BlackHart
D1

Access Control

Permission models, admin surface, reentrancy protection, and authorization boundaries. #1 exploit vector by dollar loss in DeFi history.

Weight 18%, 88% confidence
Score: 48 (Concerning)

How This Score Is Built


+23 Strong positive
+12 Positive
+5 Slight positive
−15 Strong negative
−8 Negative
−3 Slight negative

Scoring Tree

BRI Formula
300 + 700 × ∏(Dᵢ/100)^wᵢ
680
Current BRI
D1 Access Control (weight 16%)
48
(48/100)^0.16 = 0.8892
Contributing Factors
+16 attesterManager (V2: 0xc16b...c95a) can enableAttester/disableAttester and setSignatureThreshold; combined with the attester set this is effectively a cross-chain mint authority
+16 Live mitigation confirmed on-chain: signatureThreshold=2 with 2 enabled attesters (0x725b...3F96, 0x52Ed...bCeF) — a single compromised attester key cannot forge a mint; both must sign
+16 Per-contract owner/pauser/rescuer/tokenController roles all read on-chain (distinct addresses per role and per contract — role separation, not a single key)
-52 Modifiers: onlyOwner, onlyAttesterManager, onlyTokenController, whenNotPaused; attester enable/disable and threshold changes are unilateral by attesterManager with no delay
0 TokenMessengerV2 is itself an upgradeable proxy (AdminUpgradableProxy, impl 0x555e...3ec8) — owner can rotate logic; no on-chain timelock observed
0 ChainSecurity (2025-03-24) confirms a 2-step pattern for transferring high-importance roles (avoids lockout), though it notes the 2-step pattern is NOT applied to the proxy admin role
Evidence Sources
blackhart_analysis, May 30, sha256:3a92f407962d...

Score Composition

-52 (Strong negative): Modifiers: onlyOwner, onlyAttesterManager, onlyTokenController, whenNotPaused; attester enable/disable and threshold changes are unilateral by attesterManager with no delay

0 (Neutral): TokenMessengerV2 is itself an upgradeable proxy (AdminUpgradableProxy, impl 0x555e...3ec8) — owner can rotate logic; no on-chain timelock observed

0 (Neutral): ChainSecurity (2025-03-24) confirms a 2-step pattern for transferring high-importance roles (avoids lockout), though it notes the 2-step pattern is NOT applied to the proxy admin role

+16 (Strong positive): attesterManager (V2: 0xc16b...c95a) can enableAttester/disableAttester and setSignatureThreshold; combined with the attester set this is effectively a cross-chain mint authority

+16 (Strong positive): Live mitigation confirmed on-chain: signatureThreshold=2 with 2 enabled attesters (0x725b...3F96, 0x52Ed...bCeF) — a single compromised attester key cannot forge a mint; both must sign

+16 (Strong positive): Per-contract owner/pauser/rescuer/tokenController roles all read on-chain (distinct addresses per role and per contract — role separation, not a single key)

Evidence Chain (1 file)

BlackHart Analysis, May 30, 2026, 05:10 AM
sha256:3a92f407962d...

Score History

No dimension-level score changes recorded yet.

Methodology: 2.1 | Formula: 1.1 | Weights: 1.1