Emergency 2023-06-16: Coinbase Custody DAO Resolution

[amusingaxl]

Description

Contribution Checklist

• PR title starts with (PE-<TICKET_NUMBER>)
• Code approved
• Tests approved
• CI Tests pass

Checklist

• Every contract variable/method declared as public/external private/internal
• Consider if this PR needs the officeHours modifier override
• Verify expiration (30 days unless otherwise specified)
• Verify hash in the description matches here
• Validate all addresses used are in changelog or known
• Notify any external teams affected by the spell so they have the opportunity to review
• Deploy spell ETH_GAS_LIMIT="XXX" ETH_GAS_PRICE="YYY" make deploy
• Verify mainnet contract on etherscan
• Change test to use mainnet spell address and deploy timestamp
• Run make archive-spell or make date="YYYY-MM-DD" archive-spell to make an archive directory and copy DssSpell.sol, DssSpell.t.sol, DssSpell.t.base.sol, and DssSpellCollateralOnboarding.sol
• squash and merge this PR

[The-Arbiter]

Leave this test private but change this comment back.

[amusingaxl]

The comment was changed here:
https://github.com/makerdao/spells-mainnet/pull/339/files#diff-cd597c47b9a6e2bae57aab767ee9e3d5bb3d8edeb3a2248b4519b9af791cb468R302

It's not a directive to prevent people from disabling it, it was just stating that the test needed to be enabled for that specific spell.

[The-Arbiter]

I think there is probably a better name for this, but either way we normally use lower case for string public constant per the archives.

[The-Arbiter]

There are almost 50 lines of unused interfaces from the old spell at the top of the spell file.

Please finish crafting the spell before marking it as ready for review.

[The-Arbiter]

Unused imports not removed
Unused interfaces not removed
Nit: An incorrect raw.githubusercontent.com URL is present in the exec hash comment instead of any TODO (though admittedly this may not be ready yet, we need to mark it TODO so we don't forget to change it)
Test comment for the test that has always been commented as "don't disable" has been changed to "amke private to disable" [sic] <-- Ignoring the typo, this is not the time or place to be changing how we treat tests that have been marked clearly as "don't disable".

Focus on cleaning up the spell and then the new content for the emergency spell once the cleanup is finished.

As it stands, this spell is half-baked and not ready for review. The reviewers job is not to finish half of the crafting process; this shouldn't have been marked as ready for review until it had been looked over by the crafter at least once, which would've made evident things like half of the spell file being unused interfaces from the last spell.

[The-Arbiter]

Will fully review according to the checklist after these issues have been fixed:

• Seven unused interfaces in tests file
  When removing a test, sometimes interfaces added for this test will no longer be used. These should be removed as part of cleanup.
  (Seven includes JugLike, which seems to have been missed in the past, this fix is optional)

• testNewChainlogValues changes to be reverted (see relevant comment)

• testNewIlkRegistryValues can be cleaned up in on of two ways, which I have suggested

• testCollateralIntegration can also be cleaned up or not, I am fine to leave it as it is not cleanup from the spell directly before the current one, but I have left notes for treatment of this test per the checklist.

[The-Arbiter]

    // ----- 2023-06-16 DAO resolutions -----
    // Forum: https://forum.makerdao.com/t/out-of-schedule-executive-to-fortify-elasticity-of-on-chain-1-1-liquidity-of-usdc/21168
    string public constant dao_resolution = "QmYPbYoPjrSzBu5gt9tip78siG1gFvY8K4HTkHEFJgMmM8";

Semantics here but this is how I would do it personally given that this is the point of the spell (as a direct action).

[amusingaxl]

Made some changes.

At some point, we might need more than 1 resolution in a single spell.
This hasn't been done before, so I'm setting the precedent right now.
Since we can't have string[] as constant, we can simply stick to a comma-separated list of IFPS hashes, as it is purely informational.

[The-Arbiter]

I somewhat like this structure, let's do this if and when we have multiple resolutions in a spell rather than confusing people reading this original code. My only rebuttal to the structure here would be that we may want clarity as to which resolution is which, but again, that's an issue for another time.

