forked from solidity-labs-io/kleidi
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathTimelock.sol
1353 lines (1175 loc) · 52.9 KB
/
Timelock.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
pragma solidity 0.8.25;
import {
AccessControl,
IAccessControl
} from "@openzeppelin-contracts/contracts/access/AccessControl.sol";
import {AccessControlEnumerable} from
"@openzeppelin-contracts/contracts/access/extensions/AccessControlEnumerable.sol";
import {IERC1155Receiver} from
"@openzeppelin-contracts/contracts/token/ERC1155/IERC1155Receiver.sol";
import {IERC721Receiver} from
"@openzeppelin-contracts/contracts/token/ERC721/IERC721Receiver.sol";
import {
IERC165,
ERC165
} from "@openzeppelin-contracts/contracts/utils/introspection/ERC165.sol";
import {EnumerableSet} from
"@openzeppelin-contracts/contracts/utils/structs/EnumerableSet.sol";
import {Safe} from "@safe/Safe.sol";
import {BytesHelper} from "src/BytesHelper.sol";
import {ConfigurablePause} from "src/ConfigurablePause.sol";
import {
MIN_DELAY,
MAX_DELAY,
_DONE_TIMESTAMP,
MAX_PROPOSAL_COUNT
} from "src/utils/Constants.sol";
/// @notice DO NOT DEPLOY OUTSIDE OF INSTANCE DEPLOYER
/// @notice known issues:
/// - a malicious pauser can cancel all in flight proposals,
/// for the pause duration, effectively locking funds for
/// this period.
/// - a recovery spell or other gnosis safe module could bypass all
/// pause restrictions on proposing actions to the timelock. This is
/// because module transactions are not checked against a guard. The
/// current implemention of recovery spells bypass the waiting period to
/// rotate signers.
/// - incorrectly formed whitelisted calldata can allow safe
/// owners the ability to steal funds. E.g. whitelist a calldata
/// to approve a token transfer to an arbitrary address.
/// the owner must ensure no calldata is created that allows this.
/// There are no checks on native asset balance enshrined into this contract
/// because it is impossible to reason about the state of the native asset
/// given this contract may withdraw from DeFi protocols, or wrap or unwrap
/// WETH, thus increasing or decreasing the native balance.
/// => means implies
/// @notice protocol invariants:
/// - there should be no whitelisted calldata checks for the timelock itself.
/// this ensures there is no way to instantly make modifications to the
/// timelock.
/// - all parameter changes must pass through the timelock proposing to itself
/// - only safe can propose actions to the timelock.
/// - only hot signers can execute whitelisted calldatas.
/// - anyone can execute a proposal that has passed the timelock if it has not
/// expired.
/// - whitelisted calldata can be executed at any time the contract is not
/// paused.
/// - pausing clears all queued timelock actions
/// - the timelock can only be paused by the pause guardian
/// - pausing the timelock revokes the pause guardian
/// - the timelock automatically unpauses after the pause duration
/// - getAllProposals length gt 0 => contract is not paused
/// - contract is paused => getAllProposals length is 0
/// - getAllProposal length eq 0 does not => contract is paused
/// This contract is self administered, meaning administration
/// tasks have to go through the timelock process. The gnosis safe can
/// propose timelocked operations which then modify the timelock parameters.
contract Timelock is
ConfigurablePause,
AccessControlEnumerable,
IERC1155Receiver,
IERC721Receiver
{
using EnumerableSet for EnumerableSet.Bytes32Set;
using BytesHelper for bytes;
/// ---------------------------------------------------------
/// ---------------------------------------------------------
/// ----------------------- IMMUTABLE -----------------------
/// ---------------------------------------------------------
/// ---------------------------------------------------------
/// @notice the safe address that governs this timelock
address public immutable safe;
/// @notice role for hot wallet signers that can instantly execute actions
/// in DeFi
bytes32 public constant HOT_SIGNER_ROLE = keccak256("HOT_SIGNER_ROLE");
/// ---------------------------------------------------------
/// ---------------------------------------------------------
/// ------------------- STORAGE VARIABLES -------------------
/// ---------------------------------------------------------
/// ---------------------------------------------------------
/// @notice whether the contract has been initialized
bool public initialized;
/// @notice minimum delay for all timelock proposals
uint256 public minDelay;
/// @notice the period of time after which a proposal will be considered
/// expired if it has not been executed.
