Merge pull request #19 from hokunet/sander/validator-gater

feat: validator gater contract

Author: JulissaDantes

.github/workflows/test.yml

@@ -3,7 +3,6 @@ name: CI
 on:
   push:
   pull_request:
-  workflow_dispatch:
 
 env:
   FOUNDRY_PROFILE: ci
@@ -12,7 +11,6 @@ jobs:
   check:
     strategy:
       fail-fast: true
-
     name: Foundry project
     runs-on: ubuntu-latest
     steps:
@@ -33,6 +31,12 @@ jobs:
         run: |
           forge fmt --check
         id: fmt
+      
+      - name: Run Forge clean
+        run: |
+          rm -rf cache out
+          forge clean
+        id: clean
 
       - name: Run Forge build
         run: |

hardhat.config.js

@@ -20,7 +20,7 @@ module.exports = {
     storageLayouts: ".storage-layouts",
   },
   storageLayoutConfig: {
-    contracts: ['src/Hoku.sol:Hoku'],
+    contracts: ['src/Hoku.sol:Hoku', 'src/ValidatorGater.sol:ValidatorGater'],
     fullPath: true
   },
   resolve: {

lib/forge-std

@@ -1,5 +1,5 @@
-// SPDX-License-Identifier: UNLICENSED
-pragma solidity ^0.8.23;
+// SPDX-License-Identifier: MIT OR Apache-2.0
+pragma solidity ^0.8.26;
 
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import {Script} from "forge-std/Script.sol";
@@ -10,7 +10,6 @@ import {Environment} from "../src/types/CommonTypes.sol";
 
 contract DeployScript is Script {
     string constant PRIVATE_KEY = "PRIVATE_KEY";
-    address public proxyAddress;
 
     function setUp() public {}
 

script/Faucet.s.sol

@@ -1,5 +1,5 @@
-// SPDX-License-Identifier: UNLICENSED
-pragma solidity ^0.8.23;
+// SPDX-License-Identifier: MIT OR Apache-2.0
+pragma solidity ^0.8.26;
 
 import {Hoku} from "../src/Hoku.sol";
 import {IInterchainTokenService} from

script/Hoku.s.sol

@@ -0,0 +1,74 @@
+// SPDX-License-Identifier: MIT OR Apache-2.0
+pragma solidity ^0.8.26;
+
+import {ValidatorGater} from "../src/ValidatorGater.sol";
+import {SubnetID} from "../src/structs/Subnet.sol";
+
+import {Environment} from "../src/types/CommonTypes.sol";
+import {Options, Upgrades} from "@openzeppelin/foundry-upgrades/Upgrades.sol";
+import {Script, console2} from "forge-std/Script.sol";
+
+contract DeployScript is Script {
+    string constant PRIVATE_KEY = "PRIVATE_KEY";
+    address public proxyAddress;
+
+    function setUp() public {}
+
+    function proxy() public view returns (address) {
+        return proxyAddress;
+    }
+
+    function run(Environment env) public returns (ValidatorGater) {
+        if (vm.envExists(PRIVATE_KEY)) {
+            uint256 privateKey = vm.envUint(PRIVATE_KEY);
+            vm.startBroadcast(privateKey);
+        } else if (env == Environment.Local) {
+            vm.startBroadcast();
+        } else {
+            revert("PRIVATE_KEY not set in non-local environment");
+        }
+        Options memory options;
+        options.unsafeAllow = "external-library-linking";
+
+        proxyAddress =
+            Upgrades.deployUUPSProxy("ValidatorGater.sol", abi.encodeCall(ValidatorGater.initialize, ()), options);
+        vm.stopBroadcast();
+
+        // Check implementation
+        address implAddr = Upgrades.getImplementationAddress(proxyAddress);
+        console2.log("Implementation address: ", implAddr);
+
+        ValidatorGater gater = ValidatorGater(proxyAddress);
+        return gater;
+    }
+}
+
+contract UpgradeGaterProxyScript is Script {
+    function setUp() public {}
+
+    function run() public {
+        // Get proxy owner account
+        uint256 deployerPrivateKey = vm.envUint("PRIVATE_KEY");
+
+        // Get proxy address
+        address proxy = vm.envAddress("PROXY_ADDR");
+        console2.log("proxy address: ", proxy);
+
+        // Check current implementation
+        address implOld = Upgrades.getImplementationAddress(proxy);
+        console2.log("Implementation address: ", implOld);
+
+        // Upgrade proxy to new implementation
+        Options memory opts;
+        opts.referenceContract = "ValidatorGater.sol";
+        vm.startBroadcast(deployerPrivateKey);
+        Upgrades.upgradeProxy(proxy, "ValidatorGater.sol", "", opts);
+        vm.stopBroadcast();
+
+        // Check new implementation
+        address implNew = Upgrades.getImplementationAddress(proxy);
+        console2.log("Implementation address: ", implNew);
+
+        require(implOld != implNew, "Implementation address not changed");
+    }
+}

script/ValidatorGater.s.sol

@@ -1,5 +1,5 @@
-// SPDX-License-Identifier: UNLICENSED
-pragma solidity ^0.8.23;
+// SPDX-License-Identifier: MIT OR Apache-2.0
+pragma solidity ^0.8.26;
 
