diff --git a/contracts/libraries/SafeToL2Migration.sol b/contracts/libraries/SafeToL2Migration.sol new file mode 100644 index 000000000..c4cf1f16c --- /dev/null +++ b/contracts/libraries/SafeToL2Migration.sol @@ -0,0 +1,177 @@ +// SPDX-License-Identifier: LGPL-3.0-only +/* solhint-disable one-contract-per-file */ +pragma solidity >=0.7.0 <0.9.0; + +import {SafeStorage} from "../libraries/SafeStorage.sol"; +import {Enum} from "../common/Enum.sol"; + +interface ISafe { + // solhint-disable-next-line + function VERSION() external view returns (string memory); + + function setFallbackHandler(address handler) external; + + function getOwners() external view returns (address[] memory); + + function getThreshold() external view returns (uint256); +} + +/** + * @title Migration Contract for updating a Safe from 1.1.1/1.3.0/1.4.1 versions to a L2 version. Useful when replaying a Safe from a non L2 network in a L2 network. + * @notice This contract facilitates the migration of a Safe contract from version 1.1.1 to 1.3.0/1.4.1 L2, 1.3.0 to 1.3.0L2 or from 1.4.1 to 1.4.1L2 + * Other versions are not supported + * @dev IMPORTANT: The migration will only work with proxies that store the implementation address in the storage slot 0. + */ +contract SafeToL2Migration is SafeStorage { + // Address of this contract + address public immutable MIGRATION_SINGLETON; + + /** + * @notice Constructor + * @dev Initializes the migrationSingleton with the contract's own address. + */ + constructor() { + MIGRATION_SINGLETON = address(this); + } + + /** + * @notice Event indicating a change of master copy address. + * @param singleton New master copy address + */ + event ChangedMasterCopy(address singleton); + + event SafeSetup(address indexed initiator, address[] owners, uint256 threshold, address initializer, address fallbackHandler); + + event SafeMultiSigTransaction( + address to, + uint256 value, + bytes data, + Enum.Operation operation, + uint256 safeTxGas, + uint256 baseGas, + uint256 gasPrice, + address gasToken, + address payable refundReceiver, + bytes signatures, + // We combine nonce, sender and threshold into one to avoid stack too deep + // Dev note: additionalInfo should not contain `bytes`, as this complicates decoding + bytes additionalInfo + ); + + /** + * @notice Modifier to make a function callable via delegatecall only. + * If the function is called via a regular call, it will revert. + */ + modifier onlyDelegateCall() { + require(address(this) != MIGRATION_SINGLETON, "Migration should only be called via delegatecall"); + _; + } + + /** + * @notice Modifier to prevent using initialized Safes. + * If Safe has a nonce higher than 0, it will revert + */ + modifier onlyNonceZero() { + // Nonce is increased before executing a tx, so first executed tx will have nonce=1 + require(nonce == 1, "Safe must have not executed any tx"); + _; + } + + /** + * @dev Internal function with common migration steps, changes the singleton and emits SafeMultiSigTransaction event + */ + function migrate(address l2Singleton, bytes memory functionData) private { + singleton = l2Singleton; + + // Encode nonce, sender, threshold + bytes memory additionalInfo = abi.encode(0, msg.sender, threshold); + + // Simulate a L2 transaction so Safe Tx Service indexer picks up the Safe + emit SafeMultiSigTransaction( + MIGRATION_SINGLETON, + 0, + functionData, + Enum.Operation.DelegateCall, + 0, + 0, + 0, + address(0), + address(0), + "", // We cannot detect signatures + additionalInfo + ); + emit ChangedMasterCopy(singleton); + } + + /** + * @notice Migrate from Safe 1.3.0/1.4.1 Singleton (L1) to the same version provided L2 singleton + * Safe is required to have nonce 0 so backend can support it after the migration + * @dev This function should only be called via a delegatecall to perform the upgrade. + * Singletons versions will be compared, so it implies that contracts exist + */ + function migrateToL2(address l2Singleton) public onlyDelegateCall onlyNonceZero { + require(address(singleton) != l2Singleton, "Safe is already using the singleton"); + bytes32 oldSingletonVersion = keccak256(abi.encodePacked(ISafe(singleton).VERSION())); + bytes32 newSingletonVersion = keccak256(abi.encodePacked(ISafe(l2Singleton).VERSION())); + + require(oldSingletonVersion == newSingletonVersion, "L2 singleton must match current version singleton"); + // There's no way to make sure if address is a valid singleton, unless we cofigure the contract for every chain + require( + newSingletonVersion == keccak256(abi.encodePacked("1.3.0")) || newSingletonVersion == keccak256(abi.encodePacked("1.4.1")), + "Provided singleton version is not supported" + ); + + // 0xef2624ae - keccak("migrateToL2(address)") + bytes memory functionData = abi.encodeWithSelector(0xef2624ae, l2Singleton); + migrate(l2Singleton, functionData); + } + + /** + * @notice Migrate from Safe 1.1.1 Singleton to 1.3.0 or 1.4.1 L2 + * Safe is required to have nonce 0 so backend can support it after the migration + * @dev This function should only be called via a delegatecall to perform the upgrade. + * Singletons version will be checked, so it implies that contracts exist. + * A valid and compatible fallbackHandler needs to be provided, only existance will be checked. + */ + function migrateFromV111(address l2Singleton, address fallbackHandler) public onlyDelegateCall onlyNonceZero { + require(isContract(fallbackHandler), "fallbackHandler is not a contract"); + + bytes32 oldSingletonVersion = keccak256(abi.encodePacked(ISafe(singleton).VERSION())); + require(oldSingletonVersion == keccak256(abi.encodePacked("1.1.1")), "Provided singleton version is not supported"); + + bytes32 newSingletonVersion = keccak256(abi.encodePacked(ISafe(l2Singleton).VERSION())); + require( + newSingletonVersion == keccak256(abi.encodePacked("1.3.0")) || newSingletonVersion == keccak256(abi.encodePacked("1.4.1")), + "Provided singleton version is not supported" + ); + + ISafe safe = ISafe(address(this)); + safe.setFallbackHandler(fallbackHandler); + + // Safes < 1.3.0 did not emit SafeSetup, so Safe Tx Service backend needs the event to index the Safe + emit SafeSetup(MIGRATION_SINGLETON, safe.getOwners(), safe.getThreshold(), address(0), fallbackHandler); + + // 0xd9a20812 - keccak("migrateFromV111(address,address)") + bytes memory functionData = abi.encodeWithSelector(0xd9a20812, l2Singleton, fallbackHandler); + migrate(l2Singleton, functionData); + } + + /** + * @notice Checks whether an Ethereum address corresponds to a contract or an externally owned account (EOA). + * @param account The Ethereum address to be checked. + * @return A boolean value indicating whether the address is associated with a contract (true) or an EOA (false). + * @dev This function relies on the `extcodesize` assembly opcode to determine whether an address is a contract. + * It may return incorrect results in some edge cases (see documentation for details). + * Developers should use caution when relying on the results of this function for critical decision-making. + */ + function isContract(address account) internal view returns (bool) { + uint256 size; + // solhint-disable-next-line no-inline-assembly + assembly { + size := extcodesize(account) + } + + // If the code size is greater than 0, it is a contract; otherwise, it is an EOA. + return size > 0; + } +} diff --git a/src/deploy/deploy_migrations.ts b/src/deploy/deploy_migrations.ts new file mode 100644 index 000000000..9dac4194c --- /dev/null +++ b/src/deploy/deploy_migrations.ts @@ -0,0 +1,18 @@ +import { DeployFunction } from "hardhat-deploy/types"; +import { HardhatRuntimeEnvironment } from "hardhat/types"; + +const deploy: DeployFunction = async function (hre: HardhatRuntimeEnvironment) { + const { deployments, getNamedAccounts } = hre; + const { deployer } = await getNamedAccounts(); + const { deploy } = deployments; + + await deploy("SafeToL2Migration", { + from: deployer, + args: [], + log: true, + deterministicDeployment: true, + }); +}; + +deploy.tags = ["not-l2-to-l2-migration", "migration"]; +export default deploy; diff --git a/test/libraries/SafeToL2Migration.spec.ts b/test/libraries/SafeToL2Migration.spec.ts new file mode 100644 index 000000000..66aa7aa6d --- /dev/null +++ b/test/libraries/SafeToL2Migration.spec.ts @@ -0,0 +1,331 @@ +import { expect } from "chai"; +import hre, { ethers, deployments } from "hardhat"; +import { AddressZero } from "@ethersproject/constants"; +import { getSafeWithSingleton, getSafeSingletonAt, getMock } from "../utils/setup"; +import deploymentData from "../json/safeDeployment.json"; +import safeRuntimeBytecode from "../json/safeRuntimeBytecode.json"; +import { + buildSafeTransaction, + executeContractCallWithSigners, + executeTx, + executeTxWithSigners, + safeApproveHash, +} from "../../src/utils/execution"; + +const SAFE_SINGLETON_141_ADDRESS = "0x3E5c63644E683549055b9Be8653de26E0B4CD36E"; + +const SAFE_SINGLETON_141_L2_ADDRESS = "0xfb1bffC9d739B8D520DaF37dF666da4C687191EA"; + +const SAFE_SINGLETON_150_L2_ADDRESS = "0x0Ee37514644683f7EB9745a5726C722DeBa77e52"; + +const COMPATIBILITY_FALLBACK_HANDLER_150 = "0x8aa755cB169991fEDC3E306751dCb71964A041c7"; + +const FALLBACK_HANDLER_STORAGE_SLOT = "0x6c9a6c4a39284e37ed1cf53d337577d14212a4870fb976a4366c693b939918d5"; + +const GUARD_STORAGE_SLOT = "0x4a204f620c8c5ccdca3fd54d003badd85ba500436a431f0cbda4f558c93c34c8"; + +describe("SafeToL2Migration library", () => { + const migratedInterface = new ethers.Interface(["function masterCopy() view returns(address)"]); + + const setupTests = deployments.createFixture(async ({ deployments }) => { + await deployments.fixture(); + + // Set the runtime code for hardcoded addresses, so the expected events are emitted + await hre.network.provider.send("hardhat_setCode", [SAFE_SINGLETON_141_ADDRESS, safeRuntimeBytecode.safe141]); + await hre.network.provider.send("hardhat_setCode", [SAFE_SINGLETON_141_L2_ADDRESS, safeRuntimeBytecode.safe141l2]); + await hre.network.provider.send("hardhat_setCode", [SAFE_SINGLETON_150_L2_ADDRESS, safeRuntimeBytecode.safe150l2]); + await hre.network.provider.send("hardhat_setCode", [ + COMPATIBILITY_FALLBACK_HANDLER_150, + safeRuntimeBytecode.safe150CompatibilityFallbackHandler, + ]); + + const signers = await ethers.getSigners(); + const [user1] = signers; + const singleton111Address = (await (await user1.sendTransaction({ data: deploymentData.safe111 })).wait())?.contractAddress; + const singleton130Address = (await (await user1.sendTransaction({ data: deploymentData.safe130 })).wait())?.contractAddress; + const singleton130L2Address = (await (await user1.sendTransaction({ data: deploymentData.safe130l2 })).wait())?.contractAddress; + + if (!singleton111Address || !singleton130Address || !singleton130L2Address) { + throw new Error("Could not deploy Safe111, Safe130 or Safe130L2"); + } + const singleton111 = await getSafeSingletonAt(singleton111Address); + const singleton130 = await getSafeSingletonAt(singleton130Address); + const singleton141 = await getSafeSingletonAt(SAFE_SINGLETON_141_ADDRESS); + + const guardContract = await hre.ethers.getContractAt("Guard", AddressZero); + const guardEip165Calldata = guardContract.interface.encodeFunctionData("supportsInterface", ["0x945b8148"]); + const validGuardMock = await getMock(); + await validGuardMock.givenCalldataReturnBool(guardEip165Calldata, true); + + const invalidGuardMock = await getMock(); + await invalidGuardMock.givenCalldataReturnBool(guardEip165Calldata, false); + + const safeWith1967Proxy = await getSafeSingletonAt( + await hre.ethers + .getContractFactory("UpgradeableProxy") + .then((factory) => + factory.deploy( + singleton130Address, + singleton130.interface.encodeFunctionData("setup", [ + [user1.address], + 1, + AddressZero, + "0x", + AddressZero, + AddressZero, + 0, + AddressZero, + ]), + ), + ) + .then((proxy) => proxy.getAddress()), + ); + const safeToL2MigrationContract = await hre.ethers.getContractFactory("SafeToL2Migration"); + const migration = await safeToL2MigrationContract.deploy(); + return { + safe111: await getSafeWithSingleton(singleton111, [user1.address]), + safe130: await getSafeWithSingleton(singleton130, [user1.address]), + safe141: await getSafeWithSingleton(singleton141, [user1.address]), + safeWith1967Proxy, + migration, + signers, + validGuardMock, + invalidGuardMock, + singleton130Address, + singleton130L2Address, + }; + }); + + describe("migrateToL2", () => { + it("reverts if the singleton is not set", async () => { + const { + migration, + safeWith1967Proxy, + signers: [user1], + singleton130L2Address, + } = await