fix upgrade to upgrade multiple clients

bluele · bluele · commit a2bc58e70940 · 2025-09-10T14:30:27.000+09:00
also, disable the 'dead code' detector temporarily due to a false positive

Signed-off-by: Jun Kimura &lt;jun.kimura@datachain.jp&gt;
diff --git a/contracts/toki/TokiLCPClientZKDCAP.sol b/contracts/toki/TokiLCPClientZKDCAP.sol
@@ -11,6 +11,8 @@ import {IIBCClient} from "@hyperledger-labs/yui-ibc-solidity/contracts/core/02-c
 /// @notice TokiLCPClientZKDCAP is LCPClientZKDCAPOwnableUpgradeable with state recovery functionality for TOKI operations.
 /// @custom:oz-upgrades-unsafe-allow external-library-linking
 contract TokiLCPClientZKDCAP is LCPClientZKDCAPOwnableUpgradeable {
+    // --------------------- Data structures ---------------------
+
     struct NewClientState {
         string clientId;
         bytes mrenclave;
@@ -25,11 +27,15 @@ contract TokiLCPClientZKDCAP is LCPClientZKDCAPOwnableUpgradeable {
         ConsensusState consensusState;
     }
 
+    // --------------------- Immutable fields ---------------------
+
     // A unique version is assigned to the implementation contract.
     // To ensure the initialization process is only allowed once, it is checked by the reinitializer modifier.
     /// @custom:oz-upgrades-unsafe-allow state-variable-immutable
     uint64 public immutable RECOVERED_VERSION;
 
+    // --------------------- Constructor ---------------------
+
     /// @custom:oz-upgrades-unsafe-allow constructor
     constructor(
         address ibcHandler,
@@ -41,25 +47,42 @@ contract TokiLCPClientZKDCAP is LCPClientZKDCAPOwnableUpgradeable {
         RECOVERED_VERSION = recoveredVersion;
     }
 
+    // --------------------- Public methods ---------------------
+
     /**
-    * @dev `upgrade` should only be called once through UUPSUpgradeable.upgradeToAndCall.
-    *      This function is used in the following situations:
-    *      - When a critical security vulnerability is discovered in the LCP enclave or zkDCAP quote verifier, requiring an urgent upgrade.
-    *      - When a newly issued security advisory of SGX, which is not critical to LCP security or operations, needs to be permitted.
-    *      - When an ELC corresponding to the client state's `mrenclave` needs to be upgraded due to a hard fork.
-    * @param newClientState New client state to upgrade.
-    * @param newConsensusState New consensus state to upgrade.
-    */
-    function upgrade(NewClientState memory newClientState, NewConsensusState memory newConsensusState)
+     * @dev `upgrade` should only be called once through UUPSUpgradeable.upgradeToAndCall.
+     *      This function is used in the following situations:
+     *      - When a critical security vulnerability is discovered in the LCP enclave or zkDCAP quote verifier, requiring an urgent upgrade.
+     *      - When a newly issued security advisory of SGX, which is not critical to LCP security or operations, needs to be permitted.
+     *      - When an ELC corresponding to the client state's `mrenclave` needs to be upgraded due to a hard fork.
+     * @param newClientStates New client states to upgrade. The order of the client states should be the same as the order of the consensus states.
+     * @param newConsensusStates New consensus states to upgrade. The order of the consensus states should be the same as the order of the client states.
+     *      The consensus state with height zero is ignored.
+     */
+    function upgrade(NewClientState[] memory newClientStates, NewConsensusState[] memory newConsensusStates)
         external
         reinitializer(RECOVERED_VERSION)
         onlyOwner
     {
-        return _upgrade(newClientState, newConsensusState);
+        _upgrade(newClientStates, newConsensusStates);
+    }
+
+    // --------------------- Internal methods ---------------------
+
+    function _upgrade(NewClientState[] memory newClientStates, NewConsensusState[] memory newConsensusStates)
+        internal
+    {
+        require(newClientStates.length == newConsensusStates.length);
+        for (uint256 i = 0; i < newClientStates.length; i++) {
+            _upgradeState(newClientStates[i], newConsensusStates[i]);
+        }
     }
 
