Access & Admin Controls
eUSD implements strict access & admin controls both on- and off-chain.
Smart Contract Roles
The USD e-money defines multiple roles with differing levels of access. At high level, we define the following roles:
| Role name | Role description |
|---|---|
| PROXYOWNER_ROLE | Controls the proxy contract and implements contract upgrades. |
| BLOCKLISTER_ROLE | May assign and remove the BLOCKED_ROLE to addresses. The role can also: a) block the 0 address, effectively disabling mint & burn; and b) unblock the contract address. For more information about blocked roles and blocklisting, see 'Blocklisting'. |
| PAUSER_ROLE | Has the sole privilege of pausing the USD e-money contract. |
| UNPAUSER_ROLE | Has the sole privilege of unpausing the USD e-money contract. |
| MINTER_ROLE | May mint new USD e-moneys using mint() or mintSet(). The only role with minting privileges. |
| BLOCKED_ROLE | Addresses with this role have limited access to the USD e-money. Among others, they cannot transfer eUSD from or to their address. For more information about blocked roles and blocklisting, see 'Blocklisting'. |
| RESCUER_ROLE | This address may call rescueERC20() to move misplaced ERC20 tokens from the smart contract address to another. |
| BURNER_ROLE | May burn USD e-moneys using burn(), burnFrom() and burnFromWithPermit() functions (subject to conditions defined in the smart contracts). |
| DEFAULT_ADMIN_ROLE | Role that administers other roles. |
| DOMAIN_SEPARATOR | DOMAIN_SEPARATOR is not a role. It is related to signatures. |
For a more detailed description of the rights of each role, please refer directly to the inline documentation in eUSD.sol
Upgradability & Timelocks
The stablecoin smart contracts are upgradable to allow for future (non-breaking) changes to the code, including, for example, new features. Users & developers are not impacted by contract upgrades as long as they point their application to the proxy contract.
There are no timelocks enforced at the smart contract level. Timelocks are not implemented to ensure eUSD can respond to any change quickly. However, eUSD may employ timelocks within its internal systems to minimise unauthorised access.
Emergency Procedures
The eUSD team has strict operational guidelines and processes for responding to various emergencies and black-swan events. The most commonly used emergency procedure is assigning the "BLOCKED_ROLE" to new addresses. For more information, see Blocklisting. Other on-chain emergency procedures include but are not limited to pausing the smart contract, making changes to access controlled addresses, and changing proxy owners.
Contract ownership
All eUSD's stablecoin smart contracts are owned and operated by eUSD. Any relevant roles and access to addresses are strictly internal to eUSD. eUSD leverages MPC technology to minimise the risk of unauthorised access to the contract. Furthermore, eUSD employs various internal processes to ensure that even senior executive staff cannot make contract changes without proper authorisation.
Emergency Pausing
Pausing the USD e-money is an unlikely event. It is used to prevent imminent unauthorised access and threats. The mainnet contracts are never paused without a good reason. For more information, please see Pausing.
Governance
eUSD is entirely governed by Membrane Finance, the developer of eUSD. There are no on-chain governance or voting mechanisms nor a governance token at this stage.