fix: add pauser role to tss

[skosito]

add pauser role to tss in all evm contracts

Related to zeta-chain/node#3000

Summary by CodeRabbit

Summary by CodeRabbit

Release Notes

• New Features

  • Enhanced role management for the TSS address, including the addition of the PAUSER_ROLE and WITHDRAWER_ROLE.
  • New deposit functions for ETH and ERC20 tokens, allowing for more flexible fund transfers and interactions with omnichain smart contracts.
  • Improved event tracking for contract interactions with the introduction of new events.

• Bug Fixes

  • Deprecated the deposit function to streamline operations and improve clarity.

• Tests

  • Updated test contracts to reflect changes in address management and maintain access control integrity.

[coderabbitai]

📝 Walkthrough

📝 Walkthrough

Walkthrough

The pull request introduces significant modifications across several contracts, focusing on role management and the handling of the TSS (Threshold Signature Scheme) address. Key updates include granting the PAUSER_ROLE to the TSS address in multiple contracts, enhancing the updateTSSAddress function to manage role revocations and assignments, and marking the deposit function as deprecated. New functionalities for depositing assets and managing custody and connector addresses have also been added, along with updates to the testing contracts to reflect these changes.

Changes

File	Change Summary
v2/contracts/evm/ERC20Custody.sol	Updated constructor and updateTSSAddress for role management; deprecated deposit function.
v2/contracts/evm/GatewayEVM.sol	Modified initialize for role assignments; added depositAndCall, setCustody, and setConnector functions.
v2/contracts/evm/ZetaConnectorBase.sol	Constructor updated for role assignment; updateTSSAddress remains unchanged.
v2/test/ERC20Custody.t.sol	Introduced foo variable for testing; updated access control tests.
v2/test/GatewayEVM.t.sol	Added foo variable; modified tests for pause/unpause functionalities.
v2/test/ZetaConnectorNative.t.sol	Added foo variable; updated tests for pause/unpause functionalities.
v2/test/ZetaConnectorNonNative.t.sol	Introduced foo variable; modified tests for pause/unpause functionalities.
v2/test/utils/GatewayEVMUpgradeTest.sol	Updated initialize for role assignment; modified event emissions in execute function.

Possibly related PRs

• fix: missing tss update in erc20custody, zetaConnector and gatewayEVM #363: The changes in this PR directly relate to the updateTSSAddress function in the ERC20Custody and GatewayEVM contracts, which are also modified in the main PR to manage TSS address updates and role assignments.
• fix: cleanup tss updater changes #368: This PR addresses the removal of an unnecessary _execute function in GatewayEVM, which is relevant as it relates to the overall functionality and management of the TSS address updates in the contract.
• feat: limit msg and payload size #376: The modifications in this PR regarding payload size limits in the GatewayEVM contract are relevant as they enhance the overall robustness of the contract, which is consistent with the main PR's focus on improving contract functionality and security.
• feat: ERC20Custody and ZetaConnector uups upgradable #385: This PR focuses on making the ERC20Custody and ZetaConnector contracts upgradeable, which is directly related to the main PR's changes that enhance role management for the TSS address, ensuring that these functionalities remain intact during upgrades.

Suggested reviewers

• fadeev
• CharlieMc0
• andresaiello
• brewmaster012
• lumtis
• fbac

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.80%. Comparing base (282fdaa) to head (f23d061).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #386      +/-   ##
==========================================
+ Coverage   84.69%   84.80%   +0.11%     
==========================================
  Files           8        8              
  Lines         405      408       +3     
  Branches      134      134              
==========================================
+ Hits          343      346       +3     
  Misses         62       62              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (13)

v2/contracts/evm/ZetaConnectorBase.sol (1)

51-51: Approved: PAUSER_ROLE granted to tssAddress, aligning with PR objective.

The addition of _grantRole(PAUSER_ROLE, tssAddress_); successfully implements the PR objective of introducing a pauser role to the TSS. This change allows the TSS address to pause the contract, potentially improving emergency response capabilities.

However, it's important to note the security implications:

1. Granting PAUSER_ROLE to tssAddress_ increases the number of entities that can pause the contract.
2. This change slightly increases the attack surface of the contract.

