feat: correct roles transfer for the DG deployment

sandstone-ag · sandstone-ag · commit 2e73c48cbe5d · 2025-09-26T15:24:33.000+04:00
diff --git a/contracts/0.4.24/template/LidoTemplate.sol b/contracts/0.4.24/template/LidoTemplate.sol
@@ -41,6 +41,7 @@ contract LidoTemplate is IsContract {
     string private constant ERROR_BAD_AMOUNTS_LEN = "TMPL_BAD_AMOUNTS_LEN";
     string private constant ERROR_INVALID_ID = "TMPL_INVALID_ID";
     string private constant ERROR_UNEXPECTED_TOTAL_SUPPLY = "TMPL_UNEXPECTED_TOTAL_SUPPLY";
+    string private constant ERROR_INVALID_DG_ADMIN_EXECUTOR = "TMPL_INVALID_DG_ADMIN_EXECUTOR";
 
     // Operational errors
     string private constant ERROR_PERMISSION_DENIED = "TMPL_PERMISSION_DENIED";
@@ -420,13 +421,50 @@ contract LidoTemplate is IsContract {
 
         _setupPermissions(state, repos);
         _transferRootPermissionsFromTemplateAndFinalizeDAO(state.dao, state.voting);
-        _resetState();
 
         aragonID.register(keccak256(abi.encodePacked(_daoName)), state.dao);
 
         emit TmplDaoFinalized();
     }
 
+    function finalizePermissionsAfterDGDeployment(address dgAdminExecutor) external onlyOwner {
+        require(dgAdminExecutor != address(0), ERROR_INVALID_DG_ADMIN_EXECUTOR);
+
+        DeployState memory state = deployState;
+
+        state.acl.grantPermission(dgAdminExecutor, address(state.agent), state.agent.RUN_SCRIPT_ROLE());
+        state.acl.grantPermission(dgAdminExecutor, address(state.agent), state.agent.EXECUTE_ROLE());
+
+        state.acl.revokePermission(address(state.voting), address(state.agent), state.agent.RUN_SCRIPT_ROLE());
+        state.acl.revokePermission(address(state.voting), address(state.agent), state.agent.EXECUTE_ROLE());
+
+        state.acl.setPermissionManager(address(state.agent), address(state.agent), state.agent.RUN_SCRIPT_ROLE());
+        state.acl.setPermissionManager(address(state.agent), address(state.agent), state.agent.EXECUTE_ROLE());
+
+        Kernel apmDAO = Kernel(state.lidoRegistry.kernel());
+        ACL apmACL = ACL(apmDAO.acl());
+        _transferPermissionFromTemplate(apmACL, apmACL, address(state.agent), apmACL.CREATE_PERMISSIONS_ROLE());
+
+        _transferPermissionFromTemplate(state.acl, address(state.acl), address(state.agent), state.acl.CREATE_PERMISSIONS_ROLE(), address(state.agent));
+
+        _resetState();
+    }
+
+    function finalizePermissionsWithoutDGDeployment() external onlyOwner {
+        DeployState memory state = deployState;
+
+        state.acl.setPermissionManager(address(state.voting), address(state.agent), state.agent.RUN_SCRIPT_ROLE());
+        state.acl.setPermissionManager(address(state.voting), address(state.agent), state.agent.EXECUTE_ROLE());
+
+        Kernel apmDAO = Kernel(state.lidoRegistry.kernel());
+        ACL apmACL = ACL(apmDAO.acl());
+        _transferPermissionFromTemplate(apmACL, apmACL, address(state.agent), apmACL.CREATE_PERMISSIONS_ROLE());
+
+        _transferPermissionFromTemplate(state.acl, address(state.acl), address(state.voting), state.acl.CREATE_PERMISSIONS_ROLE(), address(state.voting));
+
+        _resetState();
+    }
+
     /* DAO AND APPS */
 