I won't object to a more confusing naming structure if that's what you elect to use as it is functionally identical though I do think that having a plural for the first ever instance of things and deciding on a precedent in an emergency spell is probably not the best idea. Non-functional anyway so this isn't blocking.

[The-Arbiter]

Please follow precedent with regards to this function and revert all changes which alter the behavior of this test, as this is unrelated to the content of this (emergency) spell.

Precedent to follow:
2023-01-11
2023-05-10
2023-05-17

Please reference the procedure for dealing with this in the checklist if there are other concerns. It is my opinion that the objectively menacing sounding comment next to this test suggests that this treatment is necessary for this test, which is clearly an opinion shared by multiple crafters in the past given the precedent.

[amusingaxl]

Checklist says nothing specific about comments.

This change was first introduced here:
https://github.com/makerdao/spells-mainnet/pull/339/files#diff-cd597c47b9a6e2bae57aab767ee9e3d5bb3d8edeb3a2248b4519b9af791cb468R302

This is not a directive to further crafters to not disable this test, it's simply describing what it's doing.

Looking past that, the full history of the archive has the updated comment, which is in line with every other test that can be disabled.

See:

• 2023-01-11
• 2022-11-12
• 2022-11-02

Before that, the practice was to toggle between // make public to use and // make private to disable, but we abandoned that practice.

See:

• 2022-09-14

This comment has been misinterpreted and carried over for the past 5 spells.
The test is redundant in all those spells you mentioned. The chainlog version is already checked here.

In reality, the 5 last spells failed to do the proper clean up as per the checklist.

[The-Arbiter]

An emergency spell is not the context to be introducing test changes where they are not relevant to input or derived actions for that spell.

Test maintenance has historically been done during maintenance PRs or (in cases where the test is blocking certain spell content) test maintenance for a specific test can be done where the spell team unanimously agrees that the test update fits the following criteria.

In this case, this test is not pertinent to the content of the 2023-06-16 spell (which does not contain chainlog changes, new chainlog values or a version bump) and therefore it would generally be considered wise to follow the principle of "if it ain't broke, don't fix it".

The crafter checklist for mainnet spells (which you have not posted) contains pretty clear instructions:

Simply following this instruction would make the test pass and remove any requirement for making it private. Admittedly the checklist appears to treat all of these options as weighted equally, so this definitely needs clarification in the future. Obviously the 'disable by setting to private' option here clashes with the comment 'don't disable' and so the method to make the test pass (with sufficient coverage) that doesn't involve making it private is clearly what the checklist is instructing you to do.

My personal procedure for spell cleanup is to figure out what was added by the last spell and remove these elements, following archive patterns in order to leave barebones code / comments where necessary. Removing the chainlog checks for these chainlog keys and leaving the version check for 1.14.13 will make the test pass.

I prioritize security and if a test says don't disable I'm not going to approve a hastily made change to it within a 24 hour SLA emergency spell, regardless of whether this comment makes logical sense or not.

As the crafter for this spell, your role is to ship the instruction set provided by Governance Facilitators as spell code. Perhaps you are correct, but harking back to the first line, this is not the context for this change as it is not at all relevant to the current spell's content.

All that debating about this is doing is delaying the shipping of an emergency spell over an extraneous (functional) change which I am not comfortable with shipping given our current context. Note that my objection to this change does not block spell content nor does it affect any test coverage related to the spell content and is rooted in a strong prioritization of security.

[amusingaxl]

It's not a functional change, it's a comment. More important than that, it's a wrong comment.

This is literally an empty spell, I've shown you why the comment is wrong, I don't get why you need to make a fuss about it.

Don't be the boy who cried wolf, otherwise people will not take you seriously when something is actually wrong.

[The-Arbiter]

I have no objection to fixing the code in the future (in fact, your points as outlined above make sense and I would support making an update to our test setup for chainlog checks). In fact, quite a lot of our tests need updating, maintenance and hardening.

However, describing disabling a test marked don't disable as "not a functional change" is drastically incompetent at best and actively malicious at worst. You are disabling a function. At best, this is functionally equivalent due to coverage elsewhere, but at worst this leads to a lack of coverage from this spell onwards until someone catches it in the future.

