@lazy-sol/access-control 1.1.1 → 1.1.4

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+v1.1.3: Prem's audit and its resolution
+- See the list of issues found and resolved in [the audit resolution doc](./audits/1.1_Prem_resolution.md)
+- See the audit methodology and issues found in [the original audit report](./audits/1.1_final_Prem.pdf)
+
+v1.1.2: do not enable full privileges to zero address on construction
+
 v1.1.1: Role-based Access Control (RBAC) Inspector
 - Introduced the Role-based Access Control (RBAC) Inspector UI capable of evaluating features and roles
   for already deployed contracts; supports all EVM-based networks (mainnet, sepolia, etc.)

package/CONTRIBUTING.md

@@ -197,4 +197,5 @@ See also:
 
 Prepared by Basil Gorin
 
-(c) 2017–2024 Basil Gorin
+(c) 2017–2024 Basil Gorin  
+(c) 2024–2025 Lazy So\[u\]l

package/LICENSE.txt

@@ -1,6 +1,7 @@
 The MIT License (MIT)
 
 Copyright (c) 2017-2024 Basil Gorin
+Copyright (c) 2024–2025 Lazy So[u]l
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

package/README.md

@@ -4,6 +4,10 @@ A shortcut to a modular and easily pluggable dapp architecture.
 Enable the modular plug and play (PnP) architecture for your dapp by incorporating the role-based access control (RBAC)
 into the smart contracts.
 
+## Audit(s)
+* [v1.1 Audit by Prem, December 23, 2024 – January 20, 2025](./audits/1.1_final_Prem.pdf)
+  * [Resolution: v1.1 Audit by Prem](./audits/1.1_Prem_resolution.md)
+
 ## Technical Overview
 
 Role-based Access Control (RBAC), or simply Access Control, is the base parent contract to be inherited by other smart
@@ -267,9 +271,14 @@ To execute the restricted access function on the target contract via the AccessC
 3.  To find **all** the addresses having any permissions, track the `RoleUpdated()` event and evaluate the history
     of `assiged` roles for every `operator` address
     * Alternatively, use the [tool](ui.html) which automates the process
+      (see demo [here](https://lazy-sol.github.io/access-control/ui.html))
+
+## See Also
+[Upgradeable Role-based Access Control (U-RBAC)](https://github.com/lazy-sol/access-control-upgradeable/blob/master/README.md)
 
 ## Contributing
 Please see the [Contribution Guide](./CONTRIBUTING.md) document to get understanding on how to report issues,
 contribute to the source code, fix bugs, introduce new features, etc.
 
-(c) 2017–2024 Basil Gorin
+(c) 2017–2024 Basil Gorin  
+(c) 2024–2025 Lazy So\[u\]l

package/audits/1.1_Prem_resolution.md

@@ -0,0 +1,60 @@
+# AccessControl: Smart Contract Audit Report Resolution #
+
+## Resolution Summary ##
+
+| ID      |                                                                                            | Resolution   |
+|---------|--------------------------------------------------------------------------------------------|--------------|
+| Major-1 | Low-Level Call in `execute(bytes)` (OwnableToAccessControlAdapter)                         | Fixed        |
+| Major-2 | Validation of `targetAddress` in `deployNewOwnableToAccessControlAdapter` (AdapterFactory) | Fixed        |
+| Minor-1 | Insufficient Event Logging in `RoleUpdated`                                                | Fixed        |
+| Minor-2 | No Check for `role != 0` in `updateRole`                                                   | Mitigated    |
+| Minor-3 | State Variables Could Be Declared immutable (OwnableToAccessControlAdapter)                | Fixed        |
+| Notes-1 | Version Constraints with Known Issues                                                      | Mitigated    |
+| Notes-2 | Visibility Optimization for Gas Savings                                                    | Fixed        |
+| Notes-3 | Potential Improvement for `FULL_PRIVILEGES_MASK` Assignment                                | Acknowledged |
+
+For issues which were ignored, acknowledged, mitigated, or fixed differently than suggested by the auditor, see the
+[Comments](#comments) section below.
+
+## Comments ##
+### Major-1. Low-Level Call in `execute(bytes)` (OwnableToAccessControlAdapter) ###
+Fixed by
+1.  making `target` immutable,
+2.  ensuring it is an already deployed contract in the `OwnableToAccessControlAdapter` constructor:
+    ```solidity
+    require(_target.code.length != 0, "EOA");
+    ```
+3.  porting `_revert` function from OZ 4.9.6 `@openzeppelin/contracts/utils/Address.sol` library and using it
+    to keep original error messages from the target contract:
+    ```solidity
+    _revert(returndata, "execution failed");
+    ```
+
+### Minor-2. No Check for `role != 0` in `updateRole` ###
+To be used as a parent contract for RBAC-based applications, the `AccessControl` contract is originally designed to be
+lightweight, which was improved even further in version 1.1 by introducing the `AccessControlCore` contract.
+
+To minimise contract size, we minimise the number of public functions exposed and use a single public function
+`updateRole` to add, modify, and delete permissions, including self-revoke.
+
+Mitigated by adding an explicit and very well noticeable comment in the SolDoc for `updateRole` function.
+
+### Notes-1. Version Constraints with Known Issues ###
+To allow the use as a parent contract for a wide range of RBAC-based applications, and serve as a Solidity library,
+we try to keep pragma constraint as low as possible. This approach maximizes compatibility.
+
+Mitigated by updating the compiler version to 0.8.28 in `hardhat.config.js`.
+
+### Notes-2. Visibility Optimization for Gas Savings 
+Visibility modifier was changed from `public` to `external` for functions `isFeatureEnabled`, `isSenderInRole`,
+`isOperatorInRole`, `updateFeatures`, `updateRole`, `updateAccessRole`, and `deployNewOwnableToAccessControlAdapter`.
+
+Functions `features`, and `getRole` remain public to be accessible in inheriting contracts.
+
+### Notes-3. Potential Improvement for `FULL_PRIVILEGES_MASK` Assignment ###
+Role-based Access Control (RBAC) library, and its AccessControl* contracts are designed to be a long-term, but still
+temporary solution for the projects evolving in the direction of the fully decentralized operation. RBAC Lifecycle
+assumes that all the permissions are eventually either fully revoked from external participants, or are fully
+transitioned to the DAO governance smart contract.
+
+Thus, further improvements to `FULL_PRIVILEGES_MASK` assignments and management are out of scope for the RBAC library.

package/contracts/AccessControl.sol

@@ -71,7 +71,7 @@ abstract contract AccessControl is AccessControlCore {
 	 * @param required set of features to check against
 	 * @return true if all the features requested are enabled, false otherwise
 	 */
-	function isFeatureEnabled(uint256 required) public view returns (bool) {
+	function isFeatureEnabled(uint256 required) external view returns (bool) {
 		// delegate to internal `_isFeatureEnabled`
 		return _isFeatureEnabled(required);
 	}
@@ -82,7 +82,7 @@ abstract contract AccessControl is AccessControlCore {
 	 * @param required set of permissions (role) to check against
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
-	function isSenderInRole(uint256 required) public view returns (bool) {
+	function isSenderInRole(uint256 required) external view returns (bool) {
 		// delegate to internal `_isSenderInRole`
 		return _isSenderInRole(required);
 	}
@@ -94,7 +94,7 @@ abstract contract AccessControl is AccessControlCore {
 	 * @param required set of permissions (role) to check
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
-	function isOperatorInRole(address operator, uint256 required) public view returns (bool) {
+	function isOperatorInRole(address operator, uint256 required) external view returns (bool) {
 		// delegate to internal `_isOperatorInRole`
 		return _isOperatorInRole(operator, required);
 	}

package/contracts/AccessControlCore.sol

@@ -107,11 +107,12 @@ abstract contract AccessControlCore {
 	/**
 	 * @dev Fired in updateRole() and updateFeatures()
 	 *
+	 * @param by address which has granted/revoked permissions to operator
 	 * @param operator address which was granted/revoked permissions
 	 * @param requested permissions requested
 	 * @param assigned permissions effectively set
 	 */
-	event RoleUpdated(address indexed operator, uint256 requested, uint256 assigned);
+	event RoleUpdated(address indexed by, address indexed operator, uint256 requested, uint256 assigned);
 
