Per-contract panic buttons that can be disabled

We now allow to specify a panic button per contract. Such individual
panic buttons can be disabled what makes the operator contract
permanently approved. There is a default panic button value that is
assigned to each new operator contract.

The only role which can disable panic button for operator contract is
governance. We don't want the operator contract upgrader to have a power
of permanently approving operator contracts if this action can not be
later undone.

Author: pdyraga

solidity/contracts/Registry.sol

@@ -8,17 +8,32 @@ pragma solidity 0.5.17;
 contract Registry {
     enum ContractStatus {New, Approved, Disabled}
 
-    // Governance role is to enable recovery from key compromise by rekeying other roles.
+    // Governance role is to enable recovery from key compromise by rekeying
+    // other roles. Also, it can disable operator contract panic buttons
+    // permanently.
     address internal governance;
 
     // Registry Keeper maintains approved operator contracts. Each operator
     // contract must be approved before it can be authorized by a staker or
     // used by a service contract.
     address internal registryKeeper;
 
-    // The Panic Button can disable malicious or malfunctioning contracts
-    // that have been previously approved by the Registry Keeper.
-    address internal panicButton;
+    // Each operator contract has a Panic Button which can disable malicious
+    // or malfunctioning contract that have been previously approved by the
+    // Registry Keeper.
+    //
+    // New operator contract added to the registry has a default panic button
+    // value assigned (defaultPanicButton). Panic button for each operator
+    // contract can be later updated by Governance to individual value.
+    //
+    // It is possible to disable panic button for individual contract by
+    // setting the panic button to zero address. In such case, operator contract
+    // can not be disabled and is permanently approved in the registry.
+    mapping(address => address) public panicButtons;
+
+    // Default panic button for each new operator contract added to the
+    // registry. Can be later updated for each contract.
+    address internal defaultPanicButton;
 
     // Each service contract has a Operator Contract Upgrader whose purpose
     // is to manage operator contracts for that specific service contract.
@@ -34,7 +49,12 @@ contract Registry {
 
     event GovernanceUpdated();
     event RegistryKeeperUpdated();
-    event PanicButtonUpdated();
+    event DefaultPanicButtonUpdated();
+    event OperatorContractPanicButtonDisabled(address operatorContract);
+    event OperatorContractPanicButtonUpdated(
+        address operatorContract,
+        address panicButton
+    );
     event OperatorContractUpgraderUpdated(
         address serviceContract,
         address upgrader
@@ -50,15 +70,33 @@ contract Registry {
         _;
     }
 
-    modifier onlyPanicButton() {
+    modifier onlyPanicButton(address _operatorContract) {
+        address panicButton = panicButtons[_operatorContract];
+        require(panicButton != address(0), "Panic button disabled");
         require(panicButton == msg.sender, "Not authorized");
         _;
     }
 
+    modifier onlyForNewContract(address _operatorContract) {
+        require(
+            isNewOperatorContract(_operatorContract),
+            "Not a new operator contract"
+        );
+        _;
+    }
+
+    modifier onlyForApprovedContract(address _operatorContract) {
+        require(
+            isApprovedOperatorContract(_operatorContract),
+            "Not an approved operator contract"
+        );
+        _;
+    }
+
     constructor() public {
         governance = msg.sender;
         registryKeeper = msg.sender;
-        panicButton = msg.sender;
+        defaultPanicButton = msg.sender;
     }
 
     function setGovernance(address _governance) public onlyGovernance {
@@ -71,9 +109,45 @@ contract Registry {
         emit RegistryKeeperUpdated();
     }
 
-    function setPanicButton(address _panicButton) public onlyGovernance {
-        panicButton = _panicButton;
-        emit PanicButtonUpdated();
+    function setDefaultPanicButton(address _panicButton) public onlyGovernance {
+        defaultPanicButton = _panicButton;
+        emit DefaultPanicButtonUpdated();
+    }
+
+    function setOperatorContractPanicButton(
+        address _operatorContract,
+        address _panicButton
+    ) public onlyForApprovedContract(_operatorContract) onlyGovernance {
+        require(
+            panicButtons[_operatorContract] != address(0),
+            "Disabled panic button cannot be updated"
+        );
+        require(
+            _panicButton != address(0),
+            "Panic button must be non-zero address"
+        );
+
+        panicButtons[_operatorContract] = _panicButton;
+
+        emit OperatorContractPanicButtonUpdated(
+            _operatorContract,
+            _panicButton
+        );
+    }
+
+    function disableOperatorContractPanicButton(address _operatorContract)
+        public
+        onlyForApprovedContract(_operatorContract)
+        onlyGovernance
+    {
+        require(
+            panicButtons[_operatorContract] != address(0),
+            "Panic button already disabled"
+        );
+
+        panicButtons[_operatorContract] = address(0);
+
+        emit OperatorContractPanicButtonDisabled(_operatorContract);
     }
 
     function setOperatorContractUpgrader(
@@ -89,26 +163,19 @@ contract Registry {
 
     function approveOperatorContract(address operatorContract)
         public
+        onlyForNewContract(operatorContract)
         onlyRegistryKeeper
     {
-        require(
-            isNewOperatorContract(operatorContract),
-            "Only new operator contracts can be approved"
-        );
-
         operatorContracts[operatorContract] = ContractStatus.Approved;
+        panicButtons[operatorContract] = defaultPanicButton;
         emit OperatorContractApproved(operatorContract);
     }
 
     function disableOperatorContract(address operatorContract)
         public
-        onlyPanicButton
+        onlyForApprovedContract(operatorContract)
+        onlyPanicButton(operatorContract)
     {
-        require(
-            isApprovedOperatorContract(operatorContract),
-            "Only approved operator contracts can be disabled"
-        );
-
         operatorContracts[operatorContract] = ContractStatus.Disabled;
         emit OperatorContractDisabled(operatorContract);
     }

solidity/contracts/stubs/RegistryStub.sol

@@ -2,8 +2,8 @@ pragma solidity 0.5.17;
 
 import "../Registry.sol";
 
-contract RegistryStub is Registry {
 
+contract RegistryStub is Registry {
     function getGovernance() public view returns (address) {
         return governance;
     }
@@ -12,7 +12,15 @@ contract RegistryStub is Registry {
         return registryKeeper;
     }
 
-    function getPanicButton() public view returns (address) {
-        return panicButton;
+    function getDefaultPanicButton() public view returns (address) {
+        return defaultPanicButton;
+    }
+
+    function getPanicButtonForContract(address operatorContract)
+        public
+        view
+        returns (address)
+    {
+        return panicButtons[operatorContract];
     }
 }