feat: user access management (#870)

* feat: unified access management fix: test/compile chore: use helper func in modifier chore: remove extra * test: add UAM to unit tests * refactor: delegate -> appointee * refactor: setAdmin -> addAdmin * fix: prevent 0 admins * refactor: bitshift encode/decode * feat: short-circuit _checkCanCall * test: basic reversability * feat: admin 2-step fix: remove external call * chore: fix compile/test * feat: use opSet length as avs check * chore: format * refactor: getoperatorsetcount * fix: msg.sender in delegatoinapproverupdated * chore: format
Layr-Labs · Nov 26, 2024 · eb9a614 · eb9a614
1 parent d1c9402
commit eb9a614
Show file tree

Hide file tree

Showing 35 changed files with 1,584 additions and 311 deletions.
diff --git a/docs/release/slashing/AllocationManager.md b/docs/release/slashing/AllocationManager.md
@@ -22,21 +22,12 @@ The AllocationManager contract manages the allocation and reallocation of operat
 
 ```solidity
 /**
- * @notice Called by the delagation manager to set delay when operators register.
+ * @notice Called by operators or the delegation manager to set their allocation delay.
  * @param operator The operator to set the delay on behalf of.
  * @param delay The allocation delay in seconds.
- * @dev msg.sender is assumed to be the delegation manager.
  */
 function setAllocationDelay(address operator, uint32 delay) external;
 
-/**
- * @notice Called by operators to set their allocation delay.
- * @param delay the allocation delay in seconds
- * @dev msg.sender is assumed to be the operator
- */
-function setAllocationDelay(uint32 delay) external;
-```
-
 These functions allow operators to set their allocation delay. The first variant is called by the DelegationManager upon operator registration for all new operators created after the slashing release. The second variant is called by operators themselves to update their allocation delay or set it for the first time if they joined before the slashing release.
 
 The allocation delay takes effect in `ALLOCATION_CONFIGURATION_DELAY` seconds.

diff --git a/script/deploy/devnet/deploy_from_scratch.s.sol b/script/deploy/devnet/deploy_from_scratch.s.sol
@@ -13,6 +13,7 @@ import "../../../src/contracts/core/DelegationManager.sol";
 import "../../../src/contracts/core/AVSDirectory.sol";
 import "../../../src/contracts/core/RewardsCoordinator.sol";
 import "../../../src/contracts/core/AllocationManager.sol";
+import "../../../src/contracts/permissions/PermissionController.sol";
 
 import "../../../src/contracts/strategies/StrategyBaseTVLLimits.sol";
 import "../../../src/contracts/strategies/StrategyFactory.sol";
@@ -60,6 +61,8 @@ contract DeployFromScratch is Script, Test {
     StrategyBase public baseStrategyImplementation;
     AllocationManager public allocationManagerImplementation;
     AllocationManager public allocationManager;
+    PermissionController public permissionController;
+    PermissionController public permissionControllerImplementation;
 
     EmptyContract public emptyContract;
 
@@ -210,6 +213,9 @@ contract DeployFromScratch is Script, Test {
         strategyFactory = StrategyFactory(
             address(new TransparentUpgradeableProxy(address(emptyContract), address(eigenLayerProxyAdmin), ""))
         );
+        permissionController = PermissionController(
+            address(new TransparentUpgradeableProxy(address(emptyContract), address(eigenLayerProxyAdmin), ""))
+        );
 
         // if on mainnet, use the ETH2 deposit contract address
