Contract pausing

[m-chrzan]

Description

Adds a mechanism for pausing the protocol to prevent/mitigate damages in case of an exploit.

The basic design is as follows:

• Pausable contracts extend Pausable.sol
  • This adds two new storage slots, using the ERC-1967 pattern, rather than storage variables, which would mangle storage.
  • pauser is the address that is permissioned to pause/unpause the contract.
  • paused is a boolean indicating whether or not the contract is paused.
  • Functions that should be paused specify the onlyWhenNotPaused modifier.
• Pauser.sol is a new contract, it should be set as the pauser address in Pausable contracts. It can only be called by the MultiSig.
• MultiSig has new functions, pauseContracts and unpauseContracts, which pause/unpause a list of contracts.
• pauseContracts can be called by any MultiSig signer to immediately pause the chosen contracts.
• unpauseContracts can be called by Governance (via referendum or hotfix) to immediately unpause chosen contracts.
• TODO: add pausing to other protocol contracts.
• TODO: add pausing-related events.
• TODO: Make Vote.sol pausable. This one has a different test setup than other contracts, making it more difficult to test. Will need to look into how to do this cleanly.

Tested

Unit tests.

Other changes

Set unlimited timeout for GroupHealth tests, as they started timing out in GitHub Actions.

Cleaned up some tests to use the named owner account and to explicitly specify the caller with .connect().

Vote needed some extra cleanup, as it used the production "core" fixture, differently than other contract unit tests. Updated to use a new test deployment.

Related issues

• Fixes #159

[openzeppelin-code[bot]]

[WIP] Contract pausing

Generated at commit: e345bfe5e7310d43315590d1ddd04e2378389c40

🚨 Report Summary

	Severity Level	Results
Contracts	Critical High Medium Low Note Total	1 0 0 10 30 41
Dependencies	Critical High Medium Low Note Total	0 0 0 2 30 32

---

For more details view the full report in OpenZeppelin Code Inspector

[socket-security[bot]]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/body-parser@1.19.1	network	+8	345 kB	dougwilson
npm/express@4.17.2	environment, filesystem, network Transitive: eval	+19	925 kB	dougwilson
npm/foreach@2.0.5	None	0	8.66 kB	manuelstofer
npm/is-core-module@2.8.1	None	0	25.8 kB	ljharb
npm/merkle-patricia-tree@4.2.3	Transitive: environment, filesystem	+52	8.21 MB	holgerd77
npm/nan@2.18.0	None	0	429 kB	kkoopa
npm/rlp@2.2.7	None	0	62.9 kB	ralxz
npm/send@0.17.2	filesystem, network	+3	61 kB	dougwilson
npm/serve-static@1.14.2	Transitive: filesystem, network	+4	86 kB	dougwilson
npm/truffle@5.11.5	Transitive: environment, eval, filesystem, network, shell, unsafe	+446	172 MB

🚮 Removed packages: npm/@celo/base@2.3.0, npm/@ethereumjs/block@4.1.0, npm/@ethereumjs/blockchain@6.1.0, npm/@ethereumjs/tx@4.0.2, npm/accepts@1.3.8, npm/body-parser@1.20.1, npm/destroy@1.2.0, npm/express@4.18.2, npm/finalhandler@1.2.0, npm/foreach@2.0.6, npm/is-core-module@2.11.0, npm/merkle-patricia-tree@4.2.4, npm/minimist@1.2.7, npm/nan@2.16.0, npm/negotiator@0.6.3, npm/node-gyp-build@4.3.0, npm/on-finished@2.4.1, npm/send@0.18.0, npm/serve-static@1.15.0, npm/web3-core@1.8.1

View full report↗︎

[m-chrzan]

What is the purpose of having standalone smart contract as a pauser ?

You're right, now that I think about it, I don't think it's necessary and could be simplified to put all the functionality in the MultiSig. I think this architecture was necessary when I had some different ideas about how to disable the MultiSig executing proposals and unpausing before, but shouldn't be necessary anymore.

I guess the one argument for keeping the separate contract would be for better modularity (e.g. if in the future we'd want to swap out our custom MultiSig for something like a Gnosis Safe).