Either way, this is not something I am comfortable shipping with such short notice given that it has nothing to do with the current spell's content, so I cannot resolve this issue while a functional change that I disagree with is present, even if it's just checking the chainlog version. I am not approving this in the same way that I would not approve disabling testPSMs (which is another test with a note on it to be left as enabled / public) in a emergency spell. It's not a matter of whether you're right or wrong and more a matter of this being the wrong place and time for this kind of change.

[amusingaxl]

However, describing disabling a test marked don't disable as "not a functional change" is drastically incompetent at best and actively malicious at worst.

You are joking, right? This must be a joke. Where are the cameras?

You are disabling a function. At best, this is functionally equivalent due to coverage elsewhere, but at worst this leads to a lack of coverage from this spell onwards until someone catches it in the future.

And removing the content of the test is what besides disabling it?

The only thing present in the test now is checking the chainlog version, which is already done in other test.

If you spent half of the energy you spent writing these comments simply going through what I highlighted, we wouldn't be having this discussion.

[The-Arbiter]

And removing the content of the test is what besides disabling it?

Precedent leaves version check, see archives, it isn't empty.

which is already done in other test.

Yes, this is probably true. That's why this gets fixed when spell tests are being maintained or upgraded and not in an emergency spell, since this has nothing to do with declaring a DAO Resolution.

[amusingaxl]

Precedent leaves version check, see archives, it isn't empty.

This is false. There are only 2 instances in which this was done like that:

2023-05-10
2023-05-17

Every single other spell in the archive which contains this test is either active (meaning there are new chainlog entries to test) or marked private.

[The-Arbiter]

Apologies if I'm missing something here but doesn't this point to one IPFS document (a file named WithdrawalCoinbaseCustody.docx)?

If this is the case then this line should be removed but perhaps the comment could be adapted, as it serves to add context to people reading the code.

The 2023-03-11 spell used this comment:

// Emergency Proposal: Risk and Governance Parameter Changes (11 March 2023)

So (up to you) perhaps we could use // Emergency Proposal: James Asset Trust 3 Withdrawal Process Of USDC From Coinbase Custody (16 June 2023) in order to match this kind of comment and add some context to what this document is?

[amusingaxl]

Added the specific comment about Emergency Proposal, but kept everything else for context.

[The-Arbiter]

Please take note that emergency spells are not the place to innovate or set precedents. Emergency spells are (as the name would suggest) about shipping content in an emergency. Setting precedent here (given short timeframes and special crafter / reviewer setups often used for these kinds of things) doesn't sit right with me personally, but it's non-functional and at worst it's just going to confuse whoever reads the comment (which is what it clearly did to me) so I am resolving this issue even though I don't agree with this change.

[The-Arbiter]

Mainnet Executive Spell Review Checklist

Mainnet 2023-06-16 (EMERGENCY SPELL)

Spell Actions:

• Publish James Asset Trust (3) DAO Resolution onchain

Implied action: Cleanup previous spell

NOTE: It may be necessary to backpropagate spell cleanup to Goerli in order to prevent future work caused by spells-goerli and spells-mainnet being unsynchronized. This can be determined after the Emergency Spell SLA period.

