Multi-Tier Permissioning

Protocol Permissions System

NashPoint implements a multi-tiered permissioning system where protocol-level governance controls which contracts can be used, routers control which components can be integrated, and Node owners select from these approved options. This ensures security while maintaining Node owner autonomy over their strategy.

Registry Level (Top)

Registry Owner controls global whitelist of valid contracts:

function setRegistryType(address addr, RegistryType type_, bool status) external onlyOwner {
    if (type_ == RegistryType.UNUSED) revert ErrorsLib.InvalidRole();
    if (type_ == RegistryType.NODE) revert ErrorsLib.NotFactory();
    roles[addr][type_] = status;
}

Types: ROUTER, QUOTER, REBALANCER, FACTORY

Router Level (Middle)

Registry owner controls which components each router can use:

function setWhitelistStatus(address component, bool status) external onlyRegistryOwner {
    isWhitelisted[component] = status;
}

Node Level (Bottom)

Node owners can only add protocol-whitelisted services:

function addRouter(address router) external onlyOwner {
    if (!protocol.isRouterWhitelisted(router)) revert ErrorsLib.NotWhitelisted();
    if (routers[router]) revert ErrorsLib.AlreadySet();
    routers[router] = true;
}

function addRebalancer(address newRebalancer) external onlyOwner {
    if (!registry.isRegistryType(newRebalancer, RegistryType.REBALANCER)) {
        revert ErrorsLib.NotWhitelisted();
    }
}

function setQuoter(address newQuoter) external onlyOwner {
    if (!registry.isRegistryType(newQuoter, RegistryType.QUOTER)) 
        revert ErrorsLib.NotWhitelisted();
}

No Forced Upgrades

The Registry Owner can revoke protocol-level permissions for routers, rebalancers, quoters, and components. However, these changes only affect future additions - any Node's existing configuration continues to function normally. This ensures Node owners maintain full control over their strategy and cannot be forced to upgrade or change their Node's setup.

1. Node operations don't check current registry status:

function execute(address target, bytes calldata data) external onlyRouter {
    // Only checks router is added to Node, not registry status
    if (!isRouter[msg.sender]) revert ErrorsLib.InvalidSender();
}

1. Router operations don't recheck registry status:

modifier onlyNodeRebalancer(address node) {
    // Only checks Node's rebalancer list, not registry
    if (!INode(node).isRebalancer(msg.sender)) revert ErrorsLib.NotRebalancer();
}

1. Component operations continue after whitelist removal:

function invest(address node, address component) external {
    // Only checks Node's component list, not router whitelist
    if (!INode(node).isComponent(component)) revert ErrorsLib.InvalidComponent();
}

Adding Components & Routers

To correctly configure a Node to use new Routers and Components follow this guide:

Adding Routers and Components - Step by Step Guide