fix: staking audit fixes (ethereum-optimism#19449)

* docs(staking): document pause bypass behavior in setAllowedStaker

* fix(staking): only reset lastUpdate on full unstake in _decreasePeData

Cantina audit finding #7: _decreasePeData unconditionally reset
lastUpdate on every decrease, penalizing partial unstakers by
resetting their staking weight. Now lastUpdate is only reset when
effectiveStake reaches zero.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(staking): implement two-step ownership transfer

Cantina audit finding #8: transferOwnership now nominates a pending
owner who must call acceptOwnership() to finalize the transfer,
preventing irrevocable ownership loss from incorrect addresses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs(staking): document lastUpdate reset trust assumption in setAllowedStaker

Cantina audit finding #10: when a beneficiary removes a staker from
their allowlist, the staker's lastUpdate is reset via _increasePeData,
losing accumulated staking weight. Document this as an inherent trust
assumption of the delegation model.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: undo version change

* chore: upgrade natspec

* chore: update event emission order

* fix: wrong event args

* chore: add interface comments

* fix: pre-pr

* refactor: make ownable private functions public

* fix: pre-pr

* feat(ownable): reset pending owner on zeroaddress ownership transfer

* refactor: inherit OZ's ownable and use helper contract for mapping storage slot

* fix: ci

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 0xChin

packages/contracts-bedrock/interfaces/periphery/staking/IPolicyEngineStaking.sol

@@ -34,8 +34,14 @@ interface IPolicyEngineStaking is ISemver {
     /// @notice Emitted when ownership is transferred.
     event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
 
-    /// @notice Thrown when the caller is not the owner.
-    error PolicyEngineStaking_OnlyOwner();
+    /// @notice Emitted when a new owner is nominated via `transferOwnership`.
+    event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
+
+    /// @notice Thrown when the caller is not authorized (OZ Ownable).
+    error OwnableUnauthorizedAccount(address account);
+
+    /// @notice Thrown when an invalid owner is provided (OZ Ownable).
+    error OwnableInvalidOwner(address owner);
 
     /// @notice Thrown when the staking is paused.
     error PolicyEngineStaking_Paused();
@@ -69,10 +75,24 @@ interface IPolicyEngineStaking is ISemver {
     /// @notice Returns the contract owner.
     function owner() external view returns (address);
 
-    /// @notice Transfers ownership of the contract to a new account. Only callable by owner.
-    /// @param _newOwner The address of the new owner.
+    /// @notice Returns the pending owner nominated via `transferOwnership`.
+    function pendingOwner() external view returns (address);
+
+    /// @notice Starts the ownership transfer of the contract to a new account. Replaces the
+    ///         pending transfer if there is one. The nominated address must call
+    ///         `acceptOwnership` to finalize the transfer (two-step pattern). Only callable
+    ///         by owner.
+    ///
+    /// @param _newOwner The address of the nominated owner.
     function transferOwnership(address _newOwner) external;
 
+    /// @notice Accepts ownership after being nominated via `transferOwnership`.
+    ///         Only callable by the pending owner.
+    function acceptOwnership() external;
+
+    /// @notice Renounces ownership of the contract. Only callable by owner.
+    function renounceOwnership() external;
+
     /// @notice Returns whether the contract is paused.
     function paused() external view returns (bool);
 
@@ -114,6 +134,7 @@ interface IPolicyEngineStaking is ISemver {
     /// @notice Sets whether a staker can set the caller as beneficiary. When disallowing,
     ///         if the staker's current beneficiary is the caller, their stake attribution is
     ///         moved back to the staker (beneficiary reset to self).
+    ///         This function is callable even when the contract is paused.
     ///
     /// @param _staker  The staker address.
     /// @param _allowed Whether the staker is allowed to set the caller as beneficiary.

packages/contracts-bedrock/interfaces/universal/IOwnable.sol

@@ -6,6 +6,12 @@ pragma solidity ^0.8.0;
 interface IOwnable {
     event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
 