 	/**
 	 * @notice Function modifier making a function defined as public behave as restricted
@@ -135,8 +136,11 @@ abstract contract AccessControlCore {
 	 * @param _features initial features mask of the contract, can be zero
 	 */
 	constructor(address _owner, uint256 _features) { // visibility modifier is required to be compilable with 0.6.x
-		// grant owner full privileges
-		__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
+		// if there is a request to set owner (zero address owner means no owner)
+		if(_owner != address(0)) {
+			// grant owner full privileges
+			__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
+		}
 		// update initial features bitmask
 		__setRole(address(this), _features, _features);
 	}
@@ -148,7 +152,7 @@ abstract contract AccessControlCore {
 	 *
 	 * @return 256-bit bitmask of the features enabled
 	 */
-	function features() public view returns (uint256) {
+	function features() public view returns(uint256) {
 		// features are stored in 'this' address mapping of `userRoles`
 		return getRole(address(this));
 	}
@@ -162,9 +166,9 @@ abstract contract AccessControlCore {
 	 *
 	 * @param _mask bitmask representing a set of features to enable/disable
 	 */
-	function updateFeatures(uint256 _mask) public {
-		// delegate call to `updateRole`
-		updateRole(address(this), _mask);
+	function updateFeatures(uint256 _mask) external {
+		// delegate to internal `_updateRole()`
+		_updateRole(address(this), _mask);
 	}
 
 	/**
@@ -189,22 +193,30 @@ abstract contract AccessControlCore {
 	 * @notice Updates set of permissions (role) for a given user,
 	 *      taking into account sender's permissions.
 	 *
-	 * @dev Setting role to zero is equivalent to removing an all permissions
+	 * @dev Setting role to zero is equivalent to removing all the permissions
 	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
 	 *      copying senders' permissions (role) to the user
 	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
 	 *
+	 * ╔════════════════════════════════════════════════════════════════════════╗
+	 * ║                WARNING: RISK OF ACCIDENTAL SELF-REVOKE                 ║
+	 * ╠════════════════════════════════════════════════════════════════════════╣
+	 * ║  updateRole function is used to add, update, and delete permissions,   ║
+	 * ║  as well as to revoke and self-revoke all the permissions              ║
+	 * ║                                                                        ║
+	 * ║  updateRole(msg.sender, 0) executed by a super admin themselves        ║
+	 * ║  revokes super admin permissions forever if there is no other super    ║
+	 * ║  admin set prior to updateRole(msg.sender, 0) call                     ║
+	 * ╚════════════════════════════════════════════════════════════════════════╝
+	 *
 	 * @param operator address of a user to alter permissions for,
 	 *       or self address to alter global features of the smart contract
 	 * @param role bitmask representing a set of permissions to
 	 *      enable/disable for a user specified
 	 */
-	function updateRole(address operator, uint256 role) public {
-		// caller must have a permission to update user roles
-		_requireSenderInRole(ROLE_ACCESS_MANAGER);
-
-		// evaluate the role and reassign it
-		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
+	function updateRole(address operator, uint256 role) external {
+		// delegate to internal `_updateRole()`
+		_updateRole(operator, role);
 	}
 
 	/**
@@ -316,6 +328,28 @@ abstract contract AccessControlCore {
 		return __hasRole(getRole(operator), required);
 	}
 
+	/**
+	 * @dev Updates set of permissions (role) for a given user,
+	 *      taking into account sender's permissions.
+	 *
+	 * @dev Setting role to zero is equivalent to removing all the permissions
+	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
+	 *      copying senders' permissions (role) to the user
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param role bitmask representing a set of permissions to
+	 *      enable/disable for a user specified
+	 */
+	function _updateRole(address operator, uint256 role) internal {
+		// caller must have a permission to update user roles
+		_requireSenderInRole(ROLE_ACCESS_MANAGER);
+
+		// evaluate the role and reassign it
+		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
+	}
+
 	/**
 	 * @dev Sets the `assignedRole` role to the operator, logs both `requestedRole` and `actualRole`
 	 *
@@ -336,7 +370,7 @@ abstract contract AccessControlCore {
 		userRoles[operator] = assignedRole;
 
 		// fire an event
-		emit RoleUpdated(operator, requestedRole, assignedRole);
+		emit RoleUpdated(msg.sender, operator, requestedRole, assignedRole);
 	}
 
 	/**

package/contracts/AdapterFactory.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity >=0.8.4;
+pragma solidity >=0.8.20;
 
 import "./OwnableToAccessControlAdapter.sol";
 
@@ -39,7 +39,10 @@ contract AdapterFactory {
 	 * @param targetAddress OZ Ownable target address to bind OwnableToAccessControlAdapter to
 	 * @return address of the newly deployed OwnableToAccessControlAdapter contract
 	 */
-	function deployNewOwnableToAccessControlAdapter(address targetAddress) public returns(address) {
+	function deployNewOwnableToAccessControlAdapter(address targetAddress) external returns(address) {
+		// verify the inputs
+		require(targetAddress != address(0), "zero address");
+		require(targetAddress.code.length != 0, "EOA");
 		// verify sender is a target owner
 		require(Ownable(targetAddress).owner() == msg.sender, "not an owner");
 

package/contracts/OwnableToAccessControlAdapter.sol

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: MIT
 // breaking changes in .call() (0.5.0)
 // allow .call{}() (0.6.2)
-pragma solidity >=0.8.4;
+pragma solidity >=0.8.20;
 
 import "./AccessControl.sol";
 
@@ -71,7 +71,7 @@ contract OwnableToAccessControlAdapter is AccessControlCore {
 	 *
 	 * @dev Target contract must transfer its ownership to the AccessControl Adapter
 	 */
-	address public target;
+	address public immutable target;
 
 	/**
 	 * @dev Access roles mapping stores the roles required to access the functions on the
@@ -95,16 +95,17 @@ contract OwnableToAccessControlAdapter is AccessControlCore {
 	 * @param selector selector of the function which corresponding access role was updated
 	 * @param role effective required role to execute the function defined by the selector
 	 */
-	event AccessRoleUpdated(bytes4 selector, uint256 role);
+	event AccessRoleUpdated(bytes4 indexed selector, uint256 role);
 
 	/**
 	 * @dev Logs function execution result on the target if the execution completed successfully
 	 *
 	 * @param selector selector of the function which was executed on the target contract
+	 * @param roleRequired role that was required to execute the function requested
 	 * @param data full calldata payload passed to the target contract (includes the 4-bytes selector)
 	 * @param result execution response from the target contract
 	 */
-	event ExecutionComplete(bytes4 selector, bytes data, bytes result);
+	event ExecutionComplete(bytes4 indexed selector, uint256 roleRequired, bytes data, bytes result);
 