         if (chainId == 1) {
@@ -228,7 +234,7 @@ contract DeployFromScratch is Script, Test {
 
         // Second, deploy the *implementation* contracts, using the *proxy contracts* as inputs
 
-        delegationImplementation = new DelegationManager(avsDirectory, strategyManager, eigenPodManager, allocationManager, eigenLayerPauserReg, MIN_WITHDRAWAL_DELAY);
+        delegationImplementation = new DelegationManager(avsDirectory, strategyManager, eigenPodManager, allocationManager, eigenLayerPauserReg, permissionController, MIN_WITHDRAWAL_DELAY);
         strategyManagerImplementation = new StrategyManager(delegation, eigenLayerPauserReg);
         avsDirectoryImplementation = new AVSDirectory(delegation, eigenLayerPauserReg);
         eigenPodManagerImplementation = new EigenPodManager(
@@ -241,14 +247,17 @@ contract DeployFromScratch is Script, Test {
         rewardsCoordinatorImplementation = new RewardsCoordinator(
             delegation,
             strategyManager,
+            allocationManager,
             eigenLayerPauserReg,
+            permissionController,
             REWARDS_COORDINATOR_CALCULATION_INTERVAL_SECONDS,
             REWARDS_COORDINATOR_MAX_REWARDS_DURATION,
             REWARDS_COORDINATOR_MAX_RETROACTIVE_LENGTH,
             REWARDS_COORDINATOR_MAX_FUTURE_LENGTH,
             REWARDS_COORDINATOR_GENESIS_REWARDS_TIMESTAMP
         );
-        allocationManagerImplementation = new AllocationManager(delegation, eigenLayerPauserReg, DEALLOCATION_DELAY, ALLOCATION_CONFIGURATION_DELAY);
+        allocationManagerImplementation = new AllocationManager(delegation, eigenLayerPauserReg, permissionController, DEALLOCATION_DELAY, ALLOCATION_CONFIGURATION_DELAY);
+        permissionControllerImplementation = new PermissionController();
         strategyFactoryImplementation = new StrategyFactory(strategyManager, eigenLayerPauserReg);
 
         // Third, upgrade the proxy contracts to use the correct implementation contracts and initialize them.
@@ -310,6 +319,14 @@ contract DeployFromScratch is Script, Test {
             )
         );
 
+        eigenLayerProxyAdmin.upgradeAndCall(
+            ITransparentUpgradeableProxy(payable(address(permissionController))),
+            address(permissionControllerImplementation),
+            abi.encodeWithSelector(
+                PermissionController.initialize.selector
+            )
+        );
+
         // Deploy strategyFactory & base
         // Create base strategy implementation
         baseStrategyImplementation = new StrategyBase(strategyManager, eigenLayerPauserReg);

diff --git a/script/deploy/holesky/Deploy_Test_RewardsCoordinator.s.sol b/script/deploy/holesky/Deploy_Test_RewardsCoordinator.s.sol
@@ -46,7 +46,9 @@ contract Deploy_Test_RewardsCoordinator is ExistingDeploymentParser {
         rewardsCoordinatorImplementation = new RewardsCoordinator(
             delegationManager,
             strategyManager,
+            allocationManager,
             eigenLayerPauserReg,
+            permissionController,
             REWARDS_COORDINATOR_CALCULATION_INTERVAL_SECONDS,
             REWARDS_COORDINATOR_MAX_REWARDS_DURATION,
             REWARDS_COORDINATOR_MAX_RETROACTIVE_LENGTH,
@@ -79,7 +81,9 @@ contract Deploy_Test_RewardsCoordinator is ExistingDeploymentParser {
         rewardsCoordinatorImplementation = new RewardsCoordinator(
             delegationManager,
             strategyManager,
+            allocationManager,
             eigenLayerPauserReg,
