smartcontractkit · graham-chainlink · Dec 10, 2024 · Dec 6, 2024 · Dec 8, 2024 · Dec 8, 2024
@@ -33,14 +33,18 @@ func Test_NewAcceptOwnershipChangeset(t *testing.T) {
 		source: state.Chains[source].Timelock,
 		dest:   state.Chains[dest].Timelock,
 	}
+	callProxies := map[uint64]*gethwrappers.CallProxy{
+		source: state.Chains[source].CallProxy,
+		dest:   state.Chains[dest].CallProxy,
+	}
 
 	// at this point we have the initial deploys done, now we need to transfer ownership
 	// to the timelock contract
 	state, err = LoadOnchainState(e.Env)
 	require.NoError(t, err)
 
 	// compose the transfer ownership and accept ownership changesets
-	_, err = commonchangeset.ApplyChangesets(t, e.Env, timelocks, []commonchangeset.ChangesetApplication{
+	_, err = commonchangeset.ApplyChangesets(t, e.Env, timelocks, callProxies, []commonchangeset.ChangesetApplication{
 		// note this doesn't have proposals.
 		{
 			Changeset: commonchangeset.WrapChangeSet(commonchangeset.TransferToMCMSWithTimelock),

@@ -95,7 +95,11 @@ func TestActiveCandidate(t *testing.T) {
 	for _, chain := range allChains {
 		timelocks[chain] = state.Chains[chain].Timelock
 	}
-	_, err = commonchangeset.ApplyChangesets(t, e, timelocks, []commonchangeset.ChangesetApplication{
+	callProxies := make(map[uint64]*gethwrappers.CallProxy)
+	for _, chain := range allChains {
+		callProxies[chain] = state.Chains[chain].CallProxy
+	}
+	_, err = commonchangeset.ApplyChangesets(t, e, timelocks, callProxies, []commonchangeset.ChangesetApplication{
 		// note this doesn't have proposals.
 		{
 			Changeset: commonchangeset.WrapChangeSet(commonchangeset.TransferToMCMSWithTimelock),
@@ -177,7 +181,7 @@ func TestActiveCandidate(t *testing.T) {
 	}}, "set new candidates on commit plugin", 0)
 	require.NoError(t, err)
 	setCommitCandidateSigned := commonchangeset.SignProposal(t, e, setCommitCandidateProposal)
-	commonchangeset.ExecuteProposal(t, e, setCommitCandidateSigned, state.Chains[tenv.HomeChainSel].Timelock, tenv.HomeChainSel)
+	commonchangeset.ExecuteProposal(t, e, setCommitCandidateSigned, state.Chains[tenv.HomeChainSel].Timelock, state.Chains[tenv.HomeChainSel].CallProxy, tenv.HomeChainSel)
 
 	// create the op for the commit plugin as well
 	setExecCandidateOp, err := setCandidateOnExistingDon(
@@ -195,7 +199,7 @@ func TestActiveCandidate(t *testing.T) {
 	}}, "set new candidates on commit and exec plugins", 0)
 	require.NoError(t, err)
 	setExecCandidateSigned := commonchangeset.SignProposal(t, e, setExecCandidateProposal)
-	commonchangeset.ExecuteProposal(t, e, setExecCandidateSigned, state.Chains[tenv.HomeChainSel].Timelock, tenv.HomeChainSel)
+	commonchangeset.ExecuteProposal(t, e, setExecCandidateSigned, state.Chains[tenv.HomeChainSel].Timelock, state.Chains[tenv.HomeChainSel].CallProxy, tenv.HomeChainSel)
 
 	// check setup was successful by confirming number of nodes from cap reg
 	donInfo, err = state.Chains[tenv.HomeChainSel].CapabilityRegistry.GetDON(nil, donID)
@@ -222,7 +226,7 @@ func TestActiveCandidate(t *testing.T) {
 	}}, "promote candidates and revoke actives", 0)
 	require.NoError(t, err)
 	promoteSigned := commonchangeset.SignProposal(t, e, promoteProposal)
-	commonchangeset.ExecuteProposal(t, e, promoteSigned, state.Chains[tenv.HomeChainSel].Timelock, tenv.HomeChainSel)
+	commonchangeset.ExecuteProposal(t, e, promoteSigned, state.Chains[tenv.HomeChainSel].Timelock, state.Chains[tenv.HomeChainSel].CallProxy, tenv.HomeChainSel)
 	// [NEW ACTIVE, NO CANDIDATE] done promoting
 
