Merge pull request #1623 from keep-network/panic

eth-r · web-flow · commit b60833e2c47b · 2020-04-17T23:11:42.000+01:00
Panic button per operator contract with a possibility of being disabled
diff --git a/solidity/contracts/Registry.sol b/solidity/contracts/Registry.sol
@@ -6,20 +6,34 @@ pragma solidity 0.5.17;
  * @dev Governance owned registry of approved contracts and roles.
  */
 contract Registry {
+    enum ContractStatus {New, Approved, Disabled}
 
-    enum ContractStatus { New, Approved, Disabled }
-
-    // Governance role is to enable recovery from key compromise by rekeying other roles.
+    // Governance role is to enable recovery from key compromise by rekeying
+    // other roles. Also, it can disable operator contract panic buttons
+    // permanently.
     address internal governance;
 
     // Registry Keeper maintains approved operator contracts. Each operator
     // contract must be approved before it can be authorized by a staker or
     // used by a service contract.
     address internal registryKeeper;
 
-    // The Panic Button can disable malicious or malfunctioning contracts
-    // that have been previously approved by the Registry Keeper.
-    address internal panicButton;
+    // Each operator contract has a Panic Button which can disable malicious
+    // or malfunctioning contract that have been previously approved by the
+    // Registry Keeper.
+    //
+    // New operator contract added to the registry has a default panic button
+    // value assigned (defaultPanicButton). Panic button for each operator
+    // contract can be later updated by Governance to individual value.
+    //
+    // It is possible to disable panic button for individual contract by
+    // setting the panic button to zero address. In such case, operator contract
+    // can not be disabled and is permanently approved in the registry.
+    mapping(address => address) public panicButtons;
+
+    // Default panic button for each new operator contract added to the
+    // registry. Can be later updated for each contract.
+    address internal defaultPanicButton;
 
     // Each service contract has a Operator Contract Upgrader whose purpose
     // is to manage operator contracts for that specific service contract.
@@ -35,8 +49,16 @@ contract Registry {
 
     event GovernanceUpdated();
     event RegistryKeeperUpdated();
-    event PanicButtonUpdated();
-    event OperatorContractUpgraderUpdated(address serviceContract, address upgrader);
+    event DefaultPanicButtonUpdated();
+    event OperatorContractPanicButtonDisabled(address operatorContract);
+    event OperatorContractPanicButtonUpdated(
+        address operatorContract,
+        address panicButton
+    );
+    event OperatorContractUpgraderUpdated(
+        address serviceContract,
+        address upgrader
+    );
 
     modifier onlyGovernance() {
         require(governance == msg.sender, "Not authorized");
@@ -48,15 +70,33 @@ contract Registry {
         _;
     }
 
-    modifier onlyPanicButton() {
+    modifier onlyPanicButton(address _operatorContract) {
+        address panicButton = panicButtons[_operatorContract];
+        require(panicButton != address(0), "Panic button disabled");
         require(panicButton == msg.sender, "Not authorized");
         _;
     }
 
+    modifier onlyForNewContract(address _operatorContract) {
+        require(
+            isNewOperatorContract(_operatorContract),
+            "Not a new operator contract"
+        );
+        _;
+    }
+
+    modifier onlyForApprovedContract(address _operatorContract) {
+        require(
+            isApprovedOperatorContract(_operatorContract),
+            "Not an approved operator contract"
+        );
+        _;
+    }
+
     constructor() public {
         governance = msg.sender;
         registryKeeper = msg.sender;
-        panicButton = msg.sender;
+        defaultPanicButton = msg.sender;
     }
 
     function setGovernance(address _governance) public onlyGovernance {
@@ -69,45 +109,98 @@ contract Registry {
         emit RegistryKeeperUpdated();
     }
 
-    function setPanicButton(address _panicButton) public onlyGovernance {
-        panicButton = _panicButton;
-        emit PanicButtonUpdated();
+    function setDefaultPanicButton(address _panicButton) public onlyGovernance {
+        defaultPanicButton = _panicButton;
+        emit DefaultPanicButtonUpdated();
     }
 
-    function setOperatorContractUpgrader(address _serviceContract, address _operatorContractUpgrader) public onlyGovernance {
-        operatorContractUpgraders[_serviceContract] = _operatorContractUpgrader;
-        emit OperatorContractUpgraderUpdated(_serviceContract, _operatorContractUpgrader);
+    function setOperatorContractPanicButton(
+        address _operatorContract,
+        address _panicButton
+    ) public onlyForApprovedContract(_operatorContract) onlyGovernance {
+        require(
+            panicButtons[_operatorContract] != address(0),
+            "Disabled panic button cannot be updated"
+        );
+        require(
+            _panicButton != address(0),
+            "Panic button must be non-zero address"
+        );
+
+        panicButtons[_operatorContract] = _panicButton;
+
+        emit OperatorContractPanicButtonUpdated(
+            _operatorContract,
+            _panicButton
+        );
     }
 
