Yearn BORG

.gitignore

@@ -1,8 +1,11 @@
 cache/
 out/
-.env
+.env*
 test-command.txt
 broadcast/
 
 .DS_Store
+.idea/
 /broadcast_bk
+
+/tmp/

CHANGELOG.md

@@ -0,0 +1,28 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+- src/implants/sudoImplant.sol
+  - A Module (implant) for enforcing BORG, DAO co-approvals on Safe admin operations such as toggling Modules or setting Guards
+
+- src/libs/governance/snapShotExecutor.sol
+  - An off-chain (snapshot) voting coordinator contract that enforces BORG, DAO co-approvals on proposals
+
+- scripts/yearnBorg.s.sol
+  - Scripts for deploying Yearn BORG contracts
+
+### Updated
+
+- src/borgCore.sol
+  - Blocks delegate calls by default in blacklist mode and allow whitelisting specific contracts
+  - Maintains the same behaviors in whitelist mode
+
+- src/implants/ejectImplant.sol
+  - Allows admin to allow/disallow a member to reduce threshold when resigning

scripts/yearnBorg.s.sol

@@ -0,0 +1,175 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+pragma solidity 0.8.20;
+
+import {Script} from "forge-std/Script.sol";
+import {console2} from "forge-std/console2.sol";
+import {borgCore} from "../src/borgCore.sol";
+import {ejectImplant} from "../src/implants/ejectImplant.sol";
+import {sudoImplant} from "../src/implants/sudoImplant.sol";
+import {optimisticGrantImplant} from "../src/implants/optimisticGrantImplant.sol";
+import {daoVoteGrantImplant} from "../src/implants/daoVoteGrantImplant.sol";
+import {daoVetoGrantImplant} from "../src/implants/daoVetoGrantImplant.sol";
+import {daoVetoImplant} from "../src/implants/daoVetoImplant.sol";
+import {daoVoteImplant} from "../src/implants/daoVoteImplant.sol";
+import {SignatureCondition} from "../src/libs/conditions/signatureCondition.sol";
+import {BorgAuth} from "../src/libs/auth.sol";
+import {SnapShotExecutor} from "../src/libs/governance/snapShotExecutor.sol";
+import {SafeTxHelper} from "../test/libraries/safeTxHelper.sol";
+import {IGnosisSafe, GnosisTransaction, IMultiSendCallOnly} from "../test/libraries/safe.t.sol";
+
+contract PlaceholderFailSafeImplant {
+    uint256 public immutable IMPLANT_ID = 0;
+
+    error PlaceholderFailSafeImplant_UnexpectedTrigger();
+
+    function recoverSafeFunds() external pure {
+        revert PlaceholderFailSafeImplant_UnexpectedTrigger();
+    }
+}
+
+contract YearnBorgDeployScript is Script {
+    // Safe 1.3.0 Multi Send Call Only @ Ethereum mainnet
+    // https://github.com/safe-global/safe-deployments?tab=readme-ov-file
+    IMultiSendCallOnly multiSendCallOnly = IMultiSendCallOnly(0x40A2aCCbd92BCA938b02010E17A5b8929b49130D);
+
+    // Configs: BORG Core
+
+    IGnosisSafe ychadSafe = IGnosisSafe(0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52); // ychad.eth
+    string borgIdentifier = "Yearn BORG";
+    borgCore.borgModes borgMode = borgCore.borgModes.blacklist;
+    uint256 borgType = 0x3; // devBORG
+
+    // Configs: SnapShowExecutor
+
+    uint256 snapShotWaitingPeriod = 3 days;
+    uint256 snapShotCancelWaitingPeriod = 7 days;
+    uint256 snapShotPendingProposalLimit = 3;
+    uint256 snapShotOracleTtl = 14 days;
+    address oracle = 0xf00c0dE09574805389743391ada2A0259D6b7a00;
+
+    SafeTxHelper safeTxHelper;
+
+    borgCore core;
+    ejectImplant eject;
+    sudoImplant sudo;
+    SnapShotExecutor snapShotExecutor;
+
+    BorgAuth coreAuth;
+    BorgAuth executorAuth;
+    BorgAuth implantAuth;
+
+    /// @dev For running from `forge script`. Provide the deployer private key through env var.
+    function run() public returns(borgCore, ejectImplant, sudoImplant, SnapShotExecutor, GnosisTransaction[] memory) {
+        return run(vm.envUint("DEPLOYER_PRIVATE_KEY"));
+    }
+
+    /// @dev For running in tests
+    function run(uint256 deployerPrivateKey) public returns(borgCore, ejectImplant, sudoImplant, SnapShotExecutor, GnosisTransaction[] memory) {
+        console2.log("Deploy Configs:");
+        console2.log("  BORG name:", borgIdentifier);
+        console2.log("  BORG mode:", uint8(borgMode));
+        console2.log("  BORG type:", borgType);
+        console2.log("  Safe Multisig:", address(ychadSafe));
+        console2.log("  Snapshot waiting period (secs.):", snapShotWaitingPeriod);
