
Process Security, Pillar 02

Role-Based Access Control
RBAC Design for Web3.

Who can call your admin functions? Who can upgrade your contracts? Who can push to production? If those answers are not encoded in a deliberate, documented permission model, your security architecture has a structural gap. RBAC design closes it, on-chain and off.

The Service

Permission Models & Security Frameworks Built for Decentralised Systems

Role-based access control (RBAC) is the security framework that maps every sensitive action to a defined role, and every role to the minimum set of people or systems authorised to perform it. In traditional enterprise security, this is a solved problem. In Web3, it is largely not: smart contracts are deployed with flat admin structures, teams share deployer keys informally, and off-chain infrastructure is governed by whoever happened to set it up.

We design RBAC frameworks that cover both dimensions: the on-chain permission model encoded in your contracts, and the off-chain access governance across your infrastructure, repositories, cloud environments, and communication tools. The goal is the same in both cases: every sensitive capability is tied to a specific role, that role is assigned deliberately, and the assignment is reviewed and revocable.

What We Deliver

Work is delivered through our internal consultancy team and a curated network of specialist partner firms, rigorously vetted for technical depth and professional integrity in the Web3 space.

  • On-chain RBAC audit: review of existing contract permission structures and admin role assignments
  • Role hierarchy design: owner, admin, operator, guardian, defined with explicit scope and constraints
  • Timelock and multi-sig integration: high-impact roles gated behind delay and approval thresholds
  • Off-chain RBAC mapping: cloud platforms, CI/CD, GitHub, admin dashboards, and internal tooling
  • Separation of duties: no single person holds the combination of roles required to act unilaterally on critical functions
  • Emergency access design: break-glass procedures with audit trails rather than informal "just use the owner key"
  • Role governance documentation: written policy that survives team changes and external audits

One Compromised Key. Infinite Tokens.

“In the Ankr hack of December 2022, attackers obtained the private key of a former Ankr developer. The key still had access to a privileged contract role. Using it, the attacker called the mint function and issued 6 quadrillion aBNBc tokens into their own wallet, then sold them across liquidity pools for approximately $5M before the token price collapsed entirely. There was no contract bug. There was a flat permission model where a single key held unconstrained minting authority with no role separation, no access expiry, and no off-boarding procedure to revoke it.”
Security4Web3 Incident Analysis

When Only One Person Holds the Keys

“Multichain was one of the largest cross-chain bridge protocols in DeFi, with billions in TVL. In May 2023, CEO Zhao Jun was detained by Chinese authorities. It emerged that he alone held the private keys for all Multichain protocol wallets: there was no role separation, no backup signers, no revocation path. The protocol could not operate. In July 2023, approximately $130M was drained to addresses linked to his family. The on-chain permissions had no expiry, no co-signer requirement, and no recovery mechanism. They were permanent until used.”
Security4Web3 Incident Analysis

Good security architecture for access control is not just about what an attacker cannot do; it is also about what a compromised or malicious insider cannot do alone. Separation of duties, role scoping, and timelocks all serve this purpose. We design these controls to be usable in practice, not just theoretically correct.

The Framework

RBAC Across Both Layers: On-Chain & Off-Chain.

Web3 protocols operate in two permission environments simultaneously. A robust access control design must address both; most organisations address neither fully.

Smart Contract Roles

Mapping every privileged function (upgrade, pause, mint, withdraw, configure) to a defined role. Reviewing whether those roles are appropriately scoped, held by multi-sig rather than EOA, and revocable. Identifying functions that should be timelocked but are not.

Human Role Assignment

Documenting who holds each on-chain and off-chain role. Eliminating informal arrangements where access is granted as a favour or because it was easier. Designing a role assignment process that requires deliberate approval and creates an audit trail.

Separation of Duties

Ensuring no individual holds the combination of roles that would allow unilateral action on critical functions. The person who proposes a transaction should not be one of the signers who approves it. The developer who writes the upgrade should not be the one who deploys it unilaterally.

Timelock & Governance Integration

High-impact role changes and privileged actions enforced through on-chain timelocks. Community or governance token holders given a meaningful window to observe and respond. Emergency paths designed with explicit scope rather than unlimited admin overrides.
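
The four review areas above can be checked mechanically once role assignments are written down as an inventory. The sketch below is an added example, not part of the original page or any Security4Web3 tooling; the inventory fields, role names, conflict pairs and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Roles treated as high-impact here; the exact set is an assumption.
HIGH_IMPACT = {"upgrader", "minter", "withdrawer"}
# Role pairs one holder must not combine (assumed conflict matrix).
CONFLICTS = [("proposer", "approver"), ("upgrade_author", "upgrader")]

@dataclass(frozen=True)
class Grant:
    role: str            # role name in the permission model
    holder: str          # person or multi-sig label
    holder_type: str     # "eoa" or "multisig"
    timelock_hours: int  # delay enforced before the role's actions execute
    active_member: bool  # False once the holder has been off-boarded

def audit(grants):
    """Return sorted (finding, role, holder) tuples for a role inventory."""
    findings = set()
    roles_by_holder = {}
    for g in grants:
        roles_by_holder.setdefault(g.holder, set()).add(g.role)
        if not g.active_member:
            # Access that outlived the person's role: the off-boarding gap.
            findings.add(("stale-grant", g.role, g.holder))
        if g.role in HIGH_IMPACT:
            if g.holder_type != "multisig":
                findings.add(("eoa-holds-high-impact", g.role, g.holder))
            if g.timelock_hours <= 0:
                findings.add(("no-timelock", g.role, g.holder))
    for holder, roles in roles_by_holder.items():
        for a, b in CONFLICTS:
            if a in roles and b in roles:
                # One holder can both initiate and complete a critical action.
                findings.add(("duty-conflict", f"{a}+{b}", holder))
    return sorted(findings)

# Constructed sample inventory (not data from any real protocol).
SAMPLE = [
    Grant("minter", "former-dev", "eoa", 0, False),
    Grant("upgrader", "ops-multisig", "multisig", 48, True),
    Grant("proposer", "alice", "eoa", 0, True),
    Grant("approver", "alice", "eoa", 0, True),
    Grant("approver", "bob", "eoa", 0, True),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Run against the sample, the former developer's minting key is flagged three times over (stale, EOA-held, no timelock), and the holder with both proposer and approver roles is flagged as a duty conflict.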

Your permission model is one of the highest-leverage security controls in your system. A well-designed RBAC framework limits what any attacker, insider, or compromised key can accomplish. We review existing architectures and design new frameworks from scratch, covering both your smart contracts and your off-chain infrastructure.
