TimelockController.sol 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423
  1. // SPDX-License-Identifier: MIT
  2. // OpenZeppelin Contracts (last updated v4.8.0) (governance/TimelockController.sol)
  3. pragma solidity ^0.8.0;
  4. import "../access/AccessControl.sol";
  5. import "../token/ERC721/IERC721Receiver.sol";
  6. import "../token/ERC1155/IERC1155Receiver.sol";
  7. import "../utils/Address.sol";
  8. /**
  9. * @dev Contract module which acts as a timelocked controller. When set as the
  10. * owner of an `Ownable` smart contract, it enforces a timelock on all
  11. * `onlyOwner` maintenance operations. This gives time for users of the
  12. * controlled contract to exit before a potentially dangerous maintenance
  13. * operation is applied.
  14. *
  15. * By default, this contract is self administered, meaning administration tasks
  16. * have to go through the timelock process. The proposer (resp executor) role
  17. * is in charge of proposing (resp executing) operations. A common use case is
  18. * to position this {TimelockController} as the owner of a smart contract, with
  19. * a multisig or a DAO as the sole proposer.
  20. *
  21. * _Available since v3.3._
  22. */
  23. contract TimelockController is AccessControl, IERC721Receiver, IERC1155Receiver {
  24. bytes32 public constant TIMELOCK_ADMIN_ROLE = keccak256("TIMELOCK_ADMIN_ROLE");
  25. bytes32 public constant PROPOSER_ROLE = keccak256("PROPOSER_ROLE");
  26. bytes32 public constant EXECUTOR_ROLE = keccak256("EXECUTOR_ROLE");
  27. bytes32 public constant CANCELLER_ROLE = keccak256("CANCELLER_ROLE");
  28. uint256 internal constant _DONE_TIMESTAMP = uint256(1);
  29. mapping(bytes32 => uint256) private _timestamps;
  30. uint256 private _minDelay;
  31. /**
  32. * @dev Emitted when a call is scheduled as part of operation `id`.
  33. */
  34. event CallScheduled(
  35. bytes32 indexed id,
  36. uint256 indexed index,
  37. address target,
  38. uint256 value,
  39. bytes data,
  40. bytes32 predecessor,
  41. uint256 delay
  42. );
  43. /**
  44. * @dev Emitted when a call is performed as part of operation `id`.
  45. */
  46. event CallExecuted(bytes32 indexed id, uint256 indexed index, address target, uint256 value, bytes data);
  47. /**
  48. * @dev Emitted when new proposal is scheduled with non-zero salt.
  49. */
  50. event CallSalt(bytes32 indexed id, bytes32 salt);
  51. /**
  52. * @dev Emitted when operation `id` is cancelled.
  53. */
  54. event Cancelled(bytes32 indexed id);
  55. /**
  56. * @dev Emitted when the minimum delay for future operations is modified.
  57. */
  58. event MinDelayChange(uint256 oldDuration, uint256 newDuration);
  59. /**
  60. * @dev Initializes the contract with the following parameters:
  61. *
  62. * - `minDelay`: initial minimum delay for operations
  63. * - `proposers`: accounts to be granted proposer and canceller roles
  64. * - `executors`: accounts to be granted executor role
  65. * - `admin`: optional account to be granted admin role; disable with zero address
  66. *
  67. * IMPORTANT: The optional admin can aid with initial configuration of roles after deployment
  68. * without being subject to delay, but this role should be subsequently renounced in favor of
  69. * administration through timelocked proposals. Previous versions of this contract would assign
  70. * this admin to the deployer automatically and should be renounced as well.