 	// [NEW ACTIVE, NO CANDIDATE] check onchain state

@@ -52,13 +52,12 @@ func TestAddChainInbound(t *testing.T) {
 	require.NoError(t, e.Env.ExistingAddresses.Merge(newAddresses))
 
 	cfg := commontypes.MCMSWithTimelockConfig{
-		Canceller:         commonchangeset.SingleGroupMCMS(t),
-		Bypasser:          commonchangeset.SingleGroupMCMS(t),
-		Proposer:          commonchangeset.SingleGroupMCMS(t),
-		TimelockExecutors: e.Env.AllDeployerKeys(),
-		TimelockMinDelay:  big.NewInt(0),
+		Canceller:        commonchangeset.SingleGroupMCMS(t),
+		Bypasser:         commonchangeset.SingleGroupMCMS(t),
+		Proposer:         commonchangeset.SingleGroupMCMS(t),
+		TimelockMinDelay: big.NewInt(0),
 	}
-	e.Env, err = commonchangeset.ApplyChangesets(t, e.Env, nil, []commonchangeset.ChangesetApplication{
+	e.Env, err = commonchangeset.ApplyChangesets(t, e.Env, nil, nil, []commonchangeset.ChangesetApplication{
 		{
 			Changeset: commonchangeset.WrapChangeSet(commonchangeset.DeployLinkToken),
 			Config:    initialDeploy,
@@ -107,7 +106,7 @@ func TestAddChainInbound(t *testing.T) {
 	require.NoError(t, err)
 
 	//  Deploy contracts to new chain
-	e.Env, err = commonchangeset.ApplyChangesets(t, e.Env, nil, []commonchangeset.ChangesetApplication{
+	e.Env, err = commonchangeset.ApplyChangesets(t, e.Env, nil, nil, []commonchangeset.ChangesetApplication{
 		{
 			Changeset: commonchangeset.WrapChangeSet(commonchangeset.DeployLinkToken),
 			Config:    []uint64{newChain},
@@ -150,6 +149,10 @@ func TestAddChainInbound(t *testing.T) {
 		initialDeploy[0]: state.Chains[initialDeploy[0]].Timelock,
 		initialDeploy[1]: state.Chains[initialDeploy[1]].Timelock,
 		initialDeploy[2]: state.Chains[initialDeploy[2]].Timelock,
+	}, map[uint64]*gethwrappers.CallProxy{
+		initialDeploy[0]: state.Chains[initialDeploy[0]].CallProxy,
+		initialDeploy[1]: state.Chains[initialDeploy[1]].CallProxy,
+		initialDeploy[2]: state.Chains[initialDeploy[2]].CallProxy,
 	}, []commonchangeset.ChangesetApplication{
 		{
 			Changeset: commonchangeset.WrapChangeSet(commonchangeset.TransferToMCMSWithTimelock),
@@ -182,6 +185,9 @@ func TestAddChainInbound(t *testing.T) {
 	_, err = commonchangeset.ApplyChangesets(t, e.Env, map[uint64]*gethwrappers.RBACTimelock{
 		e.HomeChainSel: state.Chains[e.HomeChainSel].Timelock,
 		newChain:       state.Chains[newChain].Timelock,
+	}, map[uint64]*gethwrappers.CallProxy{
+		e.HomeChainSel: state.Chains[e.HomeChainSel].CallProxy,
+		newChain:       state.Chains[newChain].CallProxy,
 	}, []commonchangeset.ChangesetApplication{
 		{
 			Changeset: commonchangeset.WrapChangeSet(AddDonAndSetCandidateChangeset),

