Fee controller migration contracts

pkg/governance-scripts/.solhintignore

@@ -0,0 +1 @@
+contracts/test/

pkg/governance-scripts/README.md

@@ -0,0 +1,17 @@
+# <img src="../../logo.svg" alt="Balancer" height="128px">
+
+# Balancer V3 Governance Scripts
+
+In order to manage the Balancer protocol, Balancer DAO must sometimes execute somewhat complex sets of actions which if executed incorrectly could result in governance losing control of key powers over the protocol, opening up vulnerabilities by granting powerful permissions improperly, etc.
+
+In order to prevent this, complex governance actions may be enacted through script contracts. These have a number of benefits over performing actions directly through the multisig wallet.
+
+- The contract can be easily tested prior to the execution on mainnet to ensure that it produces the correct result.
+- It's much simpler to verify the behavior of Solidity code matches the proposal specification relative to a series of raw function calls.
+- The contract may only be triggered once, ensuring that any powers granted to it can't be used in future for another purpose unilaterally.
+
+This package contains the source code for these script contracts to form a record of major technical actions Balancer DAO has taken.
+
+## Licensing
+
+[GNU General Public License Version 3 (GPL v3)](../../LICENSE).

pkg/governance-scripts/contracts/IBasicAuthorizer.sol

@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+pragma solidity ^0.8.24;
+
+import { IAuthorizer } from "@balancer-labs/v3-interfaces/contracts/vault/IAuthorizer.sol";
+
+interface IBasicAuthorizer is IAuthorizer {
+    // solhint-disable-next-line func-name-mixedcase
+    function DEFAULT_ADMIN_ROLE() external view returns (bytes32);
+
+    function grantRole(bytes32 role, address account) external;
+
+    function revokeRole(bytes32 role, address account) external;
+
+    function renounceRole(bytes32 role, address account) external;
+}

