Permissions#
Each sub-VM instance has a set of boolean permissions that control what operations it can perform. Permissions are inherited from the parent VM when spawning child sub-VM instances, with certain restrictions applied depending on the context.
deterministic#
When set, the VM is executing in Deterministic Mode. Many operations require this permission, including storage writes, sending messages, calling other contracts, and emitting events.
read_storage#
Allows reading contract storage slots. When unset, any attempt to read storage will fail with a Forbidden error.
write_storage#
Allows writing to contract storage slots. Requires deterministic as well.
send_messages#
Allows sending messages to other addresses. This permission is required by EthSend, PostMessage, and DeployContract operations.
Requires deterministic as well.
call_others#
Allows calling other contracts. This permission is required by EthCall and CallContract operations.
Requires deterministic as well.
spawn_nondet#
Allows spawning Non-Deterministic Mode sub-VM instances via RunNondet.
Permission Changes on Sub-VM Creation#
Different operations modify permissions when creating child sub-VM instances:
CallContract#
Inherits all parent permissions except:
write_storage is disabled
RunNondet#
The non-deterministic sub-VM has:
deterministic is disabled
read_storage is inherited
write_storage is disabled
spawn_nondet is disabled
call_others is disabled
send_messages is disabled
Sandbox#
The sandboxed sub-VM has:
deterministic is inherited
read_storage is inherited
write_storage is inherited if
allow_write_opsis set, otherwise disabledspawn_nondet is disabled
call_others is disabled
send_messages is inherited if
allow_write_opsis set, otherwise disabled