Mainnet alias address transfer (#244)

* set up transfer owner script

* remove ledger account specification in env file

* remove comment from script

* fix makefile mistake and add validation file

mainnet/2025-01-08-transfer-proxyadmin-owner-L1alias/.env

@@ -0,0 +1,8 @@
+OP_COMMIT=dff5f16c510e7f44f1be0574372ccb08bfec045c
+BASE_CONTRACTS_COMMIT=494586571e1a4d845ee6f381b65229d63c630986
+
+PROXY_ADMIN=0x4200000000000000000000000000000000000018
+L2_PROXY_ADMIN_OWNER=0x2304CB33d95999dC29f4CeF1e35065e670a70050
+L1_PROXY_ADMIN_OWNER=0x7bB41C3008B3f03FE483B28b8DB90e19Cf07595c
+CB_SIGNER_SAFE_ADDR=0xd94E416cf2c7167608B2515B7e4102B41efff94f
+OP_SIGNER_SAFE_ADDR=0x28EDB11394eb271212ED66c08f2b7893C04C5D65

mainnet/2025-01-08-transfer-proxyadmin-owner-L1alias/Makefile

@@ -0,0 +1,47 @@
+include ../../Makefile
+include ../.env
+include .env
+
+ifndef LEDGER_ACCOUNT
+override LEDGER_ACCOUNT = 0
+endif
+
+##
+# NestedMultisigBuilder commands
+# The following commands can be used for tasks that utilize the NestedMultisigBuilder.
+# Note that --ledger --hd-paths <PATH> can be replaced with --private-key $(PRIVATE_KEY)
+# in any command when using a local key.
+# See more documentation on the various steps in NestedMultisigBuilder.sol.
+##
+
+# This step is run by signers on the "children" safes
+.PHONY: sign-cb
+sign-cb:
+	$(GOPATH)/bin/eip712sign --ledger --hd-paths "m/44'/60'/$(LEDGER_ACCOUNT)'/0/0" -- \
+	forge script --rpc-url $(L2_RPC_URL) TransferOwner \
+	--sig "sign(address)" $(CB_SIGNER_SAFE_ADDR)
+
+.PHONY: sign-op
+sign-op:
+	$(GOPATH)/bin/eip712sign --ledger --hd-paths "m/44'/60'/$(LEDGER_ACCOUNT)'/0/0" -- \
+	forge script --rpc-url $(L2_RPC_URL) TransferOwner \
+	--sig "sign(address)" $(OP_SIGNER_SAFE_ADDR)
+
+# This step is run once per "child" safe, and can be run by anyone (doesn't have to be a signer)
+.PHONY: approve-cb
+approve-cb:
+	forge script --rpc-url $(L2_RPC_URL) TransferOwner \
+	--sig "approve(address,bytes)" $(CB_SIGNER_SAFE_ADDR) $(SIGNATURES) \
+	--ledger --hd-paths "m/44'/60'/$(LEDGER_ACCOUNT)'/0/0" --broadcast
+
+.PHONY: approve-op
+approve-op:
+	forge script --rpc-url $(L2_RPC_URL) TransferOwner \
+	--sig "approve(address,bytes)" $(OP_SIGNER_SAFE_ADDR) $(SIGNATURES) \
+	--ledger --hd-paths "m/44'/60'/$(LEDGER_ACCOUNT)'/0/0" --broadcast
+
+# This step is run once after all children safes have approved and can be run by anyone (doesn't have to be a signer)
+.PHONY: execute
+execute:
+	forge script --rpc-url $(L2_RPC_URL) TransferOwner \
+	--sig "run()" --ledger --hd-paths "m/44'/60'/$(LEDGER_ACCOUNT)'/0/0" --broadcast

