CCIP 1.5 Migration

.github/workflows/certora.yml

@@ -20,13 +20,13 @@ jobs:
         with: { java-version: "11", java-package: jre }
 
       - name: Install certora cli
-        run: pip install certora-cli==7.6.3
+        run: pip install certora-cli==7.17.2
 
       - name: Install solc
         run: |
-          wget https://github.com/ethereum/solidity/releases/download/v0.8.10/solc-static-linux
+          wget https://github.com/ethereum/solidity/releases/download/v0.8.19/solc-static-linux
           chmod +x solc-static-linux
-          sudo mv solc-static-linux /usr/local/bin/solc8.10
+          sudo mv solc-static-linux /usr/local/bin/solc8.19
 
       - name: Verify rule ${{ matrix.rule }}
         run: |

certora/confs/ccip.conf

@@ -13,7 +13,7 @@
     "process": "emv",
     "prover_args": ["-depth 10","-mediumTimeout 700"],
     "smt_timeout": "600",
-    "solc": "solc8.10",
+    "solc": "solc8.19",
     "verify": "UpgradeableLockReleaseTokenPool:certora/specs/ccip.spec",
     "rule_sanity": "basic",
     "msg": "CCIP"

contracts/src/v0.8/ccip/pools/GHO/UpgradeableBurnMintTokenPool.sol

@@ -2,14 +2,12 @@
 pragma solidity ^0.8.0;
 
 import {Initializable} from "solidity-utils/contracts/transparent-proxy/Initializable.sol";
-
 import {ITypeAndVersion} from "../../../shared/interfaces/ITypeAndVersion.sol";
 import {IBurnMintERC20} from "../../../shared/token/ERC20/IBurnMintERC20.sol";
 
 import {UpgradeableTokenPool} from "./UpgradeableTokenPool.sol";
 import {UpgradeableBurnMintTokenPoolAbstract} from "./UpgradeableBurnMintTokenPoolAbstract.sol";
 import {RateLimiter} from "../../libraries/RateLimiter.sol";
-
 import {IRouter} from "../../interfaces/IRouter.sol";
 
 /// @title UpgradeableBurnMintTokenPool
@@ -19,6 +17,8 @@ import {IRouter} from "../../interfaces/IRouter.sol";
 /// - Implementation of Initializable to allow upgrades
 /// - Move of allowlist and router definition to initialization stage
 /// - Inclusion of rate limit admin who may configure rate limits in addition to owner
+/// - Modifications from inherited contract (see contract for more details):
+///   - UpgradeableTokenPool: Modify `onlyOnRamp` modifier to accept transactions from ProxyPool
 contract UpgradeableBurnMintTokenPool is Initializable, UpgradeableBurnMintTokenPoolAbstract, ITypeAndVersion {
   error Unauthorized(address caller);
 
@@ -36,7 +36,9 @@ contract UpgradeableBurnMintTokenPool is Initializable, UpgradeableBurnMintToken
     address token,
     address armProxy,
     bool allowlistEnabled
-  ) UpgradeableTokenPool(IBurnMintERC20(token), armProxy, allowlistEnabled) {}
+  ) UpgradeableTokenPool(IBurnMintERC20(token), armProxy, allowlistEnabled) {
+    _disableInitializers();
+  }
 
   /// @dev Initializer
   /// @dev The address passed as `owner` must accept ownership after initialization.
@@ -45,8 +47,7 @@ contract UpgradeableBurnMintTokenPool is Initializable, UpgradeableBurnMintToken
   /// @param allowlist A set of addresses allowed to trigger lockOrBurn as original senders
   /// @param router The address of the router
   function initialize(address owner, address[] memory allowlist, address router) public virtual initializer {
-    if (owner == address(0)) revert ZeroAddressNotAllowed();
-    if (router == address(0)) revert ZeroAddressNotAllowed();
+    if (owner == address(0) || router == address(0)) revert ZeroAddressNotAllowed();
     _transferOwnership(owner);
 
     s_router = IRouter(router);

contracts/src/v0.8/ccip/pools/GHO/UpgradeableLockReleaseTokenPool.sol

@@ -2,7 +2,6 @@
 pragma solidity ^0.8.0;
 
 import {Initializable} from "solidity-utils/contracts/transparent-proxy/Initializable.sol";
-
 import {ITypeAndVersion} from "../../../shared/interfaces/ITypeAndVersion.sol";
 import {ILiquidityContainer} from "../../../rebalancer/interfaces/ILiquidityContainer.sol";
 
