chore: zeus script for task replay fix (#1632)

0xrajath · web-flow · commit 8bdc90929fa2 · 2025-09-22T15:41:19.000-04:00
**Motivation:**

Zeus scripts for `v1.8.1` of the protocol that handles the task replay
fix in the TaskMailbox.

**Modifications:**

New release `v1.8.1` for `preprod`, `testnet-sepolia` and
`testnet-base-sepolia`

**Result:**

Testnet fix ready
diff --git a/script/releases/v1.8.1-hourglass-testnet-replay-fix/1-deployTaskMailboxImpl.s.sol b/script/releases/v1.8.1-hourglass-testnet-replay-fix/1-deployTaskMailboxImpl.s.sol
@@ -0,0 +1,118 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.12;
+
+import {EOADeployer} from "zeus-templates/templates/EOADeployer.sol";
+import "../Env.sol";
+
+/**
+ * @title DeployTaskMailboxImpl
+ * @notice Deploy new TaskMailbox implementation with task replay fix for destination chains.
+ *         This fixes a vulnerability where certificates could be replayed across different tasks
+ *         directed at the same operator set by including the taskHash in the messageHash.
+ */
+contract DeployTaskMailboxImpl is EOADeployer {
+    using Env for *;
+
+    /// forgefmt: disable-next-item
+    function _runAsEOA() internal override {
+        // If we're not on a destination chain and not on version 1.8.0, we don't need to deploy any contracts
+        if (!(Env.isDestinationChain() && Env._strEq(Env.envVersion(), "1.8.0"))) {
+            return;
+        }
+
+        vm.startBroadcast();
+
+        // Deploy TaskMailbox implementation with the replay fix
+        deployImpl({
+            name: type(TaskMailbox).name,
+            deployedTo: address(
+                new TaskMailbox({
+                    _bn254CertificateVerifier: address(Env.proxy.bn254CertificateVerifier()),
+                    _ecdsaCertificateVerifier: address(Env.proxy.ecdsaCertificateVerifier()),
+                    _maxTaskSLA: Env.MAX_TASK_SLA(),
+                    _version: Env.deployVersion()
+                })
+            )
+        });
+
+        vm.stopBroadcast();
+    }
+
+    function testScript() public virtual {
+        if (!(Env.isDestinationChain() && Env._strEq(Env.envVersion(), "1.8.0"))) {
+            return;
+        }
+
+        // Deploy the new TaskMailbox implementation
+        runAsEOA();
+
+        _validateNewImplAddress();
+        _validateProxyAdmin();
+        _validateImplConstructor();
+        _validateImplInitialized();
+        _validateVersion();
+    }
+
+    /// @dev Validate that the new TaskMailbox impl address is distinct from the current one
+    function _validateNewImplAddress() internal view {
+        address currentImpl = Env._getProxyImpl(address(Env.proxy.taskMailbox()));
+        address newImpl = address(Env.impl.taskMailbox());
+
+        assertFalse(currentImpl == newImpl, "TaskMailbox impl should be different from current implementation");
+    }
+
+    /// @dev Validate that the TaskMailbox proxy is still owned by the correct ProxyAdmin
+    function _validateProxyAdmin() internal view {
+        address pa = Env.proxyAdmin();
+
+        assertTrue(Env._getProxyAdmin(address(Env.proxy.taskMailbox())) == pa, "TaskMailbox proxyAdmin incorrect");
+    }
+
+    /// @dev Validate the immutables set in the new TaskMailbox implementation constructor
+    function _validateImplConstructor() internal view {
+        TaskMailbox taskMailboxImpl = Env.impl.taskMailbox();
+
+        // Validate version
+        assertEq(
+            keccak256(bytes(taskMailboxImpl.version())),
+            keccak256(bytes(Env.deployVersion())),
+            "TaskMailbox impl version mismatch"
+        );
+
+        // Validate certificate verifiers
+        assertTrue(
+            taskMailboxImpl.BN254_CERTIFICATE_VERIFIER() == address(Env.proxy.bn254CertificateVerifier()),
+            "TaskMailbox BN254_CERTIFICATE_VERIFIER mismatch"
+        );
+        assertTrue(