 	/**
 	 * @dev Deploys an AccessControl Adapter binding it to the target OZ Ownable contract,
@@ -116,6 +117,7 @@ contract OwnableToAccessControlAdapter is AccessControlCore {
 	constructor(address _target, address _owner) AccessControlCore(_owner, 0) { // visibility modifier is required to be compilable with 0.6.x
 		// verify the inputs
 		require(_target != address(0), "zero address");
+		require(_target.code.length != 0, "EOA");
 
 		// initialize internal contract state
 		target = _target;
@@ -132,9 +134,9 @@ contract OwnableToAccessControlAdapter is AccessControlCore {
 	 * @param role role required to execute this function, or zero to disable
 	 *      access to the specified function for everyone
 	 */
-	function updateAccessRole(string memory signature, uint256 role) public {
-		// delegate to `updateAccessRole(bytes4, uint256)`
-		updateAccessRole(bytes4(keccak256(bytes(signature))), role);
+	function updateAccessRole(string memory signature, uint256 role) external {
+		// delegate to internal `_updateAccessRole(bytes4, uint256)`
+		__updateAccessRole(bytes4(keccak256(bytes(signature))), role);
 	}
 
 	/**
@@ -148,7 +150,23 @@ contract OwnableToAccessControlAdapter is AccessControlCore {
 	 * @param role role required to execute this function, or zero to disable
 	 *      access to the specified function for everyone
 	 */
-	function updateAccessRole(bytes4 selector, uint256 role) public {
+	function updateAccessRole(bytes4 selector, uint256 role) external {
+		// delegate to internal `_updateAccessRole(bytes4, uint256)`
+		__updateAccessRole(selector, role);
+	}
+
+	/**
+	 * @dev Updates the access role required to execute the function defined by its selector
+	 *      on the target contract
+	 *
+	 * @dev More on function signatures and selectors: https://docs.soliditylang.org/en/develop/abi-spec.html
+	 *
+	 * @param selector function selector on the target contract, for example
+	 *      0xf2fde38b selector corresponds to the "transferOwnership(address)" function
+	 * @param role role required to execute this function, or zero to disable
+	 *      access to the specified function for everyone
+	 */
+	function __updateAccessRole(bytes4 selector, uint256 role) private {
 		// verify the access permission
 		_requireSenderInRole(ROLE_ACCESS_ROLES_MANAGER);
 
@@ -175,34 +193,25 @@ contract OwnableToAccessControlAdapter is AccessControlCore {
 	 */
 	function execute(bytes memory data) public payable returns(bytes memory) {
 		// extract the selector (first 4 bytes as bytes4) using assembly
-		bytes4 selector;
-		assembly {
-			// load the first word after the length field
-			selector := mload(add(data, 32))
-		}
+		bytes4 selector = data.length == 0? bytes4(0x00000000): __extractSelector(data);
 
-		// zero data length means we're trying to execute the receive() function on
-		// the target and supply some ether to the target; in this case we don't need a security check
-		// if the data is present, we're executing some real function and must do a security check
-		if(data.length != 0) {
-			// determine the role required to access the function
-			uint256 roleRequired = accessRoles[selector];
+		// determine the role required to access the function
+		uint256 roleRequired = accessRoles[selector];
 
-			// verify function access role was already set
-			require(roleRequired != 0, "access role not set");
+		// verify function access role was already set
+		require(roleRequired != 0, "access role not set");
 
-			// verify the access permission
-			_requireSenderInRole(roleRequired);
-		}
+		// verify the access permission
+		_requireSenderInRole(roleRequired);
 
 		// execute the call on the target
 		(bool success, bytes memory result) = address(target).call{value: msg.value}(data);
 
 		// verify the execution completed successfully
-		require(success, "execution failed");
+		__requireSuccessfulCall(success, result);
 
 		// emit an event
-		emit ExecutionComplete(selector, data, result);
+		emit ExecutionComplete(selector, roleRequired, data, result);
 
 		// return the result
 		return result;
@@ -230,4 +239,44 @@ contract OwnableToAccessControlAdapter is AccessControlCore {
 		// delegate to `execute(bytes)`
 		execute(msg.data);
 	}
+
+	/// @dev Extracts first 4 bytes from the input, throwing if input is less than 4 bytes long
+	function __extractSelector(bytes memory data) private pure returns(bytes4) {
+		// verify data has at least 4 bytes to read
+		require(data.length >= 4, "bad selector");
+		// extract the selector (first 4 bytes as bytes4) using assembly
+		bytes4 selector;
+		assembly {
+		// load the first word after the length field
+			selector := mload(add(data, 32))
+		}
+		// return whatever we've loaded from the memory
+		return selector;
+	}
+
+	/// @dev Mimics the require(success, string(returndata))
+	function __requireSuccessfulCall(bool success, bytes memory returndata) private pure {
+		// if operation was not successful
+		if(!success) {
+			// revert, trying to deliver original error message from the low-level call,
+			// and falling back to "execution failed" if low-level call returned no message
+			__revert(returndata, "execution failed");
+		}
+	}
+
+	/// @dev Copied as is from OZ 4.9.6 @openzeppelin/contracts/utils/Address.sol::_revert(bytes,string)
+	function __revert(bytes memory returndata, string memory errorMessage) private pure {
+		// Look for revert reason and bubble it up if present
+		if(returndata.length > 0) {
+			// The easiest way to bubble the revert reason is using memory via assembly
+			/// @solidity memory-safe-assembly
+			assembly {
+				let returndata_size := mload(returndata)
+				revert(add(32, returndata), returndata_size)
+			}
+		}
+		else {
+			revert(errorMessage);
+		}
+	}
 }

package/contracts/mocks/ErrorHelper.sol

@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.4;
+
+contract ErrorHelper {
+	address public owner;
+
+	function transferOwnership(address _owner) public {
+		owner = _owner;
+	}
+
+	function throwError(string memory message) public pure {
+		require(false, message);
+	}
+}

package/docs/style_guides.md

@@ -237,4 +237,5 @@ See also: [Gitlab Testing Standards](https://docs.gitlab.com/ee/development/test
 