@@ -11,7 +10,6 @@ import {RateLimiter} from "../../libraries/RateLimiter.sol";
 
 import {IERC20} from "../../../vendor/openzeppelin-solidity/v4.8.3/contracts/token/ERC20/IERC20.sol";
 import {SafeERC20} from "../../../vendor/openzeppelin-solidity/v4.8.3/contracts/token/ERC20/utils/SafeERC20.sol";
-
 import {IRouter} from "../../interfaces/IRouter.sol";
 
 /// @title UpgradeableLockReleaseTokenPool
@@ -21,6 +19,8 @@ import {IRouter} from "../../interfaces/IRouter.sol";
 /// - Implementation of Initializable to allow upgrades
 /// - Move of allowlist and router definition to initialization stage
 /// - Addition of a bridge limit to regulate the maximum amount of tokens that can be transferred out (burned/locked)
+/// - Modifications from inherited contract (see contract for more details):
+///   - UpgradeableTokenPool: Modify `onlyOnRamp` modifier to accept transactions from ProxyPool
 contract UpgradeableLockReleaseTokenPool is Initializable, UpgradeableTokenPool, ILiquidityContainer, ITypeAndVersion {
   using SafeERC20 for IERC20;
 
@@ -71,6 +71,7 @@ contract UpgradeableLockReleaseTokenPool is Initializable, UpgradeableTokenPool,
     bool acceptLiquidity
   ) UpgradeableTokenPool(IERC20(token), armProxy, allowlistEnabled) {
     i_acceptLiquidity = acceptLiquidity;
+    _disableInitializers();
   }
 
   /// @dev Initializer
@@ -86,8 +87,7 @@ contract UpgradeableLockReleaseTokenPool is Initializable, UpgradeableTokenPool,
     address router,
     uint256 bridgeLimit
   ) public virtual initializer {
-    if (owner == address(0)) revert ZeroAddressNotAllowed();
-    if (router == address(0)) revert ZeroAddressNotAllowed();
+    if (owner == address(0) || router == address(0)) revert ZeroAddressNotAllowed();
     _transferOwnership(owner);
 
     s_router = IRouter(router);

contracts/src/v0.8/ccip/pools/GHO/UpgradeableTokenPool.sol

@@ -12,9 +12,12 @@ import {IERC20} from "../../../vendor/openzeppelin-solidity/v4.8.3/contracts/tok
 import {IERC165} from "../../../vendor/openzeppelin-solidity/v4.8.3/contracts/utils/introspection/IERC165.sol";
 import {EnumerableSet} from "../../../vendor/openzeppelin-solidity/v4.8.3/contracts/utils/structs/EnumerableSet.sol";
 
-/// @notice Base abstract class with common functions for all token pools.
-/// A token pool serves as isolated place for holding tokens and token specific logic
-/// that may execute as tokens move across the bridge.
+/// @title UpgradeableTokenPool
+/// @author Aave Labs
+/// @notice Upgradeable version of Chainlink's CCIP TokenPool
+/// @dev Contract adaptations:
+///   - Setters & Getters for new ProxyPool (to support 1.5 CCIP migration on the existing 1.4 Pool)
+///   - Modify `onlyOnRamp` modifier to accept transactions from ProxyPool
 abstract contract UpgradeableTokenPool is IPool, OwnerIsCreator, IERC165 {
   using EnumerableSet for EnumerableSet.AddressSet;
   using EnumerableSet for EnumerableSet.UintSet;
@@ -55,6 +58,12 @@ abstract contract UpgradeableTokenPool is IPool, OwnerIsCreator, IERC165 {
     RateLimiter.Config inboundRateLimiterConfig; // Inbound rate limited config, meaning the rate limits for all of the offRamps for the given chain
   }
 