setupTests(); + + await expect( + executeContractCallWithSigners(safeWith1967Proxy, migration, "migrateToL2", [singleton130L2Address], [user1], true), + ).to.be.revertedWith("GS013"); + }); + + it("reverts if new singleton is the same as the old one", async () => { + const { + safe130, + migration, + signers: [user1], + singleton130Address, + } = await setupTests(); + await expect( + executeContractCallWithSigners(safe130, migration, "migrateToL2", [singleton130Address], [user1], true), + ).to.be.revertedWith("GS013"); + }); + + it("reverts if new singleton is not supported", async () => { + const { + safe130, + migration, + signers: [user1], + } = await setupTests(); + await expect( + executeContractCallWithSigners(safe130, migration, "migrateToL2", [SAFE_SINGLETON_150_L2_ADDRESS], [user1], true), + ).to.be.revertedWith("GS013"); + }); + + it("reverts if nonce > 0", async () => { + const { + safe130, + migration, + signers: [user1], + singleton130Address, + singleton130L2Address, + } = await setupTests(); + const safeAddress = await safe130.getAddress(); + expect(await safe130.nonce()).to.be.eq(0); + + // Increase nonce by sending eth + await user1.sendTransaction({ to: safeAddress, value: ethers.parseEther("1") }); + const nonce = 0; + const safeTx = buildSafeTransaction({ to: user1.address, value: ethers.parseEther("1"), nonce }); + await executeTxWithSigners(safe130, safeTx, [user1]); + + expect(await safe130.nonce()).to.be.eq(1); + await expect( + executeContractCallWithSigners(safe130, migration, "migrateToL2", [singleton130L2Address], [user1], true), + ).to.be.revertedWith("GS013"); + + const singletonResp = await user1.call({ to: safeAddress, data: migratedInterface.encodeFunctionData("masterCopy") }); + expect(migratedInterface.decodeFunctionResult("masterCopy", singletonResp)[0]).to.eq(singleton130Address); + }); + + it("migrates from singleton 1.3.0 to 1.3.0L2", async () => { + const { + safe130, + migration, + signers: [user1], + singleton130L2Address, + } = await setupTests(); + const safeAddress = await safe130.getAddress(); + // The emit matcher checks the address, which is the Safe as delegatecall is used + const migrationSafe = migration.attach(safeAddress); + const migrationAddress = await migration.getAddress(); + + const functionName = "migrateToL2"; + const expectedData = migration.interface.encodeFunctionData(functionName, [singleton130L2Address]); + const safeThreshold = await safe130.getThreshold(); + const additionalInfo = hre.ethers.AbiCoder.defaultAbiCoder().encode( + ["uint256", "address", "uint256"], + [0, user1.address, safeThreshold], + ); + await expect(executeContractCallWithSigners(safe130, migration, functionName, [singleton130L2Address], [user1], true)) + .to.emit(migrationSafe, "ChangedMasterCopy") + .withArgs(singleton130L2Address) + .to.emit(migrationSafe, "SafeMultiSigTransaction") + .withArgs( + migrationAddress, + 0, + expectedData, + 1, + 0, + 0, + 0, + AddressZero, + AddressZero, + "0x", // We cannot detect signatures + additionalInfo, + ); + + const singletonResp = await user1.call({ to: safeAddress, data: migratedInterface.encodeFunctionData("masterCopy") }); + expect(migratedInterface.decodeFunctionResult("masterCopy", singletonResp)[0]).to.eq(singleton130L2Address); + expect(await safe130.nonce()).to.be.eq(1); + }); + + it("migrates from singleton 1.4.1 to 1.4.1L2", async () => { + const { + safe141, + migration, + signers: [user1], + } = await setupTests(); + const safeAddress = await safe141.getAddress(); + // The emit matcher checks the address, which is the Safe as delegatecall is used + const migrationSafe = migration.attach(safeAddress); + const migrationAddress = await migration.getAddress(); + + const functionName = "migrateToL2"; + const expectedData = migration.interface.encodeFunctionData(functionName, [SAFE_SINGLETON_141_L2_ADDRESS]); + const safeThreshold = await safe141.getThreshold(); + const additionalInfo = hre.ethers.AbiCoder.defaultAbiCoder().encode( + ["uint256", "address", "uint256"], + [0, user1.address, safeThreshold], + ); + await