  71. */
  72. constructor(uint256 minDelay, address[] memory proposers, address[] memory executors, address admin) {
  73. _setRoleAdmin(TIMELOCK_ADMIN_ROLE, TIMELOCK_ADMIN_ROLE);
  74. _setRoleAdmin(PROPOSER_ROLE, TIMELOCK_ADMIN_ROLE);
  75. _setRoleAdmin(EXECUTOR_ROLE, TIMELOCK_ADMIN_ROLE);
  76. _setRoleAdmin(CANCELLER_ROLE, TIMELOCK_ADMIN_ROLE);
  77. // self administration
  78. _setupRole(TIMELOCK_ADMIN_ROLE, address(this));
  79. // optional admin
  80. if (admin != address(0)) {
  81. _setupRole(TIMELOCK_ADMIN_ROLE, admin);
  82. }
  83. // register proposers and cancellers
  84. for (uint256 i = 0; i < proposers.length; ++i) {
  85. _setupRole(PROPOSER_ROLE, proposers[i]);
  86. _setupRole(CANCELLER_ROLE, proposers[i]);
  87. }
  88. // register executors
  89. for (uint256 i = 0; i < executors.length; ++i) {
  90. _setupRole(EXECUTOR_ROLE, executors[i]);
  91. }
  92. _minDelay = minDelay;
  93. emit MinDelayChange(0, minDelay);
  94. }
  95. /**
  96. * @dev Modifier to make a function callable only by a certain role. In
  97. * addition to checking the sender's role, `address(0)` 's role is also
  98. * considered. Granting a role to `address(0)` is equivalent to enabling
  99. * this role for everyone.
  100. */
  101. modifier onlyRoleOrOpenRole(bytes32 role) {
  102. if (!hasRole(role, address(0))) {
  103. _checkRole(role, _msgSender());
  104. }
  105. _;
  106. }
  107. /**
  108. * @dev Contract might receive/hold ETH as part of the maintenance process.
  109. */
  110. receive() external payable {}
  111. /**
  112. * @dev See {IERC165-supportsInterface}.
  113. */
  114. function supportsInterface(bytes4 interfaceId) public view virtual override(IERC165, AccessControl) returns (bool) {
  115. return interfaceId == type(IERC1155Receiver).interfaceId || super.supportsInterface(interfaceId);
  116. }
  117. /**
  118. * @dev Returns whether an id correspond to a registered operation. This
  119. * includes both Pending, Ready and Done operations.
  120. */
  121. function isOperation(bytes32 id) public view virtual returns (bool registered) {
  122. return getTimestamp(id) > 0;
  123. }
  124. /**
  125. * @dev Returns whether an operation is pending or not.
  126. */
  127. function isOperationPending(bytes32 id) public view virtual returns (bool pending) {
  128. return getTimestamp(id) > _DONE_TIMESTAMP;
  129. }
  130. /**
  131. * @dev Returns whether an operation is ready or not.
  132. */
  133. function isOperationReady(bytes32 id) public view virtual returns (bool ready) {
  134. uint256 timestamp = getTimestamp(id);
  135. return timestamp > _DONE_TIMESTAMP && timestamp <= block.timestamp;
  136. }
  137. /**
  138. * @dev Returns whether an operation is done or not.
  139. */
  140. function isOperationDone(bytes32 id) public view virtual returns (bool done) {
  141. return getTimestamp(id) == _DONE_TIMESTAMP;
  142. }
  143. /**
  144. * @dev Returns the timestamp at which an operation becomes ready (0 for
  145. * unset operations, 1 for done operations).
  146. */
  147. function getTimestamp(bytes32 id) public view virtual returns (uint256 timestamp) {
  148. return _timestamps[id];
  149. }
  150. /**
  151. * @dev Returns the minimum delay for an operation to become valid.
  152. *
  153. * This value can be changed by executing an operation that calls `updateDelay`.
  154. */
  155. function getMinDelay() public view virtual returns (uint256 duration) {
  156. return _minDelay;
  157. }
  158. /**
  159. * @dev Returns the identifier of an operation containing a single
  160. * transaction.
  161. */
  162. function hashOperation(
  163. address target,
  164. uint256 value,
  165. bytes calldata data,
  166. bytes32 predecessor,
  167. bytes32 salt
  168. ) public pure virtual returns (bytes32 hash) {
  169. return keccak256(abi.encode(target, value, data, predecessor, salt));
  170. }
  171. /**
  172. * @dev Returns the identifier of an operation containing a batch of
  173. * transactions.