+            taskMailboxImpl.ECDSA_CERTIFICATE_VERIFIER() == address(Env.proxy.ecdsaCertificateVerifier()),
+            "TaskMailbox ECDSA_CERTIFICATE_VERIFIER mismatch"
+        );
+
+        // Validate MAX_TASK_SLA
+        assertEq(taskMailboxImpl.MAX_TASK_SLA(), Env.MAX_TASK_SLA(), "TaskMailbox MAX_TASK_SLA mismatch");
+    }
+
+    /// @dev Validate that the new implementation cannot be initialized (should revert)
+    function _validateImplInitialized() internal {
+        bytes memory errInit = "Initializable: contract is already initialized";
+
+        TaskMailbox taskMailboxImpl = Env.impl.taskMailbox();
+
+        vm.expectRevert(errInit);
+        taskMailboxImpl.initialize(
+            address(0), // owner
+            0, // feeSplit
+            address(0) // feeSplitCollector
+        );
+    }
+
+    /// @dev Validate the version is correctly set
+    function _validateVersion() internal view {
+        assertEq(
+            keccak256(bytes(Env.impl.taskMailbox().version())),
+            keccak256(bytes(Env.deployVersion())),
+            "TaskMailbox version should match deploy version"
+        );
+    }
+}
diff --git a/script/releases/v1.8.1-hourglass-testnet-replay-fix/2-queueTaskMailboxUpgrade.s.sol b/script/releases/v1.8.1-hourglass-testnet-replay-fix/2-queueTaskMailboxUpgrade.s.sol
@@ -0,0 +1,92 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.12;
+
+import {DeployTaskMailboxImpl} from "./1-deployTaskMailboxImpl.s.sol";
+import "../Env.sol";
+
+import {MultisigBuilder} from "zeus-templates/templates/MultisigBuilder.sol";
+import {MultisigCall, Encode} from "zeus-templates/utils/Encode.sol";
+
+import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";
+
+/**
+ * @title QueueTaskMailboxUpgrade
+ * @notice Queue the TaskMailbox upgrade transaction in the Timelock via the Operations Multisig.
+ *         This queues the upgrade to fix the task replay vulnerability.
+ */
+contract QueueTaskMailboxUpgrade is MultisigBuilder, DeployTaskMailboxImpl {
+    using Env for *;
+    using Encode for *;
+
+    function _runAsMultisig() internal virtual override prank(Env.opsMultisig()) {
+        if (!(Env.isDestinationChain() && Env._strEq(Env.envVersion(), "1.8.0"))) {
+            return;
+        }
+
+        bytes memory calldata_to_executor = _getCalldataToExecutor();
+
+        TimelockController timelock = Env.timelockController();
+        timelock.schedule({
+            target: Env.executorMultisig(),
+            value: 0,
+            data: calldata_to_executor,
+            predecessor: 0,
+            salt: 0,
+            delay: timelock.getMinDelay()
+        });
+    }
+
+    /// @dev Get the calldata to be sent from the timelock to the executor
+    function _getCalldataToExecutor() internal returns (bytes memory) {
+        /// forgefmt: disable-next-item
+        MultisigCall[] storage executorCalls = Encode.newMultisigCalls().append({
+            to: Env.proxyAdmin(),
+            data: Encode.proxyAdmin.upgrade({
+                proxy: address(Env.proxy.taskMailbox()),
+                impl: address(Env.impl.taskMailbox())
+            })
+        });
+
+        return Encode.gnosisSafe.execTransaction({
+            from: address(Env.timelockController()),
+            to: Env.multiSendCallOnly(),
+            op: Encode.Operation.DelegateCall,
+            data: Encode.multiSend(executorCalls)
+        });
+    }
+
+    function testScript() public virtual override {
+        if (!(Env.isDestinationChain() && Env._strEq(Env.envVersion(), "1.8.0"))) {
+            return;
+        }
+
+        // Deploy the new TaskMailbox implementation first
+        runAsEOA();
+
+        TimelockController timelock = Env.timelockController();
+        bytes memory calldata_to_executor = _getCalldataToExecutor();
+        bytes32 txHash = timelock.hashOperation({
+            target: Env.executorMultisig(),
+            value: 0,
+            data: calldata_to_executor,
