Merge branch 'main' into bm/simulate-in-ci

.circleci/config.yml

@@ -59,7 +59,6 @@ commands:
               --justfile ../../../nested.just \
               simulate council
 
-
 jobs:
   check_sepolia_rpc_endpoints:
     circleci_ip_ranges: true
@@ -225,14 +224,21 @@ jobs:
             just simulate-council
             just prepare-json
             just simulate-council # simulate again to make sure the json is still valid
-  
-  simulate_eth_021:
+
+  just_simulate_permissionless_fp_upgrade:
+    docker:
+      - image: << pipeline.parameters.ci_builder_image >>
+    steps:
+      - simulate_nested:
+          task: "/eth/ink-001-permissionless-proofs"
+
+  just_simulate_ink_respected_game_type:
     docker:
       - image: << pipeline.parameters.ci_builder_image >>
     steps:
       - simulate:
-          task: "eth/021-holocene-protocol-versions"
-            
+          task: "/eth/ink-002-set-respected-game-type"
+
   forge_build:
     docker:
       - image: <<pipeline.parameters.ci_builder_image>>
@@ -279,13 +285,6 @@ jobs:
             yq --version
             forge --version
 
-  simulate_eth_022:
-    docker:
-      - image: << pipeline.parameters.ci_builder_image >>
-    steps:
-      - simulate_nested:
-          task: "eth/022-holocene-fp-upgrade"
-
 workflows:
   main:
     jobs:
@@ -313,10 +312,10 @@ workflows:
       - just_simulate_sc_rehearsal_1
       - just_simulate_sc_rehearsal_2
       - just_simulate_sc_rehearsal_4
+      - just_simulate_permissionless_fp_upgrade
+      - just_simulate_ink_respected_game_type
       # Simulate non-terminal tasks. 
       # This process finds all non-terminal tasks that currently
       # exist in the task list and simulates them to ensure that
       # they are still valid.
-      - simulate_non_terminal_tasks
-      - simulate_eth_021
-      - simulate_eth_022
+      - simulate_non_terminal_tasks

NESTED-VALIDATION.md

@@ -1,7 +1,7 @@
 # Validation - Nested Safe
 
-This document describes the generic validation steps for running a Mainnet or Sepolia tasks for the
-nested 2/2 Security Council/Foundation Safe.
+This document describes the generic validation steps for running a Mainnet or Sepolia tasks for any
+nested 2/2 Safe involving either the Security Council & Foundation Upgrade Safe or the Base and Foundation Operations Safe.
 
 ## State Overrides
 
@@ -10,27 +10,31 @@ The following state overrides related to the nested Safe execution must be seen:
 ### `GnosisSafeProxy` - the 2/2 `ProxyAdminOwner` Safe
 
 The `ProxyAdminOwner` has the following address:
-- Mainnet: [`0x5a0Aae59D09fccBdDb6C6CcEB07B7279367C3d2A`](https://etherscan.io/address/0x5a0Aae59D09fccBdDb6C6CcEB07B7279367C3d2A)
-- Sepolia: [`0x1Eb2fFc903729a0F03966B917003800b145F56E2`](https://sepolia.etherscan.io/address/0x1Eb2fFc903729a0F03966B917003800b145F56E2)
+- Mainnet: 
+    - Superchain: [`0x5a0Aae59D09fccBdDb6C6CcEB07B7279367C3d2A`](https://etherscan.io/address/0x5a0Aae59D09fccBdDb6C6CcEB07B7279367C3d2A)
+    - Base/OP: [0x7bB41C3008B3f03FE483B28b8DB90e19Cf07595c](https://etherscan.io/address/0x7bB41C3008B3f03FE483B28b8DB90e19Cf07595c)
+- Sepolia Superchain: [`0x1Eb2fFc903729a0F03966B917003800b145F56E2`](https://sepolia.etherscan.io/address/0x1Eb2fFc903729a0F03966B917003800b145F56E2)
 
-These addresses are attested to in the [Optimism Docs](https://docs.optimism.io/chain/security/privileged-roles#addresses).
+The Superchain addresses are attested to in the [Optimism Docs](https://docs.optimism.io/chain/security/privileged-roles#addresses).
 
 Enables the simulation by setting the threshold to 1:
 
 - **Key:** `0x0000000000000000000000000000000000000000000000000000000000000004` <br/>
   **Value:** `0x0000000000000000000000000000000000000000000000000000000000000001`
   **Meaning:** The threshold is set to 1.
 
