contracts-bedrock: upgrade script for post sherlock

Includes a complete upgrade script that can be ran
for upgrading any op-stack based chain that was deployed
before the sherlock audit fixes were all included.

The script is ran with the following command:

```bash
forge script \
    scripts/upgrades/PostSherlock.s.sol \
    --rpc-url $ETH_RPC_URL \
    --private-key $PRIVATE_KEY \
    --sig 'run(address,address)' \
    $SAFE_ADDRESS \
    $PROXY_ADMIN_ADDRESS
```

Signers should run the script and be sure to add any required
flags so that hardware wallets can be used. The script will
submit a single transaction that approves the upgrade and
then checks to see if there have been enough approvals and
then triggers the upgrade if there have been enough approvals.

This comes with test coverage but requires a goerli RPC url.
To run the tests, use the following command:

```bash
forge test --contracts scripts/upgrades --rpc-url $ETH_RPC_URL
```

package.json

@@ -30,7 +30,9 @@
       "@eth-optimism/contracts-periphery/ds-test",
       "@eth-optimism/contracts-periphery/forge-std",
       "@eth-optimism/contracts-periphery/@rari-capital/solmate",
-      "forta-agent"
+      "forta-agent",
+      "@eth-optimism/contracts-bedrock/@safe-global/safe-contracts",
+      "@eth-optimism/contracts-bedrock/solady"
     ]
   },
   "private": true,

packages/contracts-bedrock/foundry.toml

@@ -9,7 +9,9 @@ remappings = [
   '@openzeppelin/contracts/=node_modules/@openzeppelin/contracts/',
   '@rari-capital/solmate/=node_modules/@rari-capital/solmate',
   'forge-std/=node_modules/forge-std/src',
-  'ds-test/=node_modules/ds-test/src'
+  'ds-test/=node_modules/ds-test/src',
+  '@safe-global/safe-contracts=node_modules/@safe-global/safe-contracts/',
+  'solady/=node_modules/solady/src'
 ]
 extra_output = ['devdoc', 'userdoc', 'metadata', 'storageLayout']
 bytecode_hash = 'none'

packages/contracts-bedrock/package.json

@@ -80,6 +80,8 @@
     "forge-std": "https://github.com/foundry-rs/forge-std.git#46264e9788017fc74f9f58b7efa0bc6e1df6d410",
     "glob": "^7.1.6",
     "hardhat-deploy": "^0.11.4",
+    "@safe-global/safe-contracts": "https://github.com/safe-global/safe-contracts.git#v1.3.0-libs.0",
+    "solady": "https://github.com/Vectorized/solady.git#v0.0.85",
     "solhint": "^3.3.7",
     "solhint-plugin-prettier": "^0.0.5",
     "ts-node": "^10.9.1",

