feat(StakeManager): add capabilities to register vaults

[0x-r4bbit]

This commit introduces changes related to vault registrations in the stake manager.

The stake manager needs to keep track of the vaults a users creates so it can aggregate accumulated MP across vaults for any given user.

The StakeVault now comes with a register() function which needs to be called to register itself with the stake manager. StakeManager has a new onlyRegisteredVault modifier that ensures only registered vaults can actually stake and unstake.

Closes #70

Checklist

Ensure you completed all of the steps below before submitting your pull request:

• Added natspec comments?
• Ran pnpm adorno?
• Ran pnpm verify?

[0x-r4bbit]

First I wanted to make register() part of the StakeVault's constructor() but the problem is registerVault() has the trusted code hash modifier. We need to create a StakeVault "template" instance first to register its codehash with the Stake manager, but the instantiation then fails due to registerVault() reverting.

I then decided to move this out and add an onlyRegisteredVaults modifier to the sensitive functions.

This should ensure StakeVault will call register() before they'll interact with the StakeManager.

[0x-r4bbit]

Since we only allow for staking once per vault, we could also make this part of stake() instead and enforce registration implicitly there.

Let me know what you guys think.

[gravityblast]

Since we only allow for staking once per vault, we could also make this part of stake() instead and enforce registration implicitly there.

I like this idea!

Otherwise we can do it in the constructor anyway since we know the bytecode already, we don't need to deploy a real one before. But anyway I like it if we do it in the stake function

[0x-r4bbit]

Otherwise we can do it in the constructor anyway since we know the bytecode already, we don't need to deploy a real one before. But anyway I like it if we do it in the stake function

So I gave it a bit more thought.
When I started implementing it, it felt odd to me that stake() would create a side effect (registration).
Now I'm kind of hesitant..

re: the other point: we can't do it in the constructor because we don't know the deployed byte code at this point in time. This is because of the STAKING_TOKEN in stakevault being immutable, making it part of the deploycode.

We know the staking token is going to be SNT on mainnet/l2 but for local testing it's always a different one.

So I don't think we can make registration part of the constructor.

[gravityblast]

because we don't know the deployed byte code at this point in time

@0x-r4bbit we can add a script that compute it in local. It can use a mock manager without modifier so that the vault can be deployed in local and the bytecode can be printed out. after that we know it and we can use it in production. we don't need to deploy a contract in prod to know the bytecode, wdyt?

[0x-r4bbit]

we don't need to deploy a contract in prod to know the bytecode, wdyt?

I think that would be idea.
If we do a minimal proxy clone pattern for StakeVault that needs a template deployed anyways, I think we don't need to set up a script for that either.

Maybe another option worth exploring?

[0x-r4bbit]

In StakeManager.registerVault() we're reading StakeVault.owner() so I added owner() to the IStakeVault interface.

Needed to explicitly add owner() here to make this compile.

[0x-r4bbit]

@gravityblast I've updated the PR according to your comments, accept for #71 (comment)

[3esmit]

This should be in another contact.

[0x-r4bbit]

@3esmit moved vault registration into separate contract

db96cd7

[3esmit]

I don't think this belongs here.

StakeManager should not care about this.

[0x-r4bbit]

Yeap, this is a leftover!

[3esmit]

I don't think this belongs here, StakeVault should interact directly with Registry, and systems that want to read the registry should interact directly with Registry.

[0x-r4bbit]

Same here, left over! Will remove

[3esmit]

This should be in registry as well

[0x-r4bbit]

Hm.. not sure about that...
So far we said that the staking protocol ultimately is one of the "XP providers" for the XP token contract.
Therefore, the stakemanager has to expose these. StakeManager is also where rewards are distributed.

I think it makes sense to keep the registry solely as registry for "which account owns which vaults".

[3esmit]

The StakeManagerRegistry could be the source of XP, while the StakeManager is only the logic. If forwarding of calls are needed they can be done in StakeManagerRegistry, not in StakeManager.

At least this is what makes sense for me, from a logical flow of information.

[0x-r4bbit]

There's a tradeoff:

Do users/apps have to worry about that there's a registry under the hood or not.

With the current implementation, calls always go through the stake manager and it knows whether or not it has to talk to a registry that users don't have to know about.

It also ensures that StakeVaults that interact with the system are whitelisted.

The path you're suggesting means:

• Registry has to whitelist as well, because we need to be sure only legit stakevault interact with the system
• Apps have to talk to one more contract to figure things out

I'm personally in favor of the former, but if there's majority consensus I'm happy to make the changes.

@gravityblast maybe you can leave your opinion here as well?

[gravityblast]

I would keep the functions in the staking manager and keep the registry only as a registry of vaults

[3esmit]

Why is a requirement to have the vault registered? Is there any security benefits on that? For me it seems is just a tool. This type of verification can be done in UI, and there should be no problem in using StakeManger without register.

[0x-r4bbit]

I'd say, it's an enforced invariant that only registered vaults can stake.
If it's not enforced here, then any vault could stake and the vault might not be registered, meaning it would not be taken into consideration when querying the XP for an owner of vaults.

[3esmit]

Ok, but it does not pose any risk for the current system, this should be a requirement by the system which requires this.
Otherwise the dependency graph is weird.

[0x-r4bbit]

this should be a requirement by the system which requires this.

Can you elaborate what you're looking for? Having this modifier is essentially that requirement, no?

[0x-r4bbit]

and there should be no problem in using StakeManger without register.

So, to clarify here: the reason we've introduced registration of vaults by owners, is so that we can aggregate all MP/XP/stakedBalance for a given owner.