@@ -31,14 +31,13 @@ func TestDeployChainContractsChangeset(t *testing.T) {
 	cfg := make(map[uint64]commontypes.MCMSWithTimelockConfig)
 	for _, chain := range e.AllChainSelectors() {
 		cfg[chain] = commontypes.MCMSWithTimelockConfig{
-			Canceller:         commonchangeset.SingleGroupMCMS(t),
-			Bypasser:          commonchangeset.SingleGroupMCMS(t),
-			Proposer:          commonchangeset.SingleGroupMCMS(t),
-			TimelockExecutors: e.AllDeployerKeys(),
-			TimelockMinDelay:  big.NewInt(0),
+			Canceller:        commonchangeset.SingleGroupMCMS(t),
+			Bypasser:         commonchangeset.SingleGroupMCMS(t),
+			Proposer:         commonchangeset.SingleGroupMCMS(t),
+			TimelockMinDelay: big.NewInt(0),
 		}
 	}
-	e, err = commonchangeset.ApplyChangesets(t, e, nil, []commonchangeset.ChangesetApplication{
+	e, err = commonchangeset.ApplyChangesets(t, e, nil, nil, []commonchangeset.ChangesetApplication{
 		{
 			Changeset: commonchangeset.WrapChangeSet(DeployHomeChain),
 			Config: DeployHomeChainConfig{

@@ -311,6 +311,7 @@ func LoadChainState(chain deployment.Chain, addresses map[string]deployment.Type
 	for address, tvStr := range addresses {
 		switch tvStr.String() {
 		case deployment.NewTypeAndVersion(commontypes.RBACTimelock, deployment.Version1_0_0).String(),
+			deployment.NewTypeAndVersion(commontypes.CallProxy, deployment.Version1_0_0).String(),
 			deployment.NewTypeAndVersion(commontypes.ProposerManyChainMultisig, deployment.Version1_0_0).String(),
 			deployment.NewTypeAndVersion(commontypes.CancellerManyChainMultisig, deployment.Version1_0_0).String(),
 			deployment.NewTypeAndVersion(commontypes.BypasserManyChainMultisig, deployment.Version1_0_0).String(),

@@ -279,11 +279,10 @@ func NewMemoryEnvironmentWithJobsAndContracts(t *testing.T, lggr logger.Logger,
 	mcmsCfg := make(map[uint64]commontypes.MCMSWithTimelockConfig)
 	for _, c := range e.Env.AllChainSelectors() {
 		mcmsCfg[c] = commontypes.MCMSWithTimelockConfig{
-			Canceller:         commonchangeset.SingleGroupMCMS(t),
-			Bypasser:          commonchangeset.SingleGroupMCMS(t),
-			Proposer:          commonchangeset.SingleGroupMCMS(t),
-			TimelockExecutors: e.Env.AllDeployerKeys(),
-			TimelockMinDelay:  big.NewInt(0),
+			Canceller:        commonchangeset.SingleGroupMCMS(t),
+			Bypasser:         commonchangeset.SingleGroupMCMS(t),
+			Proposer:         commonchangeset.SingleGroupMCMS(t),
+			TimelockMinDelay: big.NewInt(0),
 		}
 	}
 	var (
@@ -298,7 +297,7 @@ func NewMemoryEnvironmentWithJobsAndContracts(t *testing.T, lggr logger.Logger,
 	}
 	// Need to deploy prerequisites first so that we can form the USDC config
 	// no proposals to be made, timelock can be passed as nil here
-	e.Env, err = commonchangeset.ApplyChangesets(t, e.Env, nil, []commonchangeset.ChangesetApplication{
+	e.Env, err = commonchangeset.ApplyChangesets(t, e.Env, nil, nil, []commonchangeset.ChangesetApplication{
 		{
 			Changeset: commonchangeset.WrapChangeSet(commonchangeset.DeployLinkToken),
 			Config:    allChains,
@@ -367,13 +366,15 @@ func NewMemoryEnvironmentWithJobsAndContracts(t *testing.T, lggr logger.Logger,
 	// Build the per chain config.
 	chainConfigs := make(map[uint64]CCIPOCRParams)
 	timelocksPerChain := make(map[uint64]*gethwrappers.RBACTimelock)
+	callProxiesPerChain := make(map[uint64]*gethwrappers.CallProxy)
 	for _, chain := range allChains {
 		timelocksPerChain[chain] = state.Chains[chain].Timelock
+		callProxiesPerChain[chain] = state.Chains[chain].CallProxy
 		tokenInfo := tokenConfig.GetTokenInfo(e.Env.Logger, state.Chains[chain].LinkToken, state.Chains[chain].Weth9)
 		chainConfigs[chain] = DefaultOCRParams(e.FeedChainSel, tokenInfo, tokenDataProviders)
 	}
 	// Deploy second set of changesets to deploy and configure the CCIP contracts.
-	e.Env, err = commonchangeset.ApplyChangesets(t, e.Env, timelocksPerChain, []commonchangeset.ChangesetApplication{
+	e.Env, err = commonchangeset.ApplyChangesets(t, e.Env, timelocksPerChain, callProxiesPerChain, []commonchangeset.ChangesetApplication{
 		{
 			Changeset: commonchangeset.WrapChangeSet(ConfigureNewChains),
 			Config: NewChainsConfig{
@@ -823,7 +824,7 @@ func ProcessChangeset(t *testing.T, e deployment.Environment, c deployment.Chang
 
