[TIP-120] DAO Vote: PCVGuardian v3 #952
Conversation
eswak
force-pushed
the
feat/pcvguardian-v3
branch
from
52ef5f1 to
04c43b8
Compare
There was a problem hiding this comment.
Really like these changes overall, will be a big quality of life improvement.
Have some feedback on the unit tests - in general I think they should be broken up into many more and each major function should be covered by its own test. Also think the test names could be more descriptive/illustrative
eswak
force-pushed
the
feat/pcvguardian-v3
branch
from
f030292 to
9428149
Compare
rename fixture addresses & fix podexecutor unit tests
| target: 'pcvSentinel', | ||
| values: '0', | ||
| method: 'knight(address)', | ||
| arguments: (addresses) => [addresses.fuseWithdrawalGuard], |
There was a problem hiding this comment.
Really confusing that this one has no version number, and the old has a v1 version number. Thoughts on just using v2 for the new version number?
There was a problem hiding this comment.
we argued about this with @thomas-waite in the dev chat several days ago, the most up to date version doesn't have a version number, otherwise you don't know if there is a V3 you should use instead, when you use the V2
| @@ -54,7 +54,9 @@ contract FuseWithdrawalGuardIntegrationTest is DSTest, StdLib { | |||
| sentinel.knight(address(guard)); | |||
| } | |||
|
|
|||
| function testGuardCanProtec() public { | |||
| // TODO: update Fuse withdrawal guard PCV_GUARDIAN address, | |||
There was a problem hiding this comment.
Commenting for this todo as a reminder.
There was a problem hiding this comment.
thanks can only be fixed after deployment
| @@ -22,7 +22,7 @@ contract FuseWithdrawalGuard is IGuard, CoreRef { | |||
| EnumerableSet.AddressSet private fuseDeposits; | |||
|
|
|||
| /// @notice the PCV mover contract exposed to guardian role | |||
| PCVGuardian public constant pcvGuardian = PCVGuardian(0x02435948F84d7465FB71dE45ABa6098Fc6eC2993); | |||
| PCVGuardian public constant pcvGuardian = PCVGuardian(0x0000000000000000000000000000000000000000); // TODO update | |||
There was a problem hiding this comment.
Commenting to remind of todo.
There was a problem hiding this comment.
thanks can only be fixed after deployment
There was a problem hiding this comment.
This guardian address should be injected in at constructor time no? Otherwise I imagine it's impossible to test this
| pcvDeposit._pause(); | ||
| } | ||
|
|
||
| if (depositAfter) { |
There was a problem hiding this comment.
I think we agreed to leave depositAfter in?
There was a problem hiding this comment.
yes we kept depositAfter, the diff is displaying very weird 🤔 this logic is now in the modifier
| ) external override hasAnyOfThreeRoles(TribeRoles.GOVERNOR, TribeRoles.PCV_SAFE_MOVER_ROLE, TribeRoles.GUARDIAN) { | ||
| require(isSafeAddress(safeAddress), "Provided address is not a safe address!"); | ||
|
|
||
| pcvDeposit._ensureUnpaused(); |
There was a problem hiding this comment.
Do we not need this to withdraw from paused deposits?
There was a problem hiding this comment.
we do, that's why before withdrawals the modifier reads the paused state & unpauses if the deposit is paused
contracts/pcv/PCVGuardian.sol
Outdated
|
|
||
| pcvDeposit._ensureUnpaused(); | ||
| bool paused = pcvDeposit._paused(); | ||
| if (paused) { |
There was a problem hiding this comment.
Why not just use ensureUnpaused here?
There was a problem hiding this comment.
ensureUnpaused reads the pcvDeposit.paused() but does not return it. We need to read the paused state before withdrawal, because after withdrawal we want to re-pause if the deposit was paused in the first place. But yeah essentially it's the same code than what's in the ensureUnpaused function
|
I moved the modifier function to be at the bottom of the file, the diff displays much more nicely now |
There was a problem hiding this comment.
Looks good overall to me.