Consider adding a comment explaining the rationale behind granting PAUSER_ROLE to tssAddress_. This will help future maintainers understand the design decision.

v2/contracts/evm/ERC20Custody.sol (2)

Line range hint 69-76: LGTM: Improved role management in updateTSSAddress

The changes ensure proper role management when updating the TSS address. Revoking roles from the old address before granting them to the new one is a good security practice.

Consider adding a check to ensure that the new TSS address is different from the current one to avoid unnecessary operations and event emissions.

Here's a suggested improvement:

 function updateTSSAddress(address newTSSAddress) external onlyRole(DEFAULT_ADMIN_ROLE) {
     if (newTSSAddress == address(0)) revert ZeroAddress();
+    if (newTSSAddress == tssAddress) revert SameAddress();
 
     _revokeRole(WITHDRAWER_ROLE, tssAddress);
     _revokeRole(WHITELISTER_ROLE, tssAddress);

---

Line range hint 208-211: LGTM: Improved backward compatibility handling in deposit function

The addition of the supportsLegacy check and marking the function as deprecated are good practices for managing the contract's evolution.

Consider adding a deprecation notice in the revert message to provide more context to users.

Here's a suggested improvement:

 function deposit(
     bytes calldata recipient,
     IERC20 asset,
     uint256 amount,
     bytes calldata message
 )
     external
     nonReentrant
     whenNotPaused
 {
-    if (!supportsLegacy) revert LegacyMethodsNotSupported();
+    if (!supportsLegacy) revert LegacyMethodsNotSupported("deposit function is deprecated");
     if (!whitelisted[address(asset)]) revert NotWhitelisted();

v2/test/ZetaConnectorNonNative.t.sol (2)

57-57: Add a comment explaining the role of the foo address.

The foo address is initialized with a specific value (0x9876). To improve code readability and maintainability, it would be helpful to add a comment explaining what this address represents in the context of these tests. For example, is it meant to represent an unauthorized user, a specific role, or serve some other purpose?

---

105-110: Approve changes and suggest additional test cases.

The modifications to use foo instead of tssAddress for testing unauthorized pause/unpause attempts are good. They verify that an address without the PAUSER_ROLE cannot perform these actions.

However, to ensure comprehensive testing:

1. Consider adding test cases to verify that tssAddress (which should have the PAUSER_ROLE) can successfully pause and unpause the contract.
2. It might be beneficial to add a test case where the PAUSER_ROLE is granted to foo, and then verify that it can pause/unpause the contract.

These additional tests would provide a more complete coverage of the pause functionality and role-based access control.

v2/test/ZetaConnectorNative.t.sol (4)

42-42: Consider using a more descriptive name for the foo variable.

The purpose of the foo address variable is not clear from its name. Consider using a more descriptive name that reflects its intended use in the test cases. Additionally, please provide a comment explaining why this new address is being introduced and how it differs from tssAddress.

Also applies to: 57-57

---

147-148: Approved: Good test for unauthorized access, but consider adding explanatory comments.

The changes correctly test the behavior when an unauthorized address attempts to pause and unpause the contract. This is a valuable test case for ensuring proper access control. However, to improve readability and maintainability:

1. Consider adding a comment explaining why foo is being used instead of tssAddress in these specific test cases.
2. You might want to rename foo to something more descriptive, like unauthorizedAddress, to make the intent of the test clearer.

Also applies to: 151-152

---

155-155: Clarify the different roles or permissions being tested in this function.

The testWithdrawTogglePause function uses both foo (an unauthorized address) and tssAddress for different operations. This mixed usage might be confusing to readers. Consider:

1. Adding comments to explain the different scenarios being tested (e.g., unauthorized pause attempt, authorized pause, etc.).
2. Structuring the test to clearly differentiate between the unauthorized and authorized actions.
3. Ensuring that all relevant permission scenarios are covered in this test.

---

Line range hint 1-385: Overall: Good addition of access control tests, but improve clarity and documentation.