uint256 public expirationPeriod;
/// @notice store list of all live proposals, remove from set once executed or cancelled
EnumerableSet.Bytes32Set private _liveProposals;
/// @notice mapping of proposal id to execution time
mapping(bytes32 proposalId => uint256 executionTime) public timestamps;
/// @notice mapping of contract address to function selector to array of Index structs
mapping(
address contractAddress
=> mapping(bytes4 selector => Index[] calldataChecks)
) private _calldataList;
/// minDelay >= MIN_DELAY && minDelay <= MAX_DELAY
/// 1. proposed and not ready for execution
/// - propose
/// liveProposals adds id
/// timestamps maps the time the proposal will be ready to execute
/// - if you have just proposed, timestamps map should be gt 1
/// if proposalId in _liveProposals => timestamps[proposalId] >= MIN_DELAY
/// 2. proposed and ready for execution
/// - propose
/// - wait
/// 3. proposed and executed
/// - propose
/// - execute
/// liveProposals removes id
/// timestamps map should be 1
/// timestamps[proposalId] == 1 => id not in _liveProposals
/// 3. proposed and not executable
/// - propose
/// - wait too long
/// - proposal cannot be executed as it has expired
/// - cleanup can remove the proposalId from the enumerable set
/// - the timestamp will remain in the timestamps mapping forever
/// check if lte or lt
/// if timestamps[proposalId] + expirationPeriod < block.timestamp
/// => not executable => id in liveProposals
/// 4. proposed and canceled
/// - pause
/// - cancel
/// liveProposals removes id
/// timestamps map should be 0
/// ---------------------------------------------------------
/// ---------------------------------------------------------
/// ------------------------ EVENTS -------------------------
/// ---------------------------------------------------------
/// ---------------------------------------------------------
/// @notice Emitted when a call is scheduled as part of operation `id`.
/// @param id unique identifier for the operation
/// @param index index of the call within the operation, non zero if not first call in a batch
/// @param target the address of the contract to call
/// @param value the amount of native asset to send with the call
/// @param data the calldata to send with the call
/// @param salt the salt to be used in the operation
/// @param delay the delay before the operation becomes valid
event CallScheduled(
bytes32 indexed id,
uint256 indexed index,
address indexed target,
uint256 value,
bytes data,
bytes32 salt,
uint256 delay
);
/// @notice Emitted when a call is performed as part of operation `id`.
/// @param id unique identifier for the operation
/// @param index index of the call within the operation, non zero if not first call in a batch
/// @param target the address of the contract called
/// @param value the amount of native asset sent with the call
/// @param data the calldata sent with the call
event CallExecuted(
bytes32 indexed id,
uint256 indexed index,
address target,
uint256 value,
bytes data
);
/// @notice Emitted when operation `id` is cancelled.
/// @param id unique identifier for the canceled operation
event Cancelled(bytes32 indexed id);
/// @notice Emitted when operation `id` is cleaned up.
/// @param id unique identifier for the cleaned operation
event Cleanup(bytes32 indexed id);
/// @notice Emitted when the minimum delay for future operations is modified.
