Safety checks after performing a delegate call

[blmalone]

A new feature in superchain-ops 2.0 is enabling the parent multisig to delegatecall to a contract. Our initial use case involves OPCM. Instead of using Multicall3.sol for batching actions, we are switching to Multicall3Delegatecall.sol, which performs a delegatecall to OPCM.

Why use delegatecall?
The primary reason is to prevent any state changes in OPCM when executing functions. Allowing state modifications in OPCM could lead to non-deterministic behavior for chains integrating with OPCM in the future.

Security precautions to detect unwanted behavior early
By using delegatecall from the upgrade-controller, we introduce a risk: state changes on the upgrade-controller contract itself, which must be avoided at all costs.

To mitigate this, I propose that superchain-ops’ simulation step includes a post-execution check to verify that no state changes occurred in both the upgrade-controller contract and OPCM.

[maurelian]

Agree we definitely need to enforce this property. FWIW we have always been delegatecalling to Multicall3, so this is not entirely new, but it does add more risk since the OPCM logic is more complex and will change overtime.

I think this could be fairly easily done in checkStateDiff(), since the only diff should be the nonce.

[ElliotFriedman]

New PR is up to add the checkStateDiff function #602

The OPCM template PR can implement this functionality.