 Prepared by Basil Gorin
 
-(c) 2017–2024 Basil Gorin
+(c) 2017–2024 Basil Gorin  
+(c) 2024–2025 Lazy So\[u\]l

package/hardhat.config.js

@@ -333,7 +333,7 @@ module.exports = {
 		// https://hardhat.org/guides/compile-contracts.html
 		compilers: [
 			{
-				version: "0.8.21",
+				version: "0.8.28",
 				settings: {
 					optimizer: {
 						enabled: true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lazy-sol/access-control",
-  "version": "1.1.1",
+  "version": "1.1.4",
   "description": "Enable the modular plug and play (PnP) architecture for your dapp by incorporating the role-based access control (RBAC) into the smart contracts",
   "main": "index.js",
   "scripts": {
@@ -22,16 +22,18 @@
   "author": "Basil Gorin",
   "license": "MIT",
   "devDependencies": {
-    "@lazy-sol/a-missing-gem": "^1.0.10",
+    "@lazy-sol/a-missing-gem": "^1.0.12",
     "@lazy-sol/zeppelin-test-helpers": "^1.0.5",
     "@nomiclabs/hardhat-truffle5": "^2.0.7",
-    "hardhat": "^2.22.13",
+    "hardhat": "^2.25.0",
     "hardhat-deploy": "^0.11.45",
     "hardhat-gas-reporter": "^1.0.10",
-    "solidity-coverage": "^0.8.13"
+    "solidity-coverage": "^0.8.16"
   },
   "overrides": {
     "axios": ">=1.7.5",
+    "cookie": ">=0.7.0",
+    "elliptic": "^6.6.0",
     "micromatch": "^4.0.8",
     "tar": "^6.2.1",
     "tough-cookie": "^4.1.3",

package/suggested_numeration_and_naming.txt

@@ -0,0 +1,12 @@
+Report AccessControl
+	add Minor-1 | Insufficient Event Logging in `RoleUpdated` and shift other Minor numbering by one:
+	Minor-2 | No Check for `role != 0` in `updateRole`
+	Minor-3 | State Variables Could Be Declared immutable (OwnableToAccessControlAdapter)
+
+Report AccessControlUpgradable
+	switch Notes-1. Gas Optimizations and Notes-2. Use Latest Solidity Version (^0.8.26), use the same naming as in AccessControl report:
+	Notes-1 | Version Constraints with Known Issues (may keep the original Use Latest Solidity Version (^0.8.26) name but then need to change to the same in AccessControl report) 
+	Notes-2 | Visibility Optimization for Gas Savings
+add Minor-2 | No Check for `role != 0` in `updateRole`
+add Notes-3 | Potential Improvement for `FULL_PRIVILEGES_MASK` Assignment and shift Notes-3. Test Coverage by one: Notes-4. Test Coverage
+

package/test/adapter_factory.js

@@ -21,7 +21,7 @@ const {
 const {
 	deploy_usdt,
 	deploy_adapter_factory,
-	factory_deploy_ownable_to_ac_adapter,
+	factory_deploy_ownable_to_ac_adapter_pure,
 } = require("./include/deployment_routines");
 
 // run AdapterFactory tests
@@ -39,13 +39,19 @@ contract("AdapterFactory tests", function(accounts) {
 		factory = await deploy_adapter_factory();
 	});
 
+	it("adapter deployment fails if target address is zero address", async function() {
+		await expectRevert(factory_deploy_ownable_to_ac_adapter_pure(a1, factory, ZERO_ADDRESS), "zero address");
+	});
+	it("adapter deployment fails if target address is EOA", async function() {
+		await expectRevert(factory_deploy_ownable_to_ac_adapter_pure(a1, factory, a2), "EOA");
+	});
 	it("adapter deployment fails if executed not by the ownable owner", async function() {
-		await expectRevert(factory_deploy_ownable_to_ac_adapter(a2, factory, usdt), "not an owner");
+		await expectRevert(factory_deploy_ownable_to_ac_adapter_pure(a2, factory, usdt), "not an owner");
 	});
 	describe("adapter deployment succeeds if executed by the ownable owner", async function() {
 		let adapter;
 		beforeEach(async function() {
-			({adapter} = await factory_deploy_ownable_to_ac_adapter(a1, factory, usdt));
+			adapter = await factory_deploy_ownable_to_ac_adapter_pure(a1, factory, usdt);
 		});
 		it("adapter's target is set correctly", async function() {
 			expect(await adapter.target()).to.be.equal(usdt.address);

package/test/include/deployment_routines.js

@@ -6,13 +6,21 @@
  * @returns USDT ERC20 instance
  */
 async function deploy_usdt(a0) {
-	// smart contracts required
 	const USDTContract = artifacts.require("TetherToken");
-
-	// deploy the token and return the reference
 	return await USDTContract.new(0, "Tether USD", "USDT", 6, {from: a0});
 }
 
+/**
+ * Deploys ErrorHelper, which helps to throw arbitrary error string, used in tests
+ * 
+ * @param a0 deployer account
+ * @return ErrorHelper instance
+ */
+async function deploy_error_helper(a0) {
+	const ErrorHelper = artifacts.require("ErrorHelper");
+	return await ErrorHelper.new({from: a0});
+}
+
 /**
  * Deploys AccessControl contract
  *
@@ -22,10 +30,7 @@ async function deploy_usdt(a0) {
  * @returns AccessControl instance
  */
 async function deploy_access_control(a0, owner = a0, features = 0) {
-	// deploy AccessControlMock
 	const AccessControlMock = artifacts.require("AccessControlMock");
-
-	// deploy and return the instance
 	return await AccessControlMock.new(owner, features, {from: a0});
 }
 
@@ -67,9 +72,7 @@ async function deploy_ownable_to_ac_adapter(a0, target) {
  * @returns OwnableToAccessControlAdapter instance
  */
 async function deploy_no_deps_ownable_to_ac_adapter(a0, target) {
-	// artifacts in use
 	const OwnableToAccessControlAdapter = artifacts.require("OwnableToAccessControlAdapter");
-	// deploy and return the deployd instance
 	return await OwnableToAccessControlAdapter.new(target.address || target, a0, {from: a0});
 }
 
@@ -80,15 +83,14 @@ async function deploy_no_deps_ownable_to_ac_adapter(a0, target) {
  * @returns AdapterFactory instance
  */
 async function deploy_adapter_factory(a0) {
-	// artifacts in use
 	const AdapterFactory = artifacts.require("AdapterFactory");
-	// deploy and return the deployd instance
 	return await AdapterFactory.new(a0? {from: a0}: undefined);
 }
 
 /**
  * Deploys OwnableToAccessControlAdapter via the AdapterFactory
  * Deploys the AdapterFactory and target Ownable if required
+ * Transfers ownership from the target to the adapter
  *
  * @param a0 deployer address, target owner, required
  * @param factory AdapterFactory instance or address, optional
@@ -113,15 +115,7 @@ async function factory_deploy_ownable_to_ac_adapter(a0, factory, target) {
 	}
 
 	// deploy the adapter via the AdapterFactory
-	const receipt = await factory.deployNewOwnableToAccessControlAdapter(target.address, {from: a0});
-	const {
-		adapterAddress,
-		ownableTargetAddress,
-	} = receipt.logs.find(log => log.event === "NewOwnableToAccessControlAdapterDeployed").args;
-
-	// connect to the adapter
-	const OwnableToAccessControlAdapter = artifacts.require("OwnableToAccessControlAdapter");
-	const adapter = await OwnableToAccessControlAdapter.at(adapterAddress);
+	const adapter = await factory_deploy_ownable_to_ac_adapter_pure(a0, factory, target);
 
 	// transfer ownership to the adapter
 	await target.transferOwnership(adapter.address, {from: a0});
@@ -130,12 +124,35 @@ async function factory_deploy_ownable_to_ac_adapter(a0, factory, target) {
 	return {factory, target, adapter};
 }
 