 import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

src/Faucet.sol

@@ -1,5 +1,5 @@
-// SPDX-License-Identifier: MIT
-pragma solidity ^0.8.23;
+// SPDX-License-Identifier: MIT OR Apache-2.0
+pragma solidity ^0.8.26;
 
 import {InterchainTokenStandard} from
     "@axelar-network/interchain-token-service/contracts/interchain-token/InterchainTokenStandard.sol";

src/Hoku.sol

@@ -0,0 +1,102 @@
+// SPDX-License-Identifier: MIT OR Apache-2.0
+pragma solidity ^0.8.26;
+
+import {InvalidSubnet, NotAuthorized, ValidatorPowerChangeDenied} from "./errors/IPCErrors.sol";
+import {IValidatorGater} from "./interfaces/IValidatorGater.sol";
+
+import {SubnetIDHelper} from "./lib/SubnetIDHelper.sol";
+import {SubnetID} from "./structs/Subnet.sol";
+import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/contracts/access/OwnableUpgradeable.sol";
+import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/contracts/proxy/utils/UUPSUpgradeable.sol";
+
+/// The power range that an approved validator can have.
+struct PowerRange {
+    uint256 min;
+    uint256 max;
+}
+
+/// This is a simple implementation of `IValidatorGater`. It makes sure the exact power change
+/// request is approved. This is a very strict requirement.
+contract ValidatorGater is IValidatorGater, UUPSUpgradeable, OwnableUpgradeable {
+    using SubnetIDHelper for SubnetID;
+
+    bool private _active;
+
+    SubnetID public subnet;
+    mapping(address => PowerRange) public allowed;
+    // New active status and who was the owner at change time
+
+    event ActiveStateChange(bool active, address account);
+
+    function initialize() public initializer {
+        __Ownable_init(msg.sender);
+        _active = true;
+    }
+
+    /// @notice Indicates whether the gate is active or not
+    function isActive() external view returns (bool) {
+        return _active;
+    }
+
+    /// @notice Sets the contract as active or inactive.
+    /// @dev Only the owner can change the active state.
+    function setActive(bool active) external onlyOwner {
+        _active = active;
+        emit ActiveStateChange(active, msg.sender);
+    }
+
+    modifier whenActive() {
+        if (!_active) {
+            return; // Skip execution if not active
+        }
+        _; // Continue with function execution if active
+    }
+
+    function setSubnet(SubnetID calldata id) external onlyOwner whenActive {
+        subnet = id;
+    }
+
+    function isAllow(address validator, uint256 power) public view whenActive returns (bool) {
+        PowerRange memory range = allowed[validator];
+        return range.min <= power && power <= range.max;
+    }
+
+    /// Only owner can approve the validator join request
+    function approve(address validator, uint256 minPower, uint256 maxPower) external onlyOwner whenActive {
+        allowed[validator] = PowerRange({min: minPower, max: maxPower});
+    }
+
+    /// Revoke approved power range
+    function revoke(address validator) external onlyOwner whenActive {
+        delete allowed[validator];
+    }
+
+    function interceptPowerDelta(SubnetID memory id, address validator, uint256, /*prevPower*/ uint256 newPower)
+        external
+        view
+        override
+        whenActive
+    {
+        // unstake has checks to avoid newPower being zero, therefore zero means its leaving the network
+        if (newPower == 0) return;
+
+        SubnetID memory targetSubnet = subnet;
+
+        if (!id.equals(targetSubnet)) {
+            revert InvalidSubnet();
+        }
+
+        if (msg.sender != targetSubnet.getAddress()) {
+            revert NotAuthorized(msg.sender);
+        }
+
+        if (!isAllow(validator, newPower)) {
+            revert ValidatorPowerChangeDenied();
+        }
+    }
+
+    /// @dev Function that should revert when `msg.sender` is not authorized to upgrade the contract
+    /// @param newImplementation Address of the new implementation contract
+    function _authorizeUpgrade(address newImplementation) internal view override onlyOwner {} // solhint-disable
+        // no-empty-blocks
+}

src/ValidatorGater.sol

@@ -0,0 +1,6 @@
+// SPDX-License-Identifier: MIT OR Apache-2.0
+pragma solidity ^0.8.26;
+
+error InvalidSubnet();
+error NotAuthorized(address);
+error ValidatorPowerChangeDenied();

src/errors/IPCErrors.sol

@@ -0,0 +1,15 @@
+// SPDX-License-Identifier: MIT OR Apache-2.0
+pragma solidity ^0.8.26;
+
+import {SubnetID} from "../structs/Subnet.sol";
+
+/// @title Validator Gater interface
+/// This interface introduces the ability to intercept validator power updates before it's executed. Power updates could
+/// come from staking, unstaking, and explicit validator membership adjustments (federated membership). With this
+/// interface,
+/// it introduces an extra layer of checking to directly allow or deny the action, according to a user-defined policy.
+interface IValidatorGater {
+    /// This intercepts the power update call.
+    /// @notice This method should revert if the power update is not allowed.
+    function interceptPowerDelta(SubnetID memory id, address validator, uint256 prevPower, uint256 newPower) external;
+}