Purpose
TheVerifier contract is a multi-mode permissioning module for verifying and enforcing call-level access control across vault-connected modules. It supports:
- On-chain allowlists using hashed shortened calls (
CompactCall) - Merkle tree-based validation for compact merkle, extended merkle and custom verifier verification types
- Delegated verification logic through external custom verifiers (
ICustomVerifier)
Core Responsibilities
- Validates function calls from external actors (e.g., operators, curators) or strategy contracts (strategies)
- Grants or revokes execution rights using on-chain and off-chain mechanisms
- Ensures that only whitelisted or merkle-authenticated calls are allowed
- Integrates with vault-based role system via
IAccessControl
Roles and Access
SET_MERKLE_ROOT_ROLE: Role allowed to update the active Merkle rootCALLER_ROLE: Role required by initiators of authorized callsALLOW_CALL_ROLE: Grants ability to add compact calls to allowlistDISALLOW_CALL_ROLE: Grants ability to remove compact calls from allowlist
Storage Layout
vault: Vault contract that owns the verifier (must supportIAccessControl)merkleRoot: Merkle root for off-chain verified call proofscompactCallHashes: Set of hashes representing allowed compact callscompactCalls: Optional mapping for reverse lookup of call metadata by hash
Verification Types
- ONCHAIN_COMPACT: Checks
CompactCall(who | where | selector) hash against internal set - MERKLE_COMPACT: Verifies Merkle proof of
CompactCall(who | where | selector) hash - MERKLE_EXTENDED: Verifies Merkle proof of
ExtendedCall(who | where | value | callData) hash - CUSTOM_VERIFIER: Delegates full verification to an external verifier
Call Structures
CompactCall: Encodes permissioned call using address and selectorExtendedCall: Encodes full call (selector + calldata + ETH value)VerificationPayload: Contains verification metadata and proof
View Functions
vault(): Returns the associated vault contractmerkleRoot(): Returns current Merkle rootallowedCalls(): Returns number of compact calls in allowlistallowedCallAt(index): ReturnsCompactCallat index from internal setisAllowedCall(who, where, callData): Checks ifCompactCallis explicitly allowedhashCall(CompactCall): Returns keccak256 hash of compact callhashCall(ExtendedCall): Returns keccak256 hash of extended call
Verification Functions
verifyCall(...)
- Validates call permissions using the chosen
VerificationType - Reverts with
VerificationFailedon failure
getVerificationResult(...) → bool
- Returns
trueif the verification succeeds,falseotherwise
ONCHAIN_COMPACT: Validate hash against stored allowlistMERKLE_COMPACT: Validate Merkle proof of compact hashMERKLE_EXTENDED: Validate Merkle proof of full hashCUSTOM_VERIFIER: Validate Merkle proot of the verification payload and delegate validation to external contract
Mutable Functions
initialize(bytes calldata initParams):- Accepts
abi.encode(address vault_, bytes32 merkleRoot_) - Sets the vault address and initial Merkle root
- Accepts
setMerkleRoot(bytes32 root):- Updates Merkle root (requires
SET_MERKLE_ROOT_ROLE)
- Updates Merkle root (requires
allowCalls(CompactCall[] calldata calls):- Adds compact calls to allowlist
- Reverts on duplicates (calls already allowed)
disallowCalls(CompactCall[] calldata calls):- Removes calls from allowlist
- Reverts if call is not found in allowlist
Initialization
initParamsformat:abi.encode(address vault_, bytes32 merkleRoot_)