+  /// @dev The storage slot for Proxy Pool address, act as an on ramp "wrapper" post ccip 1.5 migration.
+  /// @dev This was added to continue support for 1.2 onRamp during 1.5 migration, and is stored
+  /// this way to avoid storage collision.
+  // bytes32(uint256(keccak256("ccip.pools.GHO.UpgradeableTokenPool.proxyPool")) - 1)
+  bytes32 internal constant PROXY_POOL_SLOT = 0x75bb68f1b335d4dab6963140ecff58281174ef4362bb85a8593ab9379f24fae2;
+
   /// @dev The bridgeable token that is managed by this pool.
   IERC20 internal immutable i_token;
   /// @dev The address of the arm proxy
@@ -250,7 +259,9 @@ abstract contract UpgradeableTokenPool is IPool, OwnerIsCreator, IERC165 {
   /// is a permissioned onRamp for the given chain on the Router.
   modifier onlyOnRamp(uint64 remoteChainSelector) {
     if (!isSupportedChain(remoteChainSelector)) revert ChainNotAllowed(remoteChainSelector);
-    if (!(msg.sender == s_router.getOnRamp(remoteChainSelector))) revert CallerIsNotARampOnRouter(msg.sender);
+    if (!(msg.sender == getProxyPool() || msg.sender == s_router.getOnRamp(remoteChainSelector))) {
+      revert CallerIsNotARampOnRouter(msg.sender);
+    }
     _;
   }
 
@@ -317,4 +328,23 @@ abstract contract UpgradeableTokenPool is IPool, OwnerIsCreator, IERC165 {
     if (IARM(i_armProxy).isCursed()) revert BadARMSignal();
     _;
   }
+
+  /// @notice Getter for proxy pool address.
+  /// @return proxyPool The proxy pool address for the given remoteChainSelector
+  function getProxyPool() public view returns (address proxyPool) {
+    assembly ("memory-safe") {
+      proxyPool := shr(96, shl(96, sload(PROXY_POOL_SLOT)))
+    }
+  }
+
+  /// @notice Setter for proxy pool address, only callable by the DAO.
+  /// @dev This router is currently set for the Eth/Arb lane, and this pool is not expected
+  /// to support any other lanes in the future - hence can be stored agnostic to chain selector.
+  /// @param proxyPool The address of the proxy pool.
+  function setProxyPool(address proxyPool) external onlyOwner {
+    if (proxyPool == address(0)) revert ZeroAddressNotAllowed();
+    assembly ("memory-safe") {
+      sstore(PROXY_POOL_SLOT, proxyPool)
+    }
+  }
 }

