Upgradable Authenticator #351
Conversation
bh2smith
changed the title
bh2smith
force-pushed
the
167/upgradable_authenticator
branch
from
b15486b to
4fe914f
Compare
There was a problem hiding this comment.
Looks very good! Requested changes:
- Remove
@openzeppelin/contracts-upgradeablesince we shouldn't be mixing and matching upgradeable contract libraries - Add unit tests to make sure
setManagercannot be called to "take control" of the contract after deployment.
There was a problem hiding this comment.
Nice work.
How does changing the owner and the manager work? To my understanding:
- the owner can probably be changed with a custom proxy function,
- the manager cannot be changed once is set, and is the initial owner.
I think 2 can be fixed by hardcoding the manager to be the owner with some assembly reading the right storage slot, then the behavior would be as expected (owner = manager after changing the owner).
In any case, I would test both cases to clarify what is expected of the proxy.
Co-authored-by: Nicholas Rodrigues Lordello <[email protected]>
…cy assurance, rename setManager to initializeManager
Co-authored-by: Federico Giacon <[email protected]>
yarn.lock
Outdated
| @@ -629,72 +629,72 @@ | |||
| path-browserify "^1.0.0" | |||
| url "^0.11.0" | |||
|
|
|||
| "@sentry/[email protected]": | |||
There was a problem hiding this comment.
Can we revert the yarn.lock changes? I don't think they should be included in this PR.
There was a problem hiding this comment.
This wasn't intentional.. I will revert them but I am just using whatever yarn install gives me.
There was a problem hiding this comment.
This is probably because the package.json changed and then the change was reverted. If you revert the lock file, then yarn install this should be the same.
There was a problem hiding this comment.
I am not able to make this happen without forcing the lock file from main. Could it be my node version that is doing this?
There was a problem hiding this comment.
Hmm, maybe its something specific to your setup. If I run yarn install on your branch, it respects the lock file and does not overwrite it:
$ git clone -b 167/upgradable_authenticator [email protected]:gnosis/gp-v2-contracts.git TEMP
...
$ cd TEMP; yarn
...
$ git status
On branch 167/upgradable_authenticator
Your branch is up to date with 'origin/167/upgradable_authenticator'.
nothing to commit, working tree clean
|
As I was discussing with @bh2smith over Slack, I think it's necessary to have an automated mechanism to check that the storage layout of future upgrades remains compatible, to avoid accidentally corrupting the storage of live contracts. This check is built into the OpenZeppelin Upgrades plugin but I understand you weren't able to use it because you needed deterministic deployments. Even if you don't use it for production deployment, my recommendation would be to have a set of tests that use our plugin to deploy and upgrade from one version to the next. Having this as part of your test suite should provide some assurance that future upgrades are correct. One issue we have currently is that you need to skip one of the checks that we do (disallowing delegatecall), but this is something we can quickly add if you need it. |
There was a problem hiding this comment.
A point worth discussing before merging: do we really want that the manager is set once for all and can never change until we change the authenticator contract code with a function that does so? The owner of the proxy may change, but not the manager.
Otherwise, the PR and the feature look very nice to me!
To frangio: I agree that with the current changes we can't update the contract without testing that each "base" entry in storage is preserved. We should discuss this in the team, but I believe that upgrades will be sufficiently few and the used storage sufficiently limited that we can resort to manual testing for each update. Depending on the complexity, we may as well do as you say and use openzeppelin-upgrades to test the upgrade process.
|
@fedgiac note that we can always introduce a function in the version 2 contract that allows us to update the manager. Is this good enough for our purposes or should we make another onlyManager method right now that allows the manager to reassign someone else? |
|
I'd make it so that the proxy owner can change the manager at will. Upgrading the proxy is a relatively expensive operations (as pointed out by frangio), and changing the manager is something that we might need to do from the start, for example because we want to assign this power to some other staking contract, or a DAO. Note that we use the same owner address on mainnet and Rinkeby for now: the first transaction I expect after releasing is changing the owner of the mainnet contract to some other address. Then also the manager should be changing. |
…2-contracts into 167/upgradable_authenticator
| } | ||
|
|
||
| function updateManager(address newManager) external onlyProxyAdmin { | ||
| manager = newManager; |
There was a problem hiding this comment.
If the manager gets set to address(0), then anyone can call initializeManager and take ownership of the contract now.
Maybe instead of adding the ability of changing the manager in this PR, we do it as a separate PR. What do you think @fedgiac ?
There was a problem hiding this comment.
My understanding is that the current changes on the owner are work in progress.
I don't mind if it's done here or done in another PR, but I think that making provision for changing the manager is necessary before releasing.
There was a problem hiding this comment.
I think that making provision for changing the manager is necessary before releasing.
Selbstverständlich
There was a problem hiding this comment.
Reverted the onlyProxyAdmin
| // Slot taken from https://eips.ethereum.org/EIPS/eip-1967#specification | ||
| // obtained as bytes32(uint256(keccak256('eip1967.proxy.admin')) - 1) | ||
| bytes32 slot = | ||
| 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103; |
There was a problem hiding this comment.
This should probably be a constant.
|
For the records, I'm ok with merging the PR as it was before the recent changes and discuss the work on the settable manager in another PR. |
|
If we allow to change the manager later, isn't that equivalent to inheriting open zeppelin's Ownable? |
Yes, I think we just need to inherit both |
Closes #167
This PR introduces minor changes to the
AllowListAuthenticatormaking it upgradable and includes tests verifying upgradability. In particular:customInitiallyOwnableas it is no longer used: Not yet sure how this will affect thedeploymentsdirectory which still includes it.ownertomanagerbecause of name collision with proxy ownerNote that the unit tests involving Authenticator's non-upgrade related functionality do not use the proxy deployment as specified in the migration scripts, so that manager must be set immediately after deployment.
We had originally planned/hoped to use the
hardhat-upgradesplugin and opened the following two PRs toopenzeppelin-upgrades, but this plugin turned out to be unnecessary.Test Plan
Old + new unit and e2e tests.