chore: use deployer address in deployment scripts

[lumtis]

Closes: #411

Use deployer address for all contract with a deterministic address

Summary by CodeRabbit

• New Features

  • Enhanced deployment logic for ERC20Custody, GatewayEVM, and GatewayZEVM contracts.
  • Introduced a new transferAdmin function to manage admin role transitions securely.
  • Added checks to ensure valid admin addresses during contract deployment.

• Bug Fixes

  • Implemented environment variable checks to prevent deployment with zero admin addresses.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request introduces enhancements to the deployment scripts for the DeployERC20Custody, DeployGatewayEVM, and DeployGatewayZEVM contracts. Key modifications include ensuring that the admin addresses are not zero, using msg.sender as the admin during initialization, and adding a transferAdmin function to manage admin role transitions. These changes improve the robustness of the contracts by enforcing checks and clarifying the role management process during deployment.

Changes

File Path	Change Summary
v2/scripts/deploy/deterministic/DeployERC20Custody.s.sol	- Added transferAdmin method for admin role management. - Ensured admin address is not zero. - Used msg.sender for proxy initialization.
v2/scripts/deploy/deterministic/DeployGatewayEVM.s.sol	- Added transferAdmin method for admin role management. - Ensured GATEWAY_ADMIN_ADDRESS_EVM is set. - Used msg.sender for proxy initialization.
v2/scripts/deploy/deterministic/DeployGatewayZEVM.s.sol	- Added transferAdmin method for admin role management. - Ensured GATEWAY_ADMIN_ADDRESS_ZEVM is set. - Used msg.sender for proxy initialization.

Assessment against linked issues

Objective	Addressed	Explanation
Use a deployer address that is transferred to an admin address in deployment script (#411)	✅

Possibly related PRs

• fix: missing tss update in erc20custody, zetaConnector and gatewayEVM #363: Modifies the ERC20Custody contract, introducing a TSS update function related to role management.
• fix: review fixes #383: Focuses on the updateTSSAddress function in the ERC20Custody contract, relevant to role management enhancements.
• fix: add pauser role to tss #386: Enhances role management in the ERC20Custody contract, specifically regarding the TSS address.
• fix: use nonReentrant only on functions interacting with arbitrary contracts #395: Modifies the GatewayEVM contract, sharing similar role management and security enhancements.
• chore: script to deploy GatewayZEVM #408: Introduces a deployment script for the GatewayZEVM, related to the deployment logic changes.
• docs: improve deployment instructions #413: Improves deployment instructions, relevant to the changes in deployment logic.
• docs: add scripts and section to help with ZRC20 deployment for ZRC20 upgrade #418: Adds deployment instructions for ZRC20, relevant to the overall deployment context.

Suggested reviewers

• fadeev
• CharlieMc0
• andresaiello
• brewmaster012
• skosito
• fbac

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.27%. Comparing base (18d5c12) to head (2c27ce8).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #419   +/-   ##
=======================================
  Coverage   84.27%   84.27%           
=======================================
  Files           8        8           
  Lines         388      388           
  Branches      123      123           
=======================================
  Hits          327      327           
  Misses         61       61           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Actionable comments posted: 3

🧹 Outside diff range and nitpick comments (2)

v2/scripts/deploy/deterministic/DeployGatewayZEVM.s.sol (2)

56-62: Consider adding more post-deployment verifications

While the basic configuration check is good, consider adding more verifications such as:

• Proxy implementation address verification
• Initial deployer role verification before transfer

 // Verify initial configuration
 require(gateway.zetaToken() == zeta, "zeta token not set");
+require(gateway.implementation() == address(gatewayImpl), "implementation not set correctly");
+require(gateway.hasRole(gateway.DEFAULT_ADMIN_ROLE(), msg.sender), "deployer not set as initial admin");
 
 // Transfer admin role from deployer to admin
 transferAdmin(gateway, msg.sender, admin);

---

Line range hint 1-80: Consider implementing atomic deployment and role transfer

While the current implementation is solid, consider wrapping the deployment and role transfer in a try-catch block to ensure atomicity. This would prevent scenarios where deployment succeeds but role transfer fails, potentially leaving the contract in an inconsistent state.