-### Security Council Safe or Foundation Safe
+### Safe Signer
 
-Depending on which role (Security Council or Foundation) the task was simulated for,
+Depending on which role the task was simulated for,
 you must see the following overrides for the following address:
 - Mainnet
-    - Council Safe: [`0xc2819DC788505Aac350142A7A707BF9D03E3Bd03`](https://etherscan.io/address/0xc2819DC788505Aac350142A7A707BF9D03E3Bd03)
-    - Foundation Safe: [`0x847B5c174615B1B7fDF770882256e2D3E95b9D92`](https://etherscan.io/address/0x847B5c174615B1B7fDF770882256e2D3E95b9D92)
+    - Security Council Safe: [`0xc2819DC788505Aac350142A7A707BF9D03E3Bd03`](https://etherscan.io/address/0xc2819DC788505Aac350142A7A707BF9D03E3Bd03)
+    - Foundation Upgrade Safe: [`0x847B5c174615B1B7fDF770882256e2D3E95b9D92`](https://etherscan.io/address/0x847B5c174615B1B7fDF770882256e2D3E95b9D92)
+    - Foundation Operations Safe: [`0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A`](https://etherscan.io/address/0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A)
+    - Base Operations Safe: [`0x9855054731540A48b28990B63DcF4f33d8AE46A1`](https://etherscan.io/address/0x9855054731540A48b28990B63DcF4f33d8AE46A1)
 - Sepolia
-    - Council Safe: [`0xf64bc17485f0B4Ea5F06A96514182FC4cB561977`](https://sepolia.etherscan.io/address/0xf64bc17485f0B4Ea5F06A96514182FC4cB561977)
-    - Foundation Safe: [`0xDEe57160aAfCF04c34C887B5962D0a69676d3C8B`](https://sepolia.etherscan.io/address/0xDEe57160aAfCF04c34C887B5962D0a69676d3C8B)
+    - Fake Security Council Safe: [`0xf64bc17485f0B4Ea5F06A96514182FC4cB561977`](https://sepolia.etherscan.io/address/0xf64bc17485f0B4Ea5F06A96514182FC4cB561977)
+    - Fake Foundation Upgrade Safe: [`0xDEe57160aAfCF04c34C887B5962D0a69676d3C8B`](https://sepolia.etherscan.io/address/0xDEe57160aAfCF04c34C887B5962D0a69676d3C8B)
 
 The simulated role will also be called the **Safe Signer** in the remaining document.
 
@@ -88,15 +92,19 @@ The GnosisSafe `approvedHashes` mapping is updated to indicate approval of this
     ```
     The output of this command must match the key of the state change.
 
-### Liveness Guard
+### Liveness Guard (Security Council only)
 
-When the Security Council executes a transaction, the liveness timestamp are updated for each owner that signed the tasks.
-This is updating at the moment of the transaction is submitted (`block.timestamp`) into the [`lastLive`](https://github.com/ethereum-optimism/optimism/blob/e84868c27776fd04dc77e95176d55c8f6b1cc9a3/packages/contracts-bedrock/src/safe/LivenessGuard.sol#L41) mapping located at the slot `0`.
+When the Security Council executes a transaction, the liveness timestamps are updated for each owner that signed the task.
+This is updating at the moment when the transaction is submitted (`block.timestamp`) into the [`lastLive`](https://github.com/ethereum-optimism/optimism/blob/e84868c27776fd04dc77e95176d55c8f6b1cc9a3/packages/contracts-bedrock/src/safe/LivenessGuard.sol#L41) mapping located at the slot `0`.
 
 ### Nonce increments
 
 The only other state changes related to the nested execution are _three_ nonce increments:
 
-- One on the `ProxyAdminOwner` 2/2. If this is not decoded, it corresponds to key `0x05` on a `GnosisSafeProxy`.
-- One on the Council or Foundation Safe. If this is not decoded, it corresponds to key `0x05` on a `GnosisSafeProxy`.
-- One of the EOA that is the first entry in the owner set of the simulated role.
+- One increment of the `ProxyAdminOwner` Safe nonce, located as storage slot
+`0x0000000000000000000000000000000000000000000000000000000000000005` on a
+`GnosisSafeProxy`.
+- One increment of the **Safe Signer** nonce, located as storage slot
+`0x0000000000000000000000000000000000000000000000000000000000000005` on a
+`GnosisSafeProxy`.
+- One increment of the nonce of the EOA that is the first entry in the owner set of the Safe Signer.

