feat(host-contracts): new upgrade mechanism (#325)

* feat(host-contracts): new upgrade mechanism

* chore(host-contracts): fix forge tests

Author: jatZama

host-contracts/contracts/ACL.sol

@@ -2,7 +2,7 @@
 pragma solidity ^0.8.24;
 
 import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
-import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
+import {UUPSUpgradeableEmptyProxy} from "./shared/UUPSUpgradeableEmptyProxy.sol";
 import {Ownable2StepUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";
 import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
 import {fhevmExecutorAdd} from "../addresses/FHEVMExecutorAddress.sol";
@@ -15,7 +15,7 @@ import {ACLEvents} from "./ACLEvents.sol";
  * or decrypt encrypted values in fhEVM. By defining and enforcing these permissions, the ACL ensures that encrypted data remains
  * secure while still being usable within authorized contexts.
  */
-contract ACL is UUPSUpgradeable, Ownable2StepUpgradeable, PausableUpgradeable, ACLEvents {
+contract ACL is UUPSUpgradeableEmptyProxy, Ownable2StepUpgradeable, PausableUpgradeable, ACLEvents {
     /// @notice Returned if the delegatee contract is already delegatee for sender & delegator addresses.
     /// @param delegatee delegatee address.
     /// @param contractAddress contract address.
@@ -63,7 +63,7 @@ contract ACL is UUPSUpgradeable, Ownable2StepUpgradeable, PausableUpgradeable, A
     uint256 private constant MAJOR_VERSION = 0;
 
     /// @notice Minor version of the contract.
-    uint256 private constant MINOR_VERSION = 1;
+    uint256 private constant MINOR_VERSION = 2;
 
     /// @notice Patch version of the contract.
     uint256 private constant PATCH_VERSION = 0;
@@ -83,10 +83,11 @@ contract ACL is UUPSUpgradeable, Ownable2StepUpgradeable, PausableUpgradeable, A
     }
 
     /**
-     * @notice Re-initializes the contract.
+     * @notice  Initializes the contract.
+     * @param initialPauser Pauser address
      */
     /// @custom:oz-upgrades-validate-as-initializer
-    function reinitialize(address initialPauser) public virtual reinitializer(2) {
+    function initializeFromEmptyProxy(address initialPauser) public virtual onlyFromEmptyProxy reinitializer(3) {
         __Ownable_init(owner());
         __Pausable_init();
 
@@ -98,6 +99,19 @@ contract ACL is UUPSUpgradeable, Ownable2StepUpgradeable, PausableUpgradeable, A
         $.pauser = initialPauser;
     }
 
+    /**
+     * @notice Re-initializes the contract from V1, adding new storage variable pauser.
+     * @param initialPauser Pauser address
+     */
+    function reinitializeV2(address initialPauser) public virtual reinitializer(3) {
+        if (initialPauser == address(0)) {
+            revert InvalidNullPauser();
+        }
+
+        ACLStorage storage $ = _getACLStorage();
+        $.pauser = initialPauser;
+    }
+
     /**
      * @notice Allows the use of `handle` for the address `account`.
      * @dev The caller must be allowed to use `handle` for allow() to succeed. If not, allow() reverts.

host-contracts/contracts/FHEVMExecutor.sol

@@ -3,7 +3,7 @@ pragma solidity ^0.8.24;
 
 import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
 import {Ownable2StepUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";
-import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
+import {UUPSUpgradeableEmptyProxy} from "./shared/UUPSUpgradeableEmptyProxy.sol";
 
 import {ACL} from "./ACL.sol";
 import {HCULimit} from "./HCULimit.sol";
@@ -31,7 +31,7 @@ interface IInputVerifier {
  *           main responsibilities is to deterministically generate ciphertext handles.
  * @dev      This contract is deployed using an UUPS proxy.
  */
-contract FHEVMExecutor is UUPSUpgradeable, Ownable2StepUpgradeable, FHEEvents {
+contract FHEVMExecutor is UUPSUpgradeableEmptyProxy, Ownable2StepUpgradeable, FHEEvents {
     /// @notice         Returned when the handle is not allowed in the ACL for the account.
     /// @param handle   Handle.
     /// @param account  Address of the account.
@@ -122,7 +122,7 @@ contract FHEVMExecutor is UUPSUpgradeable, Ownable2StepUpgradeable, FHEEvents {
     uint256 private constant MAJOR_VERSION = 0;
 
     /// @notice Minor version of the contract.
-    uint256 private constant MINOR_VERSION = 1;
+    uint256 private constant MINOR_VERSION = 2;
 
     /// @notice Patch version of the contract.
     uint256 private constant PATCH_VERSION = 0;
@@ -146,13 +146,18 @@ contract FHEVMExecutor is UUPSUpgradeable, Ownable2StepUpgradeable, FHEEvents {
     }
 