/// @param oldDuration old minimum delay
/// @param newDuration new minimum delay
event MinDelayChange(uint256 indexed oldDuration, uint256 newDuration);
/// @notice Emitted when the expiration period is modified
/// @param oldPeriod old expiration period
/// @param newPeriod new expiration period
event ExpirationPeriodChange(uint256 indexed oldPeriod, uint256 newPeriod);
/// @notice Emitted when native currency is received
/// @param sender the address that sent the native currency
/// @param value the amount of native currency received
event NativeTokensReceived(address indexed sender, uint256 value);
/// @notice event emitted when a new calldata check is added
/// @param contractAddress the address of the contract that the calldata check is added to
/// @param selector the function selector of the function that the calldata check is added to
/// @param startIndex the start index of the calldata
/// @param endIndex the end index of the calldata
/// @param dataHash the hash of the calldata that is stored
event CalldataAdded(
address indexed contractAddress,
bytes4 indexed selector,
uint16 startIndex,
uint16 endIndex,
bytes32[] dataHash
);
/// @notice event emitted when a calldata check is removed
/// @param contractAddress the address of the contract that the calldata check is removed from
/// @param selector the function selector of the function that the calldata check is removed from
/// @param startIndex the start index of the calldata
/// @param endIndex the end index of the calldata
/// @param dataHash the hash of the calldata that is stored
event CalldataRemoved(
address indexed contractAddress,
bytes4 indexed selector,
uint16 startIndex,
uint16 endIndex,
bytes32[] dataHash
);
/// @notice struct used to store the start and end index of the calldata
/// and the calldata itself.
/// Once the calldata is stored, it can be used to check if the calldata
/// conforms to the expected values.
struct Index {
uint16 startIndex;
uint16 endIndex;
EnumerableSet.Bytes32Set dataHashes;
}
/// @notice struct used to return Index data
struct IndexData {
uint16 startIndex;
uint16 endIndex;
bytes32[] dataHashes;
}
/// @notice Initializes the contract with the following parameters:
/// @param _safe safe contract that owns this timelock
/// @param _minDelay initial minimum delay for operations
/// @param _expirationPeriod timelocked actions expiration period
/// @param _pauser address that can pause the contract
/// @param _pauseDuration duration the contract can be paused for
/// @param hotSigners accounts that can execute whitelisted calldata
constructor(
address _safe,
uint256 _minDelay,
uint256 _expirationPeriod,
address _pauser,
uint128 _pauseDuration,
address[] memory hotSigners
) {
safe = _safe;
require(
_minDelay >= MIN_DELAY && _minDelay <= MAX_DELAY,
"Timelock: delay out of bounds"
);
minDelay = _minDelay;
emit MinDelayChange(0, minDelay);
require(
_expirationPeriod >= MIN_DELAY,
"Timelock: expiration period too short"
);
expirationPeriod = _expirationPeriod;
emit ExpirationPeriodChange(0, _expirationPeriod);
_grantGuardian(_pauser);
_updatePauseDuration(_pauseDuration);
/// grant the timelock the default admin role so that it can manage the
/// hot signer role
_grantRole(DEFAULT_ADMIN_ROLE, address(this));
/// set the admin of the hot signer role to the default admin role
_setRoleAdmin(HOT_SIGNER_ROLE, DEFAULT_ADMIN_ROLE);
for (uint256 i = 0; i < hotSigners.length; i++) {
_grantRole(HOT_SIGNER_ROLE, hotSigners[i]);
}
}
/// @param contractAddresses the address of the contract that the calldata check is added to
/// @param selectors the function selector of the function that the calldata check is added to
/// @param startIndexes the start indexes of the calldata
/// @param endIndexes the end indexes of the calldata
/// @param datas the calldata that is stored
function initialize(
address[] memory contractAddresses,
bytes4[] memory selectors,
uint16[] memory startIndexes,
uint16[] memory endIndexes,
bytes[][] memory datas
) external {
require(!initialized, "Timelock: already initialized");
initialized = true;
_addCalldataChecks(
contractAddresses, selectors, startIndexes, endIndexes, datas
);
}
/// ---------------------------------------------------------------
/// ---------------------------------------------------------------
/// -------------------------- Modifiers --------------------------
/// ---------------------------------------------------------------
/// ---------------------------------------------------------------
/// @notice allows only the safe to call the function
modifier onlySafe() {
require(msg.sender == safe, "Timelock: caller is not the safe");
_;
}
/// @notice allows timelocked actions to make certain parameter changes
modifier onlyTimelock() {
require(
msg.sender == address(this), "Timelock: caller is not the timelock"
);
_;
}
/// ---------------------------------------------------------------
/// ---------------------------------------------------------------
/// --------------------- View Only Functions ---------------------
/// ---------------------------------------------------------------
/// ---------------------------------------------------------------
/// @notice returns all currently non cancelled and non-executed proposals
/// some proposals may not be able to be executed if they have passed the
/// expiration period
function getAllProposals() external view returns (bytes32[] memory) {
return _liveProposals.values();
}
/// @notice returns the proposal id at the specified index in the set
function atIndex(uint256 index) external view returns (bytes32) {
return _liveProposals.at(index);
}
/// @notice returns the current position of the proposal in the live
/// proposals set
function positionOf(bytes32 value) external view returns (uint256) {
return _liveProposals._inner._positions[value];
}
/// @dev See {IERC165-supportsInterface}.
