Privileged Actions

Certain privileged actions (transaction messages) are only allowed to be performed by authorized entities. Some messages require the sender to be an observer validator, while others require the sender to be a specific policy account.

A policy account is similar to an on-chain multisig account with members voting for message execution.

Each group has an admin, a set of members, and a set of policy accounts. Each policy account has an admin, an address and a decision policy (threshold of votes, voting period, etc.).

The group mechanism on ZetaChain is powered by the group Cosmos SDK module.

ZetaChain can have any number of groups. Anyone can create a group. In this document we only consider policy accounts that give authorization to perform privileged actions.

These "special" policy accounts are defined in the params of the observer module. They are set during genesis and, like any module parameter, can be changed through governance. This is important because, even though the protocol has a notion of admins and privileged policy accounts, they are chosen by the community of the chain through governance. If a group/policy admin or the members of a group become malicious, the community can create a new group with a new admin and members, then use a parameter change governance proposal to point the observer module parameter to the new policy accounts.

To learn which policy accounts can send which privileged messages, check the module documentation and look for the "Authorized" notice next to each message.

You may notice that the policy accounts below are called "Group1" and "Group2". These are just names that indicate the level of permissions and are not related to the actual groups associated with the policy accounts. As you can see, on testnet there are two entries ("Group1" and "Group2") and both point to the same policy account. This means that right now, even though there are two levels of permissions ("Group1" and "Group2"), only one policy account is authorized to perform privileged actions. On mainnet this might change.
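The following sketch models the lookup described above and flags the case where several permission levels resolve to one policy account. It is an added example, not ZetaChain code: the params field names, the addresses and the message names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of observer-module params. The field names
# ("admin_policy", "policy_type", "address") and the address are
# assumptions for illustration, not values copied from a live network.
SAMPLE_PARAMS = {"admin_policy": [
    {"policy_type": "Group1", "address": "zeta1exampleaddrAAAA"},
    {"policy_type": "Group2", "address": "zeta1exampleaddrAAAA"},
]}

# Hypothetical message names; the real mapping is given by the
# "Authorized" notices in the module documentation.
REQUIRED_POLICY = {
    "MsgHypotheticalRoutine": "Group1",
    "MsgHypotheticalCritical": "Group2",
}


def policy_addresses(params):
    """Map each policy type to the single address configured for it."""
    out = {}
    for entry in params.get("admin_policy", []):
        ptype, addr = entry["policy_type"], entry["address"]
        if ptype in out and out[ptype] != addr:
            raise ValueError(f"conflicting addresses for {ptype}")
        out[ptype] = addr
    return out


def is_authorized(params, msg_type, signer):
    """True only if signer is the policy account required for msg_type."""
    required = REQUIRED_POLICY.get(msg_type)
    if required is None:
        return False  # unknown message type: deny by default
    expected = policy_addresses(params).get(required)
    return expected is not None and signer == expected


def shared_policy_accounts(params):
    """Return {address: [policy types]} for accounts holding several levels."""
    by_addr = defaultdict(list)
    for ptype, addr in policy_addresses(params).items():
        by_addr[addr].append(ptype)
    return {a: sorted(t) for a, t in by_addr.items() if len(t) > 1}


if __name__ == "__main__":
    print(shared_policy_accounts(SAMPLE_PARAMS))
```

A non-empty result from `shared_policy_accounts` means the permission levels are separate in name only, which is the testnet situation described above.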