - A successful call must:
- Call the target address with the requested data.
- Emit a
Calledevent in theManagedServicecontract. - Return the return value of the underlying call as raw bytes.
The ManagedService relies on the OpenZeppelin AccessControl contract to manage access and the ReentrancyGuard contract to protect against reentrancy attacks. We test that the interactions with these contracts work correctly in the unit tests for the ManagedService, but we don't thoroughly test these contracts. Instead, we assume that they are secure and have been thoroughly tested by their authors.
The Sphinx DevOps Platform relies on sending transactions via the ManagedService from arbitrary EOAs with the RELAYER_ROLE to execute deployments on behalf of the user via their SphinxModuleProxy. We operate under the assumption that these EOAs will inevitably be compromised, and we intend to have mitigation strategies in place to deal with that. We expect that a compromised EOA with the RELAYER_ROLE will not impact the fundamental security properties of the SphinxModuleProxy. Likewise, we expect that to be true if the ManagedService contract is compromised in some other way. See the SphinxModuleProxy specification for more information on what a malicious executor could do.