 			signed := commonchangeset.SignProposal(t, e, &prop)
 			for _, sel := range chains.ToSlice() {
-				commonchangeset.ExecuteProposal(t, e, signed, state.Chains[sel].Timelock, sel)
+				commonchangeset.ExecuteProposal(t, e, signed, state.Chains[sel].Timelock, state.Chains[sel].CallProxy, sel)
 			}
 		}
 	}

diff --git a/deployment/common/changeset/deploy_link_token_test.go b/deployment/common/changeset/deploy_link_token_test.go
@@ -18,7 +18,7 @@ func TestDeployLinkToken(t *testing.T) {
 		Chains: 1,
 	})
 	chain1 := e.AllChainSelectors()[0]
-	e, err := changeset.ApplyChangesets(t, e, nil, []changeset.ChangesetApplication{
+	e, err := changeset.ApplyChangesets(t, e, nil, nil, []changeset.ChangesetApplication{
 		{
 			Changeset: changeset.WrapChangeSet(changeset.DeployLinkToken),
 			Config:    []uint64{chain1},

@@ -55,6 +55,7 @@ type MCMSWithTimelockDeploy struct {
 	Bypasser  *deployment.ContractDeploy[*owner_helpers.ManyChainMultiSig]
 	Proposer  *deployment.ContractDeploy[*owner_helpers.ManyChainMultiSig]
 	Timelock  *deployment.ContractDeploy[*owner_helpers.RBACTimelock]
+	CallProxy *deployment.ContractDeploy[*owner_helpers.CallProxy]
 }
 