  174. */
  175. function hashOperationBatch(
  176. address[] calldata targets,
  177. uint256[] calldata values,
  178. bytes[] calldata payloads,
  179. bytes32 predecessor,
  180. bytes32 salt
  181. ) public pure virtual returns (bytes32 hash) {
  182. return keccak256(abi.encode(targets, values, payloads, predecessor, salt));
  183. }
  184. /**
  185. * @dev Schedule an operation containing a single transaction.
  186. *
  187. * Emits events {CallScheduled} and {CallSalt}.
  188. *
  189. * Requirements:
  190. *
  191. * - the caller must have the 'proposer' role.
  192. */
  193. function schedule(
  194. address target,
  195. uint256 value,
  196. bytes calldata data,
  197. bytes32 predecessor,
  198. bytes32 salt,
  199. uint256 delay
  200. ) public virtual onlyRole(PROPOSER_ROLE) {
  201. bytes32 id = hashOperation(target, value, data, predecessor, salt);
  202. _schedule(id, delay);
  203. emit CallScheduled(id, 0, target, value, data, predecessor, delay);
  204. if (salt != bytes32(0)) {
  205. emit CallSalt(id, salt);
  206. }
  207. }
  208. /**
  209. * @dev Schedule an operation containing a batch of transactions.
  210. *
  211. * Emits a {CallSalt} event and one {CallScheduled} event per transaction in the batch.
  212. *
  213. * Requirements:
  214. *
  215. * - the caller must have the 'proposer' role.
  216. */
  217. function scheduleBatch(
  218. address[] calldata targets,
  219. uint256[] calldata values,
  220. bytes[] calldata payloads,
  221. bytes32 predecessor,
  222. bytes32 salt,
  223. uint256 delay
  224. ) public virtual onlyRole(PROPOSER_ROLE) {
  225. require(targets.length == values.length, "TimelockController: length mismatch");
  226. require(targets.length == payloads.length, "TimelockController: length mismatch");
  227. bytes32 id = hashOperationBatch(targets, values, payloads, predecessor, salt);
  228. _schedule(id, delay);
  229. for (uint256 i = 0; i < targets.length; ++i) {
  230. emit CallScheduled(id, i, targets[i], values[i], payloads[i], predecessor, delay);
  231. }
  232. if (salt != bytes32(0)) {
  233. emit CallSalt(id, salt);
  234. }
  235. }
  236. /**
  237. * @dev Schedule an operation that is to become valid after a given delay.
  238. */
  239. function _schedule(bytes32 id, uint256 delay) private {
  240. require(!isOperation(id), "TimelockController: operation already scheduled");
  241. require(delay >= getMinDelay(), "TimelockController: insufficient delay");
  242. _timestamps[id] = block.timestamp + delay;
  243. }
  244. /**
  245. * @dev Cancel an operation.
  246. *
  247. * Requirements:
  248. *
  249. * - the caller must have the 'canceller' role.
  250. */
  251. function cancel(bytes32 id) public virtual onlyRole(CANCELLER_ROLE) {
  252. require(isOperationPending(id), "TimelockController: operation cannot be cancelled");
  253. delete _timestamps[id];
  254. emit Cancelled(id);
  255. }
  256. /**
  257. * @dev Execute an (ready) operation containing a single transaction.
  258. *
  259. * Emits a {CallExecuted} event.
  260. *
  261. * Requirements:
  262. *
  263. * - the caller must have the 'executor' role.
  264. */
  265. // This function can reenter, but it doesn't pose a risk because _afterCall checks that the proposal is pending,
  266. // thus any modifications to the operation during reentrancy should be caught.
  267. // slither-disable-next-line reentrancy-eth
  268. function execute(
  269. address target,
  270. uint256 value,
  271. bytes calldata payload,
  272. bytes32 predecessor,
  273. bytes32 salt
  274. ) public payable virtual onlyRoleOrOpenRole(EXECUTOR_ROLE) {
  275. bytes32 id = hashOperation(target, value, payload, predecessor, salt);
  276. _beforeCall(id, predecessor);
  277. _execute(target, value, payload);
  278. emit CallExecuted(id, 0, target, value, payload);
  279. _afterCall(id);
  280. }
  281. /**
  282. * @dev Execute an (ready) operation containing a batch of transactions.
