# Admin Address Options **Date**: 2025-12-11 **Status**: Updated - Defender No Longer Available --- ## ⚠️ Important Update **OpenZeppelin Defender is no longer offered**. The deployment scripts have been updated to use direct admin addresses instead. --- ## 🔐 Admin Address Options ### Option 1: Multisig Wallet (Recommended) **Best for**: Production deployments requiring multiple approvals **Options**: - **Gnosis Safe**: https://gnosis-safe.io/ - Most popular multisig solution - Supports multiple chains - Web interface for managing transactions - Configurable threshold (e.g., 2-of-3, 3-of-5) - **Safe (formerly Gnosis Safe)**: https://safe.global/ - Updated branding, same functionality - Enhanced security features - Mobile app support **Setup**: 1. Create a Safe wallet on Ethereum Mainnet 2. Add signers (e.g., 3-5 trusted addresses) 3. Set threshold (e.g., 2-of-3) 4. Copy the Safe address 5. Set in `.env`: ```bash TETHER_ADMIN= MIRROR_ADMIN= # Can be same or different ``` **Benefits**: - ✅ Multiple approvals required - ✅ Enhanced security - ✅ Audit trail - ✅ Recovery options - ✅ No single point of failure --- ### Option 2: EOA (Externally Owned Account) **Best for**: Development, testing, or simple deployments **Setup**: 1. Use a secure wallet (hardware wallet recommended) 2. Copy the address 3. Set in `.env`: ```bash TETHER_ADMIN= MIRROR_ADMIN= ``` **Security Considerations**: - ⚠️ Single point of failure - ⚠️ Private key must be secured - ⚠️ Consider using hardware wallet - ⚠️ Not recommended for production --- ### Option 3: Custom Access Control Contract **Best for**: Complex permission requirements You can deploy a custom access control contract that implements: - Role-based access control - Timelock delays - Multi-signature requirements - Custom permission logic **Example**: Deploy OpenZeppelin's `AccessControl` or `AccessManager` and set it as admin. --- ## 📋 Current Implementation ### Deployment Scripts Both deployment scripts now use: - `TETHER_ADMIN` for MainnetTether - `MIRROR_ADMIN` for TransactionMirror ```solidity address admin = vm.envAddress("TETHER_ADMIN"); require(admin != address(0), "TETHER_ADMIN not set in .env"); ``` ### Contract Pattern Contracts use simple admin pattern (similar to OpenZeppelin's `Ownable`): - Single `admin` address - `onlyAdmin` modifier for protected functions - `setAdmin()` function to transfer admin (requires current admin) --- ## 🚀 Deployment Steps ### 1. Choose Admin Address Type **Recommended**: Gnosis Safe (multisig) ### 2. Set Up Admin Address **For Multisig (Gnosis Safe)**: 1. Go to https://safe.global/ 2. Create a new Safe on Ethereum Mainnet 3. Add signers (minimum 2, recommended 3-5) 4. Set threshold (e.g., 2-of-3) 5. Complete setup and copy Safe address **For EOA**: 1. Use secure wallet (hardware wallet recommended) 2. Copy wallet address ### 3. Update .env File ```bash # Admin addresses (multisig recommended) TETHER_ADMIN=0x... # Your admin address (Safe or EOA) MIRROR_ADMIN=0x... # Can be same as TETHER_ADMIN or different # Other required variables PRIVATE_KEY=0x... # Deployer private key ETH_MAINNET_RPC_URL=https://eth-mainnet.g.alchemy.com/v2/YOUR_API_KEY ETHERSCAN_API_KEY=... ``` ### 4. Deploy Contracts ```bash # Deploy MainnetTether forge script script/DeployMainnetTether.s.sol \ --rpc-url $ETH_MAINNET_RPC_URL \ --private-key $PRIVATE_KEY \ --broadcast \ --verify \ -vvvv # Deploy TransactionMirror forge script script/DeployTransactionMirror.s.sol \ --rpc-url $ETH_MAINNET_RPC_URL \ --private-key $PRIVATE_KEY \ --broadcast \ --verify \ --via-ir \ -vvvv ``` --- ## 🔒 Security Best Practices ### For Production 1. **Use Multisig**: Always use Gnosis Safe or similar for production 2. **Multiple Signers**: Use 3-5 signers with 2-of-3 or 3-of-5 threshold 3. **Hardware Wallets**: Use hardware wallets for signers 4. **Separate Admin Addresses**: Consider different admin addresses for different contracts 5. **Regular Reviews**: Periodically review admin addresses and permissions ### For Development/Testing 1. **Testnet First**: Deploy to testnet first 2. **Secure Storage**: Keep private keys secure 3. **Hardware Wallet**: Use hardware wallet even for testing 4. **Documentation**: Document admin addresses and recovery procedures --- ## 📝 Post-Deployment ### Verify Admin Address After deployment, verify the admin address: ```bash # Check MainnetTether admin cast call "admin()" --rpc-url $ETH_MAINNET_RPC_URL # Check TransactionMirror admin cast call "admin()" --rpc-url $ETH_MAINNET_RPC_URL ``` ### Transfer Admin (If Needed) If you need to transfer admin to a different address: ```bash # Transfer MainnetTether admin cast send \ "setAdmin(address)" \ \ --rpc-url $ETH_MAINNET_RPC_URL \ --private-key $CURRENT_ADMIN_PRIVATE_KEY # Transfer TransactionMirror admin cast send \ "setAdmin(address)" \ \ --rpc-url $ETH_MAINNET_RPC_URL \ --private-key $CURRENT_ADMIN_PRIVATE_KEY ``` **Note**: For multisig, execute this transaction through the Safe interface. --- ## 🔄 Migration from Defender If you previously used Defender: 1. **Create New Admin Address**: Set up Gnosis Safe or choose EOA 2. **Update .env**: Replace `DEFENDER_ADMIN` with `TETHER_ADMIN`/`MIRROR_ADMIN` 3. **Deploy New Contracts**: Deploy with new admin addresses 4. **Or Transfer Admin**: If contracts already deployed, transfer admin to new address --- ## 📚 References - [Gnosis Safe Documentation](https://docs.safe.global/) - [OpenZeppelin Access Control](https://docs.openzeppelin.com/contracts/5.x/access-control) - [OpenZeppelin Ownable](https://docs.openzeppelin.com/contracts/5.x/access-control#ownership-and-ownable) --- **Last Updated**: 2025-12-11 **Status**: Updated - Defender Removed