This could be implemented by:

1. Adding a cleanup function to handle failed deployments
2. Using a two-step deployment process where roles are verified before finalizing the deployment
3. Implementing a recovery mechanism for failed role transfers

Would you like me to provide a detailed implementation for any of these approaches?

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 18d5c12 and 2c27ce8.

📒 Files selected for processing (3)

• v2/scripts/deploy/deterministic/DeployERC20Custody.s.sol (1 hunks)
• v2/scripts/deploy/deterministic/DeployGatewayEVM.s.sol (1 hunks)
• v2/scripts/deploy/deterministic/DeployGatewayZEVM.s.sol (1 hunks)

🔇 Additional comments (11)

v2/scripts/deploy/deterministic/DeployGatewayZEVM.s.sol (4)

19-21: LGTM: Good addition of admin address validation

This check aligns with the PR objectives by ensuring deterministic deployments can't proceed with an invalid admin address.

---

35-54: LGTM: Proxy deployment correctly implements deployer pattern

The proxy deployment correctly uses msg.sender as the initial admin, which aligns with the PR objective of using a deployer address that will later transfer roles to the actual admin.

---

24-34: LGTM: Robust implementation contract deployment with proper verification

The implementation uses CREATE2 correctly with appropriate checks for deployment success and address verification.

Let's verify the implementation salt usage across other deployment scripts for consistency:

✅ Verification successful

Salt usage is consistent and well-structured across deployment scripts

The verification shows that salt generation follows a consistent pattern across all deterministic deployments:

• Implementation contracts use keccak256("<ContractName>") format
• Proxy contracts use keccak256("<ContractName>Proxy") format
• Version suffixes (-2) are properly added where applicable

Each deployment script correctly uses these salts with CREATE2 and includes proper address verification checks.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for consistent salt usage across deployment scripts
rg -A 1 'bytes32.*Salt.*=.*keccak256.*Gateway' --type sol

Length of output: 87

---

Script:

#!/bin/bash
# Search for salt definitions in deployment scripts
rg -t sol "bytes32.*Salt.*=" v2/scripts/deploy/

Length of output: 77

---

Script:

#!/bin/bash
# Search for CREATE2 deployments in deployment scripts
rg -t sol "new.*\{salt:" v2/scripts/deploy/

Length of output: 73

---

Script:

#!/bin/bash
# List all deployment script files for context
fd -e sol . v2/scripts/deploy/

Length of output: 413

---

Script:

#!/bin/bash
# Search for salt definitions and CREATE2 deployments without file type flag
rg "bytes32.*Salt.*=" v2/scripts/deploy/
rg "new.*\{salt:" v2/scripts/deploy/

Length of output: 2328

---

Script:

#!/bin/bash
# Get content of the deployment scripts to analyze salt usage
cat v2/scripts/deploy/deterministic/DeployGatewayEVM.s.sol
cat v2/scripts/deploy/deterministic/DeployGatewayZEVM.s.sol

Length of output: 7410

---

66-80: LGTM: Well-structured role transfer with comprehensive verification

The function implements a secure role transfer pattern with proper verification. The order of operations (grant before renounce) prevents any potential access gaps.

