Admin

The Defender Admin service acts as an interface to manage your smart contract project through one or more secure multi-signature contracts. Defender Admin holds no control at all over your system, which is fully controlled by the keys of the signers.

Use cases

Use Defender Admin whenever you need secure management of your smart contracts on-chain. No administrative operation should be unilaterally controlled by a single owner. Instead, set up a multi-signature wallet and rely on Defender Admin to run any of the following actions through it:

  • Upgrading a contract to a new implementation

  • Tweaking a numerical parameter in your protocol that affects its behavior

  • Managing an access control list for restricted operations

  • Pausing your contract in the event of an emergency

Contracts and Proposals

To begin managing one of your Contracts in Defender Admin, the first step is to register it. This is a one-time process where you specify the network and address and assign a name to your contract. The contract’s ABI will be automatically pulled in from Etherscan or Sourcify if it has been verified, but you will need to manually enter it otherwise.

Defender Admin will automatically attempt to detect some features of your contract. Today, it will detect whether it’s an EIP1967-compatible or a legacy zOS proxy (and load the implementation’s ABI in that case) and whether it’s managed by a ProxyAdmin contract.

Once the contract has been added, you can create new Proposals for it. Each proposal is an action you want to execute on the contract; it is executed via a multisig contract and requires a quorum of admins to be in agreement. Once created, other admins can review and approve the proposal until it reaches the approval threshold and is executed.

Alternatively, you can also choose to execute an action directly on a Contract using Admin, if the function is not restricted to be called via a multisig.

When creating a new proposal, Defender Admin will first simulate it and will refuse to create it if the action reverts, showing the revert reason returned by the contract.

Proposal types

Defender Admin supports two kinds of proposals today: upgrades and custom actions. More proposal types will be added down the road.

Upgrades

An upgrade action can only be executed on EIP1967-compatible or legacy zOS upgradeable proxies that expose an upgradeTo(address) function. Defender Admin will handle proxies directly owned by a multi-signature wallet or proxies managed by a ProxyAdmin that is in turn owned by the wallet. The upgrade action only requires you to choose the new implementation address, and Defender Admin takes care of the rest.

Defender Admin currently does not validate storage layout compatibility of the implementations. For this reason, we strongly suggest using the prepareUpgrade function from the openzeppelin-upgrades library, via truffle or buidler, to deploy the target implementation.

Custom actions

A custom action is a call to any function in the managed contract. Defender Admin will handle the encoding of the transaction data and submit it as a new proposal via the chosen multi-signature wallet.

If no multi-signature wallet is specified, Defender will send the transaction directly to the contract.

Custom actions can also be repeated, which will present you with a pre-filled form, so you can review and tweak the action before approving it.

Certain ABI types, such as nested structs, are not yet supported. Contact us if you need to call a function that is currently unsupported!

Multi-signature wallets

Defender Admin supports two kinds of multi-signature wallets: Gnosis Safe and Gnosis MultisigWallet. If you are using a multi-signature implementation that is not supported, let us know!

Gnosis Safe

The Gnosis Safe wallet gathers offline signatures of each admin and then submits a single transaction with all signatures to execute the action. To share signatures, it relies on the Safe Transaction Service hosted by Gnosis.

The Safe Transaction Service is only available on Rinkeby and Mainnet. Still, you can use Defender Admin on any network; it will just skip syncing with the transaction service if it’s not available.

When using a Gnosis Safe, Defender Admin will synchronize all signatures to and from the Safe Transaction Service. This way, any admins on your team using the Safe UI will still be able to sign the Defender Admin proposals.

The Safe contract requires all its proposals to be executed in order. If you have gathered all signatures for a proposal and still cannot execute it, make sure there are no prior proposals pending execution.

Gnosis MultisigWallet

The Gnosis MultisigWallet requires each admin to submit a new transaction with their approval, so there is no need for a separate service to coordinate.

In addition to the vanilla MultisigWallet, Defender Admin also supports a PartiallyDelayedMultisig variant developed by dYdX. In this wallet, once a proposal has been approved, it is required to wait for a timelock period before it can be executed. Defender Admin will load this information from the contract and display it on the interface.

Managing your multi-sig from Defender Admin

While Defender Admin does not yet provide a specialized interface for management of the multi-signature wallet contract, you can still manage it through custom action proposals.

By adding your multi-sig contract to Defender Admin, you can invoke management functions such as addOwner or changeThreshold easily, specifying the multisig itself as the multisig to send these calls through.

Wallets

All approvals in Defender Admin today are handled via Metamask. Defender Admin also supports hardware wallets through Metamask. We have so far tested support with Ledger Nano. Please contact us if you want to use a different wallet (software or hardware) with Defender.

Address book

All members of your team share an address book where you can define user-friendly names for your accounts or contracts. You can set up these names anywhere you see an address in Defender just by clicking on it, or you can manage your entire address book in the corresponding section in the top-right user menu.

Defender will also automatically create address book entries for you when you import a new contract into Admin.

Security considerations

Defender Admin acts exclusively as an interface to your contracts and multi-signature wallets. This means that you do not grant Defender any rights over your contracts by using Admin to manage them. All proposal approvals are signed client-side using the admin user’s private key through Metamask. The Defender Admin backend is only involved in storing proposal metadata and sharing the approval signatures when these are not stored on-chain. Ultimately, the multi-signature wallet contracts are the ones that verify these approvals and execute the proposed actions.

Defender Admin’s main contribution to security is then related to usability. First, it automates the process of crafting the transaction for a proposal to avoid manual errors. Second, it provides a clear interface for reviewing a proposal without having to manually decode the proposal hex data.
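A signer can also cross-check the hex data their wallet displays against what the proposal claims to do. The following is an added example, not Defender's or OpenZeppelin's code: it recomputes the 4-byte selector for each expected signature with a self-contained Keccak-256 and decodes the arguments, rejecting anything unexpected. The function names, the allow-list parameter and the sample implementation address are assumptions made for illustration, and only static `address` and `uint256` arguments are handled.

```python
def keccak256(data: bytes) -> bytes:
    """Keccak-256 as used by Ethereum (0x01 padding); inputs under 136 bytes only."""
    assert len(data) < 136
    st = bytearray(data) + bytearray(200 - len(data))
    st[len(data)] ^= 0x01
    st[135] ^= 0x80
    A = [[int.from_bytes(st[8*(x+5*y):8*(x+5*y)+8], "little") for y in range(5)] for x in range(5)]
    rol = lambda v, n: ((v << n) | (v >> (64 - n))) & (2**64 - 1)
    R = 1
    for _ in range(24):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
        D = [C[(x+4) % 5] ^ rol(C[(x+1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, A[1][0]
        for t in range(24):
            x, y = y, (2*x + 3*y) % 5
            cur, A[x][y] = A[x][y], rol(cur, (t+1)*(t+2)//2 % 64)
        for y in range(5):
            T = [A[x][y] for x in range(5)]
            for x in range(5):
                A[x][y] = T[x] ^ (~T[(x+1) % 5] & T[(x+2) % 5])
        for j in range(7):
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                A[0][0] ^= 1 << ((1 << j) - 1)
    return b"".join(A[x][0].to_bytes(8, "little") for x in range(4))

def decode_call(calldata_hex: str, allowed: list) -> tuple:
    """Match calldata against expected signatures; decode address/uint256 arguments."""
    raw = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    sig = next((s for s in allowed if keccak256(s.encode())[:4] == raw[:4]), None)
    if sig is None:
        raise ValueError("selector 0x%s is not an expected admin function" % raw[:4].hex())
    types = [t for t in sig[sig.index("(") + 1:-1].split(",") if t]
    if len(raw) != 4 + 32 * len(types):
        raise ValueError("calldata length does not match " + sig)
    args = []
    for i, typ in enumerate(types):
        word = raw[4 + 32*i:36 + 32*i]
        if typ == "address" and not any(word[:12]):
            args.append("0x" + word[12:].hex())
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
        else:
            raise ValueError("malformed or unsupported %s argument" % typ)
    return sig, args

# Constructed sample: upgradeTo(address) with a made-up implementation address.
PROPOSAL = "0x3659cfe6" + "00" * 12 + "ab" * 20
```

Calling `decode_call(PROPOSAL, ["upgradeTo(address)"])` returns the signature and the target implementation address, which the signer compares with the address they reviewed; calldata with any other selector raises `ValueError`.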

Coming up…

We are working on support for the xDai network in Admin, so you can manage your contracts on this popular sidechain as well. We are also working on public views for contracts, so you can optionally share with your community what change proposals are coming. Stay tuned, and let us know if you have any requests!