     /**
-     * @notice  Re-initializes the contract.
+     * @notice  Initializes the contract.
      */
     /// @custom:oz-upgrades-validate-as-initializer
-    function reinitialize() public virtual reinitializer(2) {
+    function initializeFromEmptyProxy() public virtual onlyFromEmptyProxy reinitializer(3) {
         __Ownable_init(owner());
     }
 
+    /**
+     * @notice Re-initializes the contract from V1.
+     */
+    function reinitializeV2() public virtual reinitializer(3) {}
+
     /**
      * @notice              Computes FHEAdd operation.
      * @param lhs           LHS.

host-contracts/contracts/HCULimit.sol

@@ -2,7 +2,7 @@
 pragma solidity ^0.8.24;
 
 import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
-import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
+import {UUPSUpgradeableEmptyProxy} from "./shared/UUPSUpgradeableEmptyProxy.sol";
 import {Ownable2StepUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";
 import {fhevmExecutorAdd} from "../addresses/FHEVMExecutorAddress.sol";
 
@@ -14,7 +14,7 @@ import {FheType} from "./shared/FheType.sol";
  * transaction level, including the maximum number of homomorphic complexity units (HCU) per transaction.
  * @dev The contract is designed to be used with the FHEVMExecutor contract.
  */
-contract HCULimit is UUPSUpgradeable, Ownable2StepUpgradeable {
+contract HCULimit is UUPSUpgradeableEmptyProxy, Ownable2StepUpgradeable {
     /// @notice Returned if the sender is not the FHEVMExecutor.
     error CallerMustBeFHEVMExecutorContract();
 
@@ -37,7 +37,7 @@ contract HCULimit is UUPSUpgradeable, Ownable2StepUpgradeable {
     uint256 private constant MAJOR_VERSION = 0;
 
     /// @notice Minor version of the contract.
-    uint256 private constant MINOR_VERSION = 1;
+    uint256 private constant MINOR_VERSION = 2;
 
     /// @notice Patch version of the contract.
     uint256 private constant PATCH_VERSION = 0;
@@ -63,13 +63,18 @@ contract HCULimit is UUPSUpgradeable, Ownable2StepUpgradeable {
     }
 
     /**
-     * @notice  Re-initializes the contract.
+     * @notice  Initializes the contract.
      */
     /// @custom:oz-upgrades-validate-as-initializer
-    function reinitialize() public virtual reinitializer(2) {
+    function initializeFromEmptyProxy() public virtual onlyFromEmptyProxy reinitializer(3) {
         __Ownable_init(owner());
     }
 
+    /**
+     * @notice Re-initializes the contract from V1.
+     */
+    function reinitializeV2() public virtual reinitializer(3) {}
+
     /**
      * @notice Check the homomorphic complexity units limit for FheAdd.
      * @param resultType Result type.

host-contracts/contracts/InputVerifier.sol

@@ -5,8 +5,8 @@ import {FHEVMExecutor} from "./FHEVMExecutor.sol";
 
 // Importing OpenZeppelin contracts for cryptographic signature verification and access control.
 import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
-import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
 import {Ownable2StepUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";
+import {UUPSUpgradeableEmptyProxy} from "./shared/UUPSUpgradeableEmptyProxy.sol";
 import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
 import {EIP712UpgradeableCrossChain} from "./shared/EIP712UpgradeableCrossChain.sol";
 
@@ -16,7 +16,7 @@ import {EIP712UpgradeableCrossChain} from "./shared/EIP712UpgradeableCrossChain.
  *           This contract is called by the FHEVMExecutor inside verifyCiphertext function
  * @dev      The contract uses EIP712UpgradeableCrossChain for cryptographic operations.
  */
-contract InputVerifier is UUPSUpgradeable, Ownable2StepUpgradeable, EIP712UpgradeableCrossChain {
+contract InputVerifier is UUPSUpgradeableEmptyProxy, Ownable2StepUpgradeable, EIP712UpgradeableCrossChain {
     /// @notice         Emitted when a signer is added.
     /// @param signer   The address of the signer that was added.
     event SignerAdded(address indexed signer);
@@ -127,14 +127,17 @@ contract InputVerifier is UUPSUpgradeable, Ownable2StepUpgradeable, EIP712Upgrad
     }
 
     /**
-     * @notice  Re-initializes the contract.
+     * @notice  Initializes the contract.
+     * @param verifyingContractSource InputVerification contract address from Gateway chain.
+     * @param chainIDSource chainID of Gateway chain.
+     * @param initialSigners initial set of coprocessors.
      */
     /// @custom:oz-upgrades-validate-as-initializer
-    function reinitialize(
+    function initializeFromEmptyProxy(
         address verifyingContractSource,
         uint64 chainIDSource,
         address[] calldata initialSigners
-    ) public virtual reinitializer(2) {
+    ) public virtual onlyFromEmptyProxy reinitializer(2) {
         __Ownable_init(owner());
         __EIP712_init(CONTRACT_NAME_SOURCE, "1", verifyingContractSource, chainIDSource);
         uint256 initialSignersLen = initialSigners.length;