justfile

@@ -12,7 +12,7 @@ install-eip712sign:
   PATH="$REPO_ROOT/bin:$PATH"
   cd $REPO_ROOT
   mkdir -p bin || true
-  GOBIN="$REPO_ROOT/bin" go install github.com/base-org/[email protected].8
+  GOBIN="$REPO_ROOT/bin" go install github.com/base-org/[email protected].10
 
 # Bundle path should be provided including the .json file extension.
 add-transaction bundlePath to sig *params:

runbooks/key-handover.md

@@ -4,7 +4,7 @@ This document describes how to generate upgrade playbooks to upgrade chains to t
 
 ## Context
 
-One of the requirement for getting to Stage, 1 as defined by [L2Beat](https://medium.com/l2beat/introducing-stages-a-framework-to-evaluate-rollups-maturity-d290bb22befe) is having a Security Council in place. The Security Council acts as a safeguard in the system, ready to step in in the event of bugs or issues with the proof system. It must function through a multisig setup consisting of at least 8 participants and require a 50% consensus threshold. Furthermore, at least half of the participants must be external to the organization running the rollup, with a minimum of two outsiders required for consensus.
+One of the requirements for getting to Stage, 1 as defined by [L2Beat](https://medium.com/l2beat/introducing-stages-a-framework-to-evaluate-rollups-maturity-d290bb22befe) is having a Security Council in place. The Security Council acts as a safeguard in the system, ready to step in in the event of bugs or issues with the proof system. It must function through a multisig setup consisting of at least 8 participants and require a 50% consensus threshold. Furthermore, at least half of the participants must be external to the organization running the rollup, with a minimum of two outsiders required for consensus.
 
 This setup ensures a diversity of viewpoints and minimizes the risk of any single party exerting undue influence. For the sake of transparency and accountability, the identities (or the pseudonyms) of the council participants should also be publicly disclosed.
 

script/verification/DisputeGameUpgrade.s.sol

@@ -18,26 +18,34 @@ interface IASR {
     function superchainConfig() external view returns (address superchainConfig_);
 }
 
+interface IMIPS is ISemver {
+    function oracle() external view returns (address oracle_);
+}
+
 abstract contract DisputeGameUpgrade is VerificationBase, SuperchainRegistry {
     using LibString for string;
 
     bytes32 immutable expAbsolutePrestate;
     address immutable expFaultDisputeGame;
     address immutable expPermissionedDisputeGame;
+    DisputeGameFactory immutable dgfProxy;
 
     constructor(bytes32 _absolutePrestate, address _faultDisputeGame, address _permissionedDisputeGame) {
         expAbsolutePrestate = _absolutePrestate;
         expFaultDisputeGame = _faultDisputeGame;
         expPermissionedDisputeGame = _permissionedDisputeGame;
 
+        dgfProxy = DisputeGameFactory(proxies.DisputeGameFactory);
+
         addAllowedStorageAccess(proxies.DisputeGameFactory);
+
+        precheckDisputeGames();
     }
 
     /// @notice Public function that must be called by the verification script.
     function checkDisputeGameUpgrade() public view {
         console.log("check dispute game implementations");
 
-        DisputeGameFactory dgfProxy = DisputeGameFactory(proxies.DisputeGameFactory);
         FaultDisputeGame faultDisputeGame = FaultDisputeGame(address(dgfProxy.gameImpls(GameTypes.CANNON)));
         PermissionedDisputeGame permissionedDisputeGame =
             PermissionedDisputeGame(address(dgfProxy.gameImpls(GameTypes.PERMISSIONED_CANNON)));
@@ -86,4 +94,53 @@ abstract contract DisputeGameUpgrade is VerificationBase, SuperchainRegistry {
 