expect(executeContractCallWithSigners(safe141, migration, functionName, [SAFE_SINGLETON_141_L2_ADDRESS], [user1], true)) + .to.emit(migrationSafe, "ChangedMasterCopy") + .withArgs(SAFE_SINGLETON_141_L2_ADDRESS) + .to.emit(migrationSafe, "SafeMultiSigTransaction") + .withArgs( + migrationAddress, + 0, + expectedData, + 1, + 0, + 0, + 0, + AddressZero, + AddressZero, + "0x", // We cannot detect signatures + additionalInfo, + ); + + const singletonResp = await user1.call({ to: safeAddress, data: migratedInterface.encodeFunctionData("masterCopy") }); + expect(migratedInterface.decodeFunctionResult("masterCopy", singletonResp)[0]).to.eq(SAFE_SINGLETON_141_L2_ADDRESS); + expect(await safe141.nonce()).to.be.eq(1); + }); + + it("migrates from singleton 1.1.1 to 1.4.1L2", async () => { + const { + safe111, + migration, + signers: [user1], + } = await setupTests(); + const safeAddress = await safe111.getAddress(); + expect(await safe111.VERSION()).eq("1.1.1"); + expect("0x" + (await hre.ethers.provider.getStorage(safeAddress, FALLBACK_HANDLER_STORAGE_SLOT)).slice(26)).to.be.eq( + AddressZero, + ); + + // The emit matcher checks the address, which is the Safe as delegatecall is used + const migrationSafe = migration.attach(safeAddress); + const migrationAddress = await migration.getAddress(); + + const functionName = "migrateFromV111"; + const data = migration.interface.encodeFunctionData(functionName, [ + SAFE_SINGLETON_141_L2_ADDRESS, + COMPATIBILITY_FALLBACK_HANDLER_150, + ]); + const nonce = await safe111.nonce(); + expect(nonce).to.be.eq(0); + const safeThreshold = await safe111.getThreshold(); + const additionalInfo = hre.ethers.AbiCoder.defaultAbiCoder().encode( + ["uint256", "address", "uint256"], + [0, user1.address, safeThreshold], + ); + + const tx = buildSafeTransaction({ to: migrationAddress, data, operation: 1, nonce }); + + expect(await executeTx(safe111, tx, [await safeApproveHash(user1, safe111, tx, true)])) + .to.emit(migrationSafe, "ChangedMasterCopy") + .withArgs(SAFE_SINGLETON_141_L2_ADDRESS) + .to.emit(migrationSafe, "SafeMultiSigTransaction") + .withArgs( + migrationAddress, + 0, + data, + 1, + 0, + 0, + 0, + AddressZero, + AddressZero, + "0x", // We cannot detect signatures + additionalInfo, + ) + .to.emit(migrationSafe, "SafeSetup") + .withArgs(migrationAddress, await safe111.getOwners(), safeThreshold, AddressZero, COMPATIBILITY_FALLBACK_HANDLER_150); + + expect(await safe111.nonce()).to.be.eq(1); + expect(await safe111.VERSION()).to.be.eq("1.4.1"); + const singletonResp = await user1.call({ to: safeAddress, data: migratedInterface.encodeFunctionData("masterCopy") }); + expect(migratedInterface.decodeFunctionResult("masterCopy", singletonResp)[0]).to.eq(SAFE_SINGLETON_141_L2_ADDRESS); + expect("0x" + (await hre.ethers.provider.getStorage(safeAddress, FALLBACK_HANDLER_STORAGE_SLOT)).slice(26)).to.be.eq( + COMPATIBILITY_FALLBACK_HANDLER_150.toLowerCase(), + ); + }); + + it("doesn't touch important storage slots", async () => { + const { + safe130, + migration, + signers: [user1], + singleton130L2Address, + } = await setupTests(); + const safeAddress = await safe130.getAddress(); + + const ownerCountBeforeMigration = await hre.ethers.provider.getStorage(safeAddress, 3); + const thresholdBeforeMigration = await hre.ethers.provider.getStorage(safeAddress, 4); + const nonceBeforeMigration = await hre.ethers.provider.getStorage(safeAddress, 5); + const guardBeforeMigration = await hre.ethers.provider.getStorage(safeAddress, GUARD_STORAGE_SLOT); + const fallbackHandlerBeforeMigration = await hre.ethers.provider.getStorage(safeAddress, FALLBACK_HANDLER_STORAGE_SLOT); + + await expect(executeContractCallWithSigners(safe130, migration, "migrateToL2", [singleton130L2Address], [user1], true)); + + expect(await hre.ethers.provider.getStorage(safeAddress, 3)).to.be.eq(ownerCountBeforeMigration); + expect(await hre.ethers.provider.getStorage(safeAddress, 4)).to.be.eq(thresholdBeforeMigration); + expect(await hre.ethers.provider.getStorage(safeAddress, 5)).to.be.eq(nonceBeforeMigration); + expect(await hre.ethers.provider.getStorage(safeAddress, GUARD_STORAGE_SLOT)).to.be.eq(guardBeforeMigration); + expect(await hre.ethers.provider.getStorage(safeAddress, FALLBACK_HANDLER_STORAGE_SLOT)).to.be.eq( + fallbackHandlerBeforeMigration, + ); + }); + }); +});