SymbioticVerifier
Overview
SymbioticVerifier
is a custom ICustomVerifier
implementation used to authorize interactions with the Symbiotic protocol. It restricts access to deposit
, withdraw
, claim
, and claimRewards
calls across Symbiotic vaults and farm contracts. All permissions are tightly scoped using role-based access control via MellowACL
.
This verifier ensures that only allowed addresses (typically curators) can perform specific actions within the Symbiotic ecosystem.
Purpose
The verifier ensures that:
Only whitelisted vaults can act on behalf of themselves in Symbiotic vaults and farms
All interactions are strictly validated against exact calldata to prevent misuse or encoding variation
Only allowed selectors and targets can be used
Role Definitions
CALLER_ROLE
Who is allowed to initiate Symbiotic operations (typically curators)
MELLOW_VAULT_ROLE
Addresses that are allowed to be the recipient of deposits, withdrawals, or claims (usually Subvaults)
SYMBIOTIC_VAULT_ROLE
Contracts that are approved as Symbiotic vault
SYMBIOTIC_FARM_ROLE
Contracts that are approved as Symbiotic farm
Constructor
constructor(address vaultFactory_, address farmFactory_, string memory name_, uint256 version_)
verifyCall
verifyCall
function verifyCall(
address who,
address where,
uint256 value,
bytes calldata callData,
bytes calldata /* verificationData */
) public view returns (bool)
High-Level Behavior
Verifies caller (
who
) hasCALLER_ROLE
Matches target contract (
where
) with either a Symbiotic vault or farmValidates exact function selector and arguments using full
keccak256(callData)
hashRejects any calls with non-zero ETH value
Supported Calls
Symbiotic Vault
deposit(onBehalfOf, amount)
ISymbioticVault.deposit.selector
onBehalfOf
must have MELLOW_VAULT_ROLE
, amount > 0
Symbiotic Vault
withdraw(claimer, amount)
ISymbioticVault.withdraw.selector
claimer
must have MELLOW_VAULT_ROLE
, amount > 0
Symbiotic Vault
claim(recipient, epoch)
ISymbioticVault.claim.selector
recipient
must have MELLOW_VAULT_ROLE
Symbiotic Farm
claimRewards(recipient, token, data)
ISymbioticStakerRewards.claimRewards.selector
recipient
must have MELLOW_VAULT_ROLE
, token != 0x0
For all calls, the calldata must exactly match the selector and parameters
All other selectors or targets are denied
Security Properties
Strict call gating: Only explicitly allowed selectors, targets, and roles pass
Calldata hash check: Enforces strict encoding to avoid alternate ABI variants or garbage data
Zero-value enforcement: Prevents accidental ETH transfers
Factory pattern compatibility: Target contracts can be validated indirectly via registries