Add Ownable2Step and remove Ownable for access control. #2497
Description
Ownable2Step is a module which provides access control mechanism, there is an account (an owner) that can be granted exclusive access to specific procedures (or functions).
Ownable2Step extends Ownable by introducing a two-step ownership transfer flow. Instead of immediately switching ownership, the current owner nominates a pending owner, and the pending owner must explicitly call accept_ownership to finalize the transfer and become the new owner. This pattern helps prevent common operational errors, such as transferring ownership to the wrong address that cannot properly interact with the permission model.
The initial owner is configured at deployment via owner_config_slot. Ownership can later be updated through the combination of transfer_ownership (to set the pending owner) and accept_ownership (to complete the transfer).
Because the owner role in fungible token standards often controls minting (note: a more generic access-control mechanism will be introduced later) and other administrative procedures, ownership management is security-critical. For this reason, we recommend deprecating the simple one-step Ownable mechanism in favor of Ownable2Step.
In setups where the “owner” is a multisig or DAO, a two-step transfer also makes the handover process more deliberate and easier to operate safely.
We propose to remove ownable.masm and ownable2step.masm:
Storage Slots:
Previously in ownable.masm:
owner_config_slot → [owner_prefix, owner_suffix, 0, 0]
Now in ownable2step.masm:
owner_config_slot → [owner_prefix, owner_suffix, pending_owner_prefix, pending_owner_prefix]
Transferring the ownership:
Previously in ownable.masm:
pub proc transfer_ownership
# single step ownership transfer
end
Now in ownable2step.masm:
pub proc transfer_ownership
# 2-step ownership transfer
# cancel ownership transfer if `pending_owner = owner`
end
pub proc accept_ownership
# accept ownership
end