+        console2.log("  Snapshot cancel period (secs.):", snapShotCancelWaitingPeriod);
+        console2.log("  Snapshot pending proposal limit:", snapShotPendingProposalLimit);
+
+        address deployerAddress = vm.addr(deployerPrivateKey);
+        console2.log("Deployer:", deployerAddress);
+
+        safeTxHelper = new SafeTxHelper(
+            ychadSafe,
+            multiSendCallOnly,
+            deployerPrivateKey // No-op. We are not supposed to sign any Safe tx here
+        );
+
+        vm.startBroadcast(deployerPrivateKey);
+
+        // Core
+
+        coreAuth = new BorgAuth();
+        core = new borgCore(coreAuth, borgType, borgMode, borgIdentifier, address(ychadSafe));
+
+        // Whitelist MultiSendCallOnly for Operation.DelegateCall
+        core.toggleDelegateCallContract(address(multiSendCallOnly), true);
+
+        // Restrict admin operations
+
+        // Safe.OwnerManager
+        core.addFullAccessOrBlockContract(address(ychadSafe));
+        core.addPolicyMethod(address(ychadSafe), "addOwnerWithThreshold(address,uint256)");
+        core.addPolicyMethod(address(ychadSafe), "removeOwner(address,address,uint256)");
+        core.addPolicyMethod(address(ychadSafe), "swapOwner(address,address,address)");
+        core.addPolicyMethod(address(ychadSafe), "changeThreshold(uint256)");
+
+        // Safe.GuardManager
+        core.addPolicyMethod(address(ychadSafe), "setGuard(address)");
+
+        // Safe.ModuleManager
+        core.addPolicyMethod(address(ychadSafe), "enableModule(address)");
+        core.addPolicyMethod(address(ychadSafe), "disableModule(address,address)");
+
+        // Create SnapShotExecutor
+
+        executorAuth = new BorgAuth();
+        snapShotExecutor = new SnapShotExecutor(executorAuth, address(oracle), snapShotWaitingPeriod, snapShotCancelWaitingPeriod, snapShotPendingProposalLimit, snapShotOracleTtl);
+
+        // Add modules
+
+        implantAuth = new BorgAuth();
+        eject = new ejectImplant(
+            implantAuth,
+            address(ychadSafe),
+            address(new PlaceholderFailSafeImplant()), // Placeholder because Yearn BORG does not use failSafe
+            true, // _allowManagement
+            true, // _allowEjection
+            false // _allowSelfEjectReduce
+        );
+        sudo = new sudoImplant(
+            implantAuth,
+            address(ychadSafe)
+        );
+
+        // Transfer core ownership to SnapShotExecutor
+        coreAuth.updateRole(address(snapShotExecutor), implantAuth.OWNER_ROLE());
+        coreAuth.zeroOwner();
+
+        // Transfer executor ownership to ychad.eth
+        executorAuth.updateRole(address(ychadSafe), executorAuth.OWNER_ROLE());
+        executorAuth.zeroOwner();
+
+        // Transfer eject implant ownership to SnapShotExecutor
+        implantAuth.updateRole(address(snapShotExecutor), implantAuth.OWNER_ROLE());
+        implantAuth.zeroOwner();
+
+        vm.stopBroadcast();
+
+        console2.log("Deployed addresses:");
+        console2.log("  Core: ", address(core));
+        console2.log("  Eject Implant: ", address(eject));
+        console2.log("  Sudo Implant: ", address(sudo));
+        console2.log("  SnapShotExecutor: ", address(snapShotExecutor));
+        console2.log("  Core Auth: ", address(coreAuth));
+        console2.log("  Executor Auth: ", address(executorAuth));
+        console2.log("  Implant Auth: ", address(implantAuth));
+
+        // Prepare Safe TXs for ychad.eth to execute
+
+        GnosisTransaction[] memory safeTxs = new GnosisTransaction[](3);
+        safeTxs[0] = safeTxHelper.getAddModuleData(address(eject));
+        safeTxs[1] = safeTxHelper.getAddModuleData(address(sudo));
+        safeTxs[2] = safeTxHelper.getSetGuardData(address(core)); // Note we must set guard last because it may block ychad.eth from adding any more modules
+
+        console2.log("Safe TXs:");
+        for (uint256 i = 0 ; i < safeTxs.length ; i++) {
+            console2.log("  #", i);
+            console2.log("    to:", safeTxs[i].to);
+            console2.log("    value:", safeTxs[i].value);
+            console2.log("    data:");
+            console2.logBytes(safeTxs[i].data);
+            console2.log("");
+        }
+
+        return (core, eject, sudo, snapShotExecutor, safeTxs);
+    }
+}

