This repo contains a set of contracts used for administering Chainlink contracts, most notably CCIP.
The contracts in this repo's main branch are considered production-grade and
have been reviewed as part of a code4rena contest.
We use foundry. The tests rely on some ffi code written in Go 1.18 (see testCommands/).
See the official Go docs for installation instructions.
Once you have Go running, forge test --ffi should do the trick.
Format code with forge fmt.
Generate a code coverage report by running ./coverage.sh.
The CallProxy, ManyChainMultiSig, RBACTimelock contracts are all part of a system of owner contracts that is supposed to administer other contracts (henceforth referred to as OWNED). OWNED contracts represent any system of contracts that (1) have an owner or similar role (e.g. using OpenZeppelin's OwnableInterface) and that (2) are potentially deployed across multiple chains.
Here is a diagram of how we envision these contracts to interact:
graph LR;
owned[OWNED contracts];
prop[ManyChainMultiSig for proposers];
cancel[ManyChainMultiSig for cancellers];
forwarder[CallProxy];
timelock[RBACTimelock];
emerg[ManyChainMultiSig for bypassers];
prop --> |PROPOSER| timelock;
prop --> |CANCELLER| timelock;
cancel --> |CANCELLER| timelock;
forwarder --> |EXECUTOR| timelock;
timelock --> |ADMIN| timelock;
timelock --> |OWNER| owned;
timelock --> |OWNER| emerg;
timelock --> |OWNER| cancel;
timelock --> |OWNER| prop;
emerg --> |BYPASSER| timelock;
Regular administration of the OWNED contracts is expected to happen through
the RBACTimelock's Proposer/Executor/Canceller roles. The Bypasser role is
expected to only become active in "break-glass" type emergency scenarios where
waiting for RBACTimelock.minDelay would be harmful.
Proposers can also cancel so that they may "undo" proposals with mistakes in them.
Gas cost isn't particularly important for these contracts because they're not expected to be called often. Correctness matters much more.
We expect to set RBACTimelock.minDelay and delay to ~ 24 hours, but in general values
between 1 hour and 1 month should be supported.
This enables anyone to inspect configuration changes to the OWNED contracts before
they take effect. For example, a user that disagrees with a configuration change might choose
to withdraw funds stored in OWNED contracts before they can be executed.
We may use RBACTimelock.blockFunctionSelector to prevent specific functions on the
OWNED contracts from being called through the regular propose-execute flow.
RBACTimelock is based on an OpenZeppelin contract. We intentionally use the
old require syntax (and some other old techniques) in RBACTimelock to keep
the diff vs the original OZ contract smaller.
The CallProxy is intentionally callable by anyone. Offchain tooling used for
generating configuration changes will make appropriate use of the RBACTimelock's
support for predecessors to ensure that configuration changes are sequenced properly
even if an adversary is executing them. Since the adversary can control the gas amount
and gas price, callees are expected to not have gas-dependent behavior other than
reverting if insufficient gas is supplied.
The CallProxy is not expected to be used with contracts that could SELFDESTRUCT. It thus has no
EXTCODESIZE-check prior to making a call. We expect it to be configured correctly (i.e. pointing to a real RBACTimelock) on deployment.
Unlike standard multi-sig contracts, ManyChainMultiSig supports signing many transactions
targeting many chains with a single set of signatures. (We currently only target EVM chains
and all EVM chains support the same ECDSA secp256k1 standard.) This is useful for administering
systems of contracts spanning many chains without increasing signing overhead linearly with the
number of supported chains. We expect to use the same set of EOA signers across many chains. Consequently, ManyChainMultiSig only supports EOAs as signers, not other smart contracts.
Similar to the rest of the system, anyone who can furnish a correct Merkle proof is allowed to execute authorized calls on the ManyChainMultiSig, including a potential adversary. The
adversary will be able to control the gas price and gas amount for the execution.