/// @notice supports 1155 and 721 receiver
/// also supports ERC165 interface id
function supportsInterface(bytes4 interfaceId)
public
view
override(IERC165, AccessControlEnumerable)
returns (bool)
{
return interfaceId == type(IERC1155Receiver).interfaceId
|| interfaceId == type(IERC721Receiver).interfaceId
|| super.supportsInterface(interfaceId);
}
/// @dev Returns whether an id corresponds to a registered operation. This
/// includes Pending, Ready, Done and Expired operations.
/// Cancelled operations will return false.
function isOperation(bytes32 id) public view returns (bool) {
return timestamps[id] > 0;
}
/// @dev Returns whether an operation is ready for execution.
/// Note that a "ready" operation is also "pending".
/// cannot be executed after the expiry period.
function isOperationReady(bytes32 id) public view returns (bool) {
/// cache timestamp, save up to 2 extra SLOADs
uint256 timestamp = timestamps[id];
return timestamp > _DONE_TIMESTAMP && timestamp <= block.timestamp
&& timestamp + expirationPeriod > block.timestamp;
}
/// @dev Returns whether an operation is done or not.
function isOperationDone(bytes32 id) public view returns (bool) {
return timestamps[id] == _DONE_TIMESTAMP;
}
/// @dev Returns whether an operation is expired
/// @notice operations expire on their expiry timestamp, not after
function isOperationExpired(bytes32 id) public view returns (bool) {
/// if operation is done, save an extra SLOAD
uint256 timestamp = timestamps[id];
/// if timestamp is 0, the operation is not scheduled, revert
require(timestamp != 0, "Timelock: operation non-existent");
require(timestamp != 1, "Timelock: operation already executed");
return block.timestamp >= timestamp + expirationPeriod;
}
/// @dev Returns the identifier of an operation containing a single transaction.
/// @param target the address of the contract to call
/// @param value the value in native tokens to send in the call
/// @param data the calldata to send in the call
/// @param salt the salt to be used in the operation
function hashOperation(
address target,
uint256 value,
bytes calldata data,
bytes32 salt
) public pure returns (bytes32) {
return keccak256(abi.encode(target, value, data, salt));
}
/// @dev Returns the identifier of an operation containing a batch of transactions.
/// @param targets the addresses of the contracts to call
/// @param values the values to send in the calls
/// @param payloads the calldatas to send in the calls
/// @param salt the salt to be used in the operation
function hashOperationBatch(
address[] calldata targets,
uint256[] calldata values,
bytes[] calldata payloads,
bytes32 salt
) public pure returns (bytes32) {
return keccak256(abi.encode(targets, values, payloads, salt));
}
/// @notice get the calldata checks for a specific contract and function selector
function getCalldataChecks(address contractAddress, bytes4 selector)
public
view
returns (IndexData[] memory indexDatas)
{
Index[] storage indexes = _calldataList[contractAddress][selector];
indexDatas = new IndexData[](indexes.length);
for (uint256 i = 0; i < indexes.length; i++) {
indexDatas[i] = IndexData(
indexes[i].startIndex,
indexes[i].endIndex,
indexes[i].dataHashes.values()
);
}
}
/// @notice check if the calldata conforms to the expected values
/// extracts indexes and checks that the data within the indexes
/// matches the expected data
/// @param contractAddress the address of the contract that the calldata check is applied to
/// @param data the calldata to check
function checkCalldata(address contractAddress, bytes memory data)
public
view
{
bytes4 selector = data.getFunctionSignature();
Index[] storage calldataChecks =
_calldataList[contractAddress][selector];
require(
calldataChecks.length > 0, "CalldataList: No calldata checks found"
);
for (uint256 i = 0; i < calldataChecks.length; i++) {
Index storage calldataCheck = calldataChecks[i];
if (calldataCheck.startIndex == calldataCheck.endIndex) {
return;
}
require(
calldataCheck.dataHashes.contains(
data.getSlicedBytesHash(
calldataCheck.startIndex, calldataCheck.endIndex
)
),
"CalldataList: Calldata does not match expected value"
);
}
}
/// ---------------------------------------------------------------
/// ---------------------------------------------------------------
/// -------------------- Timelock Functions -----------------------
/// ---------------------------------------------------------------
/// ---------------------------------------------------------------
/// @dev Schedule an operation containing a single transaction.