scripts/yearnBorgReplaceSnapShotExecutor.s.sol

@@ -0,0 +1,94 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+pragma solidity 0.8.20;
+
+import {CommonBase} from "forge-std/Base.sol";
+import {Script} from "forge-std/Script.sol";
+import {StdChains} from "forge-std/StdChains.sol";
+import {StdCheatsSafe} from "forge-std/StdCheats.sol";
+import {StdUtils} from "forge-std/StdUtils.sol";
+import {console2} from "forge-std/console2.sol";
+import {ejectImplant} from "../src/implants/ejectImplant.sol";
+import {sudoImplant} from "../src/implants/sudoImplant.sol";
+import {BorgAuth} from "../src/libs/auth.sol";
+import {SnapShotExecutor} from "../src/libs/governance/snapShotExecutor.sol";
+import {IGnosisSafe} from "../test/libraries/safe.t.sol";
+
+contract YearnBorgReplaceSnapShotExecutorScript is Script {
+
+    // Warning: review and update the following before run
+
+    IGnosisSafe ychadSafe = IGnosisSafe(0xFEB4acf3df3cDEA7399794D0869ef76A6EfAff52); // ychad.eth
+
+    ejectImplant eject = ejectImplant(0xe44f5c9EAFB87731906AB87156E4F4cB3fa0Eb74);
+    sudoImplant sudo = sudoImplant(0x6766b727aa1489443b34A02ee89c34f39748600b);
+    SnapShotExecutor oldSnapShotExecutor = SnapShotExecutor(0x77691936fb6337d4B71dc62643b05b6bBE19285c);
+
+    // Configs: SnapShowExecutor
+    // Reuse the old one's parameters if we are just upgrading it to a newer version
+    uint256 snapShotWaitingPeriod = oldSnapShotExecutor.waitingPeriod();
+    uint256 snapShotCancelWaitingPeriod = oldSnapShotExecutor.cancelWaitingPeriod();
+    uint256 snapShotPendingProposalLimit = oldSnapShotExecutor.pendingProposalLimit();
+    uint256 snapShotOracleTtl = oldSnapShotExecutor.oracleTtl();
+    address oracle = oldSnapShotExecutor.oracle();
+
+    BorgAuth executorAuth = oldSnapShotExecutor.AUTH();
+    BorgAuth implantAuth = eject.AUTH();
+
+    /// @dev For running from `forge script`. Provide the deployer private key through env var.
+    function run() public returns(SnapShotExecutor, bytes memory, bytes memory) {
+        return run(vm.envUint("DEPLOYER_PRIVATE_KEY"));
+    }
+
+    /// @dev For running in tests
+    function run(uint256 deployerPrivateKey) public returns(SnapShotExecutor, bytes memory, bytes memory) {
+        console2.log("Configs:");
+        console2.log("  Safe Multisig:", address(ychadSafe));
+        console2.log("  Eject Implant:", address(eject));
+        console2.log("  Sudo Implant:", address(sudo));
+        console2.log("  Old SnapShotExecutor:", address(oldSnapShotExecutor));
+
+        address deployerAddress = vm.addr(deployerPrivateKey);
+        console2.log("Deployer:", deployerAddress);
+
+        vm.startBroadcast(deployerPrivateKey);
+
+        // Deploy new SnapShotExecutor
+        SnapShotExecutor newSnapShotExecutor = new SnapShotExecutor(executorAuth, address(oracle), snapShotWaitingPeriod, snapShotCancelWaitingPeriod, snapShotPendingProposalLimit, snapShotOracleTtl);
+
+        vm.stopBroadcast();
+
+        console2.log("Deployed addresses:");
+        console2.log("  New SnapShotExecutor: ", address(newSnapShotExecutor));
+
+        // Generate the proposal calldata for old SnapShotExecutor to transfer its implant ownership to the new one.
+        // We can't just do it here. The proposal must go through the co-approval process to take effect.
+
+        bytes memory grantNewOwnerData = abi.encodeWithSelector(
+            implantAuth.updateRole.selector,
+            address(newSnapShotExecutor),
+            implantAuth.OWNER_ROLE()
+        );
+
+        bytes memory revokeOldOwnerData = abi.encodeWithSelector(
+            implantAuth.updateRole.selector,
+            address(oldSnapShotExecutor),
+            0
+        );
+
+        console2.log("Tx proposal for the old SnapShotExecutor:");
+        console2.log("  to:", address(implantAuth));
+        console2.log("  value: 0");
+        console2.log("  data:");
+        console2.logBytes(grantNewOwnerData);
+        console2.log("");
+
+        console2.log("Tx proposal for the new SnapShotExecutor:");
+        console2.log("  to:", address(implantAuth));
+        console2.log("  value: 0");
+        console2.log("  data:");
+        console2.logBytes(revokeOldOwnerData);
+        console2.log("");
+
+        return (newSnapShotExecutor, grantNewOwnerData, revokeOldOwnerData);
+    }
+}