The changes introduce valuable tests for unauthorized access attempts, which is crucial for ensuring proper access control in the ZetaConnectorNative contract. However, to enhance the maintainability and readability of the test suite:

1. Use more descriptive variable names (e.g., replace foo with something like unauthorizedAddress).
2. Add comments explaining the purpose of new variables and test scenarios.
3. Consider restructuring the testWithdrawTogglePause function to clearly separate tests for different permission levels.
4. Ensure consistent naming conventions and test structure throughout the file.

These improvements will make the tests more self-explanatory and easier to maintain in the future.

v2/test/utils/GatewayEVMUpgradeTest.sol (2)

Line range hint 35-35: LGTM. Consider updating documentation.

The addition of the ExecutedV2 event enhances the contract's ability to log execution actions in more detail. This change maintains backwards compatibility while allowing for future improvements in event handling.

Consider updating the contract's documentation to reflect this new event and its usage. Also, it might be helpful to add a comment explaining the difference between Executed and ExecutedV2 events for future developers.

---

Line range hint 173-195: LGTM. Consider adding documentation for the new execute function.

The addition of this new execute function provides a simpler interface for non-authenticated calls, which is a good improvement for usability. It maintains the same access controls as the original function, ensuring security.

Consider adding NatSpec documentation for this new function to clarify its purpose and usage, especially highlighting the difference between this and the authenticated execute function. For example:

/// @notice Executes a non-authenticated call to a destination address without ERC20 tokens.
/// @dev This function can only be called by the TSS address and it is payable.
/// @param destination Address to call.
/// @param data Calldata to pass to the call.
/// @return The result of the call.

v2/test/GatewayEVM.t.sol (1)

37-37: Consider using a more descriptive variable name.

The variable name foo is not descriptive and doesn't convey its purpose. Consider using a more meaningful name that reflects its role in the tests, such as nonAuthorizedAddress or unprivilegedUser.

v2/test/ERC20Custody.t.sol (1)

36-36: Consider using a more descriptive variable name.

The variable name foo doesn't provide context about its purpose in the test. Consider using a more descriptive name that reflects its role in the test cases, such as nonPauserAddress or unauthorizedAddress.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 475acfa and 0f4f85c.

📒 Files selected for processing (8)

• v2/contracts/evm/ERC20Custody.sol (1 hunks)
• v2/contracts/evm/GatewayEVM.sol (1 hunks)
• v2/contracts/evm/ZetaConnectorBase.sol (1 hunks)
• v2/test/ERC20Custody.t.sol (3 hunks)
• v2/test/GatewayEVM.t.sol (3 hunks)
• v2/test/ZetaConnectorNative.t.sol (3 hunks)
• v2/test/ZetaConnectorNonNative.t.sol (3 hunks)
• v2/test/utils/GatewayEVMUpgradeTest.sol (1 hunks)

🧰 Additional context used

🔇 Additional comments (8)

v2/contracts/evm/ERC20Custody.sol (2)

46-46: LGTM: Pauser role granted to TSS address

This change aligns well with the PR objective of introducing a pauser role to the TSS. It's consistent with the existing role assignments in the constructor and enhances the contract's control mechanisms.

---

Line range hint 1-228: Overall: Improved role management and backward compatibility

The changes in this file effectively implement the PR objectives by:

1. Introducing the pauser role for the TSS address.
2. Enhancing the updateTSSAddress function with proper role management.
3. Adding backward compatibility support through the supportsLegacy flag.

These improvements enhance the contract's security, flexibility, and maintainability. The code quality is good, with clear and consistent implementations throughout the file.

v2/test/ZetaConnectorNonNative.t.sol (1)

42-42: Clarify the purpose of the foo address variable.

A new address variable foo has been introduced. Could you please explain the intended purpose of this variable in the context of these tests? Understanding its role will help ensure that the tests accurately reflect the contract's behavior under different scenarios.

v2/test/utils/GatewayEVMUpgradeTest.sol (2)

Line range hint 1-686: Overall assessment: LGTM with minor suggestions.

The changes in this file align well with the PR objectives, introducing the pauser role to the TSS and improving the contract's functionality. The new ExecutedV2 event and the additional execute function enhance the contract's capabilities while maintaining backwards compatibility.