packages/contracts-bedrock/scripts/upgrades/PostSherlock.s.sol

+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.15;
+
+import { console } from "forge-std/console.sol";
+import { Script } from "forge-std/Script.sol";
+import { IMulticall3 } from "forge-std/interfaces/IMulticall3.sol";
+import { GnosisSafe } from "@safe-global/safe-contracts/contracts/GnosisSafe.sol";
+import { LibSort } from "solady/utils/LibSort.sol";
+import { Enum } from "@safe-global/safe-contracts/contracts/common/Enum.sol";
+import { ProxyAdmin } from "../../contracts/universal/ProxyAdmin.sol";
+import { Constants } from "../../contracts/libraries/Constants.sol";
+import { SystemConfig } from "../../contracts/L1/SystemConfig.sol";
+import { ResourceMetering } from "../../contracts/L1/ResourceMetering.sol";
+import { Semver } from "../../contracts/universal/Semver.sol";
+
+/**
+ * @title PostSherlock
+ * @notice Upgrade script for upgrading the L1 contracts after the sherlock audit.
+ *         Assumes that a gnosis safe is used as the privileged account and the same
+ *         gnosis safe is the owner of the system config and the proxy admin.
+ *         This could be optimized by checking for the number of approvals up front
+ *         and not submitting the final approval as `execTransaction` can be called when
+ *         there are `threshold - 1` approvals.
+ *         Uses the "approved hashes" method of interacting with the gnosis safe. Allows
+ *         for the most simple user experience when using automation and no indexer.
+ */
+contract PostSherlock is Script {
+    /**
+     * @notice Interface for multicall3.
+     */
+    IMulticall3 private constant multicall = IMulticall3(MULTICALL3_ADDRESS);
+
+    /**
+     * @notice Mainnet chain id.
+     */
+    uint256 constant MAINNET = 0;
+
+    /**
+     * @notice Goerli chain id.
+     */
+    uint256 constant GOERLI = 5;
+
+    /**
+     * @notice Represents a set of L1 contracts. Used to represent a set of
+     *         implementations and also a set of proxies.
+     */
+    struct ContractSet {
+        address L1CrossDomainMessenger;
+        address L1StandardBridge;
+        address L2OutputOracle;
+        address OptimismMintableERC20Factory;
+        address OptimismPortal;
+        address SystemConfig;
+        address L1ERC721Bridge;
+    }
+
+    /**
+     * @notice A mapping of chainid to a ContractSet of implementations.
+     */
+    mapping(uint256 => ContractSet) internal implementations;
+
+    /**
+     * @notice A mapping of chainid to ContractSet of proxy addresses.
+     */
+    mapping(uint256 => ContractSet) internal proxies;
+
+    /**
+     * @notice An array of approvals, used to generate the execution transaction.
+     */
+    address[] internal approvals;
+
+    /**
+     * @notice The expected versions for the contracts to be upgraded to.
+     */
+    string constant internal L1CrossDomainMessenger_Version = "1.1.0";
+    string constant internal L1StandardBridge_Version = "1.1.0";
+    string constant internal L2OutputOracle_Version = "1.2.0";
+    string constant internal OptimismMintableERC20Factory_Version = "1.1.0";
+    string constant internal OptimismPortal_Version = "1.3.0";
+    string constant internal SystemConfig_Version = "1.2.0";
+    string constant internal L1ERC721Bridge_Version = "1.1.0";
+
+    /**
+     * @notice Place the contract addresses in storage so they can be used when building calldata.
+     */
+    function setUp() external {
+        implementations[GOERLI] = ContractSet({
+            L1CrossDomainMessenger: 0xfa37a4b2D49E21De63fa2b13D6dB213081E020b3,
+            L1StandardBridge: 0x79179704077E3324CC745A24a5CcC2a80A9B6842,
+            L2OutputOracle: 0x47bBB9054823f27B9B6A71F5cb0eBc785692FF2E,
+            OptimismMintableERC20Factory: 0xF516Fa87f89E4AC7C299aE28263e9EB851dE4781,
+            OptimismPortal: 0xa24A444C6ceeb1d4Fc19D1B78913C22B9d03BbC9,
+            SystemConfig: 0x2FFfe603caA9FA2C20E7F349138475a43284a6b1,
+            L1ERC721Bridge: 0xb460323429B08B9d1d427e6b8A450532988d5fe8
+        });
+
+        proxies[GOERLI] = ContractSet({
+            L1CrossDomainMessenger: 0x5086d1eEF304eb5284A0f6720f79403b4e9bE294,
+            L1StandardBridge: 0x636Af16bf2f682dD3109e60102b8E1A089FedAa8,
+            L2OutputOracle: 0xE6Dfba0953616Bacab0c9A8ecb3a9BBa77FC15c0,
+            OptimismMintableERC20Factory: 0x883dcF8B05364083D849D8bD226bC8Cb4c42F9C5,
+            OptimismPortal: 0x5b47E1A08Ea6d985D6649300584e6722Ec4B1383,
+            SystemConfig: 0xAe851f927Ee40dE99aaBb7461C00f9622ab91d60,
+            L1ERC721Bridge: 0x8DD330DdE8D9898d43b4dc840Da27A07dF91b3c9
+        });
+    }
+
+    /**
+     * @notice The entrypoint to this script.
+     */
+    function run(address _safe, address _proxyAdmin) external returns (bool) {
+        vm.startBroadcast();
+        bool success = _run(_safe, _proxyAdmin);
+        if (success) _postCheck();
