Merge branch 'upgrade-guardrails' into v1.4

Author: kanewallmann

contracts/contract/dao/node/RocketDAONodeTrustedUpgrade.sol

@@ -1,51 +1,125 @@
-pragma solidity 0.7.6;
-
 // SPDX-License-Identifier: GPL-3.0-only
+pragma solidity 0.8.30;
 
-import "../../RocketBase.sol";
-import "../../../interface/dao/node/RocketDAONodeTrustedUpgradeInterface.sol";
-import "../../../interface/util/IERC20.sol";
-
-// Handles network contract upgrades
+import {RocketStorageInterface} from "../../../interface/RocketStorageInterface.sol";
+import {RocketDAONodeTrustedUpgradeInterface} from "../../../interface/dao/node/RocketDAONodeTrustedUpgradeInterface.sol";
+import {RocketDAOProtocolSettingsSecurityInterface} from "../../../interface/dao/protocol/settings/RocketDAOProtocolSettingsSecurityInterface.sol";
+import {RocketBase} from "../../RocketBase.sol";
 
+/// @notice Handles network contract upgrades
 contract RocketDAONodeTrustedUpgrade is RocketBase, RocketDAONodeTrustedUpgradeInterface {
-
     // Events
+    event UpgradePending(uint256 upgradeProposalID, bytes32 indexed upgradeType, bytes32 indexed name, uint256 time);
+    event UpgradeVetoed(uint256 upgradeProposalID, uint256 time);
     event ContractUpgraded(bytes32 indexed name, address indexed oldAddress, address indexed newAddress, uint256 time);
     event ContractAdded(bytes32 indexed name, address indexed newAddress, uint256 time);
     event ABIUpgraded(bytes32 indexed name, uint256 time);
     event ABIAdded(bytes32 indexed name, uint256 time);
 
+    // The namespace for any storage data used by this contract
+    string constant private daoUpgradeNameSpace = "dao.upgrade.";
+
+    // Immutables
+    bytes32 immutable internal daoTrustedBootstrapKey;
+    bytes32 immutable internal typeUpgradeContract;
+    bytes32 immutable internal typeAddContract;
+    bytes32 immutable internal typeUpgradeABI;
+    bytes32 immutable internal typeAddABI;
+
+    // Only allow bootstrapping when enabled
+    modifier onlyBootstrapMode() {
+        require(getBool(daoTrustedBootstrapKey) == false, "Bootstrap mode not engaged");
+        _;
+    }
+
     // Construct
     constructor(RocketStorageInterface _rocketStorageAddress) RocketBase(_rocketStorageAddress) {
-        version = 1;
+        version = 2;
+
+        // Precompute keys
+        typeUpgradeContract = keccak256(abi.encodePacked("upgradeContract"));
+        typeAddContract = keccak256(abi.encodePacked("addContract"));
+        typeUpgradeABI = keccak256(abi.encodePacked("upgradeABI"));
+        typeAddABI = keccak256(abi.encodePacked("addABI"));
+        daoTrustedBootstrapKey = keccak256(abi.encodePacked("dao.trustednodes.", "bootstrapmode.disabled"));
     }
 
-    // Main accessor for performing an upgrade, be it a contract or abi for a contract
-    // Will require > 50% of trusted DAO members to run when bootstrap mode is disabled
+    /// @notice Called when an upgrade proposal is executed, creates an upgrade proposal that can be vetoed by the
+    ///         security council or executed after the upgrade delay period has passed
+    /// @param _type Type of upgrade (valid values: "upgradeContract", "addContract", "upgradeABI", "addABI")
+    /// @param _name Contract name to upgrade
+    /// @param _contractAbi ABI of the upgraded contract
+    /// @param _contractAddress Address of the upgraded contract
     function upgrade(string memory _type, string memory _name, string memory _contractAbi, address _contractAddress) override external onlyLatestContract("rocketDAONodeTrustedProposals", msg.sender) {
-        // What action are we performing?
+        uint256 upgradeProposalID = getTotal() + 1;
+        // Compute when the proposal can be executed if not vetoed by the security council
+        uint256 startTime = block.timestamp;
+        RocketDAOProtocolSettingsSecurityInterface rocketDAOProtocolSettingsSecurity = RocketDAOProtocolSettingsSecurityInterface(getContractAddress("rocketDAOProtocolSettingsSecurity"));
+        uint256 endTime = startTime + rocketDAOProtocolSettingsSecurity.getUpgradeDelay();
+        // Store data
         bytes32 typeHash = keccak256(abi.encodePacked(_type));
-        // Lets do it!
-        if(typeHash == keccak256(abi.encodePacked("upgradeContract"))) _upgradeContract(_name, _contractAddress, _contractAbi);
-        if(typeHash == keccak256(abi.encodePacked("addContract"))) _addContract(_name, _contractAddress, _contractAbi);
-        if(typeHash == keccak256(abi.encodePacked("upgradeABI"))) _upgradeABI(_name, _contractAbi);
-        if(typeHash == keccak256(abi.encodePacked("addABI"))) _addABI(_name, _contractAbi);
+        setBytes32(keccak256(abi.encodePacked(daoUpgradeNameSpace, "type", upgradeProposalID)), typeHash);
+        setString(keccak256(abi.encodePacked(daoUpgradeNameSpace, "name", upgradeProposalID)), _name);
+        setString(keccak256(abi.encodePacked(daoUpgradeNameSpace, "abi", upgradeProposalID)), _contractAbi);
+        setAddress(keccak256(abi.encodePacked(daoUpgradeNameSpace, "address", upgradeProposalID)), _contractAddress);
+        setUint(keccak256(abi.encodePacked(daoUpgradeNameSpace, "end", upgradeProposalID)), endTime);
+        addUint(keccak256(abi.encodePacked(daoUpgradeNameSpace, "total")), 1);
+        // Emit event
+        emit UpgradePending(upgradeProposalID, typeHash, keccak256(abi.encodePacked(_name)), block.timestamp);
     }
 