mainnet/2025-01-08-transfer-proxyadmin-owner-L1alias/README.md

@@ -0,0 +1,167 @@
+# Transfer Proxy Admin Owner L1 Alias
+
+## Description
+
+This script transfers the ownership of the L2 ProxyAdmin contract to the alias address of the L1ProxyAdminOwner. You can read more about address aliasing [here](https://docs.optimism.io/stack/differences#address-aliasing). This allows us to use the same multisig for both L1 and L2 ProxyAdmin owners.
+
+## Procedure
+
+### 1. Update repo:
+
+```bash
+cd contract-deployments
+git pull
+cd mainnet/2025-01-08-transfer-proxyadmin-owner-L1alias
+make deps
+```
+
+### 2. Setup Ledger
+
+Your Ledger needs to be connected and unlocked. The Ethereum
+application needs to be opened on Ledger with the message "Application
+is ready".
+
+### 3. Run relevant script(s)
+
+#### 3.1 Sign the transaction
+
+Coinbase signer:
+
+```bash
+make sign-cb
+```
+
+Optimism signer:
+
+```bash
+make sign-op
+```
+
+You will see a "Simulation link" from the output.
+
+Paste this URL in your browser. A prompt may ask you to choose a
+project, any project will do. You can create one if necessary.
+
+Click "Simulate Transaction".
+
+We will be performing 3 validations and extract the domain hash and
+message hash to approve on your Ledger:
+
+1. Validate integrity of the simulation.
+2. Validate correctness of the state diff.
+3. Validate and extract domain hash and message hash to approve.
+
+##### 3.1.1 Validate integrity of the simulation.
+
+Make sure you are on the "Overview" tab of the tenderly simulation, to
+validate integrity of the simulation, we need to check the following:
+
+1. "Network": Check the network is Ethereum mainnet or Sepolia. This must match the `<NETWORK_DIR>` from above.
+2. "Timestamp": Check the simulation is performed on a block with a
+   recent timestamp (i.e. close to when you run the script).
+3. "Sender": Check the address shown is your signer account. If not see the derivation path Note above.
+
+##### 3.1.2. Validate correctness of the state diff.
+
+Now click on the "State" tab, and refer to the "State Validations" instructions for the transaction you are signing.
+Once complete return to this document to complete the signing.
+
+##### 3.1.3. Extract the domain hash and the message hash to approve.
+
+Now that we have verified the transaction performs the right
+operation, we need to extract the domain hash and the message hash to
+approve.
+
+Go back to the "Overview" tab, and find the
+`GnosisSafe.checkSignatures` call. This call's `data` parameter
+contains both the domain hash and the message hash that will show up
+in your Ledger.
+
+It will be a concatenation of `0x1901`, the domain hash, and the
+message hash: `0x1901[domain hash][message hash]`.
+
+Note down this value. You will need to compare it with the ones
+displayed on the Ledger screen at signing.
+
+Once the validations are done, it's time to actually sign the
+transaction.
+
+> [!WARNING]
+> This is the most security critical part of the playbook: make sure the
+> domain hash and message hash in the following two places match:
+>
+> 1. On your Ledger screen.
+> 2. In the Tenderly simulation. You should use the same Tenderly
+>    simulation as the one you used to verify the state diffs, instead
+>    of opening the new one printed in the console.
+>
+> There is no need to verify anything printed in the console. There is
+> no need to open the new Tenderly simulation link either.
+
+After verification, sign the transaction. You will see the `Data`,
+`Signer` and `Signature` printed in the console. Format should be
+something like this:
+
+```shell
+Data:  <DATA>
+Signer: <ADDRESS>
+Signature: <SIGNATURE>
+```
+
+Double check the signer address is the right one.
+
+### 3.1.4 Send the output to Facilitator(s)
+
+Nothing has occurred onchain - these are offchain signatures which
+will be collected by Facilitators for execution. Execution can occur
+by anyone once a threshold of signatures are collected, so a
+Facilitator will do the final execution for convenience.
+
+Share the `Data`, `Signer` and `Signature` with the Facilitator, and
+congrats, you are done!
+
+## [For Facilitator ONLY] How to execute
+
+### Approve the transaction
+
+1. Collect outputs from all participating signers.
+2. Concatenate all signatures and export it as the `SIGNATURES`
+   environment variable, i.e. `export
+SIGNATURES="[SIGNATURE1][SIGNATURE2]..."`.
+3. Run the `make approve` command as described below to approve the transaction in each multisig.
+
+For example, if the quorum is 2 and you get the following outputs:
+
+```shell
+Data:  0xDEADBEEF
+Signer: 0xC0FFEE01
+Signature: AAAA
+```
+
+```shell
+Data:  0xDEADBEEF
+Signer: 0xC0FFEE02
+Signature: BBBB
+```
+
+Then you should run:
+
+Coinbase facilitator:
+
+```bash
+SIGNATURES=AAAABBBB make approve-cb
+```
+
+Optimism facilitator:
+
+```bash
+SIGNATURES=AAAABBBB make approve-op
+```
+
+### Execute the transaction
+
+Once the signatures have been submitted approving the transaction for all nested Safes run:
+
+```bash
+make execute
+```