/// Emits {CallSalt} if salt is nonzero, and {CallScheduled}.
/// the caller must be the safe.
/// Callable only by the safe and when the contract is not paused
/// @param target to call
/// @param value amount of native token to spend
/// @param data calldata to send target
/// @param salt to be used in the operation
/// @param delay the delay before the operation becomes valid
function schedule(
address target,
uint256 value,
bytes calldata data,
bytes32 salt,
uint256 delay
) external onlySafe whenNotPaused {
bytes32 id = hashOperation(target, value, data, salt);
/// this is technically a duplicate check as _schedule makes the same
/// check again
require(_liveProposals.add(id), "Timelock: duplicate id");
/// SSTORE timestamps[id] = block.timestamp + delay
/// check delay >= minDelay
_schedule(id, delay);
emit CallScheduled(id, 0, target, value, data, salt, delay);
}
/// @dev Schedule an operation containing a batch of transactions.
/// Emits {CallSalt} if salt is nonzero, and one {CallScheduled} event per
/// transaction in the batch.
/// Callable only by the safe and when the contract is not paused
/// @param targets the addresses of the contracts to call
/// @param values the values to send in the calls
/// @param payloads the calldata to send in the calls
/// @param salt the salt to be used in the operation
/// @param delay the delay before the operation becomes valid
function scheduleBatch(
address[] calldata targets,
uint256[] calldata values,
bytes[] calldata payloads,
bytes32 salt,
uint256 delay
) external onlySafe whenNotPaused {
require(
targets.length == values.length && targets.length == payloads.length,
"Timelock: length mismatch"
);
bytes32 id = hashOperationBatch(targets, values, payloads, salt);
/// this is technically a duplicate check as _schedule makes the same
/// check again
require(_liveProposals.add(id), "Timelock: duplicate id");
/// SSTORE timestamps[id] = block.timestamp + delay
/// check delay >= minDelay
_schedule(id, delay);
for (uint256 i = 0; i < targets.length; i++) {
emit CallScheduled(
id, i, targets[i], values[i], payloads[i], salt, delay
);
}
}
/// @dev Execute a ready operation containing a single transaction.
/// cannot execute the operation if it has expired.
/// This function can reenter, but it doesn't pose a risk because
/// _afterCall checks that the proposal is pending, thus any modifications
/// to the operation during reentrancy should be caught.
/// slither-disable-next-line reentrancy-eth
/// @param target the address of the contract to call
/// @param value the value in native tokens to send in the call
/// @param payload the calldata to send in the call
/// @param salt the salt to be used in the operation of creating the ID.
function execute(
address target,
uint256 value,
bytes calldata payload,
bytes32 salt
) external payable whenNotPaused {
bytes32 id = hashOperation(target, value, payload, salt);
/// first reentrancy check, impossible to reenter and execute the same
/// proposal twice
require(_liveProposals.remove(id), "Timelock: proposal does not exist");
require(isOperationReady(id), "Timelock: operation is not ready");
_execute(target, value, payload);
emit CallExecuted(id, 0, target, value, payload);
/// second reentrancy check, second check that operation is ready,
/// operation will be not ready if already executed as timestamp will
/// be set to 1
_afterCall(id);
}
/// @dev Execute an (ready) operation containing a batch of transactions.
/// Requirements:
/// - the operation has not expired.
