Contract pausing

[m-chrzan]

Description

Adds a mechanism for pausing the protocol to prevent/mitigate damages in case of an exploit.

The basic design is as follows:

• Pausable contracts extend Pausable.sol
  • This adds two new storage slots, using the ERC-1967 pattern, rather than storage variables, which would mangle storage.
  • pauser is the address that is permissioned to pause/unpause the contract.
  • paused is a boolean indicating whether or not the contract is paused.
  • Functions that should be paused specify the onlyWhenNotPaused modifier.
• Pauser.sol is a new contract, it should be set as the pauser address in Pausable contracts. It can only be called by the MultiSig.
• MultiSig has new functions, pauseContracts and unpauseContracts, which pause/unpause a list of contracts.
• pauseContracts can be called by any MultiSig signer to immediately pause the chosen contracts.
• unpauseContracts can be called by Governance (via referendum or hotfix) to immediately unpause chosen contracts.
• TODO: add pausing to other protocol contracts.
• TODO: add pausing-related events.
• TODO: Make Vote.sol pausable. This one has a different test setup than other contracts, making it more difficult to test. Will need to look into how to do this cleanly.

Tested

Unit tests.

Other changes

Set unlimited timeout for GroupHealth tests, as they started timing out in GitHub Actions.

Cleaned up some tests to use the named owner account and to explicitly specify the caller with .connect().

Vote needed some extra cleanup, as it used the production "core" fixture, differently than other contract unit tests. Updated to use a new test deployment.

Related issues

• Fixes Allow MultiSig to pause parts of the protocol without timelock #159

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected]	network	+8	345 kB	dougwilson
npm/[email protected]	environment, filesystem, network Transitive: eval	+19	925 kB	dougwilson
npm/[email protected]	None	0	8.66 kB	manuelstofer
npm/[email protected]	None	0	25.8 kB	ljharb
npm/[email protected]	Transitive: environment, filesystem	+52	8.21 MB	holgerd77
npm/[email protected]	None	0	429 kB	kkoopa
npm/[email protected]	None	0	62.9 kB	ralxz
npm/[email protected]	filesystem, network	+3	61 kB	dougwilson
npm/[email protected]	Transitive: filesystem, network	+4	86 kB	dougwilson
npm/[email protected]	Transitive: environment, eval, filesystem, network, shell, unsafe	+446	172 MB

🚮 Removed packages: npm/@celo/[email protected], npm/@ethereumjs/[email protected], npm/@ethereumjs/[email protected], npm/@ethereumjs/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

[soloseng]

Left a few comments, but in general looks good! 🚀

[pahor167]

What is the purpose of having standalone smart contract as a pauser ?

We could have multisig as a Pauser (since multisig needs to set pauser anyways and only owner = multisig of pauser can actually pause the smart contract). If multisig would be the pauser, we could simplify the design quite a bit since pausing would be allowed only to owner of the smart contracts which is already a multisig.

[m-chrzan]

What is the purpose of having standalone smart contract as a pauser ?

You're right, now that I think about it, I don't think it's necessary and could be simplified to put all the functionality in the MultiSig. I think this architecture was necessary when I had some different ideas about how to disable the MultiSig executing proposals and unpausing before, but shouldn't be necessary anymore.

I guess the one argument for keeping the separate contract would be for better modularity (e.g. if in the future we'd want to swap out our custom MultiSig for something like a Gnosis Safe).

[soloseng]

💚 Looks cleaner now without the Pauser contract!