Key points:

1. The PAUSER_ROLE is now granted to the TSS address, allowing for emergency pausing.
2. A new ExecutedV2 event has been added for more detailed logging.
3. An additional execute function has been introduced for non-authenticated calls.

While the changes look good, consider the following minor improvements:

1. Document the security implications of granting PAUSER_ROLE to the TSS address.
2. Update the contract's documentation to reflect the new ExecutedV2 event and its usage.
3. Add NatSpec documentation for the new execute function to clarify its purpose and usage.

These changes enhance the contract's functionality and maintainability. Good job!

---

68-68: LGTM, but consider security implications.

The addition of _grantRole(PAUSER_ROLE, tssAddress_); aligns with the PR objective of introducing a pauser role to the TSS. This allows the TSS to pause the contract in emergency situations, which can be beneficial for system security.

However, it's important to consider the security implications of granting this role to the TSS address. If the TSS is compromised, an attacker could potentially pause the contract. Please ensure that appropriate safeguards are in place to protect the TSS and consider implementing additional checks or a multi-sig approach for pausing.

To verify the role assignment, you can run the following script:

✅ Verification successful

PAUSER_ROLE assignment to tssAddress_ verified.

The line _grantRole(PAUSER_ROLE, tssAddress_); is present in v2/test/utils/GatewayEVMUpgradeTest.sol as specified.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify PAUSER_ROLE assignment to tssAddress in initialize function
# Expected: The script should find the line granting PAUSER_ROLE to tssAddress_

rg --type solidity '_grantRole\(PAUSER_ROLE,\s*tssAddress_\)' v2/test/utils/GatewayEVMUpgradeTest.sol

Length of output: 136

---

Script:

#!/bin/bash
# Description: Verify PAUSER_ROLE assignment to tssAddress in initialize function
# Expected: The script should find the line granting PAUSER_ROLE to tssAddress_

rg '_grantRole\(PAUSER_ROLE,\s*tssAddress_\)' v2/test/utils/GatewayEVMUpgradeTest.sol -g "*.sol"

Length of output: 144

v2/test/ERC20Custody.t.sol (2)

230-231: LGTM: Good test for unauthorized pause attempt.

This change correctly tests that an unauthorized address (foo) cannot pause the contract. It's a good practice to ensure proper access control for critical functions like pause.

---

234-235: Verify the use of gateway for unpause test.

This change correctly tests that an unauthorized address (foo) cannot unpause the contract. However, it's testing the unpause function on the gateway instead of custody. Is this intentional? If not, consider changing it to custody.unpause() for consistency with the previous pause test and the overall test function name.

v2/contracts/evm/GatewayEVM.sol (1)

66-66: Appropriate assignment of PAUSER_ROLE to tssAddress_

Granting the PAUSER_ROLE to tssAddress_ allows the TSS to pause the contract when necessary, enhancing control and security over contract operations.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (4)

v2/contracts/evm/ZetaConnectorBase.sol (2)

75-75: Approved: Enhanced role management for TSS address

The addition of _grantRole(PAUSER_ROLE, tssAddress_); is a good security enhancement. It allows the TSS address to pause the contract in case of emergencies or when upgrades are needed, which aligns with its existing roles (WITHDRAWER_ROLE and TSS_ROLE).

Consider adding a comment above this line to explain why the TSS address is granted the PAUSER_ROLE, for better code documentation. For example:

// Grant PAUSER_ROLE to TSS for enhanced security and quicker response to potential issues
_grantRole(PAUSER_ROLE, tssAddress_);

---

Line range hint 84-97: Update updateTSSAddress function to handle PAUSER_ROLE

The updateTSSAddress function currently doesn't manage the PAUSER_ROLE when updating the TSS address. This could lead to inconsistency in role management.

