Allowlist for Wallet Registry (#3826)

The allowlist contract replaces the Threshold `TokenStaking` contract
and is as an outcome of TIP-092 and TIP-100 governance decisions.
Staking tokens is no longer required to operate nodes. Beta stakers are
selected by the DAO and operate the network based on the allowlist
maintained by the DAO. The contract will be integrated with the
`WalletRegistry` and replace calls to `TokenStaking`.

I have been experimenting with various approaches, and the most extreme
one was to remove most of the `EcdsaAuthorization` logic as well as all
`TokenStaking.seize` calls. This would have cascading effects on tBTC
Bridge contracts as they rely on `WalletRegistry.seize`. That would also
require implementing weight decrease delays in the `Allowlist,` so
essentially doing work that is already done in `WalletRegistry`.
Considering the pros and cons, I decided on the least invasive option.
The `WalletRegistry` still thinks in terms of stake authorization, but
everything is based on the staking provider's weight as set in the
`Allowlist`, and weight decrease delays are enforced by the existing
mechanism in `EcdsaAuthorization`. The `seize` function does nothing
except of emitting an event about detecting beta staker misbehavior.

# To be done

## Deployment script

We need to capture all existing beta stakers along with their current
authorizations and initialize the `Allowlist` contract. We can do it by
either replicating the existing weights or giving them all the same
weight.

## Integrate with `WalletRegistry` and tests

There are two approaches to achieve it. The first one is to get rid of
all references to `TokenStaking` from tests and update them to work with
`Allowlist`. Another approach is to let them work with `TokenStaking`
but introduce another integration test for those two contracts. In this
option, we could use in `WalletRegistry` something like:

```
    modifier onlyStakingContract() {
        address _allowlist = address(allowlist);
        require(
            // If the allowlist is set, accept calls only from the allowlist.
            // This is post-TIP-98 scenario. If the allowlist is not set, accept
            // calls only from the staking contract. This is pre-TIP-98 scenario.
            (_allowlist != address(0) && msg.sender == _allowlist) ||
                (_allowlist == address(0) && msg.sender == address(staking)),
            "Caller is not the staking contract"
        );
        _;
    }

    /// @notice Initializes V2 version of the WalletRegistry operating with the
    ///         Allowlist contract, as a result of TIP-098 and TIP-100 governance
    ///         decisions.
    function initializeV2(address _allowlist) external reinitializer(2) {
        allowlist = Allowlist(_allowlist);
    }

    /// @dev Provides the expected IStaking reference. If the allowlist is set,
    ///      it acts as the staking contract. If it is not set, the TokenStaking
    ///      acts as the staking contract.
    function _staking() internal returns (IStaking) {
        if (address(allowlist) != address(0)) {
            return IStaking(allowlist);
        }

        return staking;
    }
```

Note that the `WalletRegistry` is close to the maximum allowed contract
size and - surprise! - adding the logic above makes it exceed the
allowed size. This could potentially be alleviated by removing some of
the functionality. For example, in the `challengeDkgResult` function we
have a try catch as well as a call to `dkg.requireChallengeExtraGas()`.
This could potentially be eliminated as a no-op `seize` in `Allowlist`
is guaranteed to always succeed. Also, post
[EIP-7702](https://eips.ethereum.org/EIPS/eip-7702), the
`require(msg.sender == tx.origin, "Not EOA")` check is no longer
guaranteed to work as expected.

Author: lrsaturnino

.github/workflows/client.yml

@@ -11,6 +11,7 @@ on:
       - "docs/**"
       - "infrastructure/**"
       - "scripts/**"
+      - "solidity/**"
       - "solidity-v1/**"
       - "token-stakedrop/**"
   pull_request:
@@ -45,7 +46,7 @@ jobs:
         with:
           filters: |
             path-filter:
-              - './!((docs-v1|docs|infrastructure|scripts|solidity-v1|token-stakedrop)/**)'
+              - './!((docs-v1|docs|infrastructure|scripts|solidity|solidity-v1|token-stakedrop)/**)'
 
   electrum-integration-detect-changes:
     runs-on: ubuntu-latest

.github/workflows/contracts-ecdsa.yml

@@ -109,7 +109,7 @@ jobs:
       # As a workaround for a slither issue https://github.com/crytic/slither/issues/1140
       # we disable compilation of dependencies when running slither.
       - name: Run Slither
-        run: SKIP_DEPENDENCY_COMPILER=true slither .
+        run: SKIP_DEPENDENCY_COMPILER=true slither . --compile-force-framework hardhat
 
   contracts-build-and-test:
     needs: contracts-detect-changes

solidity/ecdsa/.env.example

@@ -0,0 +1,47 @@
+# =============================================================================
+# Environment Configuration for keep-core/solidity/ecdsa
+# =============================================================================
+# Copy this file to .env and fill in your values.
+# NEVER commit .env files with private keys!
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# RPC Endpoint (required for Sepolia and Mainnet)
+# -----------------------------------------------------------------------------
+# Use Alchemy, Infura, or another provider
+# Example: https://eth-sepolia.g.alchemy.com/v2/YOUR_API_KEY
+# Example: https://eth-mainnet.g.alchemy.com/v2/YOUR_API_KEY
+CHAIN_API_URL=
+
+# -----------------------------------------------------------------------------
+# Sepolia Configuration
+# -----------------------------------------------------------------------------
+# Comma-separated list of private keys (without 0x prefix)
+# The first key should correspond to: 0x68ad60CC5e8f3B7cC53beaB321cf0e6036962dBc
+ACCOUNTS_PRIVATE_KEYS=
+
+# -----------------------------------------------------------------------------
+# Mainnet Configuration
+# -----------------------------------------------------------------------------
+# Single private key for the deployer account (without 0x prefix)
+# Should correspond to: 0x716089154304f22a2F9c8d2f8C45815183BF3532
+CONTRACT_OWNER_ACCOUNT_PRIVATE_KEY=
+
+# -----------------------------------------------------------------------------
+# Contract Verification (optional but recommended)
+# -----------------------------------------------------------------------------
+# Get your API key from https://etherscan.io/myapikey
+ETHERSCAN_API_KEY=
+
+# -----------------------------------------------------------------------------
+# Forking Configuration (optional, for local testing)
+# -----------------------------------------------------------------------------
+# URL for forking mainnet state (requires archive node access)
+# FORKING_URL=https://eth-mainnet.g.alchemy.com/v2/YOUR_API_KEY
+# FORKING_BLOCK=
+
+# -----------------------------------------------------------------------------
+# External Deployments (optional)
+# -----------------------------------------------------------------------------
+# Set to "true" to use external contract deployments
+# USE_EXTERNAL_DEPLOY=false

solidity/ecdsa/.gitignore

@@ -13,3 +13,13 @@ deployments/*
 
 # OpenZeppelin
 .openzeppelin/unknown-*.json
+
+# Environment variables (NEVER commit private keys!)
+.env
+.env.local
+.env.*.local
+.env.sepolia
+.env.mainnet
+
+# Migration results (may contain sensitive info)
+migration-results.json

solidity/ecdsa/.nvmrc

@@ -0,0 +1 @@
+lts/hydrogen