mainnet/2025-01-08-transfer-proxyadmin-owner-L1alias/VALIDATION.MD

@@ -0,0 +1,43 @@
+# Validation
+
+This document can be used to validate the state diff resulting from the execution of the upgrade
+transactions.
+
+For each contract listed in the state diff, please verify that no contracts or state changes shown in the Tenderly diff are missing from this document. Additionally, please verify that for each contract:
+
+- The following state changes (and none others) are made to that contract. This validates that no unexpected state changes occur.
+- All addresses (in section headers and storage values) match the provided name, using the Etherscan and Superchain Registry links provided. This validates the bytecode deployed at the addresses contains the correct logic.
+- All key values match the semantic meaning provided, which can be validated using the storage layout links provided.
+
+## Nested Safe State Overrides and Changes
+
+This task is executed by the nested 2/2 `ProxyAdminOwner` Safe. Refer to the
+[generic nested Safe execution validation document](https://github.com/ethereum-optimism/superchain-ops/blob/main/NESTED-VALIDATION.md)
+for the expected state overrides and changes.
+
+The `approvedHashes` mapping **key** of the `ProxyAdminOwner` (`0x2304CB33d95999dC29f4CeF1e35065e670a70050`) that should change during the simulation is
+
+- Base simulation: `0xcde595956d54c692d029b4d1dc86fafc883fb82f01147f60b6b964fa00f5c88b`
+- OP simulation: `0xb24bf3776c1f53a87c7f1ef62f639facf7791351b085317bd6ae049622adb10c`
+
+calculated as explained in the nested validation doc:
+
+```sh
+SAFE_HASH=0x95d9b44bbd7e9b4f55023004e327ffa339986d5f7cc24feee87b3b19e0578049 # "Nested hash:"
+SAFE_ROLE=0xd94E416cf2c7167608B2515B7e4102B41efff94f # "Council" - Base
+cast index bytes32 $SAFE_HASH $(cast index address $SAFE_ROLE 8)
+# 0xcde595956d54c692d029b4d1dc86fafc883fb82f01147f60b6b964fa00f5c88b
+
+SAFE_ROLE=0x28EDB11394eb271212ED66c08f2b7893C04C5D65 # OP
+cast index bytes32 $SAFE_HASH $(cast index address $SAFE_ROLE 8)
+# 0xb24bf3776c1f53a87c7f1ef62f639facf7791351b085317bd6ae049622adb10c
+```
+
+## State Changes
+
+### `0x4200000000000000000000000000000000000018` (`ProxyAdmin`)
+
+- **Key**: `0x0000000000000000000000000000000000000000000000000000000000000000` <br/>
+  **Before**: `0x0000000000000000000000002304cb33d95999dc29f4cef1e35065e670a70050` <br/>
+  **After**: `0x0000000000000000000000008cc51c3008b3f03fe483b28b8db90e19cf076a6d` <br/>
+  **Meaning**: Updates the `owner` of the `ProxyAdmin` contract from the current L2 Proxy Admin Owner (`0x2304CB33d95999dC29f4CeF1e35065e670a70050`) to the L1 Proxy Admin Owner alias (`0x8cc51c3008b3f03fe483b28b8db90e19cf076a6d`).