-    function approveOperatorContract(address operatorContract) public onlyRegistryKeeper {
+    function disableOperatorContractPanicButton(address _operatorContract)
+        public
+        onlyForApprovedContract(_operatorContract)
+        onlyGovernance
+    {
         require(
-            isNewOperatorContract(operatorContract),
-            "Only new operator contracts can be approved"
+            panicButtons[_operatorContract] != address(0),
+            "Panic button already disabled"
         );
 
-        operatorContracts[operatorContract] = ContractStatus.Approved;
-        emit OperatorContractApproved(operatorContract);
+        panicButtons[_operatorContract] = address(0);
+
+        emit OperatorContractPanicButtonDisabled(_operatorContract);
     }
 
-    function disableOperatorContract(address operatorContract) public onlyPanicButton {
-        require(
-            isApprovedOperatorContract(operatorContract),
-            "Only approved operator contracts can be disabled"
+    function setOperatorContractUpgrader(
+        address _serviceContract,
+        address _operatorContractUpgrader
+    ) public onlyGovernance {
+        operatorContractUpgraders[_serviceContract] = _operatorContractUpgrader;
+        emit OperatorContractUpgraderUpdated(
+            _serviceContract,
+            _operatorContractUpgrader
         );
+    }
+
+    function approveOperatorContract(address operatorContract)
+        public
+        onlyForNewContract(operatorContract)
+        onlyRegistryKeeper
+    {
+        operatorContracts[operatorContract] = ContractStatus.Approved;
+        panicButtons[operatorContract] = defaultPanicButton;
+        emit OperatorContractApproved(operatorContract);
+    }
 
+    function disableOperatorContract(address operatorContract)
+        public
+        onlyForApprovedContract(operatorContract)
+        onlyPanicButton(operatorContract)
+    {
         operatorContracts[operatorContract] = ContractStatus.Disabled;
         emit OperatorContractDisabled(operatorContract);
     }
 
-    function isNewOperatorContract(address operatorContract) public view returns (bool) {
+    function isNewOperatorContract(address operatorContract)
+        public
+        view
+        returns (bool)
+    {
         return operatorContracts[operatorContract] == ContractStatus.New;
     }
 
-    function isApprovedOperatorContract(address operatorContract) public view returns (bool) {
+    function isApprovedOperatorContract(address operatorContract)
+        public
+        view
+        returns (bool)
+    {
         return operatorContracts[operatorContract] == ContractStatus.Approved;
     }
 
-    function operatorContractUpgraderFor(address _serviceContract) public view returns (address) {
+    function operatorContractUpgraderFor(address _serviceContract)
+        public
+        view
+        returns (address)
+    {
         return operatorContractUpgraders[_serviceContract];
     }
 }
diff --git a/solidity/contracts/stubs/RegistryStub.sol b/solidity/contracts/stubs/RegistryStub.sol
@@ -2,8 +2,8 @@ pragma solidity 0.5.17;
 
 import "../Registry.sol";
 
-contract RegistryStub is Registry {
 
+contract RegistryStub is Registry {
     function getGovernance() public view returns (address) {
         return governance;
     }
@@ -12,7 +12,15 @@ contract RegistryStub is Registry {
         return registryKeeper;
     }
 
-    function getPanicButton() public view returns (address) {
-        return panicButton;
+    function getDefaultPanicButton() public view returns (address) {
+        return defaultPanicButton;
+    }
+
+    function getPanicButtonForContract(address operatorContract)
+        public
+        view
+        returns (address)
+    {
+        return panicButtons[operatorContract];
     }
 }
diff --git a/solidity/test/TestRegistry.js b/solidity/test/TestRegistry.js

Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,8 @@ pragma solidity 0.5.17;`
`2`	`2`
`3`	`3`	`import "../Registry.sol";`
`4`	`4`
`5`		`-contract RegistryStub is Registry {`
`6`	`5`
	`6`	`+contract RegistryStub is Registry {`
`7`	`7`	`function getGovernance() public view returns (address) {`
`8`	`8`	`return governance;`
`9`	`9`	`}`
`@@ -12,7 +12,15 @@ contract RegistryStub is Registry {`
`12`	`12`	`return registryKeeper;`
`13`	`13`	`}`
`14`	`14`
`15`		`- function getPanicButton() public view returns (address) {`
`16`		`- return panicButton;`
	`15`	`+ function getDefaultPanicButton() public view returns (address) {`
	`16`	`+ return defaultPanicButton;`
	`17`	`+ }`
	`18`	`+`
	`19`	`+ function getPanicButtonForContract(address operatorContract)`
	`20`	`+ public`
	`21`	`+ view`
	`22`	`+ returns (address)`
	`23`	`+ {`
	`24`	`+ return panicButtons[operatorContract];`
`17`	`25`	`}`
`18`	`26`	`}`