+/**
+ * Deploys OwnableToAccessControlAdapter via the AdapterFactory
+ *
+ * @param a0 deployer address, target owner, required
+ * @param factory AdapterFactory instance, required
+ * @param target Ownable instance or address, required
+ * @returns OwnableToAccessControlAdapter instance
+ */
+async function factory_deploy_ownable_to_ac_adapter_pure(a0, factory, target) {
+	// deploy the adapter via the AdapterFactory
+	const receipt = await factory.deployNewOwnableToAccessControlAdapter(target.address || target, {from: a0});
+	const {
+		adapterAddress,
+		ownableTargetAddress,
+	} = receipt.logs.find(log => log.event === "NewOwnableToAccessControlAdapterDeployed").args;
+
+	// connect to the adapter and return the result
+	const OwnableToAccessControlAdapter = artifacts.require("OwnableToAccessControlAdapter");
+	return await OwnableToAccessControlAdapter.at(adapterAddress);
+}
+
 // export public deployment API
 module.exports = {
 	deploy_usdt,
+	deploy_error_helper,
 	deploy_access_control,
 	deploy_no_deps_ownable_to_ac_adapter,
 	deploy_ownable_to_ac_adapter,
 	deploy_adapter_factory,
 	factory_deploy_ownable_to_ac_adapter,
+	factory_deploy_ownable_to_ac_adapter_pure,
 }

package/test/include/rbac.behaviour.js

@@ -59,23 +59,34 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 			beforeEach(async function() {
 				access_control = await deployment_fn.call(this, a0, owner, features);
 			});
-			it('"RoleUpdated(owner)" event is emitted correctly', async function() {
-				await expectEvent.inConstruction(access_control, "RoleUpdated", {
-					operator: owner,
-					requested: FULL_PRIVILEGES_MASK,
-					assigned: FULL_PRIVILEGES_MASK,
+			if(owner !== ZERO_ADDRESS) {
+				it('"RoleUpdated(owner)" event is emitted correctly', async function() {
+					await expectEvent.inConstruction(access_control, "RoleUpdated", {
+						by: a0,
+						operator: owner,
+						requested: FULL_PRIVILEGES_MASK,
+						assigned: FULL_PRIVILEGES_MASK,
+					});
 				});
-			});
+			}
 			it('"RoleUpdated(this)" event is emitted correctly', async function() {
 				await expectEvent.inConstruction(access_control, "RoleUpdated", {
+					by: a0,
 					operator: access_control.address,
 					requested: features,
 					assigned: features,
 				});
 			});
-			it("owners' role is set correctly", async function() {
-				expect(await access_control.getRole(owner)).to.be.bignumber.that.equals(FULL_PRIVILEGES_MASK);
-			});
+			if(owner !== ZERO_ADDRESS) {
+				it("owners' role is set correctly", async function() {
+					expect(await access_control.getRole(owner)).to.be.bignumber.that.equals(FULL_PRIVILEGES_MASK);
+				});
+			}
+			else {
+				it("owners' role is not set", async function() {
+					expect(await access_control.getRole(owner)).to.be.bignumber.that.equals("0");
+				});
+			}
 			it("features are set correctly", async function() {
 				expect(await access_control.features()).to.be.bignumber.that.equals(features);
 			});
@@ -125,6 +136,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: set,
 									assigned: set,
@@ -148,6 +160,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: not(remove),
 									assigned: not(remove),
@@ -173,6 +186,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: set,
 									assigned: "0",
@@ -197,6 +211,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: not(remove),
 									assigned: MAX_UINT256,
@@ -228,6 +243,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: set,
 									assigned: role.and(set),
@@ -252,6 +268,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: not(remove),
 									assigned: not(role.and(remove)),

package/test/ownable_to_rbac_adapter.js

@@ -17,8 +17,12 @@ const {
 	MAX_UINT256,
 } = constants;
 
+// BN constants and utilities
+const {random_bn256} = require("@lazy-sol/a-missing-gem");
+
 // deployment routines in use
 const {
+	deploy_error_helper,
 	deploy_ownable_to_ac_adapter,
 	deploy_no_deps_ownable_to_ac_adapter,
 } = require("./include/deployment_routines");
@@ -32,16 +36,27 @@ contract("OwnableToAccessControlAdapter tests", function(accounts) {
 	// a1, a2,... – working accounts to perform tests on
 	const [A0, a0, H0, a1, a2, a3] = accounts;
 
-	it("Adapter won't deploy targeting to a zero address", async function() {
+	it("adapter deployment fails if target is a zero address", async function() {
 		await expectRevert(deploy_no_deps_ownable_to_ac_adapter(a0, ZERO_ADDRESS), "zero address");
 	});
+	it("adapter deployment fails if target is an EOA", async function() {
+		await expectRevert(deploy_no_deps_ownable_to_ac_adapter(a0, a1), "EOA");
+	});
 	describe("after the Adapter is deployed and target Ownable ownership transferred to the Adapter", function() {
 		let target, adapter;
 		beforeEach(async function() {
 			({target, adapter} = await deploy_ownable_to_ac_adapter(a0));
 		});
 