 func DeployMCMSWithTimelockContractsBatch(
@@ -106,10 +107,10 @@ func DeployMCMSWithTimelockContracts(
 				// TODO: Could expose this as config?
 				// Or keep this enforced to follow the same pattern?
 				chain.DeployerKey.From,
-				[]common.Address{proposer.Address},  // proposers
-				config.TimelockExecutors,            //executors
-				[]common.Address{canceller.Address}, // cancellers
-				[]common.Address{bypasser.Address},  // bypassers
+				[]common.Address{proposer.Address}, // proposers
+				[]common.Address{},                 // executors
+				[]common.Address{canceller.Address, proposer.Address, bypasser.Address}, // cancellers
+				[]common.Address{bypasser.Address},                                      // bypassers
 			)
 			return deployment.ContractDeploy[*owner_helpers.RBACTimelock]{
 				timelock, cc, tx2, deployment.NewTypeAndVersion(types.RBACTimelock, deployment.Version1_0_0), err2,
@@ -119,6 +120,37 @@ func DeployMCMSWithTimelockContracts(
 		lggr.Errorw("Failed to deploy timelock", "chain", chain.String(), "err", err)
 		return nil, err
 	}
+
+	callProxy, err := deployment.DeployContract(lggr, chain, ab,
+		func(chain deployment.Chain) deployment.ContractDeploy[*owner_helpers.CallProxy] {
+			callProxy, tx2, cc, err2 := owner_helpers.DeployCallProxy(
+				chain.DeployerKey,
+				chain.Client,
+				timelock.Address,
+			)
+			return deployment.ContractDeploy[*owner_helpers.CallProxy]{
+				callProxy, cc, tx2, deployment.NewTypeAndVersion(types.CallProxy, deployment.Version1_0_0), err2,
+			}
+		})
+	if err != nil {
+		lggr.Errorw("Failed to deploy call proxy", "chain", chain.String(), "err", err)
+		return nil, err
+	}
+
+	grantRoleTx, err := timelock.Contract.GrantRole(
+		chain.DeployerKey,
+		v1_0.EXECUTOR_ROLE.ID,
+		callProxy.Address,
+	)
+	if err != nil {
+		lggr.Errorw("Failed to grant timelock executor role", "chain", chain.String(), "err", err)
+		return nil, err
+	}
+
+	if _, err := deployment.ConfirmIfNoError(chain, grantRoleTx, err); err != nil {
+		lggr.Errorw("Failed to grant timelock executor role", "chain", chain.String(), "err", err)
+		return nil, err
+	}
 	// We grant the timelock the admin role on the MCMS contracts.
 	tx, err := timelock.Contract.GrantRole(chain.DeployerKey,
 		v1_0.ADMIN_ROLE.ID, timelock.Address)
@@ -133,5 +165,6 @@ func DeployMCMSWithTimelockContracts(
 		Bypasser:  bypasser,
 		Proposer:  proposer,
 		Timelock:  timelock,
+		CallProxy: callProxy,
 	}, nil
 }
@@ -5,7 +5,6 @@ import (
 	"math/big"
 	"testing"
 
-	"github.com/ethereum/go-ethereum/common"
 	chainsel "github.com/smartcontractkit/chain-selectors"
 	"github.com/stretchr/testify/require"
 
@@ -37,18 +36,15 @@ func TestDeployMCMSWithTimelockContracts(t *testing.T) {
 	_, err := internal.DeployMCMSWithTimelockContracts(lggr,
 		chains[chainsel.TEST_90000001.Selector],
 		ab, types.MCMSWithTimelockConfig{
-			Canceller: changeset.SingleGroupMCMS(t),
-			Bypasser:  changeset.SingleGroupMCMS(t),
-			Proposer:  changeset.SingleGroupMCMS(t),
-			TimelockExecutors: []common.Address{
-				chains[chainsel.TEST_90000001.Selector].DeployerKey.From,
-			},
+			Canceller:        changeset.SingleGroupMCMS(t),
+			Bypasser:         changeset.SingleGroupMCMS(t),
+			Proposer:         changeset.SingleGroupMCMS(t),
 			TimelockMinDelay: big.NewInt(0),
 		})
 	require.NoError(t, err)
 	addresses, err := ab.AddressesForChain(chainsel.TEST_90000001.Selector)
 	require.NoError(t, err)
-	require.Len(t, addresses, 4)
+	require.Len(t, addresses, 5)
 	mcmsState, err := changeset.MaybeLoadMCMSWithTimelockState(chains[chainsel.TEST_90000001.Selector], addresses)
 	require.NoError(t, err)
 	v, err := mcmsState.GenerateMCMSWithTimelockView()

@@ -65,7 +65,7 @@ func SignProposal(t *testing.T, env deployment.Environment, proposal *timelock.M
 }
 
 func ExecuteProposal(t *testing.T, env deployment.Environment, executor *mcms.Executor,
-	timelock *owner_helpers.RBACTimelock, sel uint64) {
+	timelock *owner_helpers.RBACTimelock, callProxy *owner_helpers.CallProxy, sel uint64) {
 	t.Log("Executing proposal on chain", sel)
 	// Set the root.
 	tx, err2 := executor.SetRootOnChain(env.Chains[sel].Client, env.Chains[sel].DeployerKey, mcms.ChainIdentifier(sel))
@@ -104,7 +104,8 @@ func ExecuteProposal(t *testing.T, env deployment.Environment, executor *mcms.Ex
 						Value:  it.Event.Value,
 					})
 				}
-				tx, err := timelock.ExecuteBatch(
+				timelockExecutorProxy, err := owner_helpers.NewRBACTimelock(callProxy.Address(), env.Chains[sel].Client)
+				tx, err := timelockExecutorProxy.ExecuteBatch(
 					env.Chains[sel].DeployerKey, calls, pred, salt)
 				require.NoError(t, err)
 				_, err = env.Chains[sel].Confirm(tx)

