Add pausing to staking contract

[Spablob]

Adds pausing capability to stake and stakeOnBehalf functions.
Adds access control roles which replaces the original Ownable2StepUpgradeable

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Ramarti]

Please address comments and also add the deploy script for new version.
That way we can ensure new admin is the timelock (get admin value from owner() using old implementation)

[Spablob]

Please address comments and also add the deploy script for new version. That way we can ensure new admