When privileged roles are being changed, it is recommended to follow a two-step approach:

- The current privileged role proposes a new address for the change.
- The newly proposed address then claims the privileged role in a separate transaction.

This two-step change allows an accidental proposal to be corrected, instead of leaving the system with no operational privileged role or with a malicious one.

For example, in a single-step change, if the current admin accidentally changes the admin to the zero address or to an incorrect address (one whose private keys are not available), the system is left without an operational admin and will have to be redeployed.

- Two-step Change
- One-step -> Error-prone
- Zero/Incorrect Address
- Step 1: Old Approves New
- Step 2: New Claims Ownership
- Error Recovery in Step 1
- Risk Mitigation
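
The two-step change described above, sketched as a minimal Solidity contract. This is an added example, not code from the original notes; the contract, function, event and error names (`TwoStepAdmin`, `proposeAdmin`, `claimAdmin`, and so on) are hypothetical, and it assumes a single admin role on an EVM chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all names here are hypothetical.
contract TwoStepAdmin {
    address public admin;        // current holder of the privileged role
    address public pendingAdmin; // proposed holder, not yet privileged

    event AdminProposed(address indexed currentAdmin, address indexed proposedAdmin);
    event AdminChanged(address indexed previousAdmin, address indexed newAdmin);

    error NotAdmin();
    error NotPendingAdmin();

    constructor() {
        admin = msg.sender;
        emit AdminChanged(address(0), msg.sender);
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    // Step 1: the current admin proposes a new address. The role does not
    // move yet, so a mistaken proposal is corrected by calling this again
    // with the right address (or with address(0) to cancel).
    function proposeAdmin(address proposed) external onlyAdmin {
        pendingAdmin = proposed;
        emit AdminProposed(admin, proposed);
    }

    // Step 2: the proposed address claims the role in its own transaction,
    // which shows that its key exists and is usable. Nobody holds a key for
    // address(0), so a zero-address proposal can never be claimed.
    function claimAdmin() external {
        if (msg.sender != pendingAdmin) revert NotPendingAdmin();
        address previous = admin;
        admin = msg.sender;
        pendingAdmin = address(0); // clear the proposal once it is consumed
        emit AdminChanged(previous, msg.sender);
    }
}
```

Until `claimAdmin` succeeds, `admin` is unchanged, so the old admin keeps full control and can overwrite a wrong proposal at any time.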