When a blockchain node upgrade requires a contract upgrade because of a breaking interface change, the following problem can happen:
The upgrade is scheduled for a height
Once the height is reached, every gateway needs to be upgraded. The upgrade is a sensitive action that uses a setup with the maximum number of signers. The upgrade can be a lengthy process, but it has to happen as soon as the upgrade height is reached.
Proposed solution
The upgrade is sensitive because the contract can be replaced by a malicious one, not because of the upgrade itself. The process could be made more flexible to prepare for the upgrade.
A new role is introduced: UPGRADE_EXECUTOR, which requires fewer signatures than the upgrade admin
The upgrade admin proposes the new implementation contract to be scheduled
The upgrade executor can execute the upgrade to this implementation at any time
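The proposed split can be modelled as a small state machine. The following is an added illustration, not the project's contract code: the `Gateway` class, its method names, the signer sets, the thresholds and the implementation addresses are all constructed for the example, and clearing the pending proposal after execution is an assumption the proposal does not spell out.

```python
class UpgradeError(Exception):
    pass


class Gateway:
    """Hypothetical model: the admin chooses the code, the executor only activates it."""

    def __init__(self, implementation, admin_signers, admin_threshold,
                 executor_signers, executor_threshold):
        self.implementation = implementation
        self.pending = None  # implementation approved by the upgrade admin, not yet active
        self._roles = {
            "UPGRADE_ADMIN": (frozenset(admin_signers), admin_threshold),
            "UPGRADE_EXECUTOR": (frozenset(executor_signers), executor_threshold),
        }

    def _require(self, role, signatures):
        signers, threshold = self._roles[role]
        valid = set(signatures) & signers  # signatures from non-members do not count
        if len(valid) < threshold:
            raise UpgradeError(f"{role}: {len(valid)} valid signatures, need {threshold}")

    def propose_upgrade(self, new_implementation, signatures):
        # Sensitive step (selects the code); can be done ahead of the upgrade height.
        self._require("UPGRADE_ADMIN", signatures)
        self.pending = new_implementation

    def execute_upgrade(self, implementation, signatures):
        # Time-critical step; only the admin-approved implementation can be activated.
        self._require("UPGRADE_EXECUTOR", signatures)
        if self.pending is None or implementation != self.pending:
            raise UpgradeError("implementation was not proposed by the upgrade admin")
        self.implementation, self.pending = self.pending, None  # assumption: one-shot


def demo():
    gw = Gateway("0xImplV1", admin_signers="abcde", admin_threshold=5,
                 executor_signers="ab", executor_threshold=1)
    results = []
    # The executor quorum can neither activate unapproved code nor propose code itself.
    for attempt in (lambda: gw.execute_upgrade("0xOther", ["a"]),
                    lambda: gw.propose_upgrade("0xOther", ["a", "b"])):
        try:
            attempt()
            results.append("accepted")
        except UpgradeError:
            results.append("rejected")
    gw.propose_upgrade("0xImplV2", list("abcde"))  # before the upgrade height
    gw.execute_upgrade("0xImplV2", ["a"])          # once the height is reached
    results.append(gw.implementation)
    return results
```

The property to check when reviewing a real implementation is the one the model enforces in `execute_upgrade`: the lower-threshold role has no way to influence which implementation address becomes active.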