host-contracts/contracts/KMSVerifier.sol

@@ -2,7 +2,7 @@
 pragma solidity ^0.8.24;
 
 import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
-import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
+import {UUPSUpgradeableEmptyProxy} from "./shared/UUPSUpgradeableEmptyProxy.sol";
 import {EIP712UpgradeableCrossChain} from "./shared/EIP712UpgradeableCrossChain.sol";
 import {Ownable2StepUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";
 import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
@@ -13,7 +13,7 @@ import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
  *          signature verification functions.
  * @dev     The contract uses EIP712UpgradeableCrossChain for cryptographic operations and is deployed using an UUPS proxy.
  */
-contract KMSVerifier is UUPSUpgradeable, Ownable2StepUpgradeable, EIP712UpgradeableCrossChain {
+contract KMSVerifier is UUPSUpgradeableEmptyProxy, Ownable2StepUpgradeable, EIP712UpgradeableCrossChain {
     /// @notice Returned if the KMS signer to add is already a signer.
     error KMSAlreadySigner();
 
@@ -101,12 +101,12 @@ contract KMSVerifier is UUPSUpgradeable, Ownable2StepUpgradeable, EIP712Upgradea
      * @param initialThreshold Initial threshold, should be non-null and less or equal to the initialSigners length.
      */
     /// @custom:oz-upgrades-validate-as-initializer
-    function reinitialize(
+    function initializeFromEmptyProxy(
         address verifyingContractSource,
         uint64 chainIDSource,
         address[] calldata initialSigners,
         uint256 initialThreshold
-    ) public virtual reinitializer(2) {
+    ) public virtual onlyFromEmptyProxy reinitializer(2) {
         __Ownable_init(owner());
         __EIP712_init(CONTRACT_NAME_SOURCE, "1", verifyingContractSource, chainIDSource);
         defineNewContext(initialSigners, initialThreshold);

host-contracts/contracts/shared/UUPSUpgradeableEmptyProxy.sol

@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: BSD-3-Clause-Clear
+pragma solidity ^0.8.24;
+
+import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
+
+/**
+ * @title UUPSUpgradeableEmptyProxy
+ * @dev Abstract base contract for upgradeable contracts that are intended to be deployed behind
+ * empty proxies. This contract provides a modifier that ensures functions can only be called
+ * during the first initialization phase (i.e., when initialized version is 1), enforcing
+ * correct deployment from an empty proxy using the UUPSUpgradeable pattern.
+ *
+ * Inheriting contracts should use the `onlyFromEmptyProxy` modifier to protect initialization logic
+ * that must not run on upgrades or reinitializations.
+ */
+abstract contract UUPSUpgradeableEmptyProxy is UUPSUpgradeable {
+    error NotInitializingFromEmptyProxy();
+
+    modifier onlyFromEmptyProxy() {
+        if (_getInitializedVersion() != 1) {
+            revert NotInitializingFromEmptyProxy();
+        }
+        _;
+    }
+}

host-contracts/examples/ACLUpgradedExample.sol

@@ -10,7 +10,7 @@ contract ACLUpgradedExample is ACL {
 
     /// @notice Version of the contract
     uint256 private constant MAJOR_VERSION = 0;
-    uint256 private constant MINOR_VERSION = 2;
+    uint256 private constant MINOR_VERSION = 3;
     uint256 private constant PATCH_VERSION = 0;
 
     /// @notice Getter for the name and version of the contract

host-contracts/examples/ACLUpgradedExample2.sol

@@ -10,7 +10,7 @@ contract ACLUpgradedExample2 is ACL {
 
     /// @notice Version of the contract
     uint256 private constant MAJOR_VERSION = 0;
-    uint256 private constant MINOR_VERSION = 3;
+    uint256 private constant MINOR_VERSION = 4;
     uint256 private constant PATCH_VERSION = 0;
 
     /// @notice Getter for the name and version of the contract

host-contracts/examples/FHEVMExecutorUpgradedExample.sol

@@ -12,7 +12,7 @@ contract FHEVMExecutorUpgradedExample is FHEVMExecutor {
 
     /// @dev Version numbers
     uint256 private constant MAJOR_VERSION = 0;
-    uint256 private constant MINOR_VERSION = 2;
+    uint256 private constant MINOR_VERSION = 3;
     uint256 private constant PATCH_VERSION = 0;
 
     /// @notice Returns the full version string of the contract

host-contracts/examples/HCULimitUpgradedExample.sol

@@ -10,7 +10,7 @@ contract HCULimitUpgradedExample is HCULimit {
 
     /// @notice Version of the contract
     uint256 private constant MAJOR_VERSION = 0;
-    uint256 private constant MINOR_VERSION = 2;
+    uint256 private constant MINOR_VERSION = 3;
     uint256 private constant PATCH_VERSION = 0;
 
     /// @notice Getter for the name and version of the contract