Access Control

Sage Protocol implements a secure, type-safe, witness-based access control system built using Sui’s Move language. This ensures sensitive protocol operations are accessible only to explicitly authorized components, significantly enhancing security, flexibility, and composability.

​

Configurable Witness Pattern

At the core of Sage’s access control is the configurable witness pattern. Witnesses serve as authorization tokens required to execute protected operations. Each witness is associated with a configuration object explicitly defining permitted witness types.

For example, the following function enforces runtime validation, ensuring only explicitly authorized witness types are accepted:

public fun verify_channel_witness<ChannelWitnessType: drop>(
    channel_witness_config: &ChannelWitnessConfig,
    _: &ChannelWitnessType
): bool {
    let type_name = type_name::get<ChannelWitnessType>();
    type_name == channel_witness_config.type_name
}

This type check explicitly prevents unauthorized usage, significantly strengthening protocol security.

​

Architectural Levels of Access Control

Sage’s access control framework is organized clearly across multiple layers:

• Witness Configurations (Cross-Package Validation)
  • ChannelWitnessConfig, UserWitnessConfig, GroupWitnessConfig: Define authorized witness types for secure user interactions and channel operations.
  • GovernanceWitnessConfig, RewardWitnessConfig: Protect critical administrative actions related to governance and reward management. These configurations become immutable after initial deployment to ensure transparent, decentralized control.
• Administrative Capabilities
  • AdminCap, FeeCap, RewardCap, InviteCap, MintCap: Specialized privileges explicitly granting secure administrative control over sensitive protocol management tasks.
• Object-Level Permissions
  • UserOwnedConfig, UserSharedConfig: Enforce data-level permissions, ensuring users modify only data they own or have explicitly shared.

​

Security Advantages

The witness-based access control model provides several critical security benefits:

• Runtime Type Safety:
  Explicit runtime type-name checks catch unauthorized access attempts immediately, reducing risks from misconfiguration or unauthorized actions.
• Composable Security:
  Sage can easily introduce new witness types and extend validation rules, seamlessly integrating enhancements into the existing security framework without disruption.
• Upgradeable and Flexible:
  Administrative capabilities enable secure updates to witness configurations at runtime, eliminating the need to redeploy smart contracts. For example, administrators can safely update governance witness configurations using existing permissions: [RORY: this section is not strictly true. we may never actually upgrade any of these because if we did things right the first time we shouldn’t have to. the important aspect about this was a technical challenge we overcame to allow for this pattern to exist everywhere in the protocol while avoiding circular dependencies.]

public fun update_channel_type<ChannelType: key> (
    _: &AdminCap,
    channel_config: &mut ChannelConfig
) {
    let type_name = type_name::get<ChannelType>();

    channel_config.type_name = type_name;
}

This flexibility ensures the protocol remains adaptable, significantly reducing overhead and risks associated with future configuration changes.