/// This function can reenter, but it doesn't pose a risk because _afterCall checks that the proposal is pending,
/// thus any modifications to the operation during reentrancy should be caught.
/// slither-disable-next-line reentrancy-eth
/// @param targets the addresses of the contracts to call
/// @param values the values to send in the calls
/// @param payloads the calldata to send in the calls
/// @param salt the salt to be used in the operation
function executeBatch(
address[] calldata targets,
uint256[] calldata values,
bytes[] calldata payloads,
bytes32 salt
) external payable whenNotPaused {
require(
targets.length == values.length && targets.length == payloads.length,
"Timelock: length mismatch"
);
bytes32 id = hashOperationBatch(targets, values, payloads, salt);
/// first reentrancy check, impossible to reenter and execute the same
/// proposal twice
require(_liveProposals.remove(id), "Timelock: proposal does not exist");
require(isOperationReady(id), "Timelock: operation is not ready");
for (uint256 i = 0; i < targets.length; i++) {
bytes calldata payload = payloads[i];
_execute(targets[i], values[i], payload);
emit CallExecuted(id, i, targets[i], values[i], payload);
}
/// second reentrancy check, second check that operation is ready,
/// operation will be not ready if already executed as timestamp will
/// be set to 1
_afterCall(id);
}
/// @notice cancel a timelocked operation
/// cannot cancel an already executed operation.
/// not callable while paused, because while paused there should not be any
/// proposals in the _liveProposal set.
/// @param id the identifier of the operation to cancel
function cancel(bytes32 id) external onlySafe whenNotPaused {
require(
isOperation(id) && _liveProposals.remove(id),
"Timelock: operation does not exist"
);
delete timestamps[id];
emit Cancelled(id);
}
/// @notice clean up an expired timelock action
/// not callable while paused, because while paused there should not be any
/// proposals in the _liveProposal set.
/// @param id the identifier of the expired operation
function cleanup(bytes32 id) external whenNotPaused {
require(isOperationExpired(id), "Timelock: operation not expired");
/// unreachable state assert statement
assert(_liveProposals.remove(id));
emit Cleanup(id);
}
/// ----------------------------------------------------------
/// ----------------------------------------------------------
/// ----------------- GUARDIAN ONLY FUNCTION -----------------
/// ----------------------------------------------------------
/// ----------------------------------------------------------
/// @notice cancel all outstanding pending and non executed operations
/// pauses the contract, revokes the guardian
function pause() public override {
/// check that msg.sender is the pause guardian, pause the contract
super.pause();
bytes32[] memory proposals = _liveProposals.values();
for (uint256 i = 0; i < proposals.length; i++) {
bytes32 id = proposals[i];
delete timestamps[id];
assert(_liveProposals.remove(id));
emit Cancelled(id);
}
}
/// ----------------------------------------------------------
/// ----------------------------------------------------------
/// ------------------ HOT SIGNER FUNCTIONS ------------------
/// ----------------------------------------------------------
/// ----------------------------------------------------------
/// @notice any hot signer can call this function and execute
/// a call to whitelisted contracts with whitelisted calldatas
/// no reentrancy checks needed here as the hot signers can execute this
/// whitelisted calldata as many times as they want
/// @param target the addresses of the contracts to call
/// @param value the values to send in the calls
/// @param payload the calldata to send in the calls
function executeWhitelisted(
address target,
uint256 value,
bytes calldata payload
) external payable onlyRole(HOT_SIGNER_ROLE) whenNotPaused {
/// first ensure calldata to target is whitelisted,
/// and that parameters are not malicious
checkCalldata(target, payload);
_execute(target, value, payload);
emit CallExecuted(bytes32(0), 0, target, value, payload);
}
/// @notice any safe owner can call this function and execute calls
/// to whitelisted contracts with whitelisted calldatas
/// @param targets the addresses of the contracts to call
/// @param values the values to send in the calls
/// @param payloads the calldata to send in the calls
function executeWhitelistedBatch(