     /**
@@ -580,7 +618,6 @@ contract LidoTemplate is IsContract {
 
         _transferPermissionFromTemplate(apmACL, _state.lidoRegistry, voting, _state.lidoRegistry.CREATE_REPO_ROLE());
         apmACL.setPermissionManager(agent, apmDAO, apmDAO.APP_MANAGER_ROLE());
-        _transferPermissionFromTemplate(apmACL, apmACL, agent, apmACL.CREATE_PERMISSIONS_ROLE());
         apmACL.setPermissionManager(voting, apmRegistrar, apmRegistrar.CREATE_NAME_ROLE());
         apmACL.setPermissionManager(voting, apmRegistrar, apmRegistrar.POINT_ROOTNODE_ROLE());
 
@@ -651,8 +688,8 @@ contract LidoTemplate is IsContract {
     }
 
     function _createAgentPermissions(ACL _acl, Agent _agent, address _voting) internal {
-        _createPermissionForVoting(_acl, _agent, _agent.EXECUTE_ROLE(), _voting);
-        _createPermissionForVoting(_acl, _agent, _agent.RUN_SCRIPT_ROLE(), _voting);
+        _acl.createPermission(_voting, _agent, _agent.EXECUTE_ROLE(), address(this));
+        _acl.createPermission(_voting, _agent, _agent.RUN_SCRIPT_ROLE(), address(this));
     }
 
     function _createVaultPermissions(ACL _acl, Vault _vault, address _finance, address _voting) internal {
@@ -695,7 +732,6 @@ contract LidoTemplate is IsContract {
     function _transferRootPermissionsFromTemplateAndFinalizeDAO(Kernel _dao, address _voting) private {
         ACL _acl = ACL(_dao.acl());
         _transferPermissionFromTemplate(_acl, _dao, _voting, _dao.APP_MANAGER_ROLE(), _voting);
-        _transferPermissionFromTemplate(_acl, _acl, _voting, _acl.CREATE_PERMISSIONS_ROLE(), _voting);
     }
 
     function _transferPermissionFromTemplate(ACL _acl, address _app, address _to, bytes32 _permission) private {
diff --git a/lib/dg-installation.ts b/lib/dg-installation.ts
@@ -3,7 +3,7 @@ import fs from "node:fs/promises";
 import util from "node:util";
 
 const DG_REPOSITORY_URL = "https://github.com/lidofinance/dual-governance.git";
-const DG_REPOSITORY_BRANCH = "feature/scratch-deploy-support"; // TODO: use release branch
+const DG_REPOSITORY_BRANCH = "feature/scratch-deploy-support2"; // TODO: use release branch
 const DG_INSTALL_DIR = `${process.cwd()}/dg`;
 
 async function main() {
diff --git a/scripts/dao-local-deploy.sh b/scripts/dao-local-deploy.sh
@@ -23,3 +23,10 @@ yarn hardhat --network $NETWORK run --no-compile scripts/utils/mine.ts
 
 # Run acceptance tests
 yarn test:integration:fork:local
+
+# If Dual Governance was deployed
+if grep "dg:dual_governance" $NETWORK_STATE_FILE -q; then
+  # Run DG regression tests
+  echo "Run Dual Governance regression tests"
+  (cd dg && npm run test:regressions)
+fi
diff --git a/scripts/dao-local-upgrade.sh b/scripts/dao-local-upgrade.sh
@@ -22,3 +22,10 @@ yarn hardhat --network $NETWORK run --no-compile scripts/utils/mine.ts
 