  283. *
  284. * Emits one {CallExecuted} event per transaction in the batch.
  285. *
  286. * Requirements:
  287. *
  288. * - the caller must have the 'executor' role.
  289. */
  290. // This function can reenter, but it doesn't pose a risk because _afterCall checks that the proposal is pending,
  291. // thus any modifications to the operation during reentrancy should be caught.
  292. // slither-disable-next-line reentrancy-eth
  293. function executeBatch(
  294. address[] calldata targets,
  295. uint256[] calldata values,
  296. bytes[] calldata payloads,
  297. bytes32 predecessor,
  298. bytes32 salt
  299. ) public payable virtual onlyRoleOrOpenRole(EXECUTOR_ROLE) {
  300. require(targets.length == values.length, "TimelockController: length mismatch");
  301. require(targets.length == payloads.length, "TimelockController: length mismatch");
  302. bytes32 id = hashOperationBatch(targets, values, payloads, predecessor, salt);
  303. _beforeCall(id, predecessor);
  304. for (uint256 i = 0; i < targets.length; ++i) {
  305. address target = targets[i];
  306. uint256 value = values[i];
  307. bytes calldata payload = payloads[i];
  308. _execute(target, value, payload);
  309. emit CallExecuted(id, i, target, value, payload);
  310. }
  311. _afterCall(id);
  312. }
  313. /**
  314. * @dev Execute an operation's call.
  315. */
  316. function _execute(address target, uint256 value, bytes calldata data) internal virtual {
  317. (bool success, ) = target.call{value: value}(data);
  318. require(success, "TimelockController: underlying transaction reverted");
  319. }
  320. /**
  321. * @dev Checks before execution of an operation's calls.
  322. */
  323. function _beforeCall(bytes32 id, bytes32 predecessor) private view {
  324. require(isOperationReady(id), "TimelockController: operation is not ready");
  325. require(predecessor == bytes32(0) || isOperationDone(predecessor), "TimelockController: missing dependency");
  326. }
  327. /**
  328. * @dev Checks after execution of an operation's calls.
  329. */
  330. function _afterCall(bytes32 id) private {
  331. require(isOperationReady(id), "TimelockController: operation is not ready");
  332. _timestamps[id] = _DONE_TIMESTAMP;
  333. }
  334. /**
  335. * @dev Changes the minimum timelock duration for future operations.
  336. *
  337. * Emits a {MinDelayChange} event.
  338. *
  339. * Requirements:
  340. *
  341. * - the caller must be the timelock itself. This can only be achieved by scheduling and later executing
  342. * an operation where the timelock is the target and the data is the ABI-encoded call to this function.
  343. */
  344. function updateDelay(uint256 newDelay) external virtual {
  345. require(msg.sender == address(this), "TimelockController: caller must be timelock");
  346. emit MinDelayChange(_minDelay, newDelay);
  347. _minDelay = newDelay;
  348. }
  349. /**
  350. * @dev See {IERC721Receiver-onERC721Received}.
  351. */
  352. function onERC721Received(address, address, uint256, bytes memory) public virtual override returns (bytes4) {
  353. return this.onERC721Received.selector;
  354. }
  355. /**
  356. * @dev See {IERC1155Receiver-onERC1155Received}.
  357. */
  358. function onERC1155Received(
  359. address,
  360. address,
  361. uint256,
  362. uint256,
  363. bytes memory
  364. ) public virtual override returns (bytes4) {
  365. return this.onERC1155Received.selector;
  366. }
  367. /**
  368. * @dev See {IERC1155Receiver-onERC1155BatchReceived}.
  369. */
  370. function onERC1155BatchReceived(
  371. address,
  372. address,
  373. uint256[] memory,
  374. uint256[] memory,
  375. bytes memory
  376. ) public virtual override returns (bytes4) {
  377. return this.onERC1155BatchReceived.selector;
  378. }
  379. }