Consider updating the updateTSSAddress function to handle the PAUSER_ROLE:

 function updateTSSAddress(address newTSSAddress) external onlyRole(DEFAULT_ADMIN_ROLE) {
     if (newTSSAddress == address(0)) revert ZeroAddress();

     _revokeRole(WITHDRAWER_ROLE, tssAddress);
     _revokeRole(TSS_ROLE, tssAddress);
+    _revokeRole(PAUSER_ROLE, tssAddress);

     _grantRole(WITHDRAWER_ROLE, newTSSAddress);
     _grantRole(TSS_ROLE, newTSSAddress);
+    _grantRole(PAUSER_ROLE, newTSSAddress);

     tssAddress = newTSSAddress;

     emit UpdatedZetaConnectorTSSAddress(newTSSAddress);
 }

This change ensures that the PAUSER_ROLE is properly transferred to the new TSS address, maintaining consistency with the other roles.

v2/test/ZetaConnectorNonNative.t.sol (2)

59-59: Consider using a more descriptive name for the new address variable.

The initialization of foo with a specific address (0x9876) is correct for testing purposes. However, to improve code readability and maintainability, consider using a more descriptive name that reflects its role or purpose in the tests, such as unauthorizedAddress or nonPauserAddress.

---

114-119: Approve changes and suggest additional test case.

The modifications to use foo instead of tssAddress for testing unauthorized access are appropriate. These changes correctly verify that an address without the PAUSER_ROLE cannot pause or unpause the contract.

To further strengthen the test suite, consider adding an additional test case that verifies the following:

1. Grant the PAUSER_ROLE to the foo address.
2. Verify that foo can now successfully pause and unpause the contract.

This would provide complete coverage of the role-based access control for the pause functionality.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 0f4f85c and b0a6908.

📒 Files selected for processing (7)

• v2/contracts/evm/ERC20Custody.sol (1 hunks)
• v2/contracts/evm/ZetaConnectorBase.sol (1 hunks)
• v2/test/ERC20Custody.t.sol (3 hunks)
• v2/test/GatewayEVM.t.sol (3 hunks)
• v2/test/ZetaConnectorNative.t.sol (3 hunks)
• v2/test/ZetaConnectorNonNative.t.sol (3 hunks)
• v2/test/utils/upgrades/GatewayEVMUpgradeTest.sol (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• v2/contracts/evm/ERC20Custody.sol
• v2/test/ERC20Custody.t.sol
• v2/test/GatewayEVM.t.sol
• v2/test/ZetaConnectorNative.t.sol

🧰 Additional context used

🔇 Additional comments (6)

v2/test/ZetaConnectorNonNative.t.sol (2)

42-42: Clarify the purpose of the foo address variable.

A new address variable foo has been introduced. Could you please explain its intended use and how it differs from existing address variables like tssAddress? This will help in understanding the context of the changes made to the test cases.

---

Line range hint 1-424: Overall, the changes improve test coverage and clarity.

The introduction of the new address variable (currently named foo) and the corresponding updates to the testWithdrawTogglePause function enhance the test suite by explicitly verifying the behavior for unauthorized access attempts. These changes strengthen the validation of the contract's access control mechanisms.

To further improve the test file:

1. Consider using a more descriptive name for the foo variable.
2. Add an additional test case to verify the behavior when the new address is granted the PAUSER_ROLE.

These modifications will result in a more comprehensive and easily understandable test suite for the ZetaConnectorNonNative contract.

v2/test/utils/upgrades/GatewayEVMUpgradeTest.sol (4)

Line range hint 41-41: LGTM: New event ExecutedV2 added

The addition of the ExecutedV2 event is a good practice for versioning and maintaining backward compatibility. It allows for distinguishing between different execution scenarios while preserving the existing Executed event.

---

68-68: LGTM: Granting PAUSER_ROLE to TSS address

Granting the PAUSER_ROLE to the TSS address is a good security measure. It allows the TSS to pause the contract if necessary, which is consistent with its existing permissions and responsibilities.

---

Line range hint 132-157: LGTM: Updated execute function with MessageContext

The changes to this execute function enhance its capabilities by including a MessageContext parameter. This modification allows for better handling of cross-chain message context. The function correctly emits the original Executed event, maintaining backward compatibility.

---

Line range hint 164-185: LGTM: New overloaded execute function added

The addition of this overloaded execute function is a good design choice. It maintains the existing functionality for calls that don't require message context, while emitting the new ExecutedV2 event. This approach provides flexibility and backward compatibility.