[AIP-20] Proactively upgrade BoosterOwner to seal in Stash changes and reduce upgradability

Authors: 0xMaha, Phil Fry

Summary

This proposal seals or removes certain protected functions in the system that are executable by the protocol multisig, are not necessary, and could lead to security issues in the future if used in the wrong way. Following Balancer’s recent practice of specifying the execution payload as part of the proposal, the specification here contains the JSON for the list of actions to be executed by the protocol multisig.

Background

Strong protocol security is made up of a variety of tools, practices and procedures, and continues for the lifecycle of the system. Recently, reports have been made via ImmuneFi regarding the use of certain governance-protected functions to grief the protocol; their resolution resulted in the LP Migration in December. Similarly, it has been highlighted, again through ImmuneFi, that there are a number of other governance-related functions that could be proactively patched too. This proposal seeks both to resolve this and to set the foundation for a more standardised approach to protocol transactions through the use of transaction builder data.

The timing of this proposal is chosen to line up with the upcoming pool Migration being performed by Balancer, which will migrate liquidity on certain pools with fee-bearing assets. Given that this patch only applies to Aura pools added after it is in place, it is proposed to be executed before this upcoming Migration to improve UX.

Specification

It is proposed that the implementations of ExtraRewardsStashV3 and PoolManagerV3 be upgraded, and that a wrapper around the BoosterOwner be put in place to seal the stash and PoolManager.

This PR contains the full scope, information, audit reports and fork tests.

Multisig actions

Simulation of action: https://dashboard.tenderly.co/public/safe/safe-apps/simulator/54ffeaac-06f8-403a-bea8-0188e52d9718

The following actions will be executed using the transaction builder app on the Safe.

{
  "version": "1.0",
  "chainId": "1",
  "createdAt": 1675779860202,
  "meta": {
    "name": "Transactions Batch",
    "description": "",
    "txBuilderVersion": "1.13.2",
    "createdFromSafeAddress": "0x5feA4413E3Cc5Cf3A29a49dB41ac0c24850417a0",
    "createdFromOwnerAddress": "",
    "checksum": "0x4f4fbda24d7cd2160e1016e69b1deef68f715e4a1be24e49cf438730936e237d"
  },
  "transactions": [
    {
      "to": "0x228a142081b456a9fF803d004504955032989f04",
      "value": "0",
      "data": null,
      "contractMethod": {
        "inputs": [
          {
            "internalType": "address",
            "name": "_v1",
            "type": "address"
          },
          {
            "internalType": "address",
            "name": "_v2",
            "type": "address"
          },
          {
            "internalType": "address",
            "name": "_v3",
            "type": "address"
          }
        ],
        "name": "setStashFactoryImplementation",
        "payable": false
      },
      "contractInputsValues": {
        "_v1": "0x0000000000000000000000000000000000000000",
        "_v2": "0x0000000000000000000000000000000000000000",
        "_v3": "0x4A53301Fe213ECA70f904cD3766C07DB3A621bF8"
      }
    },
    {
      "to": "0x228a142081b456a9fF803d004504955032989f04",
      "value": "0",
      "data": null,
      "contractMethod": {
        "inputs": [
          {
            "internalType": "address",
            "name": "_owner",
            "type": "address"
          }
        ],
        "name": "transferOwnership",
        "payable": false
      },
      "contractInputsValues": {
        "_owner": "0xCe96e48A2893C599fe2601Cc1918882e1D001EaD"
      }
    },
    {
      "to": "0xCe96e48A2893C599fe2601Cc1918882e1D001EaD",
      "value": "0",
      "data": null,
      "contractMethod": {
        "inputs": [],
        "name": "acceptOwnershipBoosterOwner",
        "payable": false
      },
      "contractInputsValues": null
    },
    {
      "to": "0xa72932Aea1392b0Da9eDc34178dA2B29EcE2de54",
      "value": "0",
      "data": null,
      "contractMethod": {
        "inputs": [
          {
            "internalType": "address",
            "name": "_operator",
            "type": "address"
          }
        ],
        "name": "setOperator",
        "payable": false
      },
      "contractInputsValues": {
        "_operator": "0x8Dd8cDb1f3d419CCDCbf4388bC05F4a7C8aEBD64"
      }
    },
    {
      "to": "0xa72932Aea1392b0Da9eDc34178dA2B29EcE2de54",
      "value": "0",
      "data": null,
      "contractMethod": {
        "inputs": [
          {
            "internalType": "address",
            "name": "_owner",
            "type": "address"
          }
        ],
        "name": "setOwner",
        "payable": false
      },
      "contractInputsValues": {
        "_owner": "0x8Dd8cDb1f3d419CCDCbf4388bC05F4a7C8aEBD64"
      }
    }
  ]
}

Voting

This forum post will be live for approximately two days before the Snapshot proposal goes live.

This vote will be a single-choice vote. You may vote “For” or “Against” this proposal, or choose to abstain from the vote.

By voting “For” this proposal, you are voting in favor of the transaction builder data being executed.


Aura’s continued dedication to sustainable protocol security is admirable. We greatly appreciate the efforts of our developers in proactively defending our interests. This is a measured and reasonable approach. I fully support this proposal.


The addresses and parameters look correct.


This proposal is live. Snapshot
