Note
Tokenization is a premium feature that requires an additional purchase. If you don’t have access to this feature, contact your Customer Success Manager to discuss having it enabled in your Fireblocks workspace.
Overview
This article describes the roles contained within the Upgradeable ERC-20F, ERC-721F, and ERC-1155F token smart contract templates created by Fireblocks. Each role can perform a specific action and can be assigned to a specific address. Some roles can be assigned to multiple addresses.
Below is a list of roles and each role’s hash you must use when assigning a role. To find a role’s hash in the Fireblocks Console, go to More Actions (...) > Manage contract. View the Read functions, and expand the role to see its hash. While roles are defined by hashes, ERC-20F contracts can be managed directly via the Console UI without manually inputting these values.
Assigning roles
The method for assigning roles depends on your token standard and deployment method.
Method 1: Console UI (Recommended for ERC-20F)
For ERC-20F tokens deployed via Fireblocks, use the streamlined management interface:
On the Tokenization page, hover over the token and select More Actions (...).
Select Manage contract. Note: If this option does not appear, your token may be an externally linked asset. Use Method 2 instead.
Select the Roles tab.
Assign the desired role to an address via the interface. This method does not require role hashes.
Select Submit.
Method 2: Manual (For ERC-721F, ERC-1155F, and Linked Assets)
If the Roles tab is not available, you must grant roles manually:
Hover over the token and select More Actions (...) > Manage contract.
Go to Read functions to copy the specific Role hash (or find it in the table below).
Go to Write functions and locate the
grantRolefunction.Enter the Role hash and the target Address, then select Submit.
Role constants
Burner
This role has the ability to burn tokens. It is often granted to internal addresses within your organization. However, some use cases may benefit from assigning this role to external addresses. The burner address must hold the asset it will burn.
- Role hash: 0x3c11d16cbaffd01df69ce1c404f6340ee057498f5f00246190ea54220576a848
Contract Admin
This role can manage the contract’s metadata, such as adding a link to the Terms of Service using the contractURI field. The Contract Admin role can also connect a token utility contract, such as the Allowlist, to your already deployed token contract.
- Role hash: 0x2ce8d04a9c35987429af538825cd2438cc5c5bb5dc427955f84daaa3ea105016
Default Admin
This role is considered the master administrator role and can grant and revoke assignments to the other roles. For security reasons, this role is often held in a separate wallet.
The Default Admin role is assigned when deploying your smart contract.
- Role hash: 0x0000000000000000000000000000000000000000000000000000000000000000
Minter
This role has the ability to mint tokens and is often public-facing. You can use this role to restrict which addresses can mint your token. For example, you can grant the Minter role to addresses that pass your Know Your Customer (KYC) process.
The Minter role is assigned when deploying your smart contract, but you can grant this role to additional addresses after deployment.
- Role hash: 0x9f2df0fed2c77648de5860a4cc508cd0818c85b8b8a1ab4ceeef8d981c8956a6
Pauser
This role has the ability to pause and unpause the smart contract and prevent addresses from interacting with it.
The Pauser role is assigned when deploying your smart contract, but you can grant this role to additional addresses after deployment.
- Role hash: 0x65d7a28e3265b37a6474929f336521b332c1681b933f6cb9f3376673440d862a
Recovery
This role has the ability to claw back tokens from a user. Often, this is used in conjunction with allowlists or denylists. If an address should not have access to the token based on the allowlist or denylist, the user with the Recovery role can force transfer the tokens back from that address.
- Role hash: 0x0acf805600123ef007091da3b3ffb39474074c656c127aa68cb0ffec232a8ff8
Salvage
This role can return tokens to an address in the scenario where the tokens were accidentally sent to a Fireblocks smart contract.
- Role hash: 0x75afe8d9fedb4699bf07dc7bcb33fe609a84a99adfab7076931f0d93228085bb
Upgrader
This role has the ability to upgrade the token contract by pointing it to a new proxy contract that governs the token contract’s actions.
- Role hash: 0x189ab7a9244df0848122154315af71fe140f3db0fe014031783b0946b8c9d2e3
Role-based access tables
| Function | Which role(s) can call the function? |
| accessRegistryUpdate | Contract Admin |
| contractUriUpdate | Contract Admin |
| mint | Minter |
| burn | Burner |
| recover | Recovery |
| revokeRole | Default Admin |
| renounceRole | All roles except Default Admin |
| pause | Pauser |
| unpause | Pauser |
| upgradeTo | Upgrader |
| upgradeToAndCall | Upgrader |
| salvageERC20 | Salvage |
| salvageGas | Salvage |
| initialize | All roles |
| grantRole | Default Admin |
| Function | Which role(s) can call the function? |
| accessRegistryUpdate | Contract Admin |
| contractUriUpdate | Contract Admin |
| mint | Minter |
| burn | Burner |
| recover | Recovery |
| revokeRole | Default Admin |
| renounceRole | All roles except Default Admin |
| pause | Pauser |
| unpause | Pauser |
| upgradeTo | Upgrader |
| upgradeToAndCall | Upgrader |
| salvageERC20 | Salvage |
| salvageGas | Salvage |
| initialize | All roles |
| tokenUriUpdate | Contract Admin |
| grantRole | Default Admin |
| Function | Which role(s) can call the function? |
| accessRegistryUpdate | Contract Admin |
| contractUriUpdate | Contract Admin |
| mint | Minter |
| burn | Burner |
| recover | Recovery |
| revokeRole | Default Admin |
| renounceRole | All roles except Default Admin |
| pause | Pauser |
| unpause | Pauser |
| upgradeTo | Upgrader |
| upgradeToAndCall | Upgrader |
| salvageERC20 | Salvage |
| salvageGas | Salvage |
| initialize | All roles |
| tokenUriUpdate | Contract Admin |
| mintBatch | Minter |
| burnBatch | Burner |
| grantRole | Default Admin |
| Function | Which role(s) can call the function? |
| accessListAdd | Access List Admin |
| accessListRemove | Access List Admin |
| recover | N/A |
| revokeRole | Default Admin |
| renounceRole | All roles except Default Admin |
| pause | Pauser |
| unpause | Pauser |
| upgradeTo | Upgrader |
| upgradeToAndCall | Upgrader |
| contractUriUpdate | Contract Admin |
| initialize | All roles |
| grantRole | Default Admin |