feat(keyper-set-manager): validate DKG contract pairing on addKeyperSet
Enforce the registration-time complement to DKGContract's runtime
_checkDKGContract guard: a KeyperSet may only be registered if it
designates a DKG Contract that itself references this KeyperSetManager.
Without this, a KeyperSet paired with a zero or wrong DKG Contract
registers cleanly but can never run DKG (every submission reverts
WrongDKGContract), with no early signal to the DAO.
Changes (src):
- KeyperSetManager: two new errors DKGContractNotSet (zero DKG address)
and DKGContractManagerMismatch (DKG's keyperSetManager != this). Both
checks run after the existing isFinalized check, reading the DKG
address via IKeyperSet.getDKGContract() and calling
IDKGContract.keyperSetManager(). Imports IDKGContract (the interface,
not the concrete DKGContract) so the KeyperSetManager <-> DKGContract
cycle stays broken.
Changes (tests):
- KeyperSetManager.t.sol: setUp now pairs members0/members1 with a
DKGContract bound to the test's manager; three new cases cover zero
DKG, mismatched-manager DKG, and the matching happy path.
- DKGContract/ECIESKeyRegistry/EonKeyPublish/KeyBroadcastContract tests:
their setUps registered bare KeyperSets, which now revert at
registration; each now sets a correctly-paired DKGContract before
finalization.
Key decisions:
- Errors declared at file scope on KeyperSetManager.sol (next to
AlreadyDeactivated), matching the issue's "KeyperSetManager declares"
wording; selectors are visible to tests via the existing import.
- DKGContract.t.sol's WrongDKGContract guard tests previously registered
a KeyperSet with a zero DKG address. That state is now unreachable
(addKeyperSet rejects it), so the helper points at a *second* valid
DKGContract bound to the same manager (registration passes; runtime
guard still fires). The now-impossible testSubmitDealingRevertsWhen
DKGContractIsZero case is removed; the != comparison it exercised is
fully covered by the remaining different-contract cases.
Verification: forge build clean (only pre-existing unsafe-typecast
lints in scripts/benchmarks; none from this change); forge test 133/133
pass (was 131: +3 KeyperSetManager cases, -1 obsolete zero-address case).
Blockers/notes: e2e suite (rolling-shutter/mise-test-setup/e2e-tests)
not run -- mise is absent and its mise.run bootstrap is blocked by the
sandbox classifier, as in every prior commit in this PRD area. This
change is Solidity-only, additive, with no addKeyperSet ABI signature
change and no runtime behavior change for correctly-configured keyper
sets, so the Go e2e happy-path/offline-recovery suites are unaffected.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
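
The registration-time check the commit message describes, as an added sketch that is not the project's code. The interface shapes, the `KeyperSetNotFinalized` error name, the single-argument `addKeyperSet`, the storage layout and the stub contracts are assumptions; only the two new error names and the `getDKGContract()` / `keyperSetManager()` calls come from the message.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

// Interface shapes are assumed from the function names in the commit message.
interface IKeyperSet {
    function isFinalized() external view returns (bool);
    function getDKGContract() external view returns (address);
}

interface IDKGContract {
    function keyperSetManager() external view returns (address);
}

error KeyperSetNotFinalized(); // hypothetical name for the pre-existing check
error DKGContractNotSet(); // named in the commit message
error DKGContractManagerMismatch(); // named in the commit message

contract KeyperSetManagerSketch {
    address[] public keyperSets; // simplified storage (assumption)

    // Access control and the manager's other bookkeeping are omitted.
    function addKeyperSet(address keyperSet) external {
        IKeyperSet ks = IKeyperSet(keyperSet);
        if (!ks.isFinalized()) revert KeyperSetNotFinalized();
        // Check 1: the set must designate some DKG contract.
        address dkg = ks.getDKGContract();
        if (dkg == address(0)) revert DKGContractNotSet();
        // Check 2: that DKG contract must point back at this manager.
        // A non-zero address with no code reverts here with neither custom error.
        if (IDKGContract(dkg).keyperSetManager() != address(this)) {
            revert DKGContractManagerMismatch();
        }
        keyperSets.push(keyperSet);
    }
}

// Constructed stubs for the three cases: zero DKG, wrong manager, matching pair.
contract StubDKG is IDKGContract {
    address public immutable override keyperSetManager;
    constructor(address manager) { keyperSetManager = manager; }
}

contract StubKeyperSet is IKeyperSet {
    address private dkg;
    function setDKGContract(address d) external { dkg = d; }
    function isFinalized() external pure override returns (bool) { return true; }
    function getDKGContract() external view override returns (address) { return dkg; }
}
```

Registering a `StubKeyperSet` with no DKG set reverts `DKGContractNotSet`, one pointing at a `StubDKG` built with another address reverts `DKGContractManagerMismatch`, and one pointing at a `StubDKG` built with the sketch manager's address is stored.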