+    /// @dev The caller account is not authorized to perform an operation.
+    error OwnableUnauthorizedAccount(address account);
+
+    /// @dev The owner is not a valid owner account. (eg. `address(0)`)
+    error OwnableInvalidOwner(address owner);
+
     function owner() external view returns (address);
     function renounceOwnership() external;
     function transferOwnership(address newOwner) external; // nosemgrep

packages/contracts-bedrock/scripts/checks/interfaces/main.go

@@ -33,6 +33,9 @@ var excludeContracts = []string{
 	// Constructor inheritance differences
 	"IL2ProxyAdmin",
 
+	// OZ v4/v5 Ownable mismatch: IOwnable has v5 errors, AddressManager uses v4 Ownable
+	"IAddressManager",
+
 	// TODO: Interfaces that need to be fixed
 	"IInitializable", "IOptimismMintableERC20", "ILegacyMintableERC20",
 	"KontrolCheatsBase", "IResolvedDelegateProxy",
@@ -41,7 +44,7 @@ var excludeContracts = []string{
 // excludeSourceContracts is a list of contracts that are allowed to not have interfaces
 var excludeSourceContracts = []string{
 	// Base contracts with no external functions
-	"CrossDomainOwnable", "CrossDomainOwnable2", "CrossDomainOwnable3", "CrossDomainMessengerLegacySpacer0", "CrossDomainMessengerLegacySpacer1",
+	"CrossDomainOwnable", "CrossDomainOwnable2", "CrossDomainOwnable3", "CrossDomainMessengerLegacySpacer0", "CrossDomainMessengerLegacySpacer1", "PolicyEngineStakingMapping",
 
 	// Helper contracts
 	"SafeSend", "EventLogger", "StorageSetter", "DisputeMonitorHelper", "GameHelper",

packages/contracts-bedrock/snapshots/abi/PolicyEngineStaking.json

@@ -28,6 +28,13 @@
     "stateMutability": "view",
     "type": "function"
   },
+  {
+    "inputs": [],
+    "name": "acceptOwnership",
+    "outputs": [],
+    "stateMutability": "nonpayable",
+    "type": "function"
+  },
   {
     "inputs": [
       {
@@ -122,6 +129,26 @@
     "stateMutability": "view",
     "type": "function"
   },
+  {
+    "inputs": [],
+    "name": "pendingOwner",
+    "outputs": [
+      {
+        "internalType": "address",
+        "name": "",
+        "type": "address"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [],
+    "name": "renounceOwnership",
+    "outputs": [],
+    "stateMutability": "nonpayable",
+    "type": "function"
+  },
   {
     "inputs": [
       {
@@ -217,7 +244,7 @@
     "inputs": [
       {
         "internalType": "address",
-        "name": "_newOwner",
+        "name": "newOwner",
         "type": "address"
       }
     ],
@@ -341,6 +368,25 @@
     "name": "EffectiveStakeChanged",
     "type": "event"
   },
+  {
+    "anonymous": false,
+    "inputs": [
+      {
+        "indexed": true,
+        "internalType": "address",
+        "name": "previousOwner",
+        "type": "address"
+      },
+      {
+        "indexed": true,
+        "internalType": "address",
+        "name": "newOwner",
+        "type": "address"
+      }
+    ],
+    "name": "OwnershipTransferStarted",
+    "type": "event"
+  },
   {
     "anonymous": false,
     "inputs": [
@@ -411,23 +457,40 @@
     "type": "event"
   },
   {
-    "inputs": [],
-    "name": "PolicyEngineStaking_InsufficientStake",
+    "inputs": [
+      {
+        "internalType": "address",
+        "name": "owner",
+        "type": "address"
+      }
+    ],
+    "name": "OwnableInvalidOwner",
+    "type": "error"
+  },
+  {
+    "inputs": [
+      {
+        "internalType": "address",
+        "name": "account",
+        "type": "address"
+      }
+    ],
+    "name": "OwnableUnauthorizedAccount",
     "type": "error"
   },
   {
     "inputs": [],
-    "name": "PolicyEngineStaking_NoStake",
+    "name": "PolicyEngineStaking_InsufficientStake",
     "type": "error"
   },
   {
     "inputs": [],
-    "name": "PolicyEngineStaking_NotAllowedToSetBeneficiary",
+    "name": "PolicyEngineStaking_NoStake",
     "type": "error"
   },
   {
     "inputs": [],
-    "name": "PolicyEngineStaking_OnlyOwner",
+    "name": "PolicyEngineStaking_NotAllowedToSetBeneficiary",
     "type": "error"
   },
   {