+            permissionController,
             REWARDS_COORDINATOR_CALCULATION_INTERVAL_SECONDS,
             REWARDS_COORDINATOR_MAX_REWARDS_DURATION,
             REWARDS_COORDINATOR_MAX_RETROACTIVE_LENGTH,
@@ -120,7 +124,9 @@ contract Deploy_Test_RewardsCoordinator is ExistingDeploymentParser {
         rewardsCoordinatorImplementation = new RewardsCoordinator(
             delegationManager,
             strategyManager,
+            allocationManager,
             eigenLayerPauserReg,
+            permissionController,
             REWARDS_COORDINATOR_CALCULATION_INTERVAL_SECONDS,
             REWARDS_COORDINATOR_MAX_REWARDS_DURATION,
             REWARDS_COORDINATOR_MAX_RETROACTIVE_LENGTH,

diff --git a/script/deploy/holesky/M2_Deploy_From_Scratch.s.sol b/script/deploy/holesky/M2_Deploy_From_Scratch.s.sol
@@ -77,7 +77,7 @@ contract M2_Deploy_Holesky_From_Scratch is ExistingDeploymentParser {
 
         eigenPodBeacon = new UpgradeableBeacon(address(eigenPodImplementation));
         avsDirectoryImplementation = new AVSDirectory(delegationManager, eigenLayerPauserReg);
-        delegationManagerImplementation = new DelegationManager(avsDirectory, strategyManager, eigenPodManager, allocationManager, eigenLayerPauserReg, MIN_WITHDRAWAL_DELAY);
+        delegationManagerImplementation = new DelegationManager(avsDirectory, strategyManager, eigenPodManager, allocationManager, eigenLayerPauserReg, permissionController, MIN_WITHDRAWAL_DELAY);
         strategyManagerImplementation = new StrategyManager(delegationManager, eigenLayerPauserReg);
         eigenPodManagerImplementation = new EigenPodManager(
             IETHPOSDeposit(ETHPOSDepositAddress),
@@ -86,7 +86,8 @@ contract M2_Deploy_Holesky_From_Scratch is ExistingDeploymentParser {
             delegationManager,
             eigenLayerPauserReg
         );
-        allocationManagerImplementation = new AllocationManager(delegationManager, eigenLayerPauserReg, DEALLOCATION_DELAY, ALLOCATION_CONFIGURATION_DELAY);
+        allocationManagerImplementation = new AllocationManager(delegationManager, eigenLayerPauserReg, permissionController, DEALLOCATION_DELAY, ALLOCATION_CONFIGURATION_DELAY);
+        permissionControllerImplementation = new PermissionController();
 
         // Third, upgrade the proxy contracts to point to the implementations
         IStrategy[] memory initializeStrategiesToSetDelayBlocks = new IStrategy[](0);
@@ -150,6 +151,14 @@ contract M2_Deploy_Holesky_From_Scratch is ExistingDeploymentParser {
                 ALLOCATION_MANAGER_INIT_PAUSED_STATUS
             )
         );
+        // PermissionController
+        eigenLayerProxyAdmin.upgradeAndCall(
+            ITransparentUpgradeableProxy(payable(address(permissionController))),
+            address(permissionControllerImplementation),
+            abi.encodeWithSelector(
+                PermissionController.initialize.selector
+            )
+        );
 
         // Deploy Strategies
         baseStrategyImplementation = new StrategyBaseTVLLimits(strategyManager, eigenLayerPauserReg);

diff --git a/script/deploy/holesky/v0.4.3-upgrade_testnet_rewardsCoordinator.s.sol b/script/deploy/holesky/v0.4.3-upgrade_testnet_rewardsCoordinator.s.sol
@@ -24,7 +24,9 @@ contract Upgrade_Testnet_RewardsCoordinator is Deploy_Test_RewardsCoordinator, T
         rewardsCoordinatorImplementation = new RewardsCoordinator(
             delegationManager,
             strategyManager,
+            allocationManager,
             eigenLayerPauserReg,