         require(address(faultDisputeGame.weth()) != address(permissionedDisputeGame.weth()), "weth-200");
     }
+
+    function precheckDisputeGames() internal view {
+        _precheckDisputeGameImplementation(GameType.wrap(0), expFaultDisputeGame);
+        _precheckDisputeGameImplementation(GameType.wrap(1), expPermissionedDisputeGame);
+    }
+
+    // _precheckDisputeGameImplementation checks that the new game being set has the same
+    // configuration as the existing implementation.
+    function _precheckDisputeGameImplementation(GameType _targetGameType, address _newImpl) internal view {
+        console.log("pre-check new game implementation", _targetGameType.raw());
+
+        FaultDisputeGame currentGame = FaultDisputeGame(address(dgfProxy.gameImpls(GameType(_targetGameType))));
+        FaultDisputeGame newGame = FaultDisputeGame(_newImpl);
+
+        if (vm.envOr("DISPUTE_GAME_CHANGE_WETH", false)) {
+            console.log("Expecting DelayedWETH to change");
+            require(address(currentGame.weth()) != address(newGame.weth()), "pre-10");
+        } else {
+            console.log("Expecting DelayedWETH to stay the same");
+            require(address(currentGame.weth()) == address(newGame.weth()), "pre-10");
+        }
+
+        require(_targetGameType.raw() == newGame.gameType().raw(), "pre-20");
+        require(address(currentGame.anchorStateRegistry()) == address(newGame.anchorStateRegistry()), "pre-30");
+        require(currentGame.l2ChainId() == newGame.l2ChainId(), "pre-40");
+        require(currentGame.splitDepth() == newGame.splitDepth(), "pre-50");
+        require(currentGame.maxGameDepth() == newGame.maxGameDepth(), "pre-60");
+        require(currentGame.maxClockDuration().raw() == newGame.maxClockDuration().raw(), "pre-70");
+        require(currentGame.clockExtension().raw() == newGame.clockExtension().raw(), "pre-80");
+
+        if (_targetGameType.raw() == GameTypes.PERMISSIONED_CANNON.raw()) {
+            PermissionedDisputeGame currentPDG = PermissionedDisputeGame(address(currentGame));
+            PermissionedDisputeGame newPDG = PermissionedDisputeGame(address(newGame));
+            require(address(currentPDG.proposer()) == address(newPDG.proposer()), "pre-90");
+            require(address(currentPDG.challenger()) == address(newPDG.challenger()), "pre-100");
+        }
+
+        _precheckVm(newGame, currentGame);
+    }
+
+    // _precheckVm checks that the new VM has the same oracle as the old VM.
+    function _precheckVm(FaultDisputeGame _newGame, FaultDisputeGame _currentGame) internal view {
+        console.log("pre-check VM implementation", _newGame.gameType().raw());
+
+        IMIPS newVm = IMIPS(address(_newGame.vm()));
+        IMIPS currentVm = IMIPS(address(_currentGame.vm()));
+
+        require(newVm.oracle() == currentVm.oracle(), "vm-10");
+    }
 }

script/verification/Verification.s.sol

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: MIT
 pragma solidity ^0.8.15;
 
+import {console2 as console} from "forge-std/console2.sol";
 import {LibString} from "solady/utils/LibString.sol";
 import {Types} from "@eth-optimism-bedrock/scripts/Types.sol";
 import {CommonBase} from "forge-std/Base.sol";
@@ -75,6 +76,7 @@ contract SuperchainRegistry is CommonBase {
         opContractsReleaseQ = string.concat("\"op-contracts/", _opContractsRelease, "\"");
         _readSuperchainConfig();
         _readStandardVersions();
+        _applyOverrides();
     }
 
     /// @notice Reads the contract addresses from the superchain registry.
@@ -162,4 +164,15 @@ contract SuperchainRegistry is CommonBase {
     {
         sv_.version = stdToml.readString(data, string.concat("$.RELEASE.", key, ".version"));
     }
+
+    function _applyOverrides() internal {
+        try vm.envAddress("SCR_OVERRIDE_MIPS_ADDRESS") returns (address mips) {
+            console.log("SuperchainRegistry: overriding MIPS address to %s", mips);
+            standardVersions.MIPS.Address = mips;
+        } catch { /* Ignore, no override */ }
+        try vm.envString("SCR_OVERRIDE_MIPS_VERSION") returns (string memory ver) {
+            console.log("SuperchainRegistry: overriding MIPS version to %s", ver);
+            standardVersions.MIPS.version = ver;
+        } catch { /* Ignore, no override */ }
+    }
 }

tasks/eth/022-holocene-fp-upgrade/.env

@@ -7,4 +7,5 @@ SAFE_NONCE=6                                             # noop
 SAFE_NONCE_0XC2819DC788505AAC350142A7A707BF9D03E3BD03=8  # noop
 SAFE_NONCE_0X847B5C174615B1B7FDF770882256E2D3E95B9D92=11 # +1, task 021
 
-SIMULATE_WITHOUT_LEDGER=0 # 1
+# we change the WETH in this task, which is non-standard
+DISPUTE_GAME_CHANGE_WETH=true

tasks/eth/022-holocene-fp-upgrade/README.md

@@ -1,6 +1,6 @@
 # Holocene Hardfork Upgrade - OP Mainnet
 
-Status: READY TO SIGN
+Status: [EXECUTED](https://etherscan.io/tx/0x22ab07b0bb1bc8504256835d555307ff522b78651dca33c9cd5b05591ca5b4f7)
 
 ## Objective
 
@@ -10,8 +10,8 @@ The proposal was:
 
 - [X] [Posted](https://gov.optimism.io/t/upgrade-proposal-11-holocene-network-upgrade/9313) on the governance forum.
 - [X] [Approved](https://vote.optimism.io/proposals/20127877429053636874064552098716749508236019236440427814457915785398876262515) by Token House voting.
-- [ ] Not vetoed by the Citizens' house.
-- [ ] Executed on OP Mainnet.
+- [X] Not vetoed by the Citizens' house.
+- [X] Executed on OP Mainnet.
 