+        return success;
+    }
+
+    /**
+     * @notice The implementation of the upgrade. Split into its own function
+     *         to allow for testability. This is subject to a race condition if
+     *         the nonce changes by a different transaction finalizing while not
+     *         all of the signers have used this script.
+     */
+    function _run(address _safe, address _proxyAdmin) public returns (bool) {
+        // Ensure that the required contracts exist
+        require(address(multicall).code.length > 0, "multicall3 not deployed");
+        require(_safe.code.length > 0, "no code at safe address");
+        require(_proxyAdmin.code.length > 0, "no code at proxy admin address");
+
+        GnosisSafe safe = GnosisSafe(payable(_safe));
+        uint256 nonce = safe.nonce();
+
+        bytes memory data = buildCalldata(_proxyAdmin);
+
+        // Compute the safe transaction hash
+        bytes32 hash = safe.getTransactionHash({
+            to: address(multicall),
+            value: 0,
+            data: data,
+            operation: Enum.Operation.DelegateCall,
+            safeTxGas: 0,
+            baseGas: 0,
+            gasPrice: 0,
+            gasToken: address(0),
+            refundReceiver: address(0),
+            _nonce: nonce
+        });
+
+        // Send a transaction to approve the hash
+        safe.approveHash(hash);
+
+        uint256 threshold = safe.getThreshold();
+        address[] memory owners = safe.getOwners();
+
+        for (uint256 i; i < owners.length; i++) {
+            address owner = owners[i];
+            uint256 approved = safe.approvedHashes(owner, hash);
+            if (approved == 1) {
+                approvals.push(owner);
+            }
+        }
+
+        if (approvals.length >= threshold) {
+            bytes memory signatures = buildSignatures();
+
+            bool success = safe.execTransaction({
+                to: address(multicall),
+                value: 0,
+                data: data,
+                operation: Enum.Operation.DelegateCall,
+                safeTxGas: 0,
+                baseGas: 0,
+                gasPrice: 0,
+                gasToken: address(0),
+                refundReceiver: payable(address(0)),
+                signatures: signatures
+            });
+
+            require(success, "call not successful");
+            return true;
+        } else {
+            console.log("not enough approvals");
+        }
+
+        // Reset the approvals because they are only used transiently.
+        assembly {
+            sstore(approvals.slot, 0)
+        }
+
+        return false;
+    }
+
+    /**
+     * @notice Follow up assertions to ensure that the script ran to completion.
+     */
+    function _postCheck() internal view {
+        ContractSet memory prox = getProxies();
+        require(_versionHash(prox.L1CrossDomainMessenger) == keccak256(bytes(L1CrossDomainMessenger_Version)));
+        require(_versionHash(prox.L1StandardBridge) == keccak256(bytes(L1StandardBridge_Version)));
+        require(_versionHash(prox.L2OutputOracle) == keccak256(bytes(L2OutputOracle_Version)));
+        require(_versionHash(prox.OptimismMintableERC20Factory) == keccak256(bytes(OptimismMintableERC20Factory_Version)));
+        require(_versionHash(prox.OptimismPortal) == keccak256(bytes(OptimismPortal_Version)));
+        require(_versionHash(prox.SystemConfig) == keccak256(bytes(SystemConfig_Version)));
+        require(_versionHash(prox.L1ERC721Bridge) == keccak256(bytes(L1ERC721Bridge_Version)));
+
+        ResourceMetering.ResourceConfig memory rcfg = SystemConfig(prox.SystemConfig).resourceConfig();
+        ResourceMetering.ResourceConfig memory dflt = Constants.DEFAULT_RESOURCE_CONFIG();
+        require(keccak256(abi.encode(rcfg)) == keccak256(abi.encode(dflt)));
+    }
+
+    /**
+     * @notice Helper function used to compute the hash of Semver's version string to be used in a
+     *         comparison.
+     */
+    function _versionHash(address _addr) internal view returns (bytes32) {
+        return keccak256(bytes(Semver(_addr).version()));
+    }
+
+    /**
+     * @notice Test coverage of the logic. Should only run on goerli but other chains
+     *         could be added. Each of the owners
+     */
+    function test_script_succeeds() skipWhenNotForking external {
+        address safe;
+        address proxyAdmin;
+
+        if (block.chainid == GOERLI) {
+            safe = 0xBc1233d0C3e6B5d53Ab455cF65A6623F6dCd7e4f;
+            proxyAdmin = 0x01d3670863c3F4b24D7b107900f0b75d4BbC6e0d;
+        }
+
+        require(safe != address(0) && proxyAdmin != address(0));
+
+        address[] memory owners = GnosisSafe(payable(safe)).getOwners();
+
+        for (uint256 i; i < owners.length; i++) {
+            address owner = owners[i];
+            vm.startBroadcast(owner);
+            bool success = _run(safe, proxyAdmin);
+            vm.stopBroadcast();
