-
Notifications
You must be signed in to change notification settings - Fork 245
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add petrifiable #355
Add petrifiable #355
Conversation
b79bd7e
to
5e46df1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks good to me. My only comment so far is that now we have 2 ways to set the kernel for an app: 1) through this new constructor and 2) through AppProxyBase
. I think it's kind of confusing, so it would be good to put a more explicit comment over this new AragonApp
constructor to explain the difference.
Responding to offline questions from @bingen: As of right now, the only possible states for our base and proxy contracts should be: Base contract:
Proxies:
These cases:
Should be impossible with the change. Once we add
|
I like the idea of being able to freeze bases on deployment, as it reduces a vector of uncertainty. However, this also opens the door for initializing bases with a Kernel that has an EVMScript executor that is able to My proposal is to petrify by default in the contract VotingAppWrapper is VotingApp {
function VotingAppWrapper(IKernel _kernel, address _token...) {
initializationBlock = 0; // unpetrifies
kernel = _kernel;
initialize(_token...)
}
} Using the Kernel or any apps without a proxy is always going to require writing some custom code anyway, as deploying the contract and initializing it atomically is quite important. IMO aragonOS should provide secure and sane defaults and allow for detecting phisy things in the code directly. By allowing to create bases that are either petrified or have a custom kernel, we are pushing extra uncertainty to the deployment process (knowing whether a base can be selfdestructed depends on the deployment + kernel state) and adding an extra aspect that app devs have to think about. |
I agree about petrifying by default. But in essence this is again that question about if aragonOS/apps are intended to be used with all the ingredients (ACLs and Upgradeability) or if we are supporting also the use of ACLs only, without Proxies. I have said before that I like better the first option. If someone really wanted to use our apps without proxies, they would 3 options:
But I would say that we are going the other way (and I'm fine with it, no strong opinion about it). But in that case we shouldn't petrify by default. |
I hadn't considered that someone could use their initialized base contract as an actual base for other proxies on top of it. Thinking about the potential consequences, we should make this path possible only through as much explicit effort as possible (e.g. writing explicit, custom code). |
@bingen on proxyless apps: Given the above (someone mistakenly initializing a base, and then using that base to back other proxies), my current opinion is that we should still make it possible for someone to use an app without a proxy, but both they and the app developer should explicitly desire to do so. My reasoning comes from:
|
…be performed in an kernel or app (#356)
…re integrated logic
Bytecode diff:
|
contracts/kernel/Kernel.sol
Outdated
*/ | ||
function hasPermission(address _who, address _where, bytes32 _what, bytes _how) public view returns (bool) { | ||
return acl().hasPermission(_who, _where, _what, _how); | ||
return hasInitialized() && acl().hasPermission(_who, _where, _what, _how); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm hesitant about adding an extra SLOAD
for a function that will be called as often as kernel.hasPermission(...)
. In all 'write functions' we just revert if they are not initialized.
A cheaper way to do it is to check if the ACL address is 0 and if so return false.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See c128077
Quite a lot of the tests have been revamped, mainly to support parametrization across different base / proxy targets. Also found a few tests that were outdated or completely broken (in terms of what they were testing) 😄.
For tests, see #386.
Note that this also fixes #325.
From https://github.com/ConsenSys/aragonOS-audit-repo/issues/31:
Our current base contracts on both rinkeby and mainnet are uninitialized. While this isn't a problem if everyone uses a proxy on top of them, it can lead to confusion as well as weird situations if someone transfers ETH or tokens to, e.g. the base vault.
Petrifiable
is an attempt at making sure base contracts can be "turned off" as they're deployed. It allows us to disable base contracts without using another storage slot (for, e.g. aninitializer
).For this to be safe, this requires all
AragonApp
s to require initialization before they're used (even in apps that don't require it right now, e.g.Vault
andRepo
) by making sure all publicly accessible functions haveisInitialized
. This also requires changes in all the apps for including the constructor.This also sidesteps the
auth
issue presented in aragon/aragon-apps#385, whereby an app can still be connected to a kernel without having to be behind a proxy.