 The governance proposal should be treated as the source of truth and used to verify the correctness of the onchain operations.
 

tasks/eth/base-003-holocene-fp-upgrade/.env

@@ -0,0 +1,15 @@
+ETH_RPC_URL="https://ethereum.publicnode.com"
+
+# Base L1 PAO
+OWNER_SAFE=0x7bB41C3008B3f03FE483B28b8DB90e19Cf07595c
+# This is Base's safe but the Nested.just file uses council as a keyword and
+# we want to minimize changes
+COUNCIL_SAFE=0x9855054731540A48b28990B63DcF4f33d8AE46A1
+# Foundation Operations Safe
+FOUNDATION_SAFE=0x9BA6e03D8B90dE867373Db8cF1A58d2F7F006b3A
+
+# No nonce overrides needed, this is the next task for B1PAO, BOS, FOS.
+# But doing them anyways.
+SAFE_NONCE=4
+SAFE_NONCE_0X9855054731540A48B28990B63DCF4F33D8AE46A1=16
+SAFE_NONCE_0X9BA6E03D8B90DE867373DB8CF1A58D2F7F006B3A=97

tasks/eth/base-003-holocene-fp-upgrade/NestedSignFromJson.s.sol

@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.15;
+
+import {console2 as console} from "forge-std/console2.sol";
+import {Vm} from "forge-std/Vm.sol";
+import {stdJson} from "forge-std/StdJson.sol";
+import {Simulation} from "@base-contracts/script/universal/Simulation.sol";
+import {NestedSignFromJson as OriginalNestedSignFromJson} from "script/NestedSignFromJson.s.sol";
+import {DisputeGameUpgrade} from "script/verification/DisputeGameUpgrade.s.sol";
+import {CouncilFoundationNestedSign} from "script/verification/CouncilFoundationNestedSign.s.sol";
+import {SuperchainRegistry} from "script/verification/Verification.s.sol";
+
+contract NestedSignFromJson is OriginalNestedSignFromJson, CouncilFoundationNestedSign, DisputeGameUpgrade {
+    constructor()
+        SuperchainRegistry("mainnet", "base", "v1.8.0-rc.4")
+        DisputeGameUpgrade(
+            0x03f89406817db1ed7fd8b31e13300444652cdb0b9c509a674de43483b2f83568, // absolutePrestate
+            0xc5f3677c3C56DB4031ab005a3C9c98e1B79D438e, // faultDisputeGame
+            0xF62c15e2F99d4869A925B8F57076cD85335832A2 // permissionedDisputeGame
+        )
+    {}
+
+    function setUp() public view {
+        checkInput();
+    }
+
+    function checkInput() public view {
+        string memory inputJson;
+        string memory path = "/tasks/eth/base-003-holocene-fp-upgrade/input.json";
+        try vm.readFile(string.concat(vm.projectRoot(), path)) returns (string memory data) {
+            inputJson = data;
+        } catch {
+            revert(string.concat("Failed to read ", path));
+        }
+
+        address inputPermissionedDisputeGame =
+            stdJson.readAddress(inputJson, "$.transactions[0].contractInputsValues._impl");
+        address inputFaultDisputeGame = stdJson.readAddress(inputJson, "$.transactions[1].contractInputsValues._impl");
+        require(expPermissionedDisputeGame == inputPermissionedDisputeGame, "input-pdg");
+        require(expFaultDisputeGame == inputFaultDisputeGame, "input-fdg");
+    }
+
+    function _postCheck(Vm.AccountAccess[] memory accesses, Simulation.Payload memory) internal view override {
+        console.log("Running post-deploy assertions");
+        checkStateDiff(accesses);
+        checkDisputeGameUpgrade();
+        console.log("All assertions passed!");
+    }
+
+    function getAllowedStorageAccess() internal view override returns (address[] memory) {
+        return allowedStorageAccess;
+    }
+
+    function getCodeExceptions() internal view override returns (address[] memory) {
+        return codeExceptions;
+    }
+}