+            permissionController,
             REWARDS_COORDINATOR_CALCULATION_INTERVAL_SECONDS,
             REWARDS_COORDINATOR_MAX_REWARDS_DURATION,
             REWARDS_COORDINATOR_MAX_RETROACTIVE_LENGTH,

diff --git a/script/deploy/local/Deploy_From_Scratch.s.sol b/script/deploy/local/Deploy_From_Scratch.s.sol
@@ -13,6 +13,7 @@ import "../../../src/contracts/core/DelegationManager.sol";
 import "../../../src/contracts/core/AVSDirectory.sol";
 import "../../../src/contracts/core/RewardsCoordinator.sol";
 import "../../../src/contracts/core/AllocationManager.sol";
+import "../../../src/contracts/permissions/PermissionController.sol";
 
 import "../../../src/contracts/strategies/StrategyBaseTVLLimits.sol";
 
@@ -63,6 +64,8 @@ contract DeployFromScratch is Script, Test {
     StrategyBase public baseStrategyImplementation;
     AllocationManager public allocationManagerImplementation;
     AllocationManager public allocationManager;
+    PermissionController public permissionController;
+    PermissionController public permissionControllerImplementation;
 
     EmptyContract public emptyContract;
 
@@ -216,6 +219,9 @@ contract DeployFromScratch is Script, Test {
         allocationManager = AllocationManager(
             address(new TransparentUpgradeableProxy(address(emptyContract), address(eigenLayerProxyAdmin), ""))
         );
+        permissionController = PermissionController(
+            address(new TransparentUpgradeableProxy(address(emptyContract), address(eigenLayerProxyAdmin), ""))
+        );
 
         // if on mainnet, use the ETH2 deposit contract address
         if (chainId == 1) {
@@ -234,7 +240,7 @@ contract DeployFromScratch is Script, Test {
 
         // Second, deploy the *implementation* contracts, using the *proxy contracts* as inputs
 
-        delegationImplementation = new DelegationManager(avsDirectory, strategyManager, eigenPodManager, allocationManager, eigenLayerPauserReg, MIN_WITHDRAWAL_DELAY);
+        delegationImplementation = new DelegationManager(avsDirectory, strategyManager, eigenPodManager, allocationManager, eigenLayerPauserReg, permissionController, MIN_WITHDRAWAL_DELAY);
         strategyManagerImplementation = new StrategyManager(delegation, eigenLayerPauserReg);
         avsDirectoryImplementation = new AVSDirectory(delegation, eigenLayerPauserReg);
         eigenPodManagerImplementation = new EigenPodManager(
@@ -247,14 +253,17 @@ contract DeployFromScratch is Script, Test {
         rewardsCoordinatorImplementation = new RewardsCoordinator(
             delegation,
             strategyManager,
+            allocationManager,
             eigenLayerPauserReg,
+            permissionController,
             REWARDS_COORDINATOR_CALCULATION_INTERVAL_SECONDS,
             REWARDS_COORDINATOR_MAX_REWARDS_DURATION,
             REWARDS_COORDINATOR_MAX_RETROACTIVE_LENGTH,
             REWARDS_COORDINATOR_MAX_FUTURE_LENGTH,
             REWARDS_COORDINATOR_GENESIS_REWARDS_TIMESTAMP
         );
-        allocationManagerImplementation = new AllocationManager(delegation, eigenLayerPauserReg, DEALLOCATION_DELAY, ALLOCATION_CONFIGURATION_DELAY);
+        allocationManagerImplementation = new AllocationManager(delegation, eigenLayerPauserReg, permissionController, DEALLOCATION_DELAY, ALLOCATION_CONFIGURATION_DELAY);
+        permissionControllerImplementation = new PermissionController();
 
         // Third, upgrade the proxy contracts to use the correct implementation contracts and initialize them.