+    /// @notice Called by the proposal contract when a veto passes
+    /// @param _upgradeProposalID ID of the upgrade proposal to veto
+    function veto(uint256 _upgradeProposalID) override external onlyLatestContract("rocketDAOSecurityUpgrade", msg.sender) {
+        // Validate proposal state
+        require(getState(_upgradeProposalID) == UpgradeProposalState.Pending, "Proposal has already succeeded, expired, or executed");
+        // Mark the upgrade as vetoed
+        setBool(keccak256(abi.encodePacked(daoUpgradeNameSpace, "vetoed", _upgradeProposalID)), true);
+        // Emit event
+        emit UpgradeVetoed(_upgradeProposalID, block.timestamp);
+    }
+
+    /// @notice Called after upgrade delay has passed to perform the upgrade
+    /// @param _upgradeProposalID ID of the upgrade proposal to execute
+    /// @dev Must be called by a registered trusted node
+    function execute(uint256 _upgradeProposalID) override external onlyTrustedNode(msg.sender) {
+        // Validate proposal state
+        require(getState(_upgradeProposalID) == UpgradeProposalState.Succeeded, "Proposal has not succeeded or has been vetoed or executed");
+        // Mark as executed
+        setBool(keccak256(abi.encodePacked(daoUpgradeNameSpace, "executed", _upgradeProposalID)), true);
+        // Execute the upgrade
+        _execute(getType(_upgradeProposalID), getName(_upgradeProposalID), getUpgradeABI(_upgradeProposalID), getUpgradeAddress(_upgradeProposalID));
+    }
+
+    /// @notice Immediately execute an upgrade if bootstrap mode is still enabled
+    /// @param _type Type of upgrade (valid values: "upgradeContract", "addContract", "upgradeABI", "addABI")
+    /// @param _name Contract name to upgrade
+    /// @param _contractAbi ABI of the upgraded contract
+    /// @param _contractAddress Address of the upgraded contract
+    function bootstrapUpgrade(string memory _type, string memory _name, string memory _contractAbi, address _contractAddress) override external onlyGuardian onlyBootstrapMode {
+        bytes32 typeHash = keccak256(abi.encodePacked(_type));
+        _execute(typeHash, _name, _contractAbi, _contractAddress);
+    }
 
-    /*** Internal Upgrade Methods for the Trusted Node DAO ****************/
+    /// @dev Internal implementation of the execution process
+    function _execute(bytes32 _typeHash, string memory _name, string memory _contractAbi, address _contractAddress) internal {
+        if (_typeHash == typeUpgradeContract) _upgradeContract(_name, _contractAddress, _contractAbi);
+        else if (_typeHash == typeAddContract) _addContract(_name, _contractAddress, _contractAbi);
+        else if (_typeHash == typeUpgradeABI) _upgradeABI(_name, _contractAbi);
+        else if (_typeHash == typeAddABI) _addABI(_name, _contractAbi);
+        else revert("Invalid upgrade type");
+    }
 