+
+            if (success) {
+                console.log("tx success");
+                break;
+            }
+        }
+
+        _postCheck();
+    }
+
+    /**
+     * @notice Builds the signatures by tightly packing them together.
+     *         Ensures that they are sorted.
+     */
+    function buildSignatures() internal view returns (bytes memory) {
+        address[] memory addrs = new address[](approvals.length);
+        for (uint256 i; i < approvals.length; i++) {
+            addrs[i] = approvals[i];
+        }
+
+        LibSort.sort(addrs);
+
+        bytes memory signatures;
+        uint8 v = 1;
+        bytes32 s = bytes32(0);
+        for (uint256 i; i < addrs.length; i++) {
+            bytes32 r = bytes32(uint256(uint160(addrs[i])));
+            signatures = bytes.concat(signatures, abi.encodePacked(r, s, v));
+        }
+        return signatures;
+    }
+
+    /**
+     * @notice Builds the calldata that the multisig needs to make for the upgrade to happen.
+     *         A total of 8 calls are made, 7 upgrade implementations and 1 sets the resource
+     *         config to the default value in the SystemConfig contract.
+     */
+    function buildCalldata(address _proxyAdmin) internal view returns (bytes memory) {
+        IMulticall3.Call3[] memory calls = new IMulticall3.Call3[](8);
+
+        ContractSet memory impl = getImplementations();
+        ContractSet memory prox = getProxies();
+
+        // Upgrade the L1CrossDomainMessenger
+        calls[0] = IMulticall3.Call3({
+            target: _proxyAdmin,
+            allowFailure: false,
+            callData: abi.encodeCall(
+                ProxyAdmin.upgrade,
+                (payable(prox.L1CrossDomainMessenger), impl.L1CrossDomainMessenger)
+            )
+        });
+
+        // Upgrade the L1StandardBridge
+        calls[1] = IMulticall3.Call3({
+            target: _proxyAdmin,
+            allowFailure: false,
+            callData: abi.encodeCall(
+                ProxyAdmin.upgrade,
+                (payable(prox.L1StandardBridge), impl.L1StandardBridge)
+            )
+        });
+
+        // Upgrade the L2OutputOracle
+        calls[2] = IMulticall3.Call3({
+            target: _proxyAdmin,
+            allowFailure: false,
+            callData: abi.encodeCall(
+                ProxyAdmin.upgrade,
+                (payable(prox.L2OutputOracle), impl.L2OutputOracle)
+            )
+        });
+
+        // Upgrade the OptimismMintableERC20Factory
+        calls[3] = IMulticall3.Call3({
+            target: _proxyAdmin,
+            allowFailure: false,
+            callData: abi.encodeCall(
+                ProxyAdmin.upgrade,
+                (payable(prox.OptimismMintableERC20Factory), impl.OptimismMintableERC20Factory)
+            )
+        });
+
+        // Upgrade the OptimismPortal
+        calls[4] = IMulticall3.Call3({
+            target: _proxyAdmin,
+            allowFailure: false,
+            callData: abi.encodeCall(
+                ProxyAdmin.upgrade,
+                (payable(prox.OptimismPortal), impl.OptimismPortal)
+            )
+        });
+
+        // Upgrade the SystemConfig
+        calls[5] = IMulticall3.Call3({
+            target: _proxyAdmin,
+            allowFailure: false,
+            callData: abi.encodeCall(
+                ProxyAdmin.upgrade,
+                (payable(prox.SystemConfig), impl.SystemConfig)
+            )
+        });
+
+        // Upgrade the L1ERC721Bridge
+        calls[6] = IMulticall3.Call3({
+            target: _proxyAdmin,
+            allowFailure: false,
+            callData: abi.encodeCall(
+                ProxyAdmin.upgrade,
+                (payable(prox.L1ERC721Bridge), impl.L1ERC721Bridge)
+            )
+        });
+
+        // Set the default resource config
+        ResourceMetering.ResourceConfig memory rcfg = Constants.DEFAULT_RESOURCE_CONFIG();
+        calls[7] = IMulticall3.Call3({
+            target: prox.SystemConfig,
+            allowFailure: false,
+            callData: abi.encodeCall(SystemConfig.setResourceConfig, (rcfg))
+        });
+
+        return abi.encodeCall(IMulticall3.aggregate3, (calls));
+    }
+
+    /**
+     * @notice Returns the ContractSet that represents the implementations for a given network.
+     */
+    function getImplementations() internal view returns (ContractSet memory) {
+        ContractSet memory set = implementations[block.chainid];
+        require(set.L1CrossDomainMessenger != address(0), "no implementations for this network");
+        return set;
+    }
+
+    /**
+     * @notice Returns the ContractSet that represents the proxies for a given network.
+     */
+    function getProxies() internal view returns (ContractSet memory) {
+        ContractSet memory set = proxies[block.chainid];
+        require(set.L1CrossDomainMessenger != address(0), "no proxies for this network");
+        return set;
+    }
+}