         {
@@ -320,6 +329,14 @@ contract DeployFromScratch is Script, Test {
             )
         );
 
+        eigenLayerProxyAdmin.upgradeAndCall(
+            ITransparentUpgradeableProxy(payable(address(permissionController))),
+            address(permissionControllerImplementation),
+            abi.encodeWithSelector(
+                PermissionController.initialize.selector
+            )
+        );
+
         // deploy StrategyBaseTVLLimits contract implementation
         baseStrategyImplementation = new StrategyBaseTVLLimits(strategyManager, eigenLayerPauserReg);
         // create upgradeable proxies that each point to the implementation and initialize them

diff --git a/script/deploy/local/deploy_from_scratch.slashing.s.sol b/script/deploy/local/deploy_from_scratch.slashing.s.sol
@@ -13,6 +13,7 @@ import "../../../src/contracts/core/DelegationManager.sol";
 import "../../../src/contracts/core/AVSDirectory.sol";
 import "../../../src/contracts/core/RewardsCoordinator.sol";
 import "../../../src/contracts/core/AllocationManager.sol";
+import "../../../src/contracts/permissions/PermissionController.sol";
 
 import "../../../src/contracts/strategies/StrategyBaseTVLLimits.sol";
 
@@ -63,6 +64,8 @@ contract DeployFromScratch is Script, Test {
     StrategyBase public baseStrategyImplementation;
     AllocationManager public allocationManagerImplementation;
     AllocationManager public allocationManager;
+    PermissionController public permissionControllerImplementation;
+    PermissionController public permissionController;
 
     EmptyContract public emptyContract;
 
@@ -217,6 +220,9 @@ contract DeployFromScratch is Script, Test {
         allocationManager = AllocationManager(
             address(new TransparentUpgradeableProxy(address(emptyContract), address(eigenLayerProxyAdmin), ""))
         );
+        permissionController = PermissionController(
+            address(new TransparentUpgradeableProxy(address(emptyContract), address(eigenLayerProxyAdmin), ""))
+        );
 
         // if on mainnet, use the ETH2 deposit contract address
         if (chainId == 1) {
@@ -235,7 +241,7 @@ contract DeployFromScratch is Script, Test {
 
         // Second, deploy the *implementation* contracts, using the *proxy contracts* as inputs
 
-        delegationImplementation = new DelegationManager(avsDirectory, strategyManager, eigenPodManager, allocationManager, eigenLayerPauserReg, MIN_WITHDRAWAL_DELAY);
+        delegationImplementation = new DelegationManager(avsDirectory, strategyManager, eigenPodManager, allocationManager, eigenLayerPauserReg, permissionController, MIN_WITHDRAWAL_DELAY);
         strategyManagerImplementation = new StrategyManager(delegation, eigenLayerPauserReg);
         avsDirectoryImplementation = new AVSDirectory(delegation, eigenLayerPauserReg);
         eigenPodManagerImplementation = new EigenPodManager(
@@ -248,14 +254,17 @@ contract DeployFromScratch is Script, Test {
         rewardsCoordinatorImplementation = new RewardsCoordinator(
             delegation,
             strategyManager,
+            allocationManager,
             eigenLayerPauserReg,
+            permissionController,
             REWARDS_COORDINATOR_CALCULATION_INTERVAL_SECONDS,
             REWARDS_COORDINATOR_MAX_REWARDS_DURATION,
             REWARDS_COORDINATOR_MAX_RETROACTIVE_LENGTH,
             REWARDS_COORDINATOR_MAX_FUTURE_LENGTH,
             REWARDS_COORDINATOR_GENESIS_REWARDS_TIMESTAMP
         );
-        allocationManagerImplementation = new AllocationManager(delegation, eigenLayerPauserReg, DEALLOCATION_DELAY, ALLOCATION_CONFIGURATION_DELAY);
+        allocationManagerImplementation = new AllocationManager(delegation, eigenLayerPauserReg, permissionController, DEALLOCATION_DELAY, ALLOCATION_CONFIGURATION_DELAY);
+        permissionControllerImplementation = new PermissionController();
 
         // Third, upgrade the proxy contracts to use the correct implementation contracts and initialize them.