 # Run acceptance tests
 yarn test:integration:fork:local
+
+# If Dual Governance was deployed
+if grep "dg:dual_governance" $NETWORK_STATE_FILE -q; then
+  # Run DG regression tests
+  echo "Run Dual Governance regression tests"
+  (cd dg && npm run test:regressions)
+fi
diff --git a/scripts/scratch/deployed-testnet-defaults.json b/scripts/scratch/deployed-testnet-defaults.json
@@ -152,46 +152,46 @@
   },
   "dualGovernanceConfig": {
     "dual_governance": {
-      "tiebreaker_activation_timeout": 31536000,
+      "tiebreaker_activation_timeout": 900,
       "sanity_check_params": {
-        "max_min_assets_lock_duration": 4147200,
+        "max_min_assets_lock_duration": 3600,
         "max_sealable_withdrawal_blockers_count": 255,
-        "max_tiebreaker_activation_timeout": 63072000,
-        "min_tiebreaker_activation_timeout": 15768000,
-        "min_withdrawals_batch_size": 4
+        "max_tiebreaker_activation_timeout": 1800,
+        "min_tiebreaker_activation_timeout": 300,
+        "min_withdrawals_batch_size": 1
       }
     },
     "dual_governance_config_provider": {
       "first_seal_rage_quit_support": "10000000000000000",
       "second_seal_rage_quit_support": "100000000000000000",
-      "min_assets_lock_duration": 18000,
+      "min_assets_lock_duration": 300,
       "rage_quit_eth_withdrawals_delay_growth": 1296000,
-      "rage_quit_eth_withdrawals_min_delay": 5184000,
-      "rage_quit_eth_withdrawals_max_delay": 15552000,
-      "rage_quit_extension_period_duration": 604800,
-      "veto_cooldown_duration": 18000,
-      "veto_signalling_deactivation_max_duration": 259200,
-      "veto_signalling_min_active_duration": 18000,
-      "veto_signalling_min_duration": 432000,
-      "veto_signalling_max_duration": 3888000
+      "rage_quit_eth_withdrawals_min_delay": 300,
+      "rage_quit_eth_withdrawals_max_delay": 1800,
+      "rage_quit_extension_period_duration": 300,
+      "veto_cooldown_duration": 300,
+      "veto_signalling_deactivation_max_duration": 1800,
+      "veto_signalling_min_active_duration": 300,
+      "veto_signalling_min_duration": 300,
+      "veto_signalling_max_duration": 1500
     },
     "timelock": {
-      "after_submit_delay": 259200,
-      "after_schedule_delay": 86400,
+      "after_submit_delay": 300,
+      "after_schedule_delay": 300,
       "sanity_check_params": {
-        "min_execution_delay": 259200,
-        "max_after_submit_delay": 2592000,
-        "max_after_schedule_delay": 864000,
-        "max_emergency_mode_duration": 31536000,
-        "max_emergency_protection_duration": 94608000
+        "min_execution_delay": 300,
+        "max_after_submit_delay": 1800,
+        "max_after_schedule_delay": 1800,
+        "max_emergency_mode_duration": 1800,
+        "max_emergency_protection_duration": 31536000
       },
       "emergency_protection": {
-        "emergency_mode_duration": 2592000,
+        "emergency_mode_duration": 900,
         "emergency_protection_end_date": 1781913600
       }
     },
     "tiebreaker": {
-      "execution_delay": 2592000
+      "execution_delay": 900
     }
   }
 }
diff --git a/scripts/scratch/steps/0150-transfer-roles.ts b/scripts/scratch/steps/0150-transfer-roles.ts
@@ -28,7 +28,9 @@ export async function main() {
   for (const contract of ozAdminTransfers) {
     const contractInstance = await loadContract(contract.name, contract.address);
     await makeTx(contractInstance, "grantRole", [DEFAULT_ADMIN_ROLE, agent], { from: deployer });
-    await makeTx(contractInstance, "renounceRole", [DEFAULT_ADMIN_ROLE, deployer], { from: deployer });
+    if (process.env.DG_DEPLOYMENT_ENABLED == "false" || contract.name !== "WithdrawalQueueERC721") {
+      await makeTx(contractInstance, "renounceRole", [DEFAULT_ADMIN_ROLE, deployer], { from: deployer });
+    }
   }
 
   // Change admin for OssifiableProxy contracts
diff --git a/scripts/scratch/steps/0160-deploy-dual-governance.ts b/scripts/scratch/steps/0160-deploy-dual-governance.ts
@@ -4,7 +4,11 @@ import util from "node:util";
 
 import { ethers } from "hardhat";
 
+import { LidoTemplate, WithdrawalQueueERC721 } from "typechain-types";
+
 import { log } from "lib";
+import { loadContract } from "lib/contract";
+import { makeTx } from "lib/deploy";
 import { DeploymentState, getAddress, readNetworkState, Sk, updateObjectInState } from "lib/state-file";
 
 const DG_INSTALL_DIR = `${process.cwd()}/dg`;
@@ -13,6 +17,7 @@ const DG_DEPLOY_ARTIFACTS_DIR = `${DG_INSTALL_DIR}/deploy-artifacts`;
 export async function main() {
   if (process.env.DG_DEPLOYMENT_ENABLED == "false") {
     log.header("DG deployment disabled");
+    await finalizePermissionsWithoutDGDeployment();
     return;
   }
 