-    // Upgrade a network contract
+    /// @dev Performs an update to a contract and ABI simultaneously
     function _upgradeContract(string memory _name, address _contractAddress, string memory _contractAbi) internal {
         // Check contract being upgraded
         bytes32 nameHash = keccak256(abi.encodePacked(_name));
-        require(nameHash != keccak256(abi.encodePacked("rocketVault")),               "Cannot upgrade the vault");
-        require(nameHash != keccak256(abi.encodePacked("rocketTokenRETH")),           "Cannot upgrade token contracts");
-        require(nameHash != keccak256(abi.encodePacked("rocketTokenRPL")),            "Cannot upgrade token contracts");
+        require(nameHash != keccak256(abi.encodePacked("rocketVault")), "Cannot upgrade the vault");
+        require(nameHash != keccak256(abi.encodePacked("rocketTokenRETH")), "Cannot upgrade token contracts");
+        require(nameHash != keccak256(abi.encodePacked("rocketTokenRPL")), "Cannot upgrade token contracts");
         require(nameHash != keccak256(abi.encodePacked("rocketTokenRPLFixedSupply")), "Cannot upgrade token contracts");
-        require(nameHash != keccak256(abi.encodePacked("casperDeposit")),             "Cannot upgrade the casper deposit contract");
-        require(nameHash != keccak256(abi.encodePacked("rocketMinipoolPenalty")),      "Cannot upgrade minipool penalty contract");
+        require(nameHash != keccak256(abi.encodePacked("casperDeposit")), "Cannot upgrade the casper deposit contract");
+        require(nameHash != keccak256(abi.encodePacked("rocketMinipoolPenalty")), "Cannot upgrade minipool penalty contract");
         // Get old contract address & check contract exists
         address oldContractAddress = getAddress(keccak256(abi.encodePacked("contract.address", _name)));
         require(oldContractAddress != address(0x0), "Contract does not exist");
@@ -67,7 +141,7 @@ contract RocketDAONodeTrustedUpgrade is RocketBase, RocketDAONodeTrustedUpgradeI
         emit ContractUpgraded(nameHash, oldContractAddress, _contractAddress, block.timestamp);
     }
 
-    // Add a new network contract
+    /// @dev Adds a new contract to the protocol
     function _addContract(string memory _name, address _contractAddress, string memory _contractAbi) internal {
         // Check contract name
         bytes32 nameHash = keccak256(abi.encodePacked(_name));
@@ -91,7 +165,7 @@ contract RocketDAONodeTrustedUpgrade is RocketBase, RocketDAONodeTrustedUpgradeI
         emit ContractAdded(nameHash, _contractAddress, block.timestamp);
     }
 
-    // Upgrade a network contract ABI
+    /// @dev Upgrades an existing ABI
     function _upgradeABI(string memory _name, string memory _contractAbi) internal {
         // Check ABI exists
         string memory existingAbi = getString(keccak256(abi.encodePacked("contract.abi", _name)));
@@ -105,7 +179,7 @@ contract RocketDAONodeTrustedUpgrade is RocketBase, RocketDAONodeTrustedUpgradeI
         emit ABIUpgraded(keccak256(abi.encodePacked(_name)), block.timestamp);
     }
 
-    // Add a new network contract ABI
+    /// @dev Adds a new ABI to the protocol
     function _addABI(string memory _name, string memory _contractAbi) internal {
         // Check ABI name
         bytes32 nameHash = keccak256(abi.encodePacked(_name));
@@ -123,4 +197,66 @@ contract RocketDAONodeTrustedUpgrade is RocketBase, RocketDAONodeTrustedUpgradeI
         emit ABIAdded(nameHash, block.timestamp);
     }
 