+            predecessor: 0,
+            salt: 0
+        });
+
+        // Check that the upgrade does not exist in the timelock
+        assertFalse(timelock.isOperationPending(txHash), "Transaction should NOT be queued yet");
+
+        // Queue the upgrade
+        execute();
+
+        // Check that the upgrade has been added to the timelock
+        assertTrue(timelock.isOperationPending(txHash), "Transaction should be queued");
+        assertFalse(timelock.isOperationReady(txHash), "Transaction should NOT be ready immediately");
+        assertFalse(timelock.isOperationDone(txHash), "Transaction should NOT be done");
+
+        // Validate that the TaskMailbox proxy still points to the old implementation
+        address currentImpl = Env._getProxyImpl(address(Env.proxy.taskMailbox()));
+        address newImpl = address(Env.impl.taskMailbox());
+        assertFalse(currentImpl == newImpl, "TaskMailbox proxy should still point to old implementation");
+    }
+}
diff --git a/script/releases/v1.8.1-hourglass-testnet-replay-fix/3-executeTaskMailboxUpgrade.s.sol b/script/releases/v1.8.1-hourglass-testnet-replay-fix/3-executeTaskMailboxUpgrade.s.sol
@@ -0,0 +1,150 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.12;
+
+import "../Env.sol";
+import {QueueTaskMailboxUpgrade} from "./2-queueTaskMailboxUpgrade.s.sol";
+import {Encode} from "zeus-templates/utils/Encode.sol";
+
+/**
+ * @title ExecuteTaskMailboxUpgrade
+ * @notice Execute the queued TaskMailbox upgrade after the timelock delay.
+ *         This completes the upgrade to fix the task replay vulnerability where certificates
+ *         could be replayed across different tasks directed at the same operator set.
+ */
+contract ExecuteTaskMailboxUpgrade is QueueTaskMailboxUpgrade {
+    using Env for *;
+    using Encode for *;
+
+    function _runAsMultisig() internal override prank(Env.protocolCouncilMultisig()) {
+        if (!(Env.isDestinationChain() && Env._strEq(Env.envVersion(), "1.8.0"))) {
+            return;
+        }
+
+        bytes memory calldata_to_executor = _getCalldataToExecutor();
+        TimelockController timelock = Env.timelockController();
+
+        timelock.execute({
+            target: Env.executorMultisig(),
+            value: 0,
+            payload: calldata_to_executor,
+            predecessor: 0,
+            salt: 0
+        });
+    }
+
+    function testScript() public virtual override {
+        if (!(Env.isDestinationChain() && Env._strEq(Env.envVersion(), "1.8.0"))) {
+            return;
+        }
+
+        // 1 - Deploy. The new TaskMailbox implementation has been deployed
+        runAsEOA();
+
+        TimelockController timelock = Env.timelockController();
+        bytes memory calldata_to_executor = _getCalldataToExecutor();
+        bytes32 txHash = timelock.hashOperation({
+            target: Env.executorMultisig(),
+            value: 0,
+            data: calldata_to_executor,
+            predecessor: 0,
+            salt: 0
+        });
+
+        // 2 - Queue. Check that the operation IS ready
+        QueueTaskMailboxUpgrade._runAsMultisig();
+        _unsafeResetHasPranked(); // reset hasPranked so we can use it again
+
+        assertTrue(timelock.isOperationPending(txHash), "Transaction should be queued");
+        assertFalse(timelock.isOperationReady(txHash), "Transaction should NOT be ready immediately");
+        assertFalse(timelock.isOperationDone(txHash), "Transaction should NOT be complete");
+
+        // 3 - Warp past the timelock delay
+        vm.warp(block.timestamp + timelock.getMinDelay());
+        assertTrue(timelock.isOperationReady(txHash), "Transaction should be ready for execution");
+
+        // 4 - Execute the upgrade
+        execute();
+        assertTrue(timelock.isOperationDone(txHash), "v1.8.1 TaskMailbox upgrade should be complete");
+
+        // 5 - Validate the upgrade was successful