@@ -23,6 +23,7 @@ type MCMSWithTimelockState struct {
 	BypasserMcm  *owner_helpers.ManyChainMultiSig
 	ProposerMcm  *owner_helpers.ManyChainMultiSig
 	Timelock     *owner_helpers.RBACTimelock
+	CallProxy    *owner_helpers.CallProxy
 }
 
 // Validate checks that all fields are non-nil, ensuring it's ready
@@ -40,6 +41,9 @@ func (state MCMSWithTimelockState) Validate() error {
 	if state.BypasserMcm == nil {
 		return errors.New("bypasser not found")
 	}
+	if state.CallProxy == nil {
+		return errors.New("call proxy not found")
+	}
 	return nil
 }
 
@@ -51,6 +55,10 @@ func (state MCMSWithTimelockState) GenerateMCMSWithTimelockView() (v1_0.MCMSWith
 	if err != nil {
 		return v1_0.MCMSWithTimelockView{}, nil
 	}
+	callProxyView, err := v1_0.GenerateCallProxyView(*state.CallProxy)
+	if err != nil {
+		return v1_0.MCMSWithTimelockView{}, nil
+	}
 	bypasserView, err := v1_0.GenerateMCMSView(*state.BypasserMcm)
 	if err != nil {
 		return v1_0.MCMSWithTimelockView{}, nil
@@ -68,6 +76,7 @@ func (state MCMSWithTimelockState) GenerateMCMSWithTimelockView() (v1_0.MCMSWith
 		Bypasser:  bypasserView,
 		Proposer:  proposerView,
 		Canceller: cancellerView,
+		CallProxy: callProxyView,
 	}, nil
 }
 
@@ -82,14 +91,15 @@ func MaybeLoadMCMSWithTimelockState(chain deployment.Chain, addresses map[string
 	state := MCMSWithTimelockState{}
 	// We expect one of each contract on the chain.
 	timelock := deployment.NewTypeAndVersion(types.RBACTimelock, deployment.Version1_0_0)
+	callProxy := deployment.NewTypeAndVersion(types.CallProxy, deployment.Version1_0_0)
 	proposer := deployment.NewTypeAndVersion(types.ProposerManyChainMultisig, deployment.Version1_0_0)
 	canceller := deployment.NewTypeAndVersion(types.CancellerManyChainMultisig, deployment.Version1_0_0)
 	bypasser := deployment.NewTypeAndVersion(types.BypasserManyChainMultisig, deployment.Version1_0_0)
 
 	// Ensure we either have the bundle or not.
 	_, err := deployment.AddressesContainBundle(addresses,
 		map[deployment.TypeAndVersion]struct{}{
-			timelock: {}, proposer: {}, canceller: {}, bypasser: {},
+			timelock: {}, proposer: {}, canceller: {}, bypasser: {}, callProxy: {},
 		})
 	if err != nil {
 		return nil, fmt.Errorf("unable to check MCMS contracts on chain %s error: %w", chain.Name(), err)
@@ -103,6 +113,12 @@ func MaybeLoadMCMSWithTimelockState(chain deployment.Chain, addresses map[string
 				return nil, err
 			}
 			state.Timelock = tl
+		case callProxy:
+			cp, err := owner_helpers.NewCallProxy(common.HexToAddress(address), chain.Client)
+			if err != nil {
+				return nil, err
+			}
+			state.CallProxy = cp
 		case proposer:
 			mcms, err := owner_helpers.NewManyChainMultiSig(common.HexToAddress(address), chain.Client)
 			if err != nil {