packages/contracts-bedrock/snapshots/abi/PolicyEngineStakingMapping.json

@@ -0,0 +1,39 @@
+[
+  {
+    "inputs": [],
+    "name": "PE_DATA_SLOT",
+    "outputs": [
+      {
+        "internalType": "bytes32",
+        "name": "",
+        "type": "bytes32"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
+  {
+    "inputs": [
+      {
+        "internalType": "address",
+        "name": "account",
+        "type": "address"
+      }
+    ],
+    "name": "peData",
+    "outputs": [
+      {
+        "internalType": "uint128",
+        "name": "effectiveStake",
+        "type": "uint128"
+      },
+      {
+        "internalType": "uint128",
+        "name": "lastUpdate",
+        "type": "uint128"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  }
+]

packages/contracts-bedrock/snapshots/semver-lock.json

@@ -240,8 +240,8 @@
     "sourceCodeHash": "0x955bd0c9b47e43219865e4e92abf28d916c96de20cbdf2f94c8ab14d02083759"
   },
   "src/periphery/staking/PolicyEngineStaking.sol:PolicyEngineStaking": {
-    "initCodeHash": "0xc0c04b0dddbf7831bf5abfccc6a569d92f9b7ab0ec53278f6d1cf7113041d59d",
-    "sourceCodeHash": "0x998ddc9f24e3c85b1d588c263838261442edaad1dde5424fd55c2d4e1243592a"
+    "initCodeHash": "0x0dd679c6e955a4bf4af7d98da8c42ac7fd48c5c28af4c61eaeddb782690d6223",
+    "sourceCodeHash": "0x24fe77ae2b0dacad1f61f6dd65026ce3a34df7c4d0331eadc661b2e062d6bb54"
   },
   "src/safe/DeputyPauseModule.sol:DeputyPauseModule": {
     "initCodeHash": "0x18422b48c4901ed6fd9338d76d3c5aecfff9a7add34b05c6e21c23d0011ed6bf",

packages/contracts-bedrock/snapshots/storageLayout/PolicyEngineStaking.json

@@ -4,34 +4,41 @@
     "label": "peData",
     "offset": 0,
     "slot": "0",
-    "type": "mapping(address => struct PolicyEngineStaking.PEData)"
+    "type": "mapping(address => struct PolicyEngineStakingMapping.PEData)"
+  },
+  {
+    "bytes": "20",
+    "label": "_owner",
+    "offset": 0,
+    "slot": "1",
+    "type": "address"
+  },
+  {
+    "bytes": "20",
+    "label": "_pendingOwner",
+    "offset": 0,
+    "slot": "2",
+    "type": "address"
   },
   {
     "bytes": "32",
     "label": "allowlist",
     "offset": 0,
-    "slot": "1",
+    "slot": "3",
     "type": "mapping(address => mapping(address => bool))"
   },
   {
     "bytes": "32",
     "label": "stakingData",
     "offset": 0,
-    "slot": "2",
+    "slot": "4",
     "type": "mapping(address => struct PolicyEngineStaking.StakedData)"
   },
   {
     "bytes": "1",
     "label": "paused",
     "offset": 0,
-    "slot": "3",
+    "slot": "5",
     "type": "bool"
-  },
-  {
-    "bytes": "20",
-    "label": "_owner",
-    "offset": 1,
-    "slot": "3",
-    "type": "address"
   }
 ]

packages/contracts-bedrock/snapshots/storageLayout/PolicyEngineStakingMapping.json

@@ -0,0 +1,9 @@
+[
+  {
+    "bytes": "32",
+    "label": "peData",
+    "offset": 0,
+    "slot": "0",
+    "type": "mapping(address => struct PolicyEngineStakingMapping.PEData)"
+  }
+]