address[] calldata targets,
uint256[] calldata values,
bytes[] calldata payloads
) external payable onlyRole(HOT_SIGNER_ROLE) whenNotPaused {
require(
targets.length == values.length && targets.length == payloads.length,
"Timelock: length mismatch"
);
for (uint256 i = 0; i < targets.length; i++) {
address target = targets[i];
uint256 value = values[i];
bytes calldata payload = payloads[i];
/// first ensure calldata to target is whitelisted,
/// and that parameters are not malicious
checkCalldata(target, payload);
_execute(target, value, payload);
emit CallExecuted(bytes32(0), i, target, value, payload);
}
}
/// Access Control Enumerable Overrides
/// @notice function to grant a role to an address
/// callable only by the timelock as timelock is the only role with admin
/// @param role the role to grant
/// @param account to grant the role to
function grantRole(bytes32 role, address account)
public
override(AccessControl, IAccessControl)
{
require(role != DEFAULT_ADMIN_ROLE, "Timelock: cannot grant admin role");
super.grantRole(role, account);
}
/// @notice function to revoke a role from an address
/// @param role the role to revoke
/// @param account the address to revoke the role from
function revokeRole(bytes32 role, address account)
public
override(AccessControl, IAccessControl)
{
require(
role != DEFAULT_ADMIN_ROLE, "Timelock: cannot revoke admin role"
);
super.revokeRole(role, account);
}
/// @notice function to renounce a role
/// @param role the role to renounce
/// @param account the address to renounce the role from
function renounceRole(bytes32 role, address account)
public
override(AccessControl, IAccessControl)
{
require(
role != DEFAULT_ADMIN_ROLE, "Timelock: cannot renounce admin role"
);
super.renounceRole(role, account);
}
/// Hot Signer Access Control Management Functions
/// @notice function to revoke the hot signer role from an address
/// can only be called by the timelock or the safe
/// @param deprecatedHotSigner the address of the hot signer to revoke
function revokeHotSigner(address deprecatedHotSigner) external onlySafe {
_revokeRole(HOT_SIGNER_ROLE, deprecatedHotSigner);
}
/// ---------------------------------------------------------------
/// ---------------------------------------------------------------
/// ------------------- Timelock Only Functions -------------------
/// ---------------------------------------------------------------
/// ---------------------------------------------------------------
/// @notice function to grant the guardian to a new address
/// resets the pauseStartTime to 0, which unpauses the contract
/// @param newGuardian the address of the new guardian
function setGuardian(address newGuardian) public onlyTimelock {
/// if a new guardian is granted, the contract is automatically unpaused
_setPauseTime(0);
_grantGuardian(newGuardian);
}
/// @notice add multiple calldata checks
/// @param contractAddresses the addresses of the contract that the calldata check is added to
/// @param selectors the function selectors of the function that the calldata check is added to
/// @param startIndexes the start indexes of the calldata
/// @param endIndexes the end indexes of the calldata
/// @param datas the calldatas that are checked for each corresponding function at each index
/// on each contract
function addCalldataChecks(
address[] memory contractAddresses,
bytes4[] memory selectors,
uint16[] memory startIndexes,
uint16[] memory endIndexes,
bytes[][] memory datas
) external onlyTimelock {
_addCalldataChecks(
contractAddresses, selectors, startIndexes, endIndexes, datas
);
}
/// @notice add a single calldata check
/// @param contractAddress the address of the contract that the calldata check is added to
/// @param selector the function selector of the function that the calldata check is added to
/// @param startIndex the start indexes of the calldata
/// @param endIndex the end indexes of the calldata
/// @param data the calldata that is stored
function addCalldataCheck(
address contractAddress,
bytes4 selector,
uint16 startIndex,
uint16 endIndex,
bytes[] memory data
) external onlyTimelock {
_addCalldataCheck(contractAddress, selector, startIndex, endIndex, data);
}
/// @notice remove a single calldata check for a given contract address
/// @param contractAddress the address of the contract that the
/// calldata checks are removed from
/// @param selector the function selector of the function that the