pkg/governance-scripts/contracts/ProtocolFeeControllerMigration.sol

@@ -0,0 +1,153 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+pragma solidity ^0.8.24;
+
+import { IAuthentication } from "@balancer-labs/v3-interfaces/contracts/solidity-utils/helpers/IAuthentication.sol";
+import { IProtocolFeeController } from "@balancer-labs/v3-interfaces/contracts/vault/IProtocolFeeController.sol";
+import { PoolRoleAccounts, PoolConfig } from "@balancer-labs/v3-interfaces/contracts/vault/VaultTypes.sol";
+import { IVaultAdmin } from "@balancer-labs/v3-interfaces/contracts/vault/IVaultAdmin.sol";
+import { IVault } from "@balancer-labs/v3-interfaces/contracts/vault/IVault.sol";
+
+import { ProtocolFeeController } from "@balancer-labs/v3-vault/contracts/ProtocolFeeController.sol";
+import {
+    ReentrancyGuardTransient
+} from "@balancer-labs/v3-solidity-utils/contracts/openzeppelin/ReentrancyGuardTransient.sol";
+
+import { IBasicAuthorizer } from "./IBasicAuthorizer.sol";
+
+/**
+ * @notice Migrate from the original ProtocolFeeController to one with extra events.
+ * @dev These events enable tracking pool protocol fees under all circumstances (in particular, when protocol fees are
+ * initially turned off). It also adds some infrastructure that makes future migrations easier, and removes redundant
+ * poolCreator storage.
+ *
+ * This simple migration assumes:
+ * 1) There are no pools with pool creators
+ * 2) There are no pools with protocol fee exemptions or overrides
+ * 3) Migrating the complete list of pools can be done in a single transaction.
+ *
+ * These simplifications enable simply calling `migrateFeeController` once with the complete list of pools.
+ *
+ * After the migration, the Vault will point to the new fee controller, and any collection thereafter will go there.
+ * If there are any residual fee amounts in the old fee controller (i.e., that were collected but not withdrawn),
+ * governance will still need to withdraw from the old fee controller. Otherwise, no further interaction with the old
+ * controller is necessary.
+ *
+ * Associated with `20250221-protocol-fee-controller-migration`.
+ */
+contract ProtocolFeeControllerMigration is ReentrancyGuardTransient {
+    IProtocolFeeController public immutable oldFeeController;
+    IProtocolFeeController public immutable newFeeController;
+
+    IVault public immutable vault;
+
+    // IAuthorizer with interface for granting/revoking roles.
+    IBasicAuthorizer internal immutable _authorizer;
+
+    // Set when the operation is complete and all permissions have been renounced.
+    bool internal _finalized;
+
+    /**
+     * @notice Attempt to deploy this contract with invalid parameters.
+     * @dev ProtocolFeeController contracts return the address of the Vault they were deployed with. Ensure that both
+     * the old and new controllers reference the same vault.
+     */
+    error InvalidFeeController();
+
+    /// @notice Migration can only be performed once.
+    error AlreadyMigrated();
+
+    constructor(IVault _vault, IProtocolFeeController _newFeeController) {
+        oldFeeController = _vault.getProtocolFeeController();
+
+        // Ensure valid fee controllers. Also ensure that we are not trying to operate on the current fee controller.
+        if (_newFeeController.vault() != _vault || _newFeeController == oldFeeController) {
+            revert InvalidFeeController();
+        }
+
+        vault = _vault;
+        newFeeController = _newFeeController;
+
+        _authorizer = IBasicAuthorizer(address(vault.getAuthorizer()));
+    }
+
+    /**
+     * @notice Permissionless migration function.
+     * @dev Call this with the full set of pools to perform the migration. After this runs, the Vault will point to the
+     * new fee controller, which will have a copy of all the relevant state from the old controller. Also, all
+     * permissions will be revoked, and the contract will be disabled.
+     *
+     * @param pools The complete set of pools to migrate
+     */
+    function migrateFeeController(address[] memory pools) external virtual nonReentrant {
+        if (_finalized) {
+            revert AlreadyMigrated();
+        }
+
+        _finalized = true;
+
+        _migrateGlobalPercentages();
+
+        // This simple migration assumes that:
+        // 1) There are no pool creators, so no state related to pool creator fees (and no fees to be withdrawn).
+        // 2) There are no protocol fee exempt pools or governance overrides
+        //    (i.e., all override flags are false, and all pool fees match current global values).
+        //
+        // At the end of this process, since there are no pool creators, token balances should all be zero, unless
+        // there are "left over" protocol fees that have been collected but not withdrawn. Governance would then
+        // still have to withdraw from the old fee controller.
+        //
+        // For future migrations, when we might have pool creator fees, the pool creators would still need to withdraw
+        // them from the old controller themselves.
+        for (uint256 i = 0; i < pools.length; ++i) {
+            address pool = pools[i];
+
+            // Set pool-specific values. This assumes there are no fee exempt pools or overrides.
+            newFeeController.updateProtocolSwapFeePercentage(pool);
+            newFeeController.updateProtocolYieldFeePercentage(pool);
+        }
+
+        // Update the fee controller in the Vault.
+        _migrateFeeController();
+
+        // Revoke all permissions.
+        _authorizer.renounceRole(_authorizer.DEFAULT_ADMIN_ROLE(), address(this));
+    }
+
+    function _migrateGlobalPercentages() internal {
+        // Grant global fee percentage permissions to set on new controller.
+        bytes32 swapFeeRole = IAuthentication(address(newFeeController)).getActionId(
+            IProtocolFeeController.setGlobalProtocolSwapFeePercentage.selector
+        );
+
+        bytes32 yieldFeeRole = IAuthentication(address(newFeeController)).getActionId(
+            IProtocolFeeController.setGlobalProtocolYieldFeePercentage.selector
+        );
+
+        _authorizer.grantRole(swapFeeRole, address(this));
+        _authorizer.grantRole(yieldFeeRole, address(this));
+
+        // Copy percentages to new controller.
+        uint256 globalSwapFeePercentage = oldFeeController.getGlobalProtocolSwapFeePercentage();
+        uint256 globalYieldFeePercentage = oldFeeController.getGlobalProtocolYieldFeePercentage();
+
+        newFeeController.setGlobalProtocolSwapFeePercentage(globalSwapFeePercentage);
+        newFeeController.setGlobalProtocolYieldFeePercentage(globalYieldFeePercentage);
+
+        // Revoke permissions.
+        _authorizer.renounceRole(swapFeeRole, address(this));
+        _authorizer.renounceRole(yieldFeeRole, address(this));
+    }
+
+    function _migrateFeeController() internal {
+        bytes32 setFeeControllerRole = IAuthentication(address(vault)).getActionId(
+            IVaultAdmin.setProtocolFeeController.selector
+        );
+
+        _authorizer.grantRole(setFeeControllerRole, address(this));
+
+        vault.setProtocolFeeController(newFeeController);
+
+        _authorizer.renounceRole(setFeeControllerRole, address(this));
+    }
+}

