Combined Policies
Overview
This policy lets you compose a set of security policies tailored to your protocol's business offering. This follows the common best practice of treating security as a multi-layered onion, where each layer protects against different attack vectors.
Protected Attack Vector
Depending on your configuration, this policy can protect against any number of attack vectors by combining the policies that cover them in different orders and configurations.
How It Works
When a transaction reaches this policy, it goes through the list of configured policy combinations.
Once all policies have finished executing and inspecting the incoming transaction, the policy checks whether the combined results match any of the configured combinations.
If a matching combination exists, the transaction is allowed to go through. Otherwise, it is reverted.
Setup Instructions
Deploy your own version of this policy (see Source Code).
Call the setConsumersStatuses() method to configure which consumers are allowed to interact with this policy.
Call the setFirewall() method to set which Firewall is allowed to use this policy.
Call the setAllowedCombinations() method to set which policy combinations you want this policy to work with.
Add the newly deployed policy to the Firewall (you can do this Globally or Per-Method, see Policy Administration).
That's it!
Properties
firewallAddress (address)
allowedCombinationHashes (bytes32[]): the list of allowed policy combinations (hashed)
isAllowedCombination (mapping(bytes32 => bool)): a mapping between combination hashes and their status (true or false)
approvedConsumer (mapping(address => bool)): a mapping of allowed consumers
policies (address[]): a list of policy addresses
currentResults (bool[][]): a matrix of inspection results, used throughout the execution of the configured policies
Methods
setConsumersStatuses()
function setConsumersStatuses(address[] calldata consumers, bool[] calldata statuses)
Callable only by the policy owner. Sets which consumers are allowed to use this policy.
consumers (address[] calldata): a list of consumers for which we're setting the statuses
statuses (bool[] calldata): a list of statuses to approve / disapprove the corresponding consumers
setFirewall()
function setFirewall(address _firewallAddress)
Callable only by the policy owner. Sets the Firewall that can use this policy.
_firewallAddress (address)
setAllowedCombinations()
function setAllowedCombinations(address[] calldata _policies, bool[][] calldata _allowedCombinations)
Callable only by the policy owner. Sets the policy combinations that the policy will use.
_policies (address[] calldata): a list of addresses for the policies we want to configure combinations for
_allowedCombinations (bool[][]): a matrix of combinations for allowed policies
the row length must match the length of the _policies array
each row represents a combination of policies that need to pass in order to allow the transaction to go through
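The combination check from How It Works and the matrix passed to setAllowedCombinations() can be modelled off-chain before deploying. This is an added example, not code from the project: the policy addresses and matrix are constructed placeholders, SHA-256 stands in for the contract's hash, and the match is assumed to be exact on the whole result vector, as a lookup by combination hash implies.

```python
import hashlib
from itertools import product

def combination_hash(row):
    # Stand-in hash (assumption): SHA-256 over one byte per bool. The contract's
    # real hashing is defined in CombinedPoliciesPolicy.sol, not on this page.
    return hashlib.sha256(bytes(1 if r else 0 for r in row)).hexdigest()

def build_allowed(policies, allowed_combinations):
    """Check the matrix shape and return the set of allowed row hashes."""
    allowed = set()
    for i, row in enumerate(allowed_combinations):
        # Documented rule: row length must match the length of _policies.
        if len(row) != len(policies):
            raise ValueError(f"row {i}: {len(row)} entries for {len(policies)} policies")
        if not all(isinstance(r, bool) for r in row):
            raise ValueError(f"row {i}: entries must be booleans")
        allowed.add(combination_hash(row))
    return allowed

def decide(allowed, results):
    # Assumption: the match is exact on the whole result vector.
    return "allow" if combination_hash(results) in allowed else "revert"

def coverage(policies, allowed):
    """Decision for every possible result vector, to review before deploying."""
    return {vec: decide(allowed, vec)
            for vec in product((True, False), repeat=len(policies))}

# Constructed sample: placeholder policy addresses and a two-row matrix.
POLICIES = ["0xPolicyA", "0xPolicyB", "0xPolicyC"]
MATRIX = [
    [True, True, False],   # A and B pass, C fails
    [False, False, True],  # only C passes
]

if __name__ == "__main__":
    allowed = build_allowed(POLICIES, MATRIX)
    for vec, verdict in coverage(POLICIES, allowed).items():
        print(vec, verdict)
```

Under the exact-match assumption, a transaction that passes all three policies is reverted unless [true, true, true] is listed as its own row, so the coverage output is worth reviewing for every vector you expect to allow.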
Security Lifecycle
This policy runs during both the Firewall's Pre Execution and the Post Execution hooks.
Source Code
On our GitHub repository: CombinedPoliciesPolicy.sol