/// checks will be removed from
/// @param index the index of the calldata check to remove
function removeCalldataCheck(
address contractAddress,
bytes4 selector,
uint256 index
) external onlyTimelock {
_removeCalldataCheck(contractAddress, selector, index);
}
/// @notice remove a calldata check by index
/// @param contractAddress the address of the contract that the calldata check is removed from
/// @param selector the function selector of the function that the calldata check is removed from
/// @param index the index of the calldata check to remove
/// @param dataHash the hash of the calldata that is stored
function removeCalldataCheckDatahash(
address contractAddress,
bytes4 selector,
uint256 index,
bytes32 dataHash
) external onlyTimelock {
Index[] storage calldataChecks =
_calldataList[contractAddress][selector];
/// if no calldata checks are found, this check will fail because
/// calldataChecks.length will be 0, and no uint value can be lt 0
require(
index < calldataChecks.length,
"CalldataList: Calldata index out of bounds"
);
/// index check to remove the datahash from
Index storage indexCheck = calldataChecks[index];
uint16 removedStartIndex = indexCheck.startIndex;
uint16 removedEndIndex = indexCheck.endIndex;
/// require instead of assert to have clear error messages
require(
indexCheck.dataHashes.remove(dataHash),
"CalldataList: DataHash does not exist"
);
/// remove the index check if the dataHashes are empty
if (indexCheck.dataHashes.length() == 0) {
/// index check to overwrite the specified index check with
Index storage lastIndexCheck =
calldataChecks[calldataChecks.length - 1];
indexCheck.startIndex = lastIndexCheck.startIndex;
indexCheck.endIndex = lastIndexCheck.endIndex;
bytes32[] memory dataHashes = lastIndexCheck.dataHashes.values();
for (uint256 i = 0; i < dataHashes.length; i++) {
assert(indexCheck.dataHashes.add(dataHashes[i]));
assert(lastIndexCheck.dataHashes.remove(dataHashes[i]));
}
/// remove the last index check for the specified function
calldataChecks.pop();
}
{
bytes32[] memory dataHashes = new bytes32[](1);
dataHashes[0] = dataHash;
emit CalldataRemoved(
contractAddress,
selector,
removedStartIndex,
removedEndIndex,
dataHashes
);
}
}
/// @notice remove all calldata checks for a given contract address
/// @param contractAddresses the address of the contract that the
/// calldata checks are removed from
/// @param selectors the selectors of the functions that the checks will
/// be removed from
function removeAllCalldataChecks(
address[] memory contractAddresses,
bytes4[] memory selectors
) external onlyTimelock {
require(
contractAddresses.length == selectors.length,
"Timelock: arity mismatch"
);
for (uint256 i = 0; i < contractAddresses.length; i++) {
_removeAllCalldataChecks(contractAddresses[i], selectors[i]);
}
}
/// @dev Changes the minimum timelock duration for future operations.
/// Emits a {MinDelayChange} event.
/// Requirements:
/// - the caller must be the timelock itself. This can only be achieved by scheduling and later executing
/// an operation where the timelock is the target and the data is the ABI-encoded call to this function.
/// @param newDelay the new minimum delay
function updateDelay(uint256 newDelay) external onlyTimelock {
require(
newDelay >= MIN_DELAY && newDelay <= MAX_DELAY,
"Timelock: delay out of bounds"
);
emit MinDelayChange(minDelay, newDelay);
minDelay = newDelay;
}
/// @notice update the expiration period for timelocked actions
/// @param newPeriod the new expiration period
function updateExpirationPeriod(uint256 newPeriod) external onlyTimelock {
require(newPeriod >= MIN_DELAY, "Timelock: delay out of bounds");
emit ExpirationPeriodChange(expirationPeriod, newPeriod);
expirationPeriod = newPeriod;
}
/// @notice update the pause period for timelocked actions
/// @dev can only be between 1 day and 30 days
/// @param newPauseDuration the new pause duartion
function updatePauseDuration(uint128 newPauseDuration)
external
onlyTimelock
{
/// min and max checks are done in the internal function
_updatePauseDuration(newPauseDuration);
}
/// ---------------------------------------------------------------
/// ---------------------------------------------------------------
/// ------------------ Private Helper Functions -------------------
/// ---------------------------------------------------------------
/// ---------------------------------------------------------------