If a StakeVault is not registered, it won't be known in the aggregation of XP.

Sure, we could say: Well, if a user ignores the rules and still stakes without registering, then it's their problem.

I think though, we shouldn't even allow that.

[gravityblast]

I agree with keeping the registration of the vaults, it feels more consistent like this

[gravityblast]

very small thing, shall we call this _getAccountAccruedMP so that it's clear it's for the account? just in case we extract the global MP logic to something with the same name

[0x-r4bbit]

I agree with renaming this.

I think we should do this across the board for all other things as well #87

[3esmit]

The registry contract should have all the logic related to registry and reading balances, otherwise it does not make sense to have a separate contract.

Personally I prefer systems to have a strong single responsibility logic, whenever possible, because it leads to code that is easier to maintain in the long run.

I'll explore more into the both designs below.

A) StakeManager with Embedded Registry Logic

flowchart TD
    subgraph User
        StakeVault
    end
    StakeVault --> StakeManager
    XPToken --> StakeManager

Loading

Benefits:

1. Simplicity in Interactions:
   • Fewer Contracts: With the registry embedded, there's one less contract to deploy and interact with.
   • Simplified Calls: External contracts like XP Token interact with a single contract to get all necessary data.
2. Efficiency:
   • Reduced Cross-Contract Calls: Fewer interactions between contracts can lead to lower gas costs.
   • Data Access: Aggregated data is readily available within StakeManager, avoiding multiple external calls.
3. Centralized Data Management:
   • Single Source of Truth: All relevant data is maintained in one place, reducing the risk of data inconsistencies.
   • Easier Synchronization: Updates to MPs and vault registrations occur within the same contract.
4. Performance:
   • Optimized Operations: Internal function calls are cheaper than external calls, potentially improving performance

Drawbacks:

1. Violation of Single Responsibility Principle (SRP):
   • Mixed Concerns: StakeManager handles both staking logic and registry management, which are distinct responsibilities.
   • Increased Complexity: Combining multiple roles can make the contract larger and harder to understand.
2. Maintainability Issues:
   • Tight Coupling: Changes to registry logic could inadvertently affect staking logic and vice versa.
   • Difficult to Test: More extensive testing is required as changes can have wider implications.
3. Security Risks:
   • Larger Attack Surface: A bigger contract with more functions increases the potential for vulnerabilities.
   • Risk of Exploits: Bugs in the registry functionality could compromise staking operations.
4. Reduced Flexibility:
   • Harder to Extend: Adding new features specific to the registry or staking logic becomes more complex.
   • Less Modular: Cannot reuse the registry functionality independently in other contexts.

B) Strong Single Responsibility Principle (SRP) with Separate Registry

In this approach, the Registry is a separate contract responsible solely for mapping users to their StakeVaults. The StakeManager focuses exclusively on staking logic and MPs.

flowchart TD
    subgraph User
        StakeVault
    end
    StakeVault --> StakeManager
    StakeVault -->|register| Registry
    XPToken -->|balanceOfAccount| Registry
    Registry -->|balanceOfVault| StakeManager

Loading

Benefits:

1. Adherence to SRP:
   • Clear Separation of Concerns: Each contract has a single, well-defined responsibility.
   • Improved Readability: Code is easier to understand when each contract handles a specific aspect.
2. Enhanced Maintainability:
   • Independent Changes: Modifications in the Registry do not affect the StakeManager and vice versa.
   • Simplified Testing: Easier to write focused tests for each contract.
3. Better Security Posture:
   • Smaller Contracts: Less code per contract reduces the chance of vulnerabilities.
   • Isolation of Functions: A flaw in one contract is less likely to impact others.
4. Flexibility and Reusability:
   • Modular Design: The Registry can be reused or replaced without altering the staking logic.
   • Easier to Extend: New features can be added to one component without affecting others.
5. Scalability:
   • Distributed Load: Workload can be distributed across contracts, which can be beneficial if certain functions become more complex.

Drawbacks:

1. Increased Complexity in Interactions:

   • Multiple Contracts: More contracts to deploy, manage, and interact with.
   • Complex Call Chains: External contracts like XP Token need to interact with both Registry and StakeManager.

2. Higher Gas Costs:

   • Cross-Contract Calls: Interactions between contracts are more expensive than internal calls.
   • Aggregation Overhead: XP Token may need to fetch data from multiple sources.

3. Data Synchronization Challenges:

   • Consistency Issues: Ensuring all contracts have up-to-date data requires careful management.
   • Atomicity: Transactions involving multiple contracts may be harder to make atomic.

4. Deployment and Management Overhead:

   • More Contracts to Deploy: Additional steps in deployment and potential points of failure.
   • Version Compatibility: Ensuring all contracts remain compatible during upgrades.

Key Takeaways:

• Embedded Registry Approach:
  • Simpler external interactions.
  • Harder to maintain.
  • Potentially lower gas costs.
  • Violates SRP by combining concerns.
• Separate Registry Approach:
  • Adheres to SRP with modular design.
  • Easier to maintain.
  • More complex interactions.
  • Potentially higher gas costs due to cross-contract calls.

[0x-r4bbit]

As discussed offline, we're moving ahead with not having a separate registry contract.
I've removed the commits from the PR that introduced it.

The reasoning is that, at least now, it introduces unnecessarily complexity.
We'll revisit this in the future if we think this poses a problem.

Once CI is green this will be merged.

[0x-r4bbit]

All checks successful. @3esmit I'm dismissing your review so this can be merged (as it's currently blocking otherwise).
Please don't take it personally :D

We've ultimately agreed on not implementing a separate registry contract.