+		it("it is impossible to send ether before empty selector access role is configured", async function() {
+			await expectRevert(web3.eth.sendTransaction({
+				from: a0,
+				to: adapter.address,
+				value: 1_000_000_000, // 1 gwei
+			}), "access role not set");
+		});
 		it("it is impossible to send ether to the non-payable target contract via the adapter", async function() {
+			await adapter.methods["updateAccessRole(bytes4,uint256)"]("0x00000000", 1, {from: a0});
 			await expectRevert(web3.eth.sendTransaction({
 				from: a0,
 				to: adapter.address,
@@ -55,15 +70,16 @@ contract("OwnableToAccessControlAdapter tests", function(accounts) {
 				data: target.contract.methods.transferOwnership(a2).encodeABI(),
 			}), "access role not set");
 		});
-		describe("once transferOwnership function access control is configured", function() {
+		describe("when transferOwnership function access control is configured", function() {
 			const ROLE_OWNERSHIP_MANAGER = 0x00010000;
+			const fn_selector = web3.eth.abi.encodeFunctionSignature("transferOwnership(address)");
 			let receipt;
 			beforeEach(async function() {
-				receipt = await adapter.updateAccessRole("transferOwnership(address)", ROLE_OWNERSHIP_MANAGER, {from: a0});
+				receipt = await adapter.methods["updateAccessRole(string,uint256)"]("transferOwnership(address)", ROLE_OWNERSHIP_MANAGER, {from: a0});
 			});
 			it('"AccessRoleUpdated" event is emitted', async function() {
 				expectEvent(receipt, "AccessRoleUpdated", {
-					selector: web3.eth.abi.encodeFunctionSignature("transferOwnership(address)"),
+					selector: web3.utils.padRight(fn_selector, 64),
 					role: "" + ROLE_OWNERSHIP_MANAGER,
 				});
 			});
@@ -78,23 +94,95 @@ contract("OwnableToAccessControlAdapter tests", function(accounts) {
 				beforeEach(async function() {
 					await adapter.updateRole(a1, ROLE_OWNERSHIP_MANAGER, {from: a0});
 				});
-				it("execution of the transferOwnership function succeeds", async function() {
-					await web3.eth.sendTransaction({
+				it("execution of the transferOwnership non-payable function fails if ether is supplied", async function() {
+					await expectRevert(web3.eth.sendTransaction({
 						from: a1,
 						to: adapter.address,
 						data: target.contract.methods.transferOwnership(a2).encodeABI(),
-					});
-					expect(await target.owner(), "wrong owner after ownership transfer").to.equal(a2);
+						value: 1_000_000_000, // 1 gwei
+					}), "execution failed");
 				});
-				it("execution of the transferOwnership non-payable function fails if ether is supplied", async function() {
+				it("execution of the transferOwnership fails if function selector is corrupted", async function() {
 					await expectRevert(web3.eth.sendTransaction({
 						from: a1,
 						to: adapter.address,
-						data: target.contract.methods.transferOwnership(a2).encodeABI(),
+						data: "0x112233",
 						value: 1_000_000_000, // 1 gwei
-					}), "execution failed");
+					}), "bad selector");
+				});
+				describe("execution of the transferOwnership function succeeds otherwise", function() {
+					let receipt, data;
+					beforeEach(async function() {
+						data = target.contract.methods.transferOwnership(a2).encodeABI();
+						receipt = await web3.eth.sendTransaction({
+							from: a1,
+							to: adapter.address,
+							data: data,
+						});
+					});
+					it('"ExecutionComplete" event is emitted', async function() {
+						await expectEvent.inTransaction(receipt.transactionHash, adapter, "ExecutionComplete", {
+							selector: web3.utils.padRight(fn_selector, 64),
+							roleRequired: ROLE_OWNERSHIP_MANAGER,
+							data: data,
+							result: null,
+						});
+					});
+					it("owner gets transferred correctly", async function() {
+						expect(await target.owner()).to.equal(a2);
+					});
 				});
 			});
 		});
+		describe("configuring access to the underlying functions (updateAccessRole)", function() {
+			const fn_signature = "1234";
+			const fn_selector = web3.eth.abi.encodeFunctionSignature(fn_signature);
+			const access_permission = random_bn256();
+			describe("when setting the access with updateAccessRole(string, uint256)", function() {
+				let receipt;
+				beforeEach(async function() {
+					receipt = await adapter.methods["updateAccessRole(string,uint256)"](fn_signature, access_permission, {from: a0});
+				});
+				it('"AccessRoleUpdated" event is emitted', async function() {
+					expectEvent(receipt, "AccessRoleUpdated", {
+						selector: web3.utils.padRight(fn_selector, 64),
+						role: "" + access_permission,
+					});
+				});
+				it("access permission is updated", async function() {
+					expect(await adapter.accessRoles(fn_selector)).to.be.bignumber.that.equals(access_permission);
+				});
+			});
+			describe("when setting the access with updateAccessRole(bytes4, uint256)", function() {
+				let receipt;
+				beforeEach(async function() {
+					receipt = await adapter.methods["updateAccessRole(bytes4,uint256)"](fn_selector, access_permission, {from: a0});
+				});
+				it('"AccessRoleUpdated" event is emitted', async function() {
+					expectEvent(receipt, "AccessRoleUpdated", {
+						selector: web3.utils.padRight(fn_selector, 64),
+						role: "" + access_permission,
+					});
+				});
+				it("access permission is updated", async function() {
+					expect(await adapter.accessRoles(fn_selector)).to.be.bignumber.that.equals(access_permission);
+				});
+			});
+		});
+	});
+	describe("after the Adapter is deployed, targeting to the ErrorHelper contract (custom execution error check)", function() {
+		let target, adapter;
+		beforeEach(async function() {
+			target = await deploy_error_helper(a0);
+			adapter = await deploy_no_deps_ownable_to_ac_adapter(a0, target);
+			await adapter.methods["updateAccessRole(string,uint256)"]("throwError(string)", 1, {from: a0});
+			await adapter.updateRole(a1, 1, {from: a0});
+		});
+
+		it("custom error string gets propagated from the target through the adapter", async function() {
+			const message = "Hello, World!";
+			const data = target.contract.methods.throwError(message).encodeABI();
+			await expectRevert(adapter.execute(data, {from: a1}), message);
+		});
 	});
 });

package/test/ownable_to_rbac_adapter_rbac.js

@@ -46,12 +46,14 @@ contract("OwnableToAccessControlAdapter: RBAC tests", function(accounts) {
 		it("it is impossible to configure the access role from an unauthorized account", async function() {
 			const operator = a1;
 			await adapter.updateRole(operator, not(ROLE_ACCESS_ROLES_MANAGER), {from: a0});
-			await expectRevert(adapter.updateAccessRole("1", 1, {from: operator}), "AccessDenied()");
+			await expectRevert(adapter.methods["updateAccessRole(string,uint256)"]("1", 1, {from: operator}), "AccessDenied()");
+			await expectRevert(adapter.methods["updateAccessRole(bytes4,uint256)"]("0x12345678", 1, {from: operator}), "AccessDenied()");
 		});
 		it("it is possible to configure the access role from the authorized account", async function() {
 			const operator = a1;
 			await adapter.updateRole(operator, ROLE_ACCESS_ROLES_MANAGER, {from: a0});
-			adapter.updateAccessRole("1", 1, {from: operator});
+			adapter.methods["updateAccessRole(string,uint256)"]("1", 1, {from: operator});
+			adapter.methods["updateAccessRole(bytes4,uint256)"]("0x12345678", 1, {from: operator});
 		});
 	});
 });

package/ui.html

@@ -44,7 +44,7 @@
 	</div>
 </div>
 </fieldset>
-<div style="position: fixed; left: 0; bottom: 0; margin: 0.1em 0.2em;">&copy; 2024 <a href="https://github.com/lazy-sol/">Lazy So[u]l</a></div>
+<div style="position: fixed; left: 0; bottom: 0; margin: 0.1em 0.2em;">&copy; 2024–2025 <a href="https://github.com/lazy-sol/">Lazy So[u]l</a></div>
 <div style="position: fixed; right: 0; bottom: 0; margin: 0.1em 0.2em; font-family: monospace;">
 	[<a href="https://lazy-sol.github.io/advanced-erc20/ui.html">Advanced ERC20</a>]
 	[<a href="https://lazy-sol.github.io/tiny-erc721/ui.html">Tiny ERC721</a>]

package/artifacts/contracts/OwnableToAccessControlAdapter.sol/OwnableToAccessControlAdapter.json

