Skip to main content

Blocklisting

Addresses may be assigned the BLOCKED_ROLE ("Blocked Role"), a role preventing them from receiving or sending eUSD to other addresses. The role also disables their ability to burn or mint eUSD. Assigning and removing the Blocked Roles is the responsibility of BLOCKLISTER_ROLE ("Blocker"), a role controlled by Membrane Finance ("Membrane").

Addresses are not blocked arbitrarily; an address may only be blocked pursuant to the Access Denial Policy, available at https://membrane.fi/legal/access-denial-policy

Ramifications of the Blocked Role

An address that has been assigned the Blocked Role, may not

  1. Mint new eUSD;
  2. Burn existing eUSD;
  3. Receive eUSD; or
  4. Send eUSD;

A blocked address may, however, call the transferFrom() function, as long as it does not transfer funds from/to a blocked address.

Blocked Roles can perform critical operations

In certain cases, assigning Blocked Role to an address does not prevent it from performing critical operations. The below table illustrates some of the critical operations that can performed by privileged addresses:

Additional roleCritical operations available to the Blocked Role
DEFAULT_ADMIN_ROLEgrantRole() and revokeRole()
PROXY_OWNER_ROLEupgradeTo() and upgradeToAndCall()
PAUSER_ROLEpause()
UNPAUSER_ROLEunpause()
MINTERmint() and mintSet()
BURNERburnFrom() and burnFromWithPermit()
RESCUERrescueERC20()

Blocked Roles can perform some operations

A Blocked Role can still perform some non-critical operations even if they do not hold privileged roles. Such operations include, for example: approve(), permit(), and transferFrom() between two addresses that are not its own. Regardless, a Blocked Role will block the address from transfering its own funds to and from other addresses.

BLOCKLISTER can alter contract behaviour

The BLOCKLISTER can (un)intentionally disable mint(), mintSet(), burn(), burnFrom(), and burnFromWithPermit() functions by blocking the 0-address. Additionally, the BLOCKLISTER can unblock the contract address which is undesirable.

Membrane implements checks outside of the smart contract to ensure such role changes are not made.