Let's verify consistent role transfer implementation across other deployment scripts:

✅ Verification successful

Role transfer implementation is consistent and secure across deployment scripts

The verification confirms that the transferAdmin function follows the same secure pattern across all deployment scripts:

• DeployGatewayZEVM.s.sol: Handles PAUSER_ROLE and DEFAULT_ADMIN_ROLE
• DeployGatewayEVM.s.sol: Identical implementation for the same roles
• DeployERC20Custody.s.sol: Same pattern plus WHITELISTER_ROLE specific to ERC20Custody

All implementations maintain the secure order (grant before renounce) and include comprehensive role verification checks.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for consistent role transfer implementation
ast-grep --pattern 'function transferAdmin($_, $_, $_) {
  $$$
  grantRole($_, $_);
  $$$
  renounceRole($_, $_);
  $$$
}'

Length of output: 124

---

Script:

#!/bin/bash
# Search for transferAdmin function implementations
rg -U "function transferAdmin.*?\{.*?\}" -g "*.sol" -A 20

Length of output: 59

---

Script:

#!/bin/bash
# Let's try a simpler search for transferAdmin function
rg "function transferAdmin" --type sol

# Also search for similar role transfer patterns
rg "grantRole.*DEFAULT_ADMIN_ROLE|PAUSER_ROLE" --type sol

Length of output: 156

---

Script:

#!/bin/bash
# Search for transferAdmin function without file type filter
rg "function transferAdmin"

# Search for role transfer patterns
rg "grantRole.*(DEFAULT_ADMIN_ROLE|PAUSER_ROLE)"

Length of output: 2911

---

Script:

#!/bin/bash
# Let's examine the implementation of transferAdmin in other deployment scripts
cat v2/scripts/deploy/deterministic/DeployERC20Custody.s.sol v2/scripts/deploy/deterministic/DeployGatewayEVM.s.sol

Length of output: 8138

v2/scripts/deploy/deterministic/DeployGatewayEVM.s.sol (3)

21-23: LGTM: Good addition of admin address validation!

This check aligns well with the PR objectives and prevents accidental deployments with an unset admin address.

---

26-34: LGTM: Robust implementation address computation and verification!

The code correctly implements deterministic deployment using CREATE2 with proper verification of both successful deployment and address matching.

---

37-54: 🛠️ Refactor suggestion

Verify proxy deployment error handling

While the deployment logic is correct, consider enhancing the error handling for proxy deployment failure. The current check only verifies the address but doesn't explicitly verify successful initialization.

Consider adding a try-catch block around the proxy deployment to handle potential initialization failures:

-        ERC1967Proxy gatewayProxy = new ERC1967Proxy{salt: proxySalt}(
-            address(gatewayImpl),
-            abi.encodeWithSelector(GatewayEVM.initialize.selector, tss, address(zeta), msg.sender)
-        );
+        ERC1967Proxy gatewayProxy;
+        try new ERC1967Proxy{salt: proxySalt}(
+            address(gatewayImpl),
+            abi.encodeWithSelector(GatewayEVM.initialize.selector, tss, address(zeta), msg.sender)
+        ) returns (ERC1967Proxy proxy) {
+            gatewayProxy = proxy;
+        } catch Error(string memory reason) {
+            revert(string.concat("Proxy initialization failed: ", reason));
+        }

v2/scripts/deploy/deterministic/DeployERC20Custody.s.sol (4)

20-22: Good practice: Ensure admin address is set

The added check require(admin != address(0)) ensures that the contract is not deployed with an unset admin address, preventing potential misconfigurations.

---

43-43: Appropriate use of msg.sender as initial admin

Using msg.sender as the initial admin in the initialize call means the deployer will hold the admin roles initially, aligning with the deployment strategy to transfer roles after deployment.

Also applies to: 51-51

---

58-60: Verification of initial configuration is added

The added checks confirm that tss and gateway are correctly set after deployment, ensuring the contract is initialized with the correct parameters.

---

62-64: Transferring admin roles from deployer to admin

Calling transferAdmin(erc20Custody, msg.sender, admin) properly transfers the admin roles from the deployer to the specified admin address, following the intended deployment process.

[skosito]

@lumtis will this be backported to v20?

[lumtis]

@lumtis will this be backported to v20?

Yes, I originally made the branch there but there is no conflict between both version so changes are the same