@@ -70,33 +75,102 @@ AND
     etherscanApiKey = process.env.ETHERSCAN_API_KEY;
   }
 
+  await unpauseWithdrawalQueue(deployer, state);
+
   await runCommand(
     `DEPLOY_CONFIG_FILE_NAME="${dgDeployConfigFilename}" RPC_URL="${process.env.LOCAL_RPC_URL}" ETHERSCAN_API_KEY="${etherscanApiKey}" DEPLOYER_ADDRESS="${deployer}" npm run forge:script scripts/deploy/DeployConfigurable.s.sol -- --broadcast --slow ${etherscanVerifyOption} --private-key ${deployerPrivateKey}`,
     DG_INSTALL_DIR,
   );
 
-  await runDGRegressionTests(chainId, state, process.env.LOCAL_RPC_URL);
-
   const dgDeployArtifacts = await getDGDeployArtifacts(chainId);
 
+  await transferRoles(deployer, dgDeployArtifacts, state);
+
+  await prepareDGRegressionTestsRun(chainId, state, process.env.LOCAL_RPC_URL);
+
   saveDGNetworkState(dgDeployArtifacts);
 }
 
-async function runDGRegressionTests(networkChainId: string, networkState: DeploymentState, rpcUrl: string) {
-  log.header("Run DG regression tests");
+async function finalizePermissionsWithoutDGDeployment() {
+  const deployer = (await ethers.provider.getSigner()).address;
+  const networkState = readNetworkState({ deployer });
+
+  const lidoTemplateAddress = getAddress(Sk.lidoTemplate, networkState);
+  const lidoTemplate = await loadContract<LidoTemplate>("LidoTemplate", lidoTemplateAddress);
+
+  await makeTx(lidoTemplate, "finalizePermissionsWithoutDGDeployment", [], { from: deployer });
+}
+
+async function transferRoles(deployer: string, dgDeployArtifacts: DGDeployArtifacts, networkState: DeploymentState) {
+  const aragonAgentAddress = getAddress(Sk.appAgent, networkState);
+  const votingAddress = getAddress(Sk.appVoting, networkState);
+  const withdrawalQueueAddress = getAddress(Sk.withdrawalQueueERC721, networkState);
+  const lidoTemplateAddress = getAddress(Sk.lidoTemplate, networkState);
+
+  const lidoTemplate = await loadContract<LidoTemplate>("LidoTemplate", lidoTemplateAddress);
+  const withdrawalQueue = await loadContract<WithdrawalQueueERC721>("WithdrawalQueueERC721", withdrawalQueueAddress);
+
+  const DEFAULT_ADMIN_ROLE = ethers.ZeroHash;
+
+  await makeTx(withdrawalQueue, "grantRole", [DEFAULT_ADMIN_ROLE, aragonAgentAddress], {
+    from: deployer,
+  });
+
+  await makeTx(
+    withdrawalQueue,
+    "grantRole",
+    [await withdrawalQueue.PAUSE_ROLE(), votingAddress /* = reseal_committee */],
+    {
+      from: deployer,
+    },
+  );
+
+  await makeTx(
+    withdrawalQueue,
+    "grantRole",
+    [await withdrawalQueue.RESUME_ROLE(), votingAddress /* = reseal_committee */],
+    {
+      from: deployer,
+    },
+  );
+
+  await makeTx(withdrawalQueue, "grantRole", [await withdrawalQueue.PAUSE_ROLE(), dgDeployArtifacts.reseal_manager], {
+    from: deployer,
+  });
+
+  await makeTx(withdrawalQueue, "grantRole", [await withdrawalQueue.RESUME_ROLE(), dgDeployArtifacts.reseal_manager], {
+    from: deployer,
+  });
+
+  await makeTx(withdrawalQueue, "renounceRole", [await withdrawalQueue.DEFAULT_ADMIN_ROLE(), deployer], {
+    from: deployer,
+  });
+
+  await makeTx(lidoTemplate, "finalizePermissionsAfterDGDeployment", [dgDeployArtifacts.admin_executor], {
+    from: deployer,
+  });
+}
+
+async function unpauseWithdrawalQueue(deployer: string, networkState: DeploymentState) {
+  const withdrawalQueueAddress = getAddress(Sk.withdrawalQueueERC721, networkState);
+  const withdrawalQueue = await loadContract<WithdrawalQueueERC721>("WithdrawalQueueERC721", withdrawalQueueAddress);
+
+  await makeTx(withdrawalQueue, "grantRole", [await withdrawalQueue.RESUME_ROLE(), deployer], {
+    from: deployer,
+  });
+
+  await makeTx(withdrawalQueue, "resume", [], {
+    from: deployer,
+  });
+}
+
+async function prepareDGRegressionTestsRun(networkChainId: string, networkState: DeploymentState, rpcUrl: string) {
+  log.header("Prepare DG regression tests run: update DG .env file");
 
