Context
In v9, we added a PoaManager bypass to the `onlyOrgOperator` modifier in PaymasterHub to enable `adminCall` migrations for setting paymaster rules on existing orgs:

```solidity
modifier onlyOrgOperator(bytes32 orgId) {
    ...
    // v9 bypass: the hat check is skipped entirely when the caller is the poaManager
    if (msg.sender != _getMainStorage().poaManager) {
        // hat-based auth check
    }
    _;
}
```

This was needed to whitelist vouch-claim selectors on orgs deployed before the OrgDeployer included them.
Why it should be removed
Centralization vector — the Hub owner can unilaterally modify any org's paymaster rules, budgets, and fee caps without governance approval. Org admins/operators should be the only ones who can change their own config.
When to remove
Once all existing orgs have been migrated (vouch-claim selectors whitelisted). Remove in the next PaymasterHub upgrade.
What to change
Revert `onlyOrgOperator` to the original hat-only check:

```solidity
modifier onlyOrgOperator(bytes32 orgId) {
    OrgConfig storage org = _getOrgsStorage()[orgId];
    // An org with no admin hat was never registered
    if (org.adminHatId == 0) revert PaymasterHubErrors.OrgNotRegistered();
    bool isAdmin = IHats(_getMainStorage().hats).isWearerOfHat(msg.sender, org.adminHatId);
    // The operator hat is optional; only consult it when the org has one
    bool isOperator = org.operatorHatId != 0 && IHats(_getMainStorage().hats).isWearerOfHat(msg.sender, org.operatorHatId);
    // No poaManager exception: every caller, including the Hub owner, must wear a hat
    if (!isAdmin && !isOperator) revert PaymasterHubErrors.NotOperator();
    _;
}
```
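A regression test to ship with the upgrade, so the bypass cannot quietly come back. This is an added Foundry-style example, not code from the PaymasterHub repository: `MockHats`, `HubSlice`, `registerOrg`, `setRule` and `allowedSelector` are constructed stand-ins for the real Hats contract and the real gated setters, and the hat ids and addresses are made up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";
interface IHats { function isWearerOfHat(address wearer, uint256 hatId) external view returns (bool); }
library PaymasterHubErrors { error OrgNotRegistered(); error NotOperator(); }
contract MockHats is IHats { // constructed stand-in for the Hats protocol: wearers set by the test
    mapping(address => mapping(uint256 => bool)) internal wears;
    function setWearer(address w, uint256 hatId, bool v) external { wears[w][hatId] = v; }
    function isWearerOfHat(address w, uint256 hatId) external view returns (bool) { return wears[w][hatId]; }
}
// Constructed slice of PaymasterHub: the reverted hat-only modifier plus one gated setter.
contract HubSlice {
    struct OrgConfig { uint256 adminHatId; uint256 operatorHatId; }
    IHats public immutable hats;
    address public immutable poaManager; // still stored for migrations, but no longer consulted here
    mapping(bytes32 => OrgConfig) internal orgs;
    mapping(bytes32 => mapping(bytes4 => bool)) public allowedSelector;
    constructor(IHats h, address poa) { hats = h; poaManager = poa; }
    function registerOrg(bytes32 id, uint256 adminHat, uint256 opHat) external { orgs[id] = OrgConfig(adminHat, opHat); }
    modifier onlyOrgOperator(bytes32 orgId) {
        OrgConfig storage org = orgs[orgId];
        if (org.adminHatId == 0) revert PaymasterHubErrors.OrgNotRegistered();
        bool isAdmin = hats.isWearerOfHat(msg.sender, org.adminHatId);
        bool isOperator = org.operatorHatId != 0 && hats.isWearerOfHat(msg.sender, org.operatorHatId);
        if (!isAdmin && !isOperator) revert PaymasterHubErrors.NotOperator();
        _;
    }
    // Hypothetical gated entry point standing in for the rule / budget / fee-cap setters.
    function setRule(bytes32 orgId, bytes4 sel, bool ok) external onlyOrgOperator(orgId) { allowedSelector[orgId][sel] = ok; }
}
contract BypassRemovedTest is Test {
    bytes32 constant ORG = keccak256("org-1"); MockHats hats; HubSlice hub; address poa; address admin;
    function setUp() public {
        poa = makeAddr("poaManager"); admin = makeAddr("orgAdmin");
        hats = new MockHats(); hub = new HubSlice(hats, poa);
        hub.registerOrg(ORG, 1, 0);      // admin hat 1, no operator hat
        hats.setWearer(admin, 1, true);  // only `admin` wears the admin hat
    }
    // Regression guard: the poaManager (Hub owner path) is rejected like any other non-wearer.
    function test_poaManagerRejected() public {
        vm.prank(poa);
        vm.expectRevert(PaymasterHubErrors.NotOperator.selector);
        hub.setRule(ORG, bytes4(0x12345678), true);
    }
    function test_adminHatWearerPasses() public {
        vm.prank(admin);
        hub.setRule(ORG, bytes4(0x12345678), true);
        assertTrue(hub.allowedSelector(ORG, bytes4(0x12345678)));
    }
}
```

Run with `forge test` in a project that vendors forge-std; the first test fails against the v9 modifier and passes once the bypass is removed.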