Security

Draft. Security model, permissions, and administrative controls.

Role Hierarchy

Akkadia uses a four-role model defined in the Admin contract:

Role	Responsibilities	Assigned By
Admin	Full control, role assignments, protocol settings	Self (transfer only)
Operator	Day-to-day operations: ACR minting, chunk verifiers, world deletion	Admin
Fee Collector	Receives 5% of realm creation/expansion fees	Admin
Protocol	Receives 95% of realm creation/expansion fees	Admin

Permission Model

Contract-Level Permissions

Each contract enforces its own permission checks:

Contract	Admin	Operator	Owner	Role Holders
admin	All settings	-	-	-
acr	Config	Mint	Transfer own	-
user	All users	-	Own profile	-
chunk	Worlds, roles, masters	Verifiers	Own chunks	Per-chunk
personal_world	Biomes, roles	Delete	Own realms	Per-realm
block	System blocks, config	-	Own blocks	-

Realm Permission Checks

Primary Realm (Chunk) - Permission check order:

Chunk owner
Admin
Realm master
Role holders

Community Realm - Permission check order:

Realm owner
Role holders

Note: In Community Realms, admin is NOT in the permission check for actions like block:install. However, admin can:

Grant/revoke roles to any user
Configure permissions and roles globally
Delete worlds (emergency)

On-Chain Security

What the blockchain verifies:

Security Aspect	On-Chain Verification
Ownership	NFT ownership (chunks), address ownership (realms)
Permissions	Role assignments, permission checks before actions
Payments	Fee distribution, mint prices, refunds
Deduplication	ACR mint request IDs prevent double-minting
Limits	Max supply, role assignment limits (maxAssign)

Administrative Controls

Admin Capabilities

Transfer admin role
Assign Operator, Fee Collector, Protocol addresses
Create/update permissions and roles
Create system blocks
Grant realm masters
Configure protocol settings (BPS rates, limits)

Operator Capabilities

Mint ACR tokens (with request deduplication)
Set chunk verifiers
Delete community realms (emergency)

What Admin/Operator Cannot Do

Access user funds directly
Modify user-owned NFTs without consent
Bypass on-chain payment verification
Mint ACR without unique request ID

Event Logging

All significant actions emit on-chain events for auditability:

Role grants/revokes
Ownership transfers
Fee distributions
Configuration changes
Mint operations

Off-Chain Components

Some operations involve off-chain services:

Component	Security Consideration
ACR mint queue	Deduplication enforced on-chain via requestID
System block inventory	Managed off-chain, not tradeable
Activity tracking	Used for ACR earning criteria
Chunk verifiers	Hash for rendering data fetching

Emergency Response

Available Actions

Operator: Delete problematic community realms
Admin: Revoke roles, update permissions, reassign operators

Current Limitations

No global pause mechanism
No contract upgrade mechanism (immutable)
Role changes take effect immediately

Best Practices

For Players

Verify transaction details before signing
Understand role permissions before granting
Keep wallet credentials secure

For Realm Owners

Limit editor role grants to trusted users
Review role assignments periodically
Use maxAssign limits for sensitive roles

Status

This security model is in draft. Future updates may include:

Formal threat model
Audit reports
Operational runbooks
Emergency contact procedures

Admin - Role definitions and assignments
Chunk - Primary Realm permissions
Personal World - Community Realm permissions
Architecture - Contract dependencies