mainnet/2025-01-08-transfer-proxyadmin-owner-L1alias/foundry.toml

@@ -0,0 +1,21 @@
+[profile.default]
+src = 'src'
+out = 'out'
+libs = ['lib']
+broadcast = 'records'
+fs_permissions = [{ access = "read-write", path = "./" }]
+optimizer = true
+optimizer_runs = 999999
+solc_version = "0.8.15"
+via-ir = false
+remappings = [
+    '@eth-optimism-bedrock/=lib/optimism/packages/contracts-bedrock/',
+    '@openzeppelin/contracts/=lib/openzeppelin-contracts/contracts',
+    '@openzeppelin/contracts-upgradeable/=lib/openzeppelin-contracts-upgradeable/contracts',
+    '@rari-capital/solmate/=lib/solmate/',
+    '@base-contracts/=lib/base-contracts',
+    'solady/=lib/solady/src/',
+]
+evm_version = "shanghai"
+
+# See more config options https://github.com/foundry-rs/foundry/tree/master/config

mainnet/2025-01-08-transfer-proxyadmin-owner-L1alias/script/TransferOwner.s.sol

@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.15;
+
+import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
+import "@base-contracts/script/universal/NestedMultisigBuilder.sol";
+
+contract TransferOwner is NestedMultisigBuilder {
+    address internal _PROXY_ADMIN = vm.envAddress("PROXY_ADMIN");
+    address internal _L2_PROXY_ADMIN_OWNER = vm.envAddress("L2_PROXY_ADMIN_OWNER");
+    address internal _L1_PROXY_ADMIN_OWNER = vm.envAddress("L1_PROXY_ADMIN_OWNER");
+
+    // Using example from OP L1 Proxy Admin to confirm accuracy of `_convertToAliasAddress`
+    address internal constant _OP_L1_PROXY_ADMIN = 0x5a0Aae59D09fccBdDb6C6CcEB07B7279367C3d2A;
+    address internal constant _OP_L1_PROXY_ADMIN_ALIAS = 0x6B1BAE59D09fCcbdDB6C6cceb07B7279367C4E3b;
+
+    /// @dev Confirm the alias address conversion is correct using Optimism L1 Proxy Admin as an example
+    constructor() {
+        require(
+            _convertToAliasAddress(_OP_L1_PROXY_ADMIN) == _OP_L1_PROXY_ADMIN_ALIAS,
+            "Something wrong with ConvertToAlias"
+        );
+    }
+
+    /// @dev Confirm the proxy admin owner is now the alias address of the L1 Proxy Admin Owner
+    function _postCheck(Vm.AccountAccess[] memory, Simulation.Payload memory) internal view override {
+        OwnableUpgradeable proxyAdmin = OwnableUpgradeable(_PROXY_ADMIN);
+        require(
+            proxyAdmin.owner() == _convertToAliasAddress(_L1_PROXY_ADMIN_OWNER), "ProxyAdmin owner did not get updated"
+        );
+    }
+
+    function _buildCalls() internal view override returns (IMulticall3.Call3[] memory) {
+        IMulticall3.Call3[] memory calls = new IMulticall3.Call3[](1);
+
+        calls[0] = IMulticall3.Call3({
+            target: _PROXY_ADMIN,
+            allowFailure: false,
+            callData: abi.encodeCall(OwnableUpgradeable.transferOwnership, (_convertToAliasAddress(_L1_PROXY_ADMIN_OWNER)))
+        });
+
+        return calls;
+    }
+
+    function _ownerSafe() internal view override returns (address) {
+        return _L2_PROXY_ADMIN_OWNER;
+    }
+
+    /// @dev An alias address is the original address + 0x1111000000000000000000000000000000001111
+    function _convertToAliasAddress(address addr) private pure returns (address) {
+        uint160 enumeratedAddress = uint160(addr);
+        uint160 offset = uint160(0x1111000000000000000000000000000000001111);
+        return address(enumeratedAddress + offset);
+    }
+}