         {
@@ -321,6 +330,12 @@ contract DeployFromScratch is Script, Test {
             )
         );
 
+        eigenLayerProxyAdmin.upgradeAndCall(
+            ITransparentUpgradeableProxy(payable(address(permissionController))),
+            address(permissionControllerImplementation),
+            abi.encodeWithSelector(PermissionController.initialize.selector)
+        );
+
         // deploy StrategyBaseTVLLimits contract implementation
         baseStrategyImplementation = new StrategyBaseTVLLimits(strategyManager, eigenLayerPauserReg);
         // create upgradeable proxies that each point to the implementation and initialize them

diff --git a/script/deploy/mainnet/v0.3.0-mainnet-rewards.s.sol b/script/deploy/mainnet/v0.3.0-mainnet-rewards.s.sol
@@ -52,7 +52,9 @@ contract MainnetRewardsCoordinatorDeploy is ExistingDeploymentParser {
         rewardsCoordinatorImplementation = new RewardsCoordinator(
             delegationManager,
             strategyManager,
+            allocationManager,
             eigenLayerPauserReg,
+            permissionController,
             REWARDS_COORDINATOR_CALCULATION_INTERVAL_SECONDS,
             REWARDS_COORDINATOR_MAX_REWARDS_DURATION,
             REWARDS_COORDINATOR_MAX_RETROACTIVE_LENGTH,
@@ -85,7 +87,9 @@ contract MainnetRewardsCoordinatorDeploy is ExistingDeploymentParser {
         rewardsCoordinatorImplementation = new RewardsCoordinator(
             delegationManager,
             strategyManager,
+            allocationManager,
             eigenLayerPauserReg,
+            permissionController,
             REWARDS_COORDINATOR_CALCULATION_INTERVAL_SECONDS,
             REWARDS_COORDINATOR_MAX_REWARDS_DURATION,
             REWARDS_COORDINATOR_MAX_RETROACTIVE_LENGTH,

diff --git a/script/deploy/mainnet/v0.4.3-upgrade_rewardsCoordinator.s.sol b/script/deploy/mainnet/v0.4.3-upgrade_rewardsCoordinator.s.sol
@@ -49,7 +49,9 @@ contract Upgrade_Mainnet_RewardsCoordinator is ExistingDeploymentParser, Timeloc
         rewardsCoordinatorImplementation = new RewardsCoordinator(
             delegationManager,
             strategyManager,
+            allocationManager,
             eigenLayerPauserReg,
+            permissionController,
             REWARDS_COORDINATOR_CALCULATION_INTERVAL_SECONDS,
             REWARDS_COORDINATOR_MAX_REWARDS_DURATION,
             REWARDS_COORDINATOR_MAX_RETROACTIVE_LENGTH,

diff --git a/script/tasks/allocate_operatorSet.s.sol b/script/tasks/allocate_operatorSet.s.sol
@@ -51,7 +51,7 @@ contract AllocateOperatorSet is Script, Test {
         });
 
         // Perform allocation
-        am.modifyAllocations(allocations);
+        am.modifyAllocations(msg.sender, allocations);
 
         // STOP RECORDING TRANSACTIONS FOR DEPLOYMENT
         vm.stopBroadcast();

diff --git a/script/tasks/register_operator_to_operatorSet.s.sol b/script/tasks/register_operator_to_operatorSet.s.sol
@@ -60,23 +60,23 @@ contract RegisterOperatorToOperatorSets is Script, Test {
             operatorSetId: 1,
             strategies: strategies
         });
-        allocationManager.createOperatorSets(sets);
+        allocationManager.createOperatorSets(msg.sender, sets);
 
         // Register the Operator to the AVS
         avsDirectory.registerOperatorToAVS(
             operator, ISignatureUtils.SignatureWithSaltAndExpiry(abi.encodePacked(r, s, v), bytes32(uint256(0) + 1), expiry)
         );
 
-        // Deploy and set registrar
-        allocationManager.setAVSRegistrar(new AVSRegistrar());
+        // Deploy and set registrar.
+        allocationManager.setAVSRegistrar(msg.sender, new AVSRegistrar());
 
         // Register OperatorSet(s)
         IAllocationManagerTypes.RegisterParams memory register = IAllocationManagerTypes.RegisterParams({
             avs: operator,
             operatorSetIds: oids,
             data: ""
         });
-        allocationManager.registerForOperatorSets(register);
+        allocationManager.registerForOperatorSets(operator, register);
 
         // STOP RECORDING TRANSACTIONS FOR DEPLOYMENT
         vm.stopBroadcast();

diff --git a/script/tasks/slash_operatorSet.s.sol b/script/tasks/slash_operatorSet.s.sol
@@ -35,7 +35,7 @@ contract SlashOperatorSet is Script, Test {
         });
 
         // Perform slashing
-        am.slashOperator(slashing);
+        am.slashOperator(operator, slashing);
 
         // STOP RECORDING TRANSACTIONS FOR DEPLOYMENT
         vm.stopBroadcast();