Merge branch 'main' into ma/b08-reward-claims-interface-doc

Author: sveitser

contracts/rust/adapter/src/bindings/access_control_upgradeable.rs

@@ -3,6 +3,7 @@
 //! This is autogenerated code.
 //! Do not manually edit these files.
 //! These files may be overwritten by the codegen system at any time.
+pub mod r#access_control_upgradeable;
 pub mod r#erc1967_proxy;
 pub mod r#esp_token;
 pub mod r#esp_token_v2;

contracts/rust/adapter/src/bindings/mod.rs

@@ -23,6 +23,7 @@ use alloy::sol;
 /// - structs should be exported and renamed with `xxSol` suffix to avoid confusion with other rust types
 ///   - see module doc for more explanation on types duplication issue in alloy
 pub use crate::bindings::{
+    access_control_upgradeable::AccessControlUpgradeable,
     erc1967_proxy::ERC1967Proxy,
     esp_token::EspToken,
     esp_token_v2::EspTokenV2,

contracts/rust/adapter/src/sol_types.rs

@@ -10,6 +10,7 @@
 - [Safe Multisig Proposals](#safe-multisig-proposals)
 - [Troubleshooting](#troubleshooting)
 - [POS Deployment](#pos-deployment)
+  - [Automated Deployment Verification](#automated-deployment-verification)
 
 ## Prerequisites
 
@@ -1286,6 +1287,32 @@ After completing all steps, verify:
 4. **StakeTable**: Upgraded to V2, owned by OpsTimelock, EspressoSys multisig has pauser role
 5. **All proxies**: Point to correct implementation addresses
 
+### Automated Deployment Verification
+
+The `scripts/verify-pos-deployment.sh` script automates the verification of your deployment configuration. It checks
+timelock delays, roles, contract ownership, versions, and cross-contract references.
+
+#### Prerequisites
+
+- Foundry installed (for `cast` command)
+- Environment variables set (see below)
+- Access to the RPC endpoint where contracts are deployed
+
+#### Usage
+
+##### Source environment variables from your deployment output file
+
+source .env.eth.mainnet.staketable # or your deployment output file
+
+##### Run verification
+
+./scripts/verify-pos-deployment.sh --rpc-url $RPC_URL#### Environment Variables
+
+For a complete list of required and optional environment variables, run:
+
+./scripts/verify-pos-deployment.sh --helpThe script will skip checks for any unset variables and show warnings. At
+minimum, you should set the contract proxy addresses you want to verify.
+
 ## Arbitrum Mainnet
 
 ### Step 1: Deploy the `OpsTimelock`

contracts/rust/deployer/README.md

@@ -770,9 +770,10 @@ impl<P: Provider + WalletProvider> DeployerArgs<P> {
             "feecontract" | "feecontractproxy" => Contract::FeeContractProxy,
             "esptoken" | "esptokenproxy" => Contract::EspTokenProxy,
             "staketable" | "staketableproxy" => Contract::StakeTableProxy,
+            "rewardclaim" | "rewardclaimproxy" => Contract::RewardClaimProxy,
             _ => anyhow::bail!(
                 "Unknown contract type: {}. Supported types: lightclient, feecontract, esptoken, \
-                 staketable",
+                 staketable, rewardclaim",
                 target_contract
             ),
         };
@@ -785,19 +786,29 @@ impl<P: Provider + WalletProvider> DeployerArgs<P> {
             )
         })?;
 
-        tracing::info!(
-            "Transferring ownership of {} from EOA to {}",
-            target_contract,
-            new_owner
-        );
-
-        // Use the existing transfer_ownership function from lib.rs
-        let receipt =
+        // RewardClaim uses AccessControl instead of Ownable, so we need to grant the admin role
+        // instead of transferring ownership
+        let receipt = if contract_type == Contract::RewardClaimProxy {
+            tracing::info!(
+                "Granting DEFAULT_ADMIN_ROLE for {} to {} (RewardClaim uses AccessControl, not \
+                 Ownable)",
+                target_contract,
+                new_owner
+            );
+            crate::grant_admin_role(&self.deployer, contract_type, contract_address, new_owner)
+                .await?
+        } else {
+            tracing::info!(
+                "Transferring ownership of {} from EOA to {}",
+                target_contract,
+                new_owner
+            );
             crate::transfer_ownership(&self.deployer, contract_type, contract_address, new_owner)
-                .await?;
+                .await?
+        };
 
         tracing::info!(
-            "Successfully transferred ownership of {} to {}. Transaction: {}",
+            "Successfully transferred admin control of {} to {}. Transaction: {}",
             target_contract,
             new_owner,
             receipt.transaction_hash