The proposer and canceller ManyChainMultiSig contracts are expected to be
configured with a group structure like this, with different sets of signers for each
(exact k-of-n parameters might differ):
┌──────────┐
│Root Group│
┌──►│ 6-of-8 │◄─────────┐
│ └──────────┘ │
│ ▲ │
│ │ │
┌────┴───┐ ┌───┴────┐ ┌────┴───┐
│signer 1│ │signer 2│ ... │signer 8│
└────────┘ └────────┘ └────────┘
The bypasser ManyChainMultiSig contract is expected to be configured with a
more complex group structure like this (exact structure might differ):
graph TD;
root[root group<br>2-of-2];
sub1[subgroup 1<br>6-of-8];
sub2[subgroup 2<br>2-of-3];
sub21[subgroup 2.1<br>6-of-8];
sub22[subgroup 2.2<br>1-of-3];
sub23[subgroup 2.3<br>6-of-8];
sigs1to8[signers 1 ... 8];
sigs9to16[signers 9 ... 16];
sigs17to19[signers 17 ... 19];
sigs20to27[signers 20 ... 27];
root --- sub1;
root --- sub2;
sub2 --- sub21;
sub2 --- sub22;
sub2 --- sub23;
sub1 --- sigs1to8;
sub1 --- sigs1to8;
sub1 --- sigs1to8;
sub1 --- sigs1to8;
sub1 --- sigs1to8;
sub1 --- sigs1to8;
sub1 --- sigs1to8;
sub1 --- sigs1to8;
sub21 --- sigs9to16;
sub21 --- sigs9to16;
sub21 --- sigs9to16;
sub21 --- sigs9to16;
sub21 --- sigs9to16;
sub21 --- sigs9to16;
sub21 --- sigs9to16;
sub21 --- sigs9to16;
sub22 --- sigs17to19;
sub22 --- sigs17to19;
sub22 --- sigs17to19;
sub23 --- sigs20to27;
sub23 --- sigs20to27;
sub23 --- sigs20to27;
sub23 --- sigs20to27;
sub23 --- sigs20to27;
sub23 --- sigs20to27;
sub23 --- sigs20to27;
sub23 --- sigs20to27;
Subgroup 1 has the same signers as the canceller ManyChainMultiSig. No change can ever be enacted
without approval of this group.
In practice, we expect the k-of-n configurations of groups to typically have 1<=k<=32 and
1<=n<=32 (where k<=n and we tolerate the overall limits on groups/signers set in
ManyChainMultiSig code).
We intentionally store chain ids in uint256, foregoing some storage savings. We want to minimize the likelihood of having to change the contract later to support larger chain ids and the cost savings aren't very significant since we don't envision setting new roots all that frequently. We are aware of a proposal to bound chain ids to 64 bits, but it is still unresolved.
We choose the tried-and-true OpenZeppelin Merkle tree. We remain conservative and don't make use of multiproofs for the sake of simplicity. The same KISS approach also leads us to not make use of Merkle tries with support for storing key-value-pairs (e.g. sparse Merkle trees). Such tries would enable us to compute a unique key for each Op, preventing e.g. two Ops with the same nonce and multisig contract from being included in the trie. However, the practical benefit of doing so seems limited: a faulty set of signers can take far more damaging actions that putting two conflicting transactions in the trie.
The following steps need to be performed for a set of onchain maintenance operations on the OWNED contracts:
- [offchain, out of scope] Merkle tree generation & signing: A Merkle tree containing all the required
ManyChainMultiSigops (containingRBACTimelock.scheduleBatchcalls) for the desired maintenance operations is generated by the proposers. A quorum of signers from the proposerManyChainMultiSigmust sign (offchain) the Merkle root. setRootcall on all relevantManyChainMultiSigcontracts across chains: The signed Merkle root is then sent toManyChainMultiSigs. Anyone who has been given the root and the signatures offchain can send it toManyChainMultiSigs.executeonManyChainMultiSig: To propose an action to theRBACTimelock, a multi-sig op is executed by providing a Merkle proof for that specific op. Anyone who has been given the full Merkle tree offchain can propose the action.executeBatchonRBACTimelock: After the timelock wait period expires, the proposed actions in TimeLock can be executed. This assumes that the cancellers have not cancelled them in the meantime. Anyone can execute the actions because all the required information is available on the blockchain through event logs.
This can be thought of as an optional step of the propose-and-execute flow. If a quorum of cancellers disapproves of an action pending on the
RBACTimelock, they can create a set of ManyChainMultiSig.Ops that calls RBACTimelock.cancel on
all relevant RBACTimelocks.
This is completely independent of the propose-and-execute flow.
Bypassers create a set of ManyChainMultiSig.Ops that calls RBACTimelock.bypasserExecuteBatch on
all relevant RBACTimelocks.