Coding Stage

• Office Hours
  OH is off
  • matches exec doc
• Exec Hash
  0xecdc5a5a1be69f23d299235ad966c82c7e03365e45aaed69ed1eb2f03daff4a6 OK
  • Run make exec-hash for current date, or date=YYYY-MM-DD
    Doing manually
    • Executive vote file name and date is correct
      June 16, 2023 OK, matches 2023-06-16 OK
    • community repo commit hash corresponds to latest change
      It doesn't match the pattern for how we generate this hash => Raised
      EDIT: This issue is minor compared to others and so I am resolving this, but the commit hash does not match the way we do it, so I will not check this checklist item.
    • Raw GitHub URL is correct
      Commit hash is different.
      EDIT: GitHub URL is equivalent but does not match precedent based on archive patterns. Equivalency means that things are functionally the same (i.e. same hash) so I won't push this but I'm also not going to check this item for the same reason as the one above.
    • Exec hash is correct (use cast keccak -- "$(curl '$URL' -o - 2>/dev/null)" where wget doesn't work)
      0xecdc5a5a1be69f23d299235ad966c82c7e03365e45aaed69ed1eb2f03daff4a6 OK (Matches code OK)
  • description date in DssSpell.sol matches exec copy date
    2023-06-16 OK
• 30 Days Expiry
  OK
• lib (git submodule update --init --recursive to install/update)
  Reinstalled libraries OK
  • dss-exec-lib
69b658f35d8618272cd139dfc18c5713caf6b96b
    • DssExecLib.address is unchanged by the spell PR (if changed, the new address must match the Latest Release Tag and be approved as a legitimate new release by GovAlpha)
      No change
    • if submodule upgrades are present make sure dss-exec-lib is synced as well
      No change to execlib submodule
    • git submodule hash (run git submodule status) matches the latest release version or newer (NOTE: dss-exec-lib as installed locally will use GitHub code more recent than the 0.0.9 release)
      69b658f35d8618272cd139dfc18c5713caf6b96b matches 0.0.9 OK
  • dss-test
4ad127cf53eeaddfb7b8ad56dd4b13e57d6a0067
    • dss-interfaces
9bfd7afadd1f8c217ef05850b2555691786286cb
      • git submodule hash matches version used by dss-test (Non-critical)
        Emergency spell, skipping check here as it has been marked non-critical
    • forge-std
      • git submodule hash matches version used by dss-test (Non-critical)
        Emergency spell, skipping check here as it has been marked non-critical
• dss-interfaces
  • cleanup previous ones
    This was done after a few tries
    TODO Add a note here for the tests repo too perhaps?
• RWA Updates
  Resolution is being updated using string public constant
string public constant dao_resolutions = "QmYPbYoPjrSzBu5gt9tip78siG1gFvY8K4HTkHEFJgMmM8";
  IPFS hash OK
  IPFS doc check (extra due diligence from me) looks OK and I have noted at the end of my review.
  I disagree with the naming structure here (referring to plural 'resolutions' when it is one IPFS hash) and the above comment // Comma-separated list of DAO resolutions IPFS hashes. when there are no commas because there is only one value.
  I have raised this and the crafter has ignored these recommendations. I do not agree but it does not affect my confidence in approving the code (in terms of security) as it is non-functional (aside from changing the name of the getter function) and so in the interest of time I have not vetoed the spell based on this issue.
  Note for future reviews that urgent and emergency spell naming decisions such as this when not subject to the typical 1 crafter 2 reviewer structure and operating on short SLAs do not represent strong precedent and should be considered as guides at best, as they do not follow typical spellcrafting operational patterns.
• addresses_mainnet.sol matches spell code
  N/A (No addresses used)
• Ensure every spell variable is declared as public/internal
  OK --> description and dao_resolutions are public
• Ensure immutable visibility is only used when fetching addresses from the ChainLog via DssExecLib.getChangelogAddress and constant is used instead for static addresses
  N/A
• Spell actions match GovAlpha Spell Content Sheet and hashed exec doc (Exec Doc is the source of truth)
  MIP in the exec isn't there, small nit => Raised
• Local Tests PASS
  • Ensure Good Coverage
    Lots of back and forth here over an extraneous-to-spell-content change which was being pushed. Change was dropped.
    Previous spell (2023-06-14) tests have been removed and associated interfaces (including a previously missed unused JugLike) were also removed.
    Config.sol changes set spell address and other values to 0 OK.
    Prev Spells uses 2023-06-14 spell 0x9E16c8B4C998604471EA0e63ECBb6d6d30F07fA0 which matches 2023-06-14 spell handover address OK.
    Spark interface and struct ReserveData removed as part of interfaces OK.
    Only remaining item per checklist is testCollateralIntegrations cleanup but this was for GNO-A and so is extraneous to current spell actions / previous spell actions --> no need to clean up now.
    Confirmed that test changes from 2023-06-14 all reverted OK (base tests file for PSM test was updated here but this was a permanent update to a base test to fix coverage and allow PSM test coverage where a PSM is being offboarded).
  • Ensure every test function is declared as public if enabled or private if disabled
    OK except for testNewChainlogValues --> Blocking as functional security change
    EDIT: testNewChainlogValues is back to what it was OK
    The rest looks OK

Arby's Additional IPFS Doc Checks

I have done these voluntarily and they do not represent a guarantee of information being correct.