+    /// @notice Get the total number of upgrade proposals
+    function getTotal() override public view returns (uint256) {
+        return getUint(keccak256(abi.encodePacked(daoUpgradeNameSpace, "total")));
+    }
+
+    /// @notice Return the state of the specified upgrade proposal
+    /// @param _upgradeProposalID ID of the upgrade proposal to query
+    function getState(uint256 _upgradeProposalID) override public view returns (UpgradeProposalState) {
+        // Check the proposal ID is legit
+        require(getTotal() >= _upgradeProposalID && _upgradeProposalID > 0, "Invalid upgrade proposal ID");
+        if (getVetoed(_upgradeProposalID)) {
+            return UpgradeProposalState.Vetoed;
+        } else if (getExecuted(_upgradeProposalID)) {
+            return UpgradeProposalState.Executed;
+        } else if (block.timestamp < getEnd(_upgradeProposalID)) {
+            return UpgradeProposalState.Pending;
+        } else {
+            return UpgradeProposalState.Succeeded;
+        }
+    }
+
+    /// @notice Get the end time of this proposal (when the upgrade delay ends)
+    /// @param _upgradeProposalID ID of the upgrade proposal to query
+    function getEnd(uint256 _upgradeProposalID) override public view returns (uint256) {
+        return getUint(keccak256(abi.encodePacked(daoUpgradeNameSpace, "end", _upgradeProposalID)));
+    }
+
+    /// @notice Get whether the proposal has been executed
+    /// @param _upgradeProposalID ID of the upgrade proposal to query
+    function getExecuted(uint256 _upgradeProposalID) override public view returns (bool) {
+        return getBool(keccak256(abi.encodePacked(daoUpgradeNameSpace, "executed", _upgradeProposalID)));
+    }
+
+    /// @notice Get whether the proposal has been vetoed
+    /// @param _upgradeProposalID ID of the upgrade proposal to query
+    function getVetoed(uint256 _upgradeProposalID) override public view returns (bool) {
+        return getBool(keccak256(abi.encodePacked(daoUpgradeNameSpace, "vetoed", _upgradeProposalID)));
+    }
+
+    /// @notice Get the proposal type
+    /// @param _upgradeProposalID ID of the upgrade proposal to query
+    function getType(uint256 _upgradeProposalID) override public view returns (bytes32) {
+        return getBytes32(keccak256(abi.encodePacked(daoUpgradeNameSpace, "type", _upgradeProposalID)));
+    }
+
+    /// @notice Get the proposed upgrade contract name
+    /// @param _upgradeProposalID ID of the upgrade proposal to query
+    function getName(uint256 _upgradeProposalID) override public view returns (string memory) {
+        return getString(keccak256(abi.encodePacked(daoUpgradeNameSpace, "name", _upgradeProposalID)));
+    }
+
+    /// @notice Get the proposed upgrade contract address
+    /// @param _upgradeProposalID ID of the upgrade proposal to query
+    function getUpgradeAddress(uint256 _upgradeProposalID) override public view returns (address) {
+        return getAddress(keccak256(abi.encodePacked(daoUpgradeNameSpace, "address", _upgradeProposalID)));
+    }
+
+    /// @notice Get the proposed upgrade contract ABI
+    /// @param _upgradeProposalID ID of the upgrade proposal to query
+    function getUpgradeABI(uint256 _upgradeProposalID) override public view returns (string memory) {
+        return getString(keccak256(abi.encodePacked(daoUpgradeNameSpace, "abi", _upgradeProposalID)));
+    }
 }

contracts/contract/dao/protocol/settings/RocketDAOProtocolSettingsSecurity.sol

@@ -18,6 +18,8 @@ contract RocketDAOProtocolSettingsSecurity is RocketDAOProtocolSettings, RocketD
             _setSettingUint("proposal.vote.time", 2 weeks);      // How long a proposal can be voted on
             _setSettingUint("proposal.execute.time", 4 weeks);   // How long a proposal can be executed after its voting period is finished
             _setSettingUint("proposal.action.time", 4 weeks);    // Certain proposals require a secondary action to be run after the proposal is successful (joining, leaving etc). This is how long until that action expires
+            _setSettingUint("upgradeveto.quorum", 0.33 ether);   // RPIP-60: Member quorum threshold to veto a protocol upgrade (33%)
+            _setSettingUint("upgrade.delay", 7 days);            // RPIP-60: Amount of time after an upgrade proposal passes that the security has to veto it
             // Default permissions for security council
             setBool(keccak256(abi.encodePacked("dao.security.allowed.setting", "deposit", "deposit.enabled")), true);
             setBool(keccak256(abi.encodePacked("dao.security.allowed.setting", "deposit", "deposit.assign.enabled")), true);
@@ -92,4 +94,14 @@ contract RocketDAOProtocolSettingsSecurity is RocketDAOProtocolSettings, RocketD
     function getActionTime() override external view returns (uint256) {
         return getSettingUint("proposal.action.time");
     }
+
+    /// @notice The quorum required by the security council to veto an upgrade
+    function getUpgradeVetoQuorum() override external view returns (uint256) {
+        return getSettingUint("upgradeveto.quorum");
+    }
+
+    /// @notice The amount of time that must be waited after an upgrade before executing
+    function getUpgradeDelay() override external view returns (uint256) {
+        return getSettingUint("upgrade.delay");
+    }
 }

contracts/contract/dao/security/RocketDAOSecurityProposals.sol

@@ -45,7 +45,7 @@ contract RocketDAOSecurityProposals is RocketBase, RocketDAOSecurityProposalsInt
     }
 
     constructor(RocketStorageInterface _rocketStorageAddress) RocketBase(_rocketStorageAddress) {
-        version = 1;
+        version = 2;
     }
 
     /// @notice Creates a new proposal for this DAO