   const deployArtifactFilename = await getLatestDGDeployArtifactFilename(networkChainId);
 
   const dotEnvFile = getDGDotEnvFile(deployArtifactFilename, networkState, rpcUrl);
   await writeDGDotEnvFile(dotEnvFile);
-
-  try {
-    await runCommand("npm run test:regressions", DG_INSTALL_DIR);
-  } catch (error) {
-    // TODO: some of regression tests don't work at the moment, need to fix it.
-    log.error("DG regression tests run failed");
-    log(`${error}`);
-  }
 }
 
 async function runCommand(command: string, workingDirectory: string) {
@@ -168,7 +242,7 @@ function getDGConfig(chainId: string, networkState: DeploymentState) {
     dual_governance: {
       admin_proposer: daoVoting,
       proposals_canceller: daoVoting,
-      sealable_withdrawal_blockers: [], // TODO: add withdrawalQueue
+      sealable_withdrawal_blockers: [withdrawalQueue],
       reseal_committee: daoVoting,
       tiebreaker_activation_timeout:
         networkState[Sk.dualGovernanceConfig].dual_governance.tiebreaker_activation_timeout,
@@ -266,6 +340,7 @@ function getDGDotEnvFile(deployArtifactFilename: string, networkState: Deploymen
   const elRewardsVault = getAddress(Sk.executionLayerRewardsVault, networkState);
   const withdrawalVault = getAddress(Sk.withdrawalVault, networkState);
   const oracleReportSanityChecker = getAddress(Sk.oracleReportSanityChecker, networkState);
+  const stakingRouter = getAddress(Sk.stakingRouter, networkState);
   const acl = getAddress(Sk.aragonAcl, networkState);
   const ldo = getAddress(Sk.ldo, networkState);
   const daoAgent = getAddress(Sk.appAgent, networkState);
@@ -283,11 +358,13 @@ DG_TESTS_LIDO_ACCOUNTING_ORACLE=${accountingOracle}
 DG_TESTS_LIDO_EL_REWARDS_VAULT=${elRewardsVault}
 DG_TESTS_LIDO_WITHDRAWAL_VAULT=${withdrawalVault}
 DG_TESTS_LIDO_ORACLE_REPORT_SANITY_CHECKER=${oracleReportSanityChecker}
+DG_TESTS_LIDO_STAKING_ROUTER=${stakingRouter}
 DG_TESTS_LIDO_DAO_ACL=${acl}
 DG_TESTS_LIDO_LDO_TOKEN=${ldo}
 DG_TESTS_LIDO_DAO_AGENT=${daoAgent}
 DG_TESTS_LIDO_DAO_VOTING=${daoVoting}
 DG_TESTS_LIDO_DAO_TOKEN_MANAGER=${daoTokenManager}
+DG_DISABLE_REGRESSION_TESTS_FOR_SCRATCH_DEPLOY=true
 `;
 }
 
@@ -357,7 +434,6 @@ async function getDGDeployArtifacts(networkChainId: string): Promise<DGDeployArt
 
   (Object.keys(contractsAddressesRe) as (keyof DGDeployArtifacts)[]).forEach((key) => {
     const address = deployArtifactFile.match(contractsAddressesRe[key]);
-    log("ADDRESS", (address && address[0]) || "", (address && address[1]) || "");
     if (!address || address.length < 2 || !address[1].length) {
       throw new Error(`DG deploy artifact file corrupted: ${key} not found`);
     }