src/borgCore.sol

@@ -83,7 +83,15 @@ contract borgCore is BaseGuard, BorgAuthACL, IEIP4824 {
     string private _daoUri; // URI for the DAO
     LegalAgreement[] public legalAgreements; // array of legal agreements URIs for this BORG
     string public constant VERSION = "1.0.0"; // contract version
+
+    // 0x1 securityBORG/eBORG
+    // 0x2 grantsBORG
+    // 0x3 devBORG
+    // 0x4 finBORG
+    // 0x5 genBORG
+    // 0x6 bzBORG
     uint256 public immutable borgType; // type of the BORG
+
     enum borgModes { 
         whitelist, // everything is restricted except what has been whitelisted
         blacklist, // everything is allowed except contracts and methods that have been blacklisted. Param checks work the same as whitelist
@@ -188,13 +196,18 @@ contract borgCore is BaseGuard, BorgAuthACL, IEIP4824 {
                 lastNativeExecutionTimestamp = block.timestamp;
             } 
 
+            // Block all delegate calls by default in blacklist mode
+            if(operation == Enum.Operation.DelegateCall) {
+                // Only allow if contract is explicitly whitelisted for delegate calls
+                if(!policy[to].enabled || !policy[to].delegateCallAllowed) {
+                    revert BORG_CORE_DelegateCallNotAuthorized();
+                }
+            }
+
             //black list contract calls w/ data
              if (data.length > 0) {
                 if(policy[to].enabled) {
                     if(policy[to].fullAccessOrBlock) revert BORG_CORE_InvalidContract();
-                    if(!policy[to].delegateCallAllowed && operation == Enum.Operation.DelegateCall) {
-                        revert BORG_CORE_DelegateCallNotAuthorized();
-                    }
 
                     if(!isMethodCallAllowed(to, data))
                             revert BORG_CORE_MethodNotAuthorized();
@@ -297,12 +310,19 @@ contract borgCore is BaseGuard, BorgAuthACL, IEIP4824 {
     /// @param _contract address, the address of the contract
     /// @param _allowed bool, the flag to allow delegate calls
     function toggleDelegateCallContract(address _contract, bool _allowed) external onlyOwner {
-       //ensure the contract is allowed before enabling delegate calls
+        //ensure the contract is allowed before enabling delegate calls
        if(policy[_contract].enabled == true)
        {
             policy[_contract].delegateCallAllowed = _allowed;
             emit DelegateCallToggled(_contract, _allowed);
        }
+       else if(borgMode == borgModes.blacklist)
+       {
+        // Toggle will enable the contract policy
+        policy[_contract].enabled = true;
+        policy[_contract].delegateCallAllowed = _allowed;
+        emit DelegateCallToggled(_contract, _allowed);
+       }
        else
         revert BORG_CORE_InvalidContract();
     }
@@ -641,12 +661,12 @@ contract borgCore is BaseGuard, BorgAuthACL, IEIP4824 {
         bytes4 methodSelector = bytes4(_methodCallData[:4]);
         MethodConstraint storage methodConstraint = policy[_contract].methods[methodSelector];
 
-        if (!methodConstraint.enabled && borgMode == borgModes.whitelist) 
+        if (!methodConstraint.enabled && borgMode == borgModes.whitelist)
             return false;
-        
+
 
         if(methodConstraint.enabled && methodConstraint.paramOffsets.length == 0 && borgMode == borgModes.blacklist)
-            return false; 
+            return false;
 
         // Iterate through the whitelist constraints for the method
         for (uint256 i = 0; i < methodConstraint.paramOffsets.length;) {