pkg/governance-scripts/contracts/ProtocolFeeControllerMigrationV2.sol

@@ -0,0 +1,111 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+pragma solidity ^0.8.24;
+
+import { IAuthentication } from "@balancer-labs/v3-interfaces/contracts/solidity-utils/helpers/IAuthentication.sol";
+import { IProtocolFeeController } from "@balancer-labs/v3-interfaces/contracts/vault/IProtocolFeeController.sol";
+import { PoolRoleAccounts, PoolConfig } from "@balancer-labs/v3-interfaces/contracts/vault/VaultTypes.sol";
+import { IVaultAdmin } from "@balancer-labs/v3-interfaces/contracts/vault/IVaultAdmin.sol";
+import { IVault } from "@balancer-labs/v3-interfaces/contracts/vault/IVault.sol";
+
+import { SingletonAuthentication } from "@balancer-labs/v3-vault/contracts/SingletonAuthentication.sol";
+import { ProtocolFeeController } from "@balancer-labs/v3-vault/contracts/ProtocolFeeController.sol";
+
+import { ProtocolFeeControllerMigration } from "./ProtocolFeeControllerMigration.sol";
+import { IBasicAuthorizer } from "./IBasicAuthorizer.sol";
+
+/**
+ * @notice Migrate from the original ProtocolFeeController to one with extra events.
+ * @dev These events enable tracking pool protocol fees under all circumstances (in particular, when protocol fees are
+ * initially turned off).
+ *
+ * After deployment, call `migratePools` as many times as necessary. The list must be generated externally, as pools
+ * are not iterable on-chain. The batch interface allows an unlimited number of pools to be migrated; it's possible
+ * there might be too many to migrate in a single call.
+ *
+ * The first time `migratePools` is called, the contract will first copy the global (pool-independent data). This could
+ * be done in a separate stage, but we're trying to keep the contract simple, vs. duplicating the staging coordinator
+ * system of v2 just yet.
+ *
+ * When all pools have been migrated, call `finalizeMigration` to disable further migration, update the address in the
+ * Vault, and renounce all permissions. While `migratePools` is permissionless, this call must be permissioned to
+ * prevent premature termination in case multiple transactions are required to migrate all the pools.
+ *
+ * Associated with `20250221-protocol-fee-controller-migration` (fork test only).
+ */
+contract ProtocolFeeControllerMigrationV2 is ProtocolFeeControllerMigration, SingletonAuthentication {
+    // Set after the global percentages have been transferred (on the first call to `migratePools`).
+    bool internal _globalPercentagesMigrated;
+
+    // ActionId for permission required in `migratePools`.
+    bytes32 internal _migrationRole;
+
+    /// @notice Cannot call the base contract migration; it is invalid for this migration.
+    error WrongMigrationVersion();
+
+    constructor(
+        IVault _vault,
+        IProtocolFeeController _newFeeController
+    ) ProtocolFeeControllerMigration(_vault, _newFeeController) SingletonAuthentication(_vault) {
+        _migrationRole = IAuthentication(address(newFeeController)).getActionId(
+            ProtocolFeeController.migratePool.selector
+        );
+
+        // Grant permission required in `migratePools`.
+        _authorizer.grantRole(_migrationRole, address(this));
+    }
+
+    /**
+     * @notice Migrate pools from the old fee controller to the new one.
+     * @dev THis can be called multiple times, if there are too many pools for a single transaction. Note that the
+     * first time this is called, it will migrate the global fee percentages, then proceed with the first set of pools.
+     *
+     * @param pools The set of pools to be migrated in this call
+     */
+    function migratePools(address[] memory pools) external nonReentrant {
+        if (_finalized) {
+            revert AlreadyMigrated();
+        }
+
+        // Migrate the global percentages only once, before the first set of pools.
+        if (_globalPercentagesMigrated == false) {
+            _globalPercentagesMigrated = true;
+
+            _migrateGlobalPercentages();
+        }
+
+        // This more complex migration allows for pool creators and overrides, and uses the new features in the second
+        // deployment of the `ProtocolFeeController`.
+        //
+        // At the end of this process, governance must still withdraw any leftover protocol fees from the old
+        // controller (i.e., that have been collected but not withdrawn). Pool creators likewise would still need to
+        // withdraw any leftover pool creator fees from the old controller.
+        for (uint256 i = 0; i < pools.length; ++i) {
+            // This function is not in the public interface.
+            ProtocolFeeController(address(newFeeController)).migratePool(pools[i]);
+        }
+    }
+
+    function finalizeMigration() external authenticate {
+        if (_finalized) {
+            revert AlreadyMigrated();
+        }
+
+        _finalized = true;
+
+        // Remove permission to migrate pools.
+        _authorizer.renounceRole(_migrationRole, address(this));
+
+        // Update the fee controller in the Vault.
+        _migrateFeeController();
+
+        // Revoke all permissions.
+        _authorizer.renounceRole(_authorizer.DEFAULT_ADMIN_ROLE(), address(this));
+    }
+
+    /// @inheritdoc ProtocolFeeControllerMigration
+    function migrateFeeController(address[] memory) external pure override {
+        // The one-step migration does not work in this version, with pool creators and overrides.
+        revert WrongMigrationVersion();
+    }
+}

