design doc for the ocpm superchain upgrade fix

[AmadiMichael]

design doc for the ocpm superchain upgrade fix

[maurelian]

Before we talk about a solution, we first need to outline the requirements. Please try to list the various situations we need to consider, and the correct behaviour in each situation.

[AmadiMichael]

can you re-review?

[mds1]

Towards @maurelian's point, can we move the "Requirements and Expected behaviour" above, so it comes before "Proposed Solution"?

[mds1]

Actually, I see now that the "Requirements and Expected behaviour" is really talking about the Requirements and Expected behaviour needed to successfully implement the proposed solution. I believe what @maurelian is asking for (which I agree with) is a section that comes before "Proposed Solution" to explain what customer and developer requirements are, i.e. for various situations what is the expected behavior when calling upgrade? In slack @maurelian gave some scenarios, here are a few to start with:

Scenario Number	PAO == superchainPAO?	Target version is latest?	SuperchainConfig already on latest?	Expected Output
1	Yes	Yes	Yes	TODO
2	Yes	Yes	No	TODO
3	No	Yes	Yes	TODO
4	No	Yes	No	TODO
5	Yes	No	Yes	TODO
6	Yes	No	No	TODO
7	No	No	Yes	TODO
8	No	No	No	TODO

What should happen in each of those scenarios? It would be great to include a table like this will all the TODOs populated.

Can you think through any other missing scenarios (i.e. headers), and add the completed version to a new "Customer Requirements and Expected Behavior" section before "Proposed Solution"? I think we can also delete the "Requirements and Expected behaviour" header and make that part of the "Proposed Solution" header.

I just really want to make sure we are clear on the "Customer Requirements and Expected Behavior" before agreeing on a solution, and we'll want to get approval from Product on this design doc as well

[mds1]

Alternatively, makes for a nice flowchart

graph TD
    A{PAO == superchainPAO?}
    A -- Yes --> B{Target version is latest?}
    A -- No  --> E{Target version is latest?}

    B -- Yes --> C{SuperchainConfig already upgraded?}
    B -- No  --> D{SuperchainConfig already upgraded?}

    E -- Yes --> F{SuperchainConfig already upgraded?}
    E -- No  --> G{SuperchainConfig already upgraded?}

    C -- Yes --> S1["TODO"]
    C -- No  --> S2["TODO"]

    D -- Yes --> S5["TODO"]
    D -- No  --> S6["TODO"]

    F -- Yes --> S3["TODO"]
    F -- No  --> S4["TODO"]

    G -- Yes --> S7["TODO"]
    G -- No  --> S8["TODO"]

Loading

[AmadiMichael]

just pushed the table

[maurelian]

The second column here doesn't make sense to me.
In any situation where the ChainAPAO != superchainPAO you will always get a revert if you are trying to upgrade contracts with a different PAO.

The more relevant consideration is ChainAProxyAdmin == superchainProxyAdmin?, because that determines whether or not the current interface enables us to access the superchainProxyAdmin.

[maurelian]

When OPCM.upgrade() is called... If not upgraded, it should upgrade the SuperchainConfig...

How can we achieve that? AFAIK there is no way of getting the SuperchainProxyAdmin address from within the upgrade() function.

[AmadiMichael]

achieve what in particular?

[maurelian]

How can we upgrade the superchainConfig, if the SuperchainConfigProxyAdmin is not shared with the OP Chain? I don't think we can unless we add an argument to upgrade()

[AmadiMichael]

if we call upgrade with the superchainPAO and pass in an empty opChainConfig array

[maurelian]

This is safe and does not need checks because if a malicious actor tries doing this, it will fail when trying to actually upgrade the superchainConfig

This seems to imply that the upgrade itself happens within setSuperchainUpgraded() is that correct?

[AmadiMichael]

oh nope, i was talking about when calling the setSuperchainUpgraded from the upgrade function. it is safe since the upgrade will happen next and if the caller is not the superchainProxyAdmin, the tx will revert

[maurelian]

I'm a bit confused by this. If the mitigation is impossible, what can we actually do?

[AmadiMichael]

i am still looking into it currently

[mds1]

We say ProxyAdmin a lot in this section, but is it correct that really it's the ProxyAdmin Owner that matter?

[AmadiMichael]

fixed

[mds1]

Nit, implicit here is that ChainC has a different ProxyAdmin Owner (PAO)—let's state that explicitly for clarity

We should also explain what happens when ChainC has the same PAO

[AmadiMichael]

added

[mds1]

Hmm the control flow here feels a bit confusing and error prone. Is there a solution where we add inputs so the caller can simply specify whether they want to try upgrading the superchainConfig, with the following logic:

• Add bool shouldUpgradeSuperchainConfig as an input to the upgrade method`
• If isRc == false, this input value MUST be true. Revert if this condition is violated
• Otherwise, proceed to do the upgrade as normal and try upgrading superchainConfig when requested
• Note: Downside here is that chains with their own superchainConfig must remember to manually pass in true for this new bool

Alternatively, can we just make the (superchainProxyAdmin.getProxyImplementation(address(superchainConfig)) != impls.superchainConfigImpl)) check smarter to do a greater than/less than semver comparison instead of strict inequality?

[AmadiMichael]

Yeah but we want to try not changing the interface at all

[mds1]

Got it, so would it be fair to say there's two solutions here:

• Short term patches for the existing OPCM where we don't want to change the interface
• Longer term solution (i.e. for all future OPCMs) where we are ok with breaking the interface to simplify things. In these future OPCMs, we can read the PAO from any contract, therefore we can keep the interfaces the same and just have smarter internal logic about when to upgrade?

[AmadiMichael]

yes exactly

[maurelian]

We should remove this section since we added a similar one above.