contracts/src/v0.8/ccip/pools/GHO/diffs/UpgradeableBurnMintTokenPool_diff.md

@@ -1,26 +1,24 @@
 ```diff
 diff --git a/src/v0.8/ccip/pools/BurnMintTokenPool.sol b/src/v0.8/ccip/pools/GHO/UpgradeableBurnMintTokenPool.sol
-index 9af0f22f4c..a46ff915e5 100644
+index 9af0f22f4c..57a3226ef4 100644
 --- a/src/v0.8/ccip/pools/BurnMintTokenPool.sol
 +++ b/src/v0.8/ccip/pools/GHO/UpgradeableBurnMintTokenPool.sol
-@@ -1,28 +1,90 @@
+@@ -1,28 +1,92 @@
  // SPDX-License-Identifier: BUSL-1.1
 -pragma solidity 0.8.19;
 +pragma solidity ^0.8.0;
- 
+
 -import {ITypeAndVersion} from "../../shared/interfaces/ITypeAndVersion.sol";
 -import {IBurnMintERC20} from "../../shared/token/ERC20/IBurnMintERC20.sol";
 +import {Initializable} from "solidity-utils/contracts/transparent-proxy/Initializable.sol";
-
--import {TokenPool} from "./TokenPool.sol";
--import {BurnMintTokenPoolAbstract} from "./BurnMintTokenPoolAbstract.sol";
 +import {ITypeAndVersion} from "../../../shared/interfaces/ITypeAndVersion.sol";
 +import {IBurnMintERC20} from "../../../shared/token/ERC20/IBurnMintERC20.sol";
-+
+
+-import {TokenPool} from "./TokenPool.sol";
+-import {BurnMintTokenPoolAbstract} from "./BurnMintTokenPoolAbstract.sol";
 +import {UpgradeableTokenPool} from "./UpgradeableTokenPool.sol";
 +import {UpgradeableBurnMintTokenPoolAbstract} from "./UpgradeableBurnMintTokenPoolAbstract.sol";
 +import {RateLimiter} from "../../libraries/RateLimiter.sol";
-+
 +import {IRouter} from "../../interfaces/IRouter.sol";
 +
 +/// @title UpgradeableBurnMintTokenPool
@@ -29,17 +27,20 @@ index 9af0f22f4c..a46ff915e5 100644
 +/// @dev Contract adaptations:
 +/// - Implementation of Initializable to allow upgrades
 +/// - Move of allowlist and router definition to initialization stage
++/// - Inclusion of rate limit admin who may configure rate limits in addition to owner
++/// - Modifications from inherited contract (see contract for more details):
++///   - UpgradeableTokenPool: Modify `onlyOnRamp` modifier to accept transactions from ProxyPool
 +contract UpgradeableBurnMintTokenPool is Initializable, UpgradeableBurnMintTokenPoolAbstract, ITypeAndVersion {
 +  error Unauthorized(address caller);
- 
+
 -/// @notice This pool mints and burns a 3rd-party token.
 -/// @dev Pool whitelisting mode is set in the constructor and cannot be modified later.
 -/// It either accepts any address as originalSender, or only accepts whitelisted originalSender.
 -/// The only way to change whitelisting mode is to deploy a new pool.
 -/// If that is expected, please make sure the token's burner/minter roles are adjustable.
 -contract BurnMintTokenPool is BurnMintTokenPoolAbstract, ITypeAndVersion {
    string public constant override typeAndVersion = "BurnMintTokenPool 1.4.0";
- 
+
 +  /// @notice The address of the rate limiter admin.
 +  /// @dev Can be address(0) if none is configured.
 +  address internal s_rateLimitAdmin;
@@ -56,18 +57,18 @@ index 9af0f22f4c..a46ff915e5 100644
 -    address router
 -  ) TokenPool(token, allowlist, armProxy, router) {}
 +    bool allowlistEnabled
-+  ) UpgradeableTokenPool(IBurnMintERC20(token), armProxy, allowlistEnabled) {}
-
--  /// @inheritdoc BurnMintTokenPoolAbstract
++  ) UpgradeableTokenPool(IBurnMintERC20(token), armProxy, allowlistEnabled) {
++    _disableInitializers();
++  }
++
 +  /// @dev Initializer
 +  /// @dev The address passed as `owner` must accept ownership after initialization.
 +  /// @dev The `allowlist` is only effective if pool is set to access-controlled mode
 +  /// @param owner The address of the owner
 +  /// @param allowlist A set of addresses allowed to trigger lockOrBurn as original senders
 +  /// @param router The address of the router
 +  function initialize(address owner, address[] memory allowlist, address router) public virtual initializer {
-+    if (owner == address(0)) revert ZeroAddressNotAllowed();
-+    if (router == address(0)) revert ZeroAddressNotAllowed();
++    if (owner == address(0) || router == address(0)) revert ZeroAddressNotAllowed();
 +    _transferOwnership(owner);
 +
 +    s_router = IRouter(router);
@@ -90,7 +91,7 @@ index 9af0f22f4c..a46ff915e5 100644
 +    return s_rateLimitAdmin;
 +  }
 +
-+  /// @notice Sets the rate limiter admin address.
++  /// @notice Sets the chain rate limiter config.
 +  /// @dev Only callable by the owner or the rate limiter admin. NOTE: overwrites the normal
 +  /// onlyAdmin check in the base implementation to also allow the rate limiter admin.
 +  /// @param remoteChainSelector The remote chain selector for which the rate limits apply.
@@ -105,7 +106,8 @@ index 9af0f22f4c..a46ff915e5 100644
 +
 +    _setRateLimitConfig(remoteChainSelector, outboundConfig, inboundConfig);
 +  }
-+
+
+-  /// @inheritdoc BurnMintTokenPoolAbstract
 +  /// @inheritdoc UpgradeableBurnMintTokenPoolAbstract
    function _burn(uint256 amount) internal virtual override {
      IBurnMintERC20(address(i_token)).burn(amount);