• Exec doc wording for JAT3 deal matches IPFS uploaded document OK
• Document value for RWA014_A_INPUT_CONDUIT_URN matches ChainLog value OK (0x6B86bA08Bd7796464cEa758061Ac173D0268cf49)
• Document value for RWA014_A_INPUT_CONDUIT_JAR matches ChainLog value OK (0x391470cD3D8307AdC051d878A95Fa9459F800Dbc)

./scripts/test-dssspell-forge.sh match="" block=""
Using DssExecLib at: 0x8De6DDbCd5053d32292AAA0D2105A32d108484a6
[⠃] Compiling...
[⠔] Compiling 5 files with 0.8.16
[⠔] Solc 0.8.16 finished in 2.62s
Compiler run successful!

Running 2 tests for src/test/starknet.t.sol:StarknetTests
[PASS] testStarknet() (gas: 532141)
[PASS] testStarknetSpell() (gas: 2346)
Test result: ok. 2 passed; 0 failed; finished in 153.25s

Running 18 tests for src/DssSpell.t.sol:DssSpellTest
[PASS] testAuth() (gas: 9223371487104983364)
[PASS] testAuthInSources() (gas: 9223371487099443644)
[PASS] testBytecodeMatches() (gas: 1368596)
[PASS] testCastCost() (gas: 385625)
[PASS] testChainlogValues() (gas: 9035817)
[PASS] testChainlogVersionBump() (gas: 3927458)
[PASS] testContractSize() (gas: 8984)
[PASS] testDeployCost() (gas: 1357000)
[PASS] testFailNotScheduled() (gas: 14397)
[PASS] testFailTooEarly() (gas: 13607)
[PASS] testFailTooLate() (gas: 13606)
[PASS] testFailWrongDay() (gas: 13585)
[PASS] testGeneral() (gas: 34989734)
[PASS] testNewChainlogValues() (gas: 385238)
[PASS] testNextCastTime() (gas: 353636)
[PASS] testOnTime() (gas: 373217)
[PASS] testPSMs() (gas: 1863214)
[PASS] testUseEta() (gas: 352368)
Test result: ok. 18 passed; 0 failed; finished in 2484.84s

Good to deploy

[The-Arbiter]

Noting here that the deployed version of the spell does not match the latest commit.

Typically this would be a blocking change and require a redeploy however this appears to only be a missing line of provenance comment (the MIP). I will check more in-depth to make sure that the diff is only limited to this line, in which case this will be non-blocking (as the comment is non-functional and serves as supporting rather than primary provenance).

[The-Arbiter]

Spell is not archived yet.

Please archive while my tests run.

[The-Arbiter]