contracts/rust/deployer/src/builder.rs

@@ -1208,63 +1208,74 @@ pub async fn transfer_ownership(
     target_address: Address,
     new_owner: Address,
 ) -> Result<TransactionReceipt> {
-    let receipt = match target_contract {
-        Contract::LightClient | Contract::LightClientProxy => {
-            tracing::info!(%target_address, %new_owner, "Transfer LightClient ownership");
-            let lc = LightClient::new(target_address, &provider);
-            lc.transferOwnership(new_owner)
-                .send()
-                .await?
-                .get_receipt()
-                .await?
-        },
-        Contract::FeeContract | Contract::FeeContractProxy => {
-            tracing::info!(%target_address, %new_owner, "Transfer FeeContract ownership");
-            let fee = FeeContract::new(target_address, &provider);
-            fee.transferOwnership(new_owner)
-                .send()
-                .await?
-                .get_receipt()
-                .await?
-        },
-        Contract::EspToken | Contract::EspTokenProxy => {
-            tracing::info!(%target_address, %new_owner, "Transfer EspToken ownership");
-            let token = EspToken::new(target_address, &provider);
-            token
-                .transferOwnership(new_owner)
-                .send()
-                .await?
-                .get_receipt()
-                .await?
-        },
-        Contract::StakeTable | Contract::StakeTableProxy | Contract::StakeTableV2 => {
-            tracing::info!(%target_address, %new_owner, "Transfer StakeTable ownership");
-            let stake_table = StakeTable::new(target_address, &provider);
-            stake_table
-                .transferOwnership(new_owner)
-                .send()
-                .await?
-                .get_receipt()
-                .await?
-        },
-        Contract::RewardClaim | Contract::RewardClaimProxy => {
-            tracing::info!(%target_address, %new_owner, "Grant RewardClaim DEFAULT_ADMIN_ROLE");
-            let reward_claim = RewardClaim::new(target_address, &provider);
-            let admin_role = reward_claim.DEFAULT_ADMIN_ROLE().call().await?;
-            reward_claim
-                .grantRole(admin_role, new_owner)
-                .send()
-                .await?
-                .get_receipt()
-                .await?
-        },
-        _ => return Err(anyhow!("Not Ownable, can't transfer ownership!")),
-    };
+    // Use OwnableUpgradeable interface for all Ownable contracts
+    // This is more generic and maintainable than matching on each contract type
+    let ownable = OwnableUpgradeable::new(target_address, &provider);
+
+    // Verify the contract is actually Ownable by checking if we can read the owner
+    let current_owner = ownable.owner().call().await.context(format!(
+        "Contract at {target_address:#x} does not implement Ownable interface"
+    ))?;
+
+    tracing::info!(%target_contract, %target_address, current_owner = %current_owner, new_owner = %new_owner, "Transferring ownership of {target_contract}");
+
+    let receipt = ownable
+        .transferOwnership(new_owner)
+        .send()
+        .await?
+        .get_receipt()
+        .await?;
+
     let tx_hash = receipt.transaction_hash;
     tracing::info!(%receipt.gas_used, %tx_hash, "ownership transferred");
     Ok(receipt)
 }
 
+/// Grant DEFAULT_ADMIN_ROLE to a new admin for AccessControl-based contracts
+/// This handles contracts like RewardClaim that use AccessControl instead of Ownable
+/// TODO: create a function for pauser roles
+pub async fn grant_admin_role(
+    provider: impl Provider,
+    target_contract: Contract,
+    target_address: Address,
+    new_admin: Address,
+) -> Result<TransactionReceipt> {
+    // Use AccessControlUpgradeable interface
+    let access_control = AccessControlUpgradeable::new(target_address, &provider);
+
+    // Verify the contract is actually AccessControl by checking if we can read roles
+    let admin_role = access_control
+        .DEFAULT_ADMIN_ROLE()
+        .call()
+        .await
+        .context(format!(
+            "Contract at {target_address:#x} does not implement AccessControl interface"
+        ))?;
+
+    // Check if new_admin already has the role (for logging purposes)
+    let already_has_role = access_control.hasRole(admin_role, new_admin).call().await?;
+
+    tracing::info!(
+        %target_contract,
+        %target_address,
+        new_admin = %new_admin,
+        already_has_role = %already_has_role,
+        "Granting DEFAULT_ADMIN_ROLE for {target_contract}"
+    );
+
+    // For RewardClaim, grantRole handles the revoke of the previous admin internally
+    let receipt = access_control
+        .grantRole(admin_role, new_admin)
+        .send()
+        .await?
+        .get_receipt()
+        .await?;
+
+    let tx_hash = receipt.transaction_hash;
+    tracing::info!(%receipt.gas_used, %tx_hash, "admin role granted");
+    Ok(receipt)
+}
+
 /// helper function to decide if the contract at given address `addr` is a proxy contract
 pub async fn is_proxy_contract(provider: impl Provider, addr: Address) -> Result<bool> {
     // when the implementation address is not equal to zero, it's a proxy
@@ -3468,4 +3479,115 @@ mod tests {
 
