Purpose

The Verifier contract is a multi-mode permissioning module for verifying and enforcing call-level access control across vault-connected modules. It supports:

• On-chain allowlists using hashed shortened calls (CompactCall)
• Merkle tree-based validation for compact merkle, extended merkle and custom verifier verification types
• Delegated verification logic through external custom verifiers (ICustomVerifier)

This contract enables secure and modular delegation of operational permissions

Core Responsibilities

• Validates function calls from external actors (e.g., operators, curators) or strategy contracts (strategies)
• Grants or revokes execution rights using on-chain and off-chain mechanisms
• Ensures that only whitelisted or merkle-authenticated calls are allowed
• Integrates with vault-based role system via IAccessControl

Roles and Access

• SET_MERKLE_ROOT_ROLE: Role allowed to update the active Merkle root
• CALLER_ROLE: Role required by initiators of authorized calls
• ALLOW_CALL_ROLE: Grants ability to add compact calls to allowlist
• DISALLOW_CALL_ROLE: Grants ability to remove compact calls from allowlist

Storage Layout

struct VerifierStorage {
  address vault;
  bytes32 merkleRoot;
  EnumerableSet.Bytes32Set compactCallHashes;
  mapping(bytes32 => CompactCall) compactCalls;
}

• vault: Vault contract that owns the verifier (must support IAccessControl)
• merkleRoot: Merkle root for off-chain verified call proofs