Idea about using _beforeWithdrawal() and _afterWithdrawal() hooks instead of a modifier to reduce control flow switching, but no strong feelings.
Also think the FuseWithdrawalGuard should have the PCVGuardian address injected in through it's constructor, otherwise it's impossible to test new pcvGuardians with it before deploying them.
|
|
||
| if (pauseAfter) { | ||
| _; |
There was a problem hiding this comment.
No strong feelings and fine as is, but not a fan of having the control flow jumping about in this modifier. The modifier runs before the function executes and checks permissions etc., then passes the control flow back to the function on line 223, then will take the control flow back once the function is done.
Might be cleaner and a nicer seperation of before and after logic if this modifier was split out into two hooks: _beforeWithdrawal() and _afterWithdrawal() which then get called in the function body
There was a problem hiding this comment.
I think the modifier is better because we want the paused stated read before withdrawal to be used after withdrawal (to re-pause), we can't do that without modifier
| @@ -22,7 +22,7 @@ contract FuseWithdrawalGuard is IGuard, CoreRef { | |||
| EnumerableSet.AddressSet private fuseDeposits; | |||
|
|
|||
| /// @notice the PCV mover contract exposed to guardian role | |||
| PCVGuardian public constant pcvGuardian = PCVGuardian(0x02435948F84d7465FB71dE45ABa6098Fc6eC2993); | |||
| PCVGuardian public constant pcvGuardian = PCVGuardian(0x0000000000000000000000000000000000000000); // TODO update | |||
There was a problem hiding this comment.
This guardian address should be injected in at constructor time no? Otherwise I imagine it's impossible to test this
| @@ -54,7 +54,9 @@ contract FuseWithdrawalGuardIntegrationTest is DSTest, StdLib { | |||
| sentinel.knight(address(guard)); | |||
| } | |||
|
|
|||
| function testGuardCanProtec() public { | |||
| // TODO: update Fuse withdrawal guard PCV_GUARDIAN address, | |||
There was a problem hiding this comment.
I think the guardian should be deployed locally in this integration test and then it's address be injected into the FuseWithdrawalGuard through it's constructor, otherwise you can't test the guard without deploying something to mainnet first
| proposalId: '', | ||
| affectedContractSignoff: [], | ||
| deprecatedContractSignoff: [], | ||
| category: ProposalCategory.DEBUG |
There was a problem hiding this comment.
Will want to change this proposal category to TC I imagine?
There was a problem hiding this comment.
actually has to be submitted to DAO because it revokes & grant Guardian & PCV Controller
| import { TemplatedProposalDescription } from '@custom-types/types'; | ||
|
|
||
| const proposal: TemplatedProposalDescription = { | ||
| title: 'TIP-XYZ: PCV Guardian v3', |
There was a problem hiding this comment.
Will need a TIP number
There was a problem hiding this comment.
I'll take... TIP-120 !
| // Run any validations required on the fip using mocha or console logging | ||
| // IE check balances, check state of contracts, etc. | ||
| const validate: ValidateUpgradeFunc = async (addresses, oldContracts, contracts, logging) => { | ||
| // display pcvStats |
There was a problem hiding this comment.
Being paranoid I would probably make sure that we can move funds here using the newly deployed pcvGuardianV3
A new version of the PCV Guardian :
Adds
**Ratiofunctions to allow to move percentages withwithdraw,withdrawETH, andwithdrawERC20Rewrite all tests in Forge
Factorize the code that is repeated in all withdraw functions inside a modifier (access control, check if target is a safe address, unpause source deposit if paused, deposit after & pause after boolean parameters handling)
Changed the default behavior : if the source deposit is paused before the call, re-pause it after withdrawal even if pauseAfter = false
Very small gas optimization by changing order of role checks because most of the time, TC Timelock (pcv safe mover role) or Guardian (guardian role) will perform the calls, and not the DAO Timelock (governor role), and the order of checks can save some external calls to
core.hasRole(role, address).All Tests Passing
Remove Any .only's on Tests