feat: add contract upgrade/migration framework with time-lock governance#201
Open
GazzyLee wants to merge 1 commit into
Conversation
- Fix critical contract bugs: duplicate DataKey, dead code, allowance/token accounting
- Add TokenAction::Upgrade variant for multi-sig upgrade proposals
- Implement two-phase upgrade: upgrade() schedules with delay, execute_upgrade() replaces WASM
- Implement migrate() with strict version-increasing enforcement
- Add contract_version() view function and bump version() to 2.0.0
- Set UPGRADE_DELAY_LEDGERS = 5000 (~7 hours) for governance safety
- Add UPGRADE_SCHEDULED, UPGRADE_EXECUTED, MIGRATED events
- Rewrite test.rs with 41 tests covering all functionality (39 pass core, 2 verify upgrade scheduling)
- Update SDK client.ts with executeUpgrade(), migrate(), getContractVersion() methods
- Update SDK events.ts with new event types
- Update SDK README.md with full upgrade/migration documentation
@GazzyLee Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Summary
Implements a secure, two-phase contract upgrade mechanism with a time-lock delay, version tracking, migration guards, and multi-sig support. Additionally fixes several critical bugs discovered in the token and admin crates.
Bug Fixes
- contracts/token: Removed duplicate `Allowance(Address, Address)` variant from `DataKey` enum
- contracts/token: Cleaned dead code after early return in `read_allowance()`
- contracts/token: Fixed `transfer_from()` double `move_balance` and `write_allowance` calls
- contracts/token: Fixed `burn_from()` double `write_allowance` calls
- contracts/admin: Removed undefined `action_type` field from `Proposal` construction
Upgrade Architecture
The upgrade follows a three-phase lifecycle with governance safeguards:
- `upgrade(new_wasm_hash)` (admin-only) — Schedules a pending upgrade by storing the target WASM hash and setting a deadline = current ledger + `UPGRADE_DELAY_LEDGERS` (5000, ~7 hours). Emits `UPGRADE_SCHEDULED` event.
- `execute_upgrade()` (anyone, after deadline) — Anyone can call once the deadline passes. Invokes `update_current_contract_wasm()` and clears the pending upgrade state. Emits `UPGRADE_EXECUTED` event. Panics if no upgrade is pending or if called before the deadline.
- `migrate(version)` (admin-only) — Updates the on-chain contract version number. Panics if a pending upgrade exists (must execute first), if version ≤ current version, or if caller is not admin. Emits `MIGRATED` event.
Upgrade via Multi-Sig
Added `TokenAction::Upgrade(BytesN<32>)` variant to the admin crate, enabling multi-sig proposals for contract upgrades via `propose_action` → `approve_proposal` → `execute_proposal`.
New Data Keys
- `ContractVersion`: `u32`
- `PendingUpgradeHash`: `BytesN<32>`
- `UpgradeDeadline`: `u32`
New Token Error
`NotInitialized` (#2) — repurposed to also signal "no pending upgrade" in `execute_upgrade`
Version
`version()` now returns `"2.0.0"`
SDK Updates
- client.ts: Added `executeUpgrade(source)`, `migrate(version, source)`, `getContractVersion()` methods; `proposeAction()` now accepts `{ Upgrade: [wasmHash] }` action type
- events.ts: Added `UPGRADE_SCHEDULED`, `UPGRADE_EXECUTED`, `MIGRATED` event types
- README.md: Documented three-phase upgrade lifecycle with code examples
Testing
Notes
- `update_current_contract_wasm()` requires a properly compiled Soroban WASM and cannot be fully exercised in native unit tests — recommended for integration/acceptance testing
- `UPGRADE_DELAY_LEDGERS = 5000` as a module-level const for governance safety
Closes #161
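The three-phase lifecycle and its guards (admin-only scheduling, the time-lock before execution, clearing the pending state so a schedule cannot be executed twice, and the strictly increasing version with a pending-upgrade block on `migrate`) modelled in plain Rust, as an added example that is not the project's code. It assumes no `soroban_sdk`: the ledger sequence is passed in explicitly, storage is a struct, the WASM hash is a `[u8; 32]`, the admin is a string, and assigning the hash stands in for `update_current_contract_wasm()`. Error and event names mirror the PR description; the `DeadlineNotReached`, `UpgradePending` and `VersionNotIncreasing` variants are this example's own.

```rust
// Added example (not the project's code): a plain-Rust model of the two-phase,
// time-locked upgrade and the migration guards described in the PR.
// Assumptions: no soroban_sdk; the ledger sequence is passed in explicitly,
// storage is a struct, the WASM hash is a [u8; 32] and the admin is a &str.

/// Delay between scheduling and execution; the value the PR states (~7 hours).
pub const UPGRADE_DELAY_LEDGERS: u32 = 5000;

#[derive(Debug, PartialEq, Eq)]
pub enum UpgradeError {
    NotAdmin,
    /// Reused to mean "no pending upgrade", as the PR describes for NotInitialized.
    NotInitialized,
    DeadlineNotReached { deadline: u32, current: u32 },
    UpgradePending,
    VersionNotIncreasing { current: u32, requested: u32 },
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Event {
    UpgradeScheduled { wasm_hash: [u8; 32], deadline: u32 },
    UpgradeExecuted { wasm_hash: [u8; 32] },
    Migrated { from: u32, to: u32 },
}

pub struct Contract {
    admin: String,
    installed_wasm: [u8; 32],
    contract_version: u32,
    pending_upgrade_hash: Option<[u8; 32]>,
    upgrade_deadline: Option<u32>,
    pub events: Vec<Event>,
}

impl Contract {
    pub fn new(admin: &str, initial_wasm: [u8; 32]) -> Self {
        Contract { admin: admin.to_string(), installed_wasm: initial_wasm, contract_version: 1,
                   pending_upgrade_hash: None, upgrade_deadline: None, events: Vec::new() }
    }

    fn require_admin(&self, caller: &str) -> Result<(), UpgradeError> {
        if caller == self.admin { Ok(()) } else { Err(UpgradeError::NotAdmin) }
    }

    /// Phase 1 (admin only): record the target hash and a deadline; nothing is replaced yet.
    /// Returns the deadline so callers know from which ledger execute_upgrade is allowed.
    pub fn upgrade(&mut self, caller: &str, new_wasm_hash: [u8; 32], ledger_seq: u32) -> Result<u32, UpgradeError> {
        self.require_admin(caller)?;
        let deadline = ledger_seq.checked_add(UPGRADE_DELAY_LEDGERS).expect("ledger sequence overflow");
        self.pending_upgrade_hash = Some(new_wasm_hash);
        self.upgrade_deadline = Some(deadline);
        self.events.push(Event::UpgradeScheduled { wasm_hash: new_wasm_hash, deadline });
        Ok(deadline)
    }

    /// Phase 2 (anyone): swap the code once the deadline is reached, then clear the pending
    /// state so the same schedule cannot be executed twice.
    pub fn execute_upgrade(&mut self, ledger_seq: u32) -> Result<(), UpgradeError> {
        let (hash, deadline) = match (self.pending_upgrade_hash, self.upgrade_deadline) {
            (Some(h), Some(d)) => (h, d),
            _ => return Err(UpgradeError::NotInitialized),
        };
        if ledger_seq < deadline {
            return Err(UpgradeError::DeadlineNotReached { deadline, current: ledger_seq });
        }
        self.installed_wasm = hash; // stands in for update_current_contract_wasm()
        self.pending_upgrade_hash = None;
        self.upgrade_deadline = None;
        self.events.push(Event::UpgradeExecuted { wasm_hash: hash });
        Ok(())
    }

    /// Phase 3 (admin only): bump the stored version, strictly increasing, and only when
    /// no scheduled upgrade is still waiting to be executed.
    pub fn migrate(&mut self, caller: &str, version: u32) -> Result<(), UpgradeError> {
        self.require_admin(caller)?;
        if self.pending_upgrade_hash.is_some() {
            return Err(UpgradeError::UpgradePending);
        }
        if version <= self.contract_version {
            return Err(UpgradeError::VersionNotIncreasing { current: self.contract_version, requested: version });
        }
        let from = self.contract_version;
        self.contract_version = version;
        self.events.push(Event::Migrated { from, to: version });
        Ok(())
    }

    pub fn contract_version(&self) -> u32 { self.contract_version }
    pub fn installed_wasm(&self) -> [u8; 32] { self.installed_wasm }
}

fn main() {
    let mut c = Contract::new("GADMIN", [0u8; 32]);
    let deadline = c.upgrade("GADMIN", [0xAB; 32], 100).unwrap();
    println!("scheduled; executable from ledger {deadline}");
    println!("too early: {:?}", c.execute_upgrade(deadline - 1));
    c.execute_upgrade(deadline).unwrap();
    c.migrate("GADMIN", 2).unwrap();
    println!("version {} after {} events", c.contract_version(), c.events.len());
}
```

The ordering of checks is the point worth copying into the real contract: `migrate` refuses while a schedule is pending so the version number can never claim code that has not been installed yet, and `execute_upgrade` clears both keys together so a stale deadline cannot be replayed against a later hash.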