-    function _upgrade(NewClientState memory newClientState, NewConsensusState memory newConsensusState) internal {
+    function _upgradeState(NewClientState memory newClientState, NewConsensusState memory newConsensusState) internal {
         ClientStorage storage clientStorage = clientStorages[newClientState.clientId];
+        if (clientStorage.zkDCAPRisc0ImageId == bytes32(0)) {
+            revert LCPClientZKDCAPRisc0ImageIdNotSet();
+        }
         IbcLightclientsLcpV1ClientState.Data storage clientState = clientStorage.clientState;
 
         if (clientState.frozen) {
diff --git a/slither.config.json b/slither.config.json
@@ -1,4 +1,4 @@
 {
-  "detectors_to_run": "arbitrary-send-erc20,array-by-reference,incorrect-shift,name-reused,rtlo,suicidal,uninitialized-storage,arbitrary-send-erc20-permit,controlled-array-length,controlled-delegatecall,delegatecall-loop,msg-value-loop,reentrancy-eth,unchecked-transfer,weak-prng,domain-separator-collision,erc20-interface,erc721-interface,locked-ether,mapping-deletion,shadowing-abstract,tautology,write-after-write,boolean-cst,reentrancy-no-eth,reused-constructor,tx-origin,unchecked-lowlevel,unchecked-send,variable-scope,void-cst,events-access,events-maths,incorrect-unary,boolean-equal,deprecated-standards,erc20-indexed,function-init-state,pragma,reentrancy-unlimited-gas,immutable-states,var-read-using-this,dead-code",
+  "detectors_to_run": "arbitrary-send-erc20,array-by-reference,incorrect-shift,name-reused,rtlo,suicidal,uninitialized-storage,arbitrary-send-erc20-permit,controlled-array-length,controlled-delegatecall,delegatecall-loop,msg-value-loop,reentrancy-eth,unchecked-transfer,weak-prng,domain-separator-collision,erc20-interface,erc721-interface,locked-ether,mapping-deletion,shadowing-abstract,tautology,write-after-write,boolean-cst,reentrancy-no-eth,reused-constructor,tx-origin,unchecked-lowlevel,unchecked-send,variable-scope,void-cst,events-access,events-maths,incorrect-unary,boolean-equal,deprecated-standards,erc20-indexed,function-init-state,pragma,reentrancy-unlimited-gas,immutable-states,var-read-using-this",
   "filter_paths": "(test/|node_modules/|lib/|contracts/proto/)"
 }
diff --git a/test/toki/TokiLCPClientTest.t.sol b/test/toki/TokiLCPClientTest.t.sol

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`		- "detectors_to_run": "arbitrary-send-erc20,array-by-reference,incorrect-shift,name-reused,rtlo,suicidal,uninitialized-storage,arbitrary-send-erc20-permit,controlled-array-length,controlled-delegatecall,delegatecall-loop,msg-value-loop,reentrancy-eth,unchecked-transfer,weak-prng,domain-separator-collision,erc20-interface,erc721-interface,locked-ether,mapping-deletion,shadowing-abstract,tautology,write-after-write,boolean-cst,reentrancy-no-eth,reused-constructor,tx-origin,unchecked-lowlevel,unchecked-send,variable-scope,void-cst,events-access,events-maths,incorrect-unary,boolean-equal,deprecated-standards,erc20-indexed,function-init-state,pragma,reentrancy-unlimited-gas,immutable-states,var-read-using-this,dead-code",
	`2`	+ "detectors_to_run": "arbitrary-send-erc20,array-by-reference,incorrect-shift,name-reused,rtlo,suicidal,uninitialized-storage,arbitrary-send-erc20-permit,controlled-array-length,controlled-delegatecall,delegatecall-loop,msg-value-loop,reentrancy-eth,unchecked-transfer,weak-prng,domain-separator-collision,erc20-interface,erc721-interface,locked-ether,mapping-deletion,shadowing-abstract,tautology,write-after-write,boolean-cst,reentrancy-no-eth,reused-constructor,tx-origin,unchecked-lowlevel,unchecked-send,variable-scope,void-cst,events-access,events-maths,incorrect-unary,boolean-equal,deprecated-standards,erc20-indexed,function-init-state,pragma,reentrancy-unlimited-gas,immutable-states,var-read-using-this",
`3`	`3`	`"filter_paths": "(test/\|node_modules/\|lib/\|contracts/proto/)"`
`4`	`4`	`}`