
Migrate to Foundry #252

Merged: h4x3rotab merged 1 commit into master from foundry on May 31, 2026

Conversation

h4x3rotab (Contributor) commented Jul 23, 2025

What

Migrates kms/auth-eth/ from Hardhat to Foundry. Contract logic is unchanged from master; the only contract-source changes are:

  • pragma bump ^0.8.22 → ^0.8.24 (OpenZeppelin 5.x) + forge fmt
  • OwnableUpgradeable → Ownable2StepUpgradeable on both DstackKms and DstackApp — a real authorization change (ownership transfer becomes two-step: transferOwnership stages a pending owner who must call acceptOwnership). This eliminates the typo-bricks-contract risk of single-step transfer.

ABI, events, and sequential storage layout are byte-identical to master (verified with forge inspect … storageLayout). Ownable2Step adds its _pendingOwner in a separate ERC-7201 namespaced slot, so it does not shift any sequential slot — an existing single-step proxy can be upgraded in place.

Compatibility — verified against live Base deployment

The live KMS proxy (0x2f83…Ba9C) and DstackApp proxy (0xc951…c2a2) on Base were checked directly:

  • KMS deployed storage layout matches current source (slot 9 = appImplementation); a mainnet-fork upgrade rehearsal to this PR's implementation preserved owner/gatewayAppId/appImplementation/all sequential slots, and the new two-step ownership flow works end-to-end.
  • The DstackApp proxy is pre-TCB and has _upgradesDisabled = true — it is permanently frozen and out of scope for any upgrade.
  • ⚠️ This validates Base only. Re-run the same fork rehearsal per-chain before any other live upgrade.

Beyond the migration

  • Operator scripts. Added UpgradeKms / UpgradeApp (production source) to script/Upgrade.s.sol; the …ToV2 variants target test-only mocks and are labeled do-not-run-against-prod. script/Manage.s.sol::DeployApp reads REQUIRE_TCB_UP_TO_DATE and uses the 6-arg deployAndRegisterApp.
  • bootAuth server. src/ethereum.ts swaps typechain for a hand-written ABI; the AppBootInfo tuple matches the Solidity struct field-for-field.

Related PR

Formal verification (Slither + Halmos + spec) is isolated to #689, based on this branch.

Test plan

  • forge fmt --check, forge build, forge test --ffi → 46/46
  • npx jest (server) → 4/4
  • Mainnet-fork upgrade rehearsal of the live Base KMS proxy → storage preserved, two-step ownership verified
  • Rebased on current master (no spurious revert of SDK version bumps / CI changes)

Note for reviewers / operators

  • Whoever calls transferOwnership on the upgraded KMS must follow with acceptOwnership (two-step now).
  • Do not run the UpgradeKmsToV2 / UpgradeAppToV2 mock scripts against production proxies.

🤖 Generated with Claude Code
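The two-step ownership handover the PR description relies on, as an added forge-std test that is not part of this PR or the dstack repository; the `TwoStepOwned` stand-in contract, the test names and the `@openzeppelin/contracts-upgradeable` remapping are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
// Added example, not code from the PR: why two-step transfer removes the typo-bricks risk.
import {Test} from "forge-std/Test.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {Ownable2StepUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";
// Hypothetical minimal stand-in for the DstackKms / DstackApp ownership path.
contract TwoStepOwned is Ownable2StepUpgradeable {
    function initialize(address initialOwner) external initializer {
        __Ownable_init(initialOwner);
        __Ownable2Step_init();
    }
}

contract TwoStepOwnershipTest is Test {
    TwoStepOwned internal c;
    address internal alice = makeAddr("alice"); // current owner
    address internal bob = makeAddr("bob");     // intended new owner
    address internal typo = makeAddr("typo");   // stands in for a mistyped address

    function setUp() public {
        c = new TwoStepOwned();
        c.initialize(alice);
    }

    // transferOwnership only stages a pending owner; control moves on acceptOwnership.
    function test_transferStagesThenAccepts() public {
        vm.prank(alice);
        c.transferOwnership(bob);
        assertEq(c.owner(), alice);
        assertEq(c.pendingOwner(), bob);
        vm.prank(bob);
        c.acceptOwnership();
        assertEq(c.owner(), bob);
        assertEq(c.pendingOwner(), address(0));
    }

    // A wrong address cannot accept, and the owner simply re-stages the right one.
    function test_mistakenAddressIsRecoverable() public {
        vm.prank(alice);
        c.transferOwnership(typo);
        vm.expectRevert(abi.encodeWithSelector(OwnableUpgradeable.OwnableUnauthorizedAccount.selector, typo));
        vm.prank(typo);
        c.acceptOwnership();
        assertEq(c.owner(), alice);
        vm.prank(alice);
        c.transferOwnership(bob);
        assertEq(c.pendingOwner(), bob);
    }
}
```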

@h4x3rotab h4x3rotab marked this pull request as draft July 23, 2025 10:34
@Leechael Leechael mentioned this pull request Jul 28, 2025
Migrates the KMS authorization smart contracts and bootAuth server from
Hardhat to Foundry. The Solidity sources are functionally identical to
master (pragma bumped ^0.8.22 → ^0.8.24 for OpenZeppelin 5.x, forge fmt
applied); the ABI, events, and storage layout are byte-compatible with
the live UUPS proxies on Phala mainnet.

Stack changes:
- Hardhat dependencies and config removed (hardhat.config.ts, typechain
  types, jest.integration config, all hardhat-bound .test.ts files,
  scripts/{deploy,upgrade,verify}.ts).
- Foundry stack added: foundry.toml, three lib/ submodules pinned at
  forge-std v1.9.7, openzeppelin-contracts-upgradeable v5.4.0, and
  openzeppelin-foundry-upgrades v0.4.0; a Foundry .t.sol test suite
  (46 unit tests covering TCB toggle, factory deploy, upgrade paths,
  and storage compatibility from legacy 5-arg initializers); production
  deployment / management / query / upgrade scripts under script/.
- BootAuth Fastify server retained byte-identical except src/ethereum.ts,
  which swaps typechain for a 4-method hand-written ABI (same struct,
  same selectors, functionally identical).
- .openzeppelin/unknown-2035.json (proxy registry for the four live
  Phala-mainnet proxies) restored for historical reference.

Operator-script fixes surfaced during a post-rebase audit:
- script/Upgrade.s.sol previously only had UpgradeKmsToV2 /
  UpgradeAppToV2 pointing at test-only mock contracts. Added UpgradeKms
  / UpgradeApp scripts that upgrade live proxies to the current
  production source.
- script/Manage.s.sol::DeployApp was calling the legacy 5-arg
  deployAndRegisterApp, silently forcing requireTcbUpToDate=false. Now
  reads REQUIRE_TCB_UP_TO_DATE env var and uses the 6-arg overload to
  match master's hardhat-task semantics.

Security hardening:
- Both contracts switched from OwnableUpgradeable to
  Ownable2StepUpgradeable. ERC-7201 namespaced storage means no slot
  collision on upgrade; transferOwnership now stages a pending owner
  who must acceptOwnership, eliminating the typo-bricks-contract risk.
- registerApp's permissionless-by-design intent documented inline in
  natspec (any non-zero address can be registered by anyone; the
  downstream allowedOsImages whitelist + delegated isAppAllowed gate
  authorization).
- Slither static analysis configured in slither.config.json with
  per-line suppression comments + justifications on the four
  noise-detector hits (factory reentrancy-benign, unused-return on the
  named-return forward pattern, two unindexed-event-address for
  backward-compatible log indexers). Baseline: 0 findings.
- Inherited Prek hooks (trailing-whitespace, end-of-file-fixer,
  shellcheck) cleaned up across the anvil helper scripts that came in
  with the original migration.

Verification: forge fmt --check, forge build, forge test --ffi (46/46),
slither (0 findings), npx jest (4/4 server tests), npx tsc --noEmit
all clean.
@h4x3rotab h4x3rotab merged commit d671cce into master May 31, 2026
17 checks passed
@h4x3rotab h4x3rotab deleted the foundry branch May 31, 2026 04:54