         Ok(())
     }
+
+    #[test_log::test(tokio::test)]
+    async fn test_grant_admin_role_reward_claim() -> Result<()> {
+        let (_anvil, provider, l1_client) =
+            ProviderBuilder::new().connect_anvil_with_l1_client()?;
+
+        let mut contracts = Contracts::new();
+        let deployer = l1_client.get_accounts().await?[0];
+        let new_admin = Address::random();
+
+        // Deploy RewardClaim
+        let esp_token_addr = deploy_token_proxy(
+            &provider,
+            &mut contracts,
+            deployer,
+            deployer,
+            U256::from(10_000_000u64),
+            "Test Token",
+            "TEST",
+        )
+        .await?;
+        let lc_addr = deploy_light_client_contract(&provider, &mut contracts, false).await?;
+        let reward_claim_addr = deploy_reward_claim_proxy(
+            &provider,
+            &mut contracts,
+            esp_token_addr,
+            lc_addr,
+            deployer,
+            deployer, // pauser
+        )
+        .await?;
+
+        // Verify initial admin
+        let reward_claim = RewardClaim::new(reward_claim_addr, &provider);
+        let admin_role = reward_claim.DEFAULT_ADMIN_ROLE().call().await?;
+        assert!(reward_claim.hasRole(admin_role, deployer).call().await?);
+        assert!(!reward_claim.hasRole(admin_role, new_admin).call().await?);
+
+        // Grant admin role
+        let receipt = grant_admin_role(
+            &provider,
+            Contract::RewardClaimProxy,
+            reward_claim_addr,
+            new_admin,
+        )
+        .await?;
+
+        assert!(receipt.inner.is_success());
+
+        // Verify new admin has role and old admin doesn't
+        assert!(reward_claim.hasRole(admin_role, new_admin).call().await?);
+        assert!(!reward_claim.hasRole(admin_role, deployer).call().await?);
+
+        Ok(())
+    }
+
+    #[test_log::test(tokio::test)]
+    async fn test_transfer_ownership_from_eoa_reward_claim_routes_to_grant_role() -> Result<()> {
+        let (anvil, provider, l1_client) = ProviderBuilder::new().connect_anvil_with_l1_client()?;
+
+        let mut contracts = Contracts::new();
+        let deployer = l1_client.get_accounts().await?[0];
+        let new_admin = Address::random();
+
+        // Deploy RewardClaim
+        let esp_token_addr = deploy_token_proxy(
+            &provider,
+            &mut contracts,
+            deployer,
+            deployer,
+            U256::from(10_000_000u64),
+            "Test Token",
+            "TEST",
+        )
+        .await?;
+        let lc_addr = deploy_light_client_contract(&provider, &mut contracts, false).await?;
+        let reward_claim_addr = deploy_reward_claim_proxy(
+            &provider,
+            &mut contracts,
+            esp_token_addr,
+            lc_addr,
+            deployer,
+            deployer, // pauser
+        )
+        .await?;
+
+        // Verify initial admin
+        let reward_claim = RewardClaim::new(reward_claim_addr, &provider);
+        let admin_role = reward_claim.DEFAULT_ADMIN_ROLE().call().await?;
+        assert!(reward_claim.hasRole(admin_role, deployer).call().await?);
+        assert!(!reward_claim.hasRole(admin_role, new_admin).call().await?);
+
+        use builder::DeployerArgsBuilder;
+
+        let mut args_builder = DeployerArgsBuilder::default();
+        args_builder
+            .deployer(provider.clone())
+            .rpc_url(anvil.endpoint_url())
+            .transfer_ownership_from_eoa(true)
+            .target_contract("rewardclaim".to_string())
+            .transfer_ownership_new_owner(new_admin);
+        let args = args_builder.build()?;
+
+        args.transfer_ownership_from_eoa(&mut contracts).await?;
+
+        // Verify new admin has role and old admin doesn't
+        assert!(reward_claim.hasRole(admin_role, new_admin).call().await?);
+        assert!(!reward_claim.hasRole(admin_role, deployer).call().await?);
+
+        Ok(())
+    }
 }

contracts/rust/deployer/src/lib.rs

@@ -224,7 +224,7 @@ build-docker-images:
 
 # generate rust bindings for contracts
 VERSIONED := "LightClient(Arbitrum)?(V\\d+)?(Mock)?|PlonkVerifier(V\\d+)?|StakeTable(V\\d+)?|EspToken(V\\d+)?|RewardClaim(V\\d+)?"
-EXACT := "FeeContract|ERC1967Proxy|OpsTimelock|SafeExitTimelock|OwnableUpgradeable|IRewardClaim|IPlonkVerifier"
+EXACT := "FeeContract|ERC1967Proxy|OpsTimelock|SafeExitTimelock|OwnableUpgradeable|AccessControlUpgradeable|IRewardClaim|IPlonkVerifier"
 REGEXP := "^(" + VERSIONED + "|" + EXACT + ")$"
 gen-bindings:
     # Update the git submodules
@@ -248,7 +248,7 @@ gen-bindings:
 export-contract-abis:
     rm -rv contracts/artifacts/abi
     mkdir -p contracts/artifacts/abi
-    for contract in LightClient{,Mock,V2{,Mock}} StakeTable{,V2} EspToken IRewardClaim; do \
+    for contract in LightClient{,Mock,V2{,Mock}} StakeTable{,V2} EspToken{,V2} IRewardClaim; do \
         cat "contracts/out/${contract}.sol/${contract}.json" | jq .abi > "contracts/artifacts/abi/${contract}.json"; \
     done