pkg/governance-scripts/foundry.toml

@@ -0,0 +1,48 @@
+[profile.default]
+src = 'contracts'
+out = 'forge-artifacts'
+libs = ['node_modules']
+test = 'test/foundry'
+cache_path  = 'forge-cache'
+allow_paths = ['../', '../../node_modules/']
+ffi = true
+fs_permissions = [{ access = "read-write", path = ".forge-snapshots/"}]
+remappings = [
+    'vault/=../vault/',
+    'pool-weighted/=../pool-weighted/',
+    'solidity-utils/=../solidity-utils/',
+    'ds-test/=../../node_modules/forge-std/lib/ds-test/src/',
+    'forge-std/=../../node_modules/forge-std/src/',
+    '@openzeppelin/=../../node_modules/@openzeppelin/',
+    'permit2/=../../node_modules/permit2/',
+    '@balancer-labs/=../../node_modules/@balancer-labs/',
+    'forge-gas-snapshot/=../../node_modules/forge-gas-snapshot/src/'
+]
+optimizer = true
+optimizer_runs = 999
+solc_version = '0.8.26'
+auto_detect_solc = false
+evm_version = 'cancun'
+ignored_error_codes = [2394, 5574, 3860] # Transient storage, code size
+allow_internal_expect_revert = true
+
+[fuzz]
+runs = 10000
+max_test_rejects = 60000
+
+[profile.forkfuzz.fuzz]
+runs = 1000
+max_test_rejects = 60000
+
+[profile.coverage.fuzz]
+runs = 100
+max_test_rejects = 60000
+
+[profile.intense.fuzz]
+verbosity = 3
+runs = 100000
+max_test_rejects = 600000
+
+[rpc_endpoints]
+  mainnet = "${MAINNET_RPC_URL}"
+  sepolia = "${SEPOLIA_RPC_URL}"

pkg/governance-scripts/hardhat.config.ts

@@ -0,0 +1,20 @@
+import { HardhatUserConfig } from 'hardhat/config';
+import { hardhatBaseConfig } from '@balancer-labs/v3-common';
+
+import '@nomicfoundation/hardhat-toolbox';
+import '@nomicfoundation/hardhat-ethers';
+import '@typechain/hardhat';
+
+import 'hardhat-ignore-warnings';
+import 'hardhat-gas-reporter';
+import 'hardhat-contract-sizer';
+import { warnings } from '@balancer-labs/v3-common/hardhat-base-config';
+
+const config: HardhatUserConfig = {
+  solidity: {
+    compilers: hardhatBaseConfig.compilers,
+  },
+  warnings,
+};
+
+export default config;