@@ -1,285 +0,0 @@
-{
-  "_format": "hh-sol-artifact-1",
-  "contractName": "OwnableToAccessControlAdapter",
-  "sourceName": "contracts/OwnableToAccessControlAdapter.sol",
-  "abi": [
-    {
-      "inputs": [
-        {
-          "internalType": "address",
-          "name": "_target",
-          "type": "address"
-        },
-        {
-          "internalType": "address",
-          "name": "_owner",
-          "type": "address"
-        }
-      ],
-      "stateMutability": "nonpayable",
-      "type": "constructor"
-    },
-    {
-      "inputs": [],
-      "name": "AccessDenied",
-      "type": "error"
-    },
-    {
-      "anonymous": false,
-      "inputs": [
-        {
-          "indexed": false,
-          "internalType": "bytes4",
-          "name": "selector",
-          "type": "bytes4"
-        },
-        {
-          "indexed": false,
-          "internalType": "uint256",
-          "name": "role",
-          "type": "uint256"
-        }
-      ],
-      "name": "AccessRoleUpdated",
-      "type": "event"
-    },
-    {
-      "anonymous": false,
-      "inputs": [
-        {
-          "indexed": false,
-          "internalType": "bytes4",
-          "name": "selector",
-          "type": "bytes4"
-        },
-        {
-          "indexed": false,
-          "internalType": "bytes",
-          "name": "data",
-          "type": "bytes"
-        },
-        {
-          "indexed": false,
-          "internalType": "bytes",
-          "name": "result",
-          "type": "bytes"
-        }
-      ],
-      "name": "ExecutionComplete",
-      "type": "event"
-    },
-    {
-      "anonymous": false,
-      "inputs": [
-        {
-          "indexed": true,
-          "internalType": "address",
-          "name": "operator",
-          "type": "address"
-        },
-        {
-          "indexed": false,
-          "internalType": "uint256",
-          "name": "requested",
-          "type": "uint256"
-        },
-        {
-          "indexed": false,
-          "internalType": "uint256",
-          "name": "assigned",
-          "type": "uint256"
-        }
-      ],
-      "name": "RoleUpdated",
-      "type": "event"
-    },
-    {
-      "stateMutability": "payable",
-      "type": "fallback"
-    },
-    {
-      "inputs": [],
-      "name": "ROLE_ACCESS_MANAGER",
-      "outputs": [
-        {
-          "internalType": "uint256",
-          "name": "",
-          "type": "uint256"
-        }
-      ],
-      "stateMutability": "view",
-      "type": "function"
-    },
-    {
-      "inputs": [],
-      "name": "ROLE_ACCESS_ROLES_MANAGER",
-      "outputs": [
-        {
-          "internalType": "uint256",
-          "name": "",
-          "type": "uint256"
-        }
-      ],
-      "stateMutability": "view",
-      "type": "function"
-    },
-    {
-      "inputs": [
-        {
-          "internalType": "bytes4",
-          "name": "",
-          "type": "bytes4"
-        }
-      ],
-      "name": "accessRoles",
-      "outputs": [
-        {
-          "internalType": "uint256",
-          "name": "",
-          "type": "uint256"
-        }
-      ],
-      "stateMutability": "view",
-      "type": "function"
-    },
-    {
-      "inputs": [
-        {
-          "internalType": "bytes",
-          "name": "data",
-          "type": "bytes"
-        }
-      ],
-      "name": "execute",
-      "outputs": [
-        {
-          "internalType": "bytes",
-          "name": "",
-          "type": "bytes"
-        }
-      ],
-      "stateMutability": "payable",
-      "type": "function"
-    },
-    {
-      "inputs": [],
-      "name": "features",
-      "outputs": [
-        {
-          "internalType": "uint256",
-          "name": "",
-          "type": "uint256"
-        }
-      ],
-      "stateMutability": "view",
-      "type": "function"
-    },
-    {
-      "inputs": [
-        {
-          "internalType": "address",
-          "name": "operator",
-          "type": "address"
-        }
-      ],
-      "name": "getRole",
-      "outputs": [
-        {
-          "internalType": "uint256",
-          "name": "",
-          "type": "uint256"
-        }
-      ],
-      "stateMutability": "view",
-      "type": "function"
-    },
-    {
-      "inputs": [],
-      "name": "target",
-      "outputs": [
-        {
-          "internalType": "address",
-          "name": "",
-          "type": "address"
-        }
-      ],
-      "stateMutability": "view",
-      "type": "function"
-    },
-    {
-      "inputs": [
-        {
-          "internalType": "bytes4",
-          "name": "selector",
-          "type": "bytes4"
-        },
-        {
-          "internalType": "uint256",
-          "name": "role",
-          "type": "uint256"
-        }
-      ],
-      "name": "updateAccessRole",
-      "outputs": [],
-      "stateMutability": "nonpayable",
-      "type": "function"
-    },
-    {
-      "inputs": [
-        {
-          "internalType": "string",
-          "name": "signature",
-          "type": "string"
-        },
-        {
-          "internalType": "uint256",
-          "name": "role",
-          "type": "uint256"
-        }
-      ],
-      "name": "updateAccessRole",
-      "outputs": [],
-      "stateMutability": "nonpayable",
-      "type": "function"
-    },
-    {
-      "inputs": [
-        {
-          "internalType": "uint256",
-          "name": "_mask",
-          "type": "uint256"
-        }
-      ],
-      "name": "updateFeatures",
-      "outputs": [],
-      "stateMutability": "nonpayable",
-      "type": "function"
-    },
-    {
-      "inputs": [
-        {
-          "internalType": "address",
-          "name": "operator",
-          "type": "address"
-        },
-        {
-          "internalType": "uint256",
-          "name": "role",
-          "type": "uint256"
-        }
-      ],
-      "name": "updateRole",
-      "outputs": [],
-      "stateMutability": "nonpayable",
-      "type": "function"
-    },
-    {
-      "stateMutability": "payable",
-      "type": "receive"
-    }
-  ],
-  "bytecode": "0x608060405234801561001057600080fd5b50604051610a23380380610a2383398101604081905261002f9161012f565b80600061003f82600019806100bb565b61004a3082806100bb565b50506001600160a01b0382166100955760405162461bcd60e51b815260206004820152600c60248201526b7a65726f206164647265737360a01b604482015260640160405180910390fd5b50600180546001600160a01b0319166001600160a01b0392909216919091179055610162565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b80516001600160a01b038116811461012a57600080fd5b919050565b6000806040838503121561014257600080fd5b61014b83610113565b915061015960208401610113565b90509250929050565b6108b2806101716000396000f3fe6080604052600436106100a05760003560e01c8063491d261111610064578063491d2611146101d35780635defb40d146101f3578063ae5b102e14610213578063ae682e2e14610233578063d4b839921461024b578063d5bb7f6714610283576100bf565b806309c5eabe146100ff5780630e82fe25146101285780632b5214161461016357806334e48c9e14610185578063442767331461019d576100bf565b366100bf576100bd604051806020016040528060008152506102a3565b005b6100bd6000368080601f0160208091040260200160405190810160405280939291908181526020018383808284376000920191909152506102a392505050565b61011261010d36600461064c565b6102a3565b60405161011f91906106ed565b60405180910390f35b34801561013457600080fd5b5061015561014336600461071d565b60026020526000908152604090205481565b60405190815260200161011f565b34801561016f57600080fd5b5030600090815260208190526040902054610155565b34801561019157600080fd5b50610155600160fd1b81565b3480156101a957600080fd5b506101556101b836600461074f565b6001600160a01b031660009081526020819052604090205490565b3480156101df57600080fd5b506100bd6101ee36600461076a565b610411565b3480156101ff57600080fd5b506100bd61020e366004610794565b610477565b34801561021f57600