Deployed Stage

• Deployed Spell is Verified
  0x34c9Be51d7a1ff4Db77Abf48A73601e4B50A4645 is the address
  • Optimization Enabled: No
    No and 200 OK
  • Other Settings: default evmVersion, GNU AGPLv3 license
    OK
• Deployed Spell Code matches GitHub
  It does not, it's missing the following MIP provenance comment:
  // MIP: https://mips.makerdao.com/mips/details/MIP24
  • diffcheck etherscan source against spell PR (via make diff-deployed-spell)
    There is a difference. Checking in-depth manually to ensure that the difference is only one line...
    DssExec.sol addition to deployed spell code matches lib version OK
    DssAction.sol addition to deployed spell code matches lib version OK
    CollateralOpts.sol addition to deployed spell code matches lib version OK
    DssExecLib.sol is a subset of the main ExecLib code (which I think is normal)
    After comparing sections by hand using diffs, I don't see anything harmful here.
• Deployed Spell Etherscan Checks
  • automated checks via make check-deployed-spell
    NOTE: I did these manually
    • verified
    • license type matches
      AGPLv3 OK
    • solc version matches
      v0.8.16+commit.07a7930e OK
    • optimizations are disabled
      No with 200 runs OK
    • dss-exec-lib library address used (under 'Libraries Used') matches the hardcoded local DssExecLib.address file
      0x8de6ddbcd5053d32292aaa0d2105a32d108484a6 OK
      • Check again that the PR did not modify the DssExecLib.sol file (e.g. look under the 'Files Changed' PR tab, etc.)
        No change to this file or scripts, OK
    • deployed_spell_created matches deployment timestamp
      1686948227 OK (Second pass check OK)
    • deployed_spell_block matches deployment block number
      17494849 OK (Second pass check OK)
  • manual checks
    • Ensure make deploy-info tx=<tx> matches config
      • deployed_spell_created timestamp
        1686948227 OK & matches config.sol
      • deployed_spell_block block number
        17494849 OK & matches config.sol
    • Ensure Etherscan Libraries Used matches DssExecLib Latest Release
      0x8de6ddbcd5053d32292aaa0d2105a32d108484a6
      OK and matches 0.0.9 release
    • (For your tests to be accurate) git submodule hash matches dss-exec-lib latest release's tag commit and inspect diffs if doesn't match to ensure expected behaviour (Currently Non-Critical pending the next DssExecLib release, double check that exec lib used by the contract matches the latest release)
      69b658f35d8618272cd139dfc18c5713caf6b96b lib/dss-exec-lib (v0.0.9-7-g69b658f)
      OK and matches this which is currently latest commit
• Archive matches src
diff: ./archive/2023-06-16-DssSpell: No such file or directory
  There is no archive present. Archiving gets done before requesting a review of the deployed spell per the checklist.
  • make diff-archive-spell for current date or or date="YYYY-MM-DD" make diff-archive-spell (date as per target exec date)
    EDIT: Spell, tests and base match the archive directory 2023-06-16-DssSpell
    Matches the main src folder code OK but as mentioned in another comment, the source does not match the delopyed spell because of the MIP comment line.
  • ensure date corresponds to target exec date
    2023-06-16 MakerDAO Executive Spell OK
• CI tests are passing
  Passing for commit 15c91e95032559793610fa813a90ef03d3a2b6ea OK
• Local Tests PASS

Emergency spell total response time 18-24 hours from initial request.

./scripts/test-dssspell-forge.sh match="" block=""
Using DssExecLib at: 0x8De6DDbCd5053d32292AAA0D2105A32d108484a6
[⠊] Compiling...
No files changed, compilation skipped

Running 2 tests for src/test/starknet.t.sol:StarknetTests
[PASS] testStarknet() (gas: 532141)
[PASS] testStarknetSpell() (gas: 2346)
Test result: ok. 2 passed; 0 failed; finished in 218.86s

Running 18 tests for src/DssSpell.t.sol:DssSpellTest
[PASS] testAuth() (gas: 9223371487104983364)
[PASS] testAuthInSources() (gas: 9223371487099443644)
[PASS] testBytecodeMatches() (gas: 1368596)
[PASS] testCastCost() (gas: 385625)
[PASS] testChainlogValues() (gas: 9035817)
[PASS] testChainlogVersionBump() (gas: 3927458)
[PASS] testContractSize() (gas: 8984)
[PASS] testDeployCost() (gas: 1357000)
[PASS] testFailNotScheduled() (gas: 14397)
[PASS] testFailTooEarly() (gas: 13607)
[PASS] testFailTooLate() (gas: 13606)
[PASS] testFailWrongDay() (gas: 13585)
[PASS] testGeneral() (gas: 34991831)
[PASS] testNewChainlogValues() (gas: 385238)
[PASS] testNextCastTime() (gas: 353636)
[PASS] testOnTime() (gas: 373217)
[PASS] testPSMs() (gas: 1863214)
[PASS] testUseEta() (gas: 352368)
Test result: ok. 18 passed; 0 failed; finished in 1710.31s

Second approval will be required for merge to main branch of spells-mainnet.
Backport can be done according to PE1204 precedent as necessary to sync Goerli and Mainnet states and repo code.

Good for handover.