An admin-capability matrix is a table mapping every administrative power in a token contract, including mint, burn, pause, freeze, and upgrade, to its controlling key or governance path. Each capability is a centralization risk, so each one is either justified with a rationale or removed, with upgrade authority routed through a multisig plus a timelock.
Build the matrix before the first line of Solidity. Documented after the fact, it justifies what already exists instead of challenging whether each power should exist at all.
How it works
The matrix is a structured inventory of every privileged function a token contract exposes, paired with the key, role, or governance process that controls it and a stated reason it exists. Standard capabilities include mint, burn, pause, freeze or seize, and upgrade, which replaces the contract logic entirely. Each entry is a power over holders that requires justification, not just documentation.
Construction is deliberate. List every onchain capability, name its controller (an EOA, a multisig, a governance contract, or a timelock), specify how many keys are required, and state the business case. Capabilities without a credible case are removed. Those with a legitimate use are constrained: pause functions get scoped to specific modules, and upgrade keys almost always run through a multisig plus a timelock delay that gives the community time to respond.
Why it matters
Sophisticated buyers and institutional due-diligence teams examine contract capabilities before committing capital. A single EOA that can mint unlimited supply or pause all transfers is a deal-breaker for most institutions, no matter how the project describes its decentralization roadmap. The matrix surfaces these risks in an auditable, comparable format and creates a public commitment that is costly to violate.
Example
ERC-20 defines the base interface and is permissionless; mint and pause are optional extensions. Proxy patterns standardized in EIP-1967 introduce an upgrade-admin slot, one of the most consequential entries in the matrix, because its holder can replace all contract logic. That slot should sit behind a multisig with a minimum-delay timelock in every production deployment.
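The construction steps under "How it works" and the upgrade rule above can be checked mechanically once the matrix is kept as data. The following is an added example, not code from this page or any project it describes. The field names, the 48-hour minimum upgrade delay, and the sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass

# Controller kinds named in the construction steps.
CONTROLLERS = {"eoa", "multisig", "governance", "timelock"}

@dataclass
class Entry:
    capability: str        # mint, burn, pause, freeze, upgrade, ...
    controller: str        # one of CONTROLLERS
    keys_required: int     # signers needed to exercise the power
    timelock_seconds: int  # delay before the action executes (0 = none)
    scope: str             # "all" or the specific module/asset affected
    rationale: str         # stated business case; empty = none given

def review(matrix, min_upgrade_delay=48 * 3600):  # 48 h is an assumed policy
    """Return (capability, finding) pairs for entries that break the rules."""
    findings = []
    for e in matrix:
        if e.controller not in CONTROLLERS:
            findings.append((e.capability, "unknown controller type"))
        if not e.rationale.strip():
            findings.append((e.capability, "no business case: remove"))
        if e.controller == "eoa" or (e.controller == "multisig" and e.keys_required < 2):
            findings.append((e.capability, "single key controls this power"))
        if e.capability == "pause" and e.scope == "all":
            findings.append((e.capability, "pause not scoped to a module"))
        if e.capability == "upgrade" and (
            e.controller != "multisig" or e.timelock_seconds < min_upgrade_delay
        ):
            findings.append((e.capability, "upgrade needs multisig plus timelock"))
    return findings

# Constructed sample matrix for a hypothetical token.
SAMPLE = [
    Entry("mint", "eoa", 1, 0, "supply", "emissions schedule"),
    Entry("burn", "multisig", 3, 0, "treasury balance", "buyback and burn"),
    Entry("pause", "multisig", 3, 0, "all", "incident response"),
    Entry("freeze", "multisig", 3, 0, "per account", ""),
    Entry("upgrade", "multisig", 3, 0, "proxy admin slot", "bug fixes"),
]

if __name__ == "__main__":
    for cap, finding in review(SAMPLE):
        print(f"{cap:8} {finding}")
```

Run against the design draft, the output is the list of powers that still need to be justified, constrained, or removed before any contract code is written.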
See Tokenomics Audit for how this applies in practice.