yarn.lock

@@ -3760,6 +3760,10 @@
     "@safe-global/safe-gateway-typescript-sdk" "^3.5.3"
     ethers "^5.7.2"
 
+"@safe-global/safe-contracts@https://github.com/safe-global/safe-contracts.git#v1.3.0-libs.0":
+  version "1.3.0"
+  resolved "https://github.com/safe-global/safe-contracts.git#767ef36bba88bdbc0c9fe3708a4290cabef4c376"
+
 "@safe-global/safe-gateway-typescript-sdk@^3.5.3":
   version "3.7.0"
   resolved "https://registry.yarnpkg.com/@safe-global/safe-gateway-typescript-sdk/-/safe-gateway-typescript-sdk-3.7.0.tgz#2af52f1bc73759b1b6a549fed598781c8c5fce72"
@@ -19354,6 +19358,10 @@ socks@^2.3.3, socks@^2.6.1:
     ip "^1.1.5"
     smart-buffer "^4.1.0"
 
+"solady@https://github.com/Vectorized/solady.git#v0.0.85":
+  version "0.0.85"
+  resolved "https://github.com/Vectorized/solady.git#507e0d84872f435d497e6d2ce10e7f484392db4f"
+
 solc@0.7.3:
   version "0.7.3"
   resolved "https://registry.yarnpkg.com/solc/-/solc-0.7.3.tgz#04646961bd867a744f63d2b4e3c0701ffdc7d78a"