feat(contract): add ability for admin to freeze diamond #674
Conversation
thomas-nguy
requested review from
vladbochok and
StanislavBreadless
as code owners
|
Hey @thomas-nguy, currently freezing is designed to be controlled by the Governance mechanism, which means the governance can unfreeze/freeze ZK chains. Moreover, anyone can unfreeze the chain by calling the Let me know if you still think this change makes sense to include, otherwise I will close the PR. Thank you. |
|
The goal is to implement a circuit breaker that would trigger I don't think human intervention would be quick enough for such case. Now I understand that initially the I respect this decision that is why I am not adding the hyperchain's "admin" permission to unfreeze the chain
does it make sense? |
|
The idea behind State Transition Manager is that it is trust zone between chains. All the chains use the same implementation, so the bug in one chain means the bug in all STM chains. Therefore, If a chain has emergency, all the STM chains will have emergency. On additional note, the funds are stored in the shared bridge, so the damage there means damage to the each and every ZK chain, that contract can be frozen only by the Governance protocol too. At the same time, the decision to freeze the protocol is made by the Security Council body with low threshold and high SLA for many members, so fast reaction is expected behaviour. |
|
The condition to trigger freezing may not be related to bug in the STM but protocol hack (dapps), scams or bad managements of the keys( 90% of the case?). In that case we would like to have the ability to react quickly. I understand that some chain would not require any intervention for some cases but some others would. I think having the ability to freeze its own chain is harmless for the ecosystems but yet could be useful for the chain operators. I need to hear more about this security council. We had some discussion about it previously but I am quite sceptical on the speed of intervention, especially for emergency that are specifics for one hyperchain |
|
@thomas-nguy We talked a bit internally and we think it is okay to add the ability to freeze one specific chain. But it is just not a oneliner, a new storage slot needs to be added to track whether the chain locked itself also. We will also need to store whether the main STM has frozen the chain. Upon each freeze/unfreeze we'll have to decide whether to full freeze/unfreeze the chain or not, since both the chain admin and the security council should be okay with the chain being unfrozen |
|
okay let me clarify the specs
Is that correct? |
|
@thomas-nguy yes |
There was a problem hiding this comment.
@vladbochok this PR presumes that it will be always possible to call the unfreezeDiamond via STM. This will be the case for mainnet, but will this be the case for e.g. testnet/stage?
|
I am also assuming that the "admin facet" is not freezable I think it is already the case, but better to be careful when upgrading facets |
|
@thomas-nguy yes, it is the case |
|
@vladbochok @StanislavBreadless this PR has been hanging for a while Beside fixing conflicts, anything else we need to discuss? |
|
Hey @thomas-nguy, we discussed with @vladbochok and we worried that with this change a malicious admin could abuse his powers and freeze the chain indefinitely to lock users away from their funds, which violate guarantees that we try to provide as rollup where users can always withdraw funds no matter what. To prevent these cases, we started work on developing a more enhanced version of the So TLDR: we are fine with your change, but it should go into the branch after the new version of ChainAdmin is included (there is still some WIP things to do, but we are close) |
|
Okay I think this is an acceptable concern However from risk perspective, it is less likely to have a malicious admin trying to "lock" user funds rather than hack happening on chain. The zkstack has been build with the assumption that admin is not malicious and there are already too much power given to the admin that I don't think giving the ability to freeze would make much difference. Trying to protect users from admin would require a lot of change imo But I agree that we need to walk into this direction for future development |
thomas-nguy
force-pushed
the
thomas/admin-freeze-diamond-dev
branch
from
1e36a22
to
1da1865
Compare
| @@ -51,6 +51,10 @@ error DiamondAlreadyFrozen(); | |||
| error DiamondFreezeIncorrectState(); | |||
| // 0xa7151b9a | |||
| error DiamondNotFrozen(); | |||
| // | |||
There was a problem hiding this comment.
how do you compute the hex?
There was a problem hiding this comment.
https://soliditylang.org/blog/2021/04/21/custom-errors/ you can read more about custom errors and how to compute the hex here
TLDR: abi encode
There was a problem hiding this comment.
But if the question is whether we have some automated tooling for that, then no, not atm
thomas-nguy
force-pushed
the
thomas/admin-freeze-diamond-dev
branch
from
1da1865
to
96251bf
Compare
What ❔
add more control for hyperchain's admin