080fd5b506100bd61022e3660046107ed565b61048c565b34801561023f57600080fd5b50610155600160ff1b81565b34801561025757600080fd5b5060015461026b906001600160a01b031681565b6040516001600160a01b03909116815260200161011f565b34801561028f57600080fd5b506100bd61029e366004610809565b6104f5565b602081015181516060919015610323576001600160e01b03198116600090815260026020526040812054908190036103185760405162461bcd60e51b81526020600482015260136024820152721858d8d95cdcc81c9bdb19481b9bdd081cd95d606a1b60448201526064015b60405180910390fd5b61032181610502565b505b60015460405160009182916001600160a01b03909116903490610347908890610822565b60006040518083038185875af1925050503d8060008114610384576040519150601f19603f3d011682016040523d82523d6000602084013e610389565b606091505b5091509150816103ce5760405162461bcd60e51b815260206004820152601060248201526f195e1958dd5d1a5bdb8819985a5b195960821b604482015260640161030f565b7f57a62eca76fc623c92f161d2a4b851851ece707135ce2af1eec256d660571b6d8386836040516104019392919061083e565b60405180910390a1949350505050565b61041e600160fd1b610502565b6001600160e01b03198216600081815260026020908152604091829020849055815192835282018390527fdb8ed917742b49e83acd1322bcaa8f18b1e5f78a70784c43ea14db7ab50e628d910160405180910390a15050565b610488828051906020012082610411565b5050565b610499600160ff1b610502565b61048882826104f0336104c1876001600160a01b031660009081526020819052604090205490565b6001600160a01b0391909116600090815260208190526040902054600019808818821618908716919091171690565b610513565b6104ff308261048c565b50565b6104ff61050e8261056b565b61057d565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b6000610577338361059b565b92915050565b806104ff57604051634ca8886760e01b815260040160405180910390fd5b6001600160a01b038216600090815260208190526040812054821682145b9392505050565b634e487b7160e01b600052604160045260246000fd5b600067ffffffffffffffff808411156105f1576105f16105c0565b604051601f8501601f19908116603f01168101908282118183101715610619576106196105c0565b8160405280935085815286868601111561063257600080fd5b858560208301376000602087830101525050509392505050565b60006020828403121561065e57600080fd5b813567ffffffffffffffff81111561067557600080fd5b8201601f8101841361068657600080fd5b610695848235602084016105d6565b949350505050565b60005b838110156106b85781810151838201526020016106a0565b50506000910152565b600081518084526106d981602086016020860161069d565b601f01601f19169290920160200192915050565b6020815260006105b960208301846106c1565b80356001600160e01b03198116811461071857600080fd5b919050565b60006020828403121561072f57600080fd5b6105b982610700565b80356001600160a01b038116811461071857600080fd5b60006020828403121561076157600080fd5b6105b982610738565b6000806040838503121561077d57600080fd5b61078683610700565b946020939093013593505050565b600080604083850312156107a757600080fd5b823567ffffffffffffffff8111156107be57600080fd5b8301601f810185136107cf57600080fd5b6107de858235602084016105d6565b95602094909401359450505050565b6000806040838503121561080057600080fd5b61078683610738565b60006020828403121561081b57600080fd5b5035919050565b6000825161083481846020870161069d565b9190910192915050565b63ffffffff60e01b8416815260606020820152600061086060608301856106c1565b828103604084015261087281856106c1565b969550505050505056fea26469706673582212201ba377eb6a91d1e61a05796e2c3f7b98c258168e3db52e709dd2c3a003d3eb7864736f6c63430008150033",
-  "deployedBytecode": "0x6080604052600436106100a05760003560e01c8063491d261111610064578063491d2611146101d35780635defb40d146101f3578063ae5b102e14610213578063ae682e2e14610233578063d4b839921461024b578063d5bb7f6714610283576100bf565b806309c5eabe146100ff5780630e82fe25146101285780632b5214161461016357806334e48c9e14610185578063442767331461019d576100bf565b366100bf576100bd604051806020016040528060008152506102a3565b005b6100bd6000368080601f0160208091040260200160405190810160405280939291908181526020018383808284376000920191909152506102a392505050565b61011261010d36600461064c565b6102a3565b60405161011f91906106ed565b60405180910390f35b34801561013457600080fd5b5061015561014336600461071d565b60026020526000908152604090205481565b60405190815260200161011f565b34801561016f57600080fd5b5030600090815260208190526040902054610155565b34801561019157600080fd5b50610155600160fd1b81565b3480156101a957600080fd5b506101556101b836600461074f565b6001600160a01b031660009081526020819052604090205490565b3480156101df57600080fd5b506100bd6101ee36600461076a565b610411565b3480156101ff57600080fd5b506100bd61020e366004610794565b610477565b34801561021f57600080fd5b506100bd61022e3660046107ed565b61048c565b34801561023f57600080fd5b50610155600160ff1b81565b34801561025757600080fd5b5060015461026b906001600160a01b031681565b6040516001600160a01b03909116815260200161011f565b34801561028f57600080fd5b506100bd61029e366004610809565b6104f5565b602081015181516060919015610323576001600160e01b03198116600090815260026020526040812054908190036103185760405162461bcd60e51b81526020600482015260136024820152721858d8d95cdcc81c9bdb19481b9bdd081cd95d606a1b60448201526064015b60405180910390fd5b61032181610502565b505b60015460405160009182916001600160a01b03909116903490610347908890610822565b60006040518083038185875af1925050503d8060008114610384576040519150601f19603f3d011682016040523d82523d6000602084013e610389565b606091505b5091509150816103ce5760405162461bcd60e51b815260206004820152601060248201526f195e1958dd5d1a5bdb8819985a5b195960821b604482015260640161030f565b7f57a62eca76fc623c92f161d2a4b851851ece707135ce2af1eec256d660571b6d8386836040516104019392919061083e565b60405180910390a1949350505050565b61041e600160fd1b610502565b6001600160e01b03198216600081815260026020908152604091829020849055815192835282018390527fdb8ed917742b49e83acd1322bcaa8f18b1e5f78a70784c43ea14db7ab50e628d910160405180910390a15050565b610488828051906020012082610411565b5050565b610499600160ff1b610502565b61048882826104f0336104c1876001600160a01b031660009081526020819052604090205490565b6001600160a01b0391909116600090815260208190526040902054600019808818821618908716919091171690565b610513565b6104ff308261048c565b50565b6104ff61050e8261056b565b61057d565b6001600160a01b0383166000818152602081815260409182902084905581518581529081018490527fe9be537308880e0f56b7d7cfd7abf85f14c4934486d138f848b92a0cbaf659b4910160405180910390a2505050565b6000610577338361059b565b92915050565b806104ff57604051634ca8886760e01b815260040160405180910390fd5b6001600160a01b038216600090815260208190526040812054821682145b9392505050565b634e487b7160e01b600052604160045260246000fd5b600067ffffffffffffffff808411156105f1576105f16105c0565b604051601f8501601f19908116603f01168101908282118183101715610619576106196105c0565b8160405280935085815286868601111561063257600080fd5b858560208301376000602087830101525050509392505050565b60006020828403121561065e57600080fd5b813567ffffffffffffffff81111561067557600080fd5b8201601f8101841361068657600080fd5b610695848235602084016105d6565b949350505050565b60005b838110156106b85781810151838201526020016106a0565b50506000910152565b600081518084526106d981602086016020860161069d565b601f01601f19169290920160200192915050565b6020815260006105b960208301846106c1565b80356001600160e01b03198116811461071857600080fd5b919050565b60006020828403121561072f57600080fd5b6105b982610700565b80356001600160a01b038116811461071857600080fd5b60006020828403121561076157600080fd5b6105b982610738565b6000806040838503121561077d57600080fd5b61078683610700565b946020939093013593505050565b600080604083850312156107a757600080fd5b823567ffffffffffffffff8111156107be57600080fd5b8301601f810185136107cf57600080fd5b6107de858235602084016105d6565b95602094909401359450505050565b6000806040838503121561080057600080fd5b61078683610738565b60006020828403121561081b57600080fd5b5035919050565b6000825161083481846020870161069d565b9190910192915050565b63ffffffff60e01b8416815260606020820152600061086060608301856106c1565b828103604084015261087281856106c1565b969550505050505056fea26469706673582212201ba377eb6a91d1e61a05796e2c3f7b98c258168e3db52e709dd2c3a003d3eb7864736f6c63430008150033",
-  "linkReferences": {},
-  "deployedLinkReferences": {}
-}