SymbioticVerifier

Overview

SymbioticVerifier is a custom ICustomVerifier implementation used to authorize interactions with the Symbiotic protocol. It restricts access to deposit, withdraw, claim, and claimRewards calls across Symbiotic vaults and farm contracts. All permissions are tightly scoped using role-based access control via MellowACL.

This verifier ensures that only allowed addresses (typically curators) can perform specific actions within the Symbiotic ecosystem.

Purpose

The verifier ensures that:

  • Only whitelisted vaults can act on behalf of themselves in Symbiotic vaults and farms

  • All interactions are strictly validated against exact calldata to prevent misuse or encoding variation

  • Only allowed selectors and targets can be used

Role Definitions

| Role Constant | Description |
| --- | --- |
| CALLER_ROLE | Who is allowed to initiate Symbiotic operations (typically curators) |
| MELLOW_VAULT_ROLE | Addresses that are allowed to be the recipient of deposits, withdrawals, or claims (usually Subvaults) |
| SYMBIOTIC_VAULT_ROLE | Contracts that are approved as Symbiotic vaults |
| SYMBIOTIC_FARM_ROLE | Contracts that are approved as Symbiotic farms |

Constructor

constructor(address vaultFactory_, address farmFactory_, string memory name_, uint256 version_)

verifyCall

function verifyCall(
    address who,
    address where,
    uint256 value,
    bytes calldata callData,
    bytes calldata /* verificationData */
) public view returns (bool)

High-Level Behavior

  • Verifies caller (who) has CALLER_ROLE

  • Matches target contract (where) with either a Symbiotic vault or farm

  • Validates exact function selector and arguments using full keccak256(callData) hash

  • Rejects any calls with non-zero ETH value

Supported Calls

| Target Type | Function | Signature | Additional Checks |
| --- | --- | --- | --- |
| Symbiotic Vault | deposit(onBehalfOf, amount) | ISymbioticVault.deposit.selector | onBehalfOf must have MELLOW_VAULT_ROLE, amount > 0 |
| Symbiotic Vault | withdraw(claimer, amount) | ISymbioticVault.withdraw.selector | claimer must have MELLOW_VAULT_ROLE, amount > 0 |
| Symbiotic Vault | claim(recipient, epoch) | ISymbioticVault.claim.selector | recipient must have MELLOW_VAULT_ROLE |
| Symbiotic Farm | claimRewards(recipient, token, data) | ISymbioticStakerRewards.claimRewards.selector | recipient must have MELLOW_VAULT_ROLE, token != 0x0 |

  • For all calls, the calldata must exactly match the selector and parameters

  • All other selectors or targets are denied

Security Properties

  • Strict call gating: Only explicitly allowed selectors, targets, and roles pass

  • Calldata hash check: Enforces strict encoding to avoid alternate ABI variants or garbage data

  • Zero-value enforcement: Prevents accidental ETH transfers

  • Factory pattern compatibility: Target contracts can be validated indirectly via registries
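The calldata hash check listed above can be illustrated for the deposit case with the sketch below. It is an added example, not the SymbioticVerifier source: `IVaultLike`, `ExactCalldataCheck`, `isMellowVault` and `verifyDeposit` are hypothetical names, the `(address, uint256)` parameter types are assumed, and a plain mapping stands in for the MELLOW_VAULT_ROLE lookup in MellowACL.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for ISymbioticVault; parameter types are assumed.
interface IVaultLike {
    function deposit(address onBehalfOf, uint256 amount) external;
}

contract ExactCalldataCheck {
    // Stand-in for the MELLOW_VAULT_ROLE check (assumption, not MellowACL).
    mapping(address => bool) public isMellowVault;

    constructor(address subvault) {
        isMellowVault[subvault] = true;
    }

    function verifyDeposit(uint256 value, bytes calldata callData)
        external
        view
        returns (bool)
    {
        // Zero-value enforcement, then make sure a selector and two full
        // argument words are present before slicing and decoding.
        if (value != 0 || callData.length < 4 + 64) return false;
        if (bytes4(callData[:4]) != IVaultLike.deposit.selector) return false;

        // abi.decode reverts on malformed words (for example dirty upper
        // bits in the address) but silently ignores bytes after the last
        // decoded word, so it is not an exact-match check by itself.
        (address onBehalfOf, uint256 amount) =
            abi.decode(callData[4:], (address, uint256));
        if (!isMellowVault[onBehalfOf] || amount == 0) return false;

        // Re-encode the decoded arguments canonically and compare hashes.
        // Calldata carrying trailing garbage decodes to the same arguments
        // but produces a different hash, so it is rejected here.
        bytes memory canonical =
            abi.encodeCall(IVaultLike.deposit, (onBehalfOf, amount));
        return keccak256(canonical) == keccak256(callData);
    }
}
```

Calling `verifyDeposit` with `abi.encodeCall(IVaultLike.deposit, (subvault, 1))` returns true; appending a single extra byte to that same payload returns false, although the decoded arguments are identical.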