+        _validateUpgradeComplete();
+        _validateProxyAdmin();
+        _validateProxyConstructor();
+        _validateProxyInitialized();
+        _validateGetMessageHash();
+    }
+
+    /// @dev Validate that the TaskMailbox proxy now points to the new implementation
+    function _validateUpgradeComplete() internal view {
+        address currentImpl = Env._getProxyImpl(address(Env.proxy.taskMailbox()));
+        address expectedImpl = address(Env.impl.taskMailbox());
+
+        assertTrue(currentImpl == expectedImpl, "TaskMailbox proxy should point to new implementation");
+    }
+
+    /// @dev Validate the proxy's constructor values through the proxy
+    function _validateProxyConstructor() internal view {
+        TaskMailbox taskMailbox = Env.proxy.taskMailbox();
+
+        // Validate version
+        assertEq(
+            keccak256(bytes(taskMailbox.version())),
+            keccak256(bytes(Env.deployVersion())),
+            "TaskMailbox version mismatch"
+        );
+
+        // Validate certificate verifiers
+        assertTrue(
+            taskMailbox.BN254_CERTIFICATE_VERIFIER() == address(Env.proxy.bn254CertificateVerifier()),
+            "TaskMailbox BN254_CERTIFICATE_VERIFIER mismatch"
+        );
+        assertTrue(
+            taskMailbox.ECDSA_CERTIFICATE_VERIFIER() == address(Env.proxy.ecdsaCertificateVerifier()),
+            "TaskMailbox ECDSA_CERTIFICATE_VERIFIER mismatch"
+        );
+
+        // Validate MAX_TASK_SLA
+        assertEq(taskMailbox.MAX_TASK_SLA(), Env.MAX_TASK_SLA(), "TaskMailbox MAX_TASK_SLA mismatch");
+    }
+
+    /// @dev Validate that the proxy cannot be re-initialized
+    function _validateProxyInitialized() internal {
+        bytes memory errInit = "Initializable: contract is already initialized";
+
+        TaskMailbox taskMailbox = Env.proxy.taskMailbox();
+
+        vm.expectRevert(errInit);
+        taskMailbox.initialize(
+            address(0), // owner
+            0, // feeSplit
+            address(0) // feeSplitCollector
+        );
+    }
+
+    /// @dev Validate that the new getMessageHash function works correctly
+    function _validateGetMessageHash() internal view {
+        TaskMailbox taskMailbox = Env.proxy.taskMailbox();
+
+        // Test the new getMessageHash function with sample data
+        bytes32 taskHash = keccak256("test_task");
+        bytes memory result = abi.encode("test_result");
+
+        // The new implementation should compute messageHash as keccak256(abi.encode(taskHash, result))
+        bytes32 expectedMessageHash = keccak256(abi.encode(taskHash, result));
+        bytes32 actualMessageHash = taskMailbox.getMessageHash(taskHash, result);
+
+        assertTrue(
+            expectedMessageHash == actualMessageHash,
+            "getMessageHash should compute correct message hash with taskHash included"
+        );
+
+        // Verify that different tasks with same result produce different message hashes
+        bytes32 differentTaskHash = keccak256("different_task");
+        bytes32 differentMessageHash = taskMailbox.getMessageHash(differentTaskHash, result);
+
+        assertFalse(
+            actualMessageHash == differentMessageHash,
+            "Different tasks with same result should produce different message hashes"
+        );
+    }
+}
diff --git a/script/releases/v1.8.1-hourglass-testnet-replay-fix/upgrade.json b/script/releases/v1.8.1-hourglass-testnet-replay-fix/upgrade.json
@@ -0,0 +1,19 @@
+{
+    "name": "hourglass-testnet-replay-fix-v1.8.1",
+    "from": "1.8.0",
+    "to": "1.8.1",
+    "phases": [
+        {
+            "type": "eoa",
+            "filename": "1-deployTaskMailboxImpl.s.sol"
+        },
+        {
+            "type": "multisig",
+            "filename": "2-queueTaskMailboxUpgrade.s.sol"
+        },
+        {
+            "type": "multisig",
+            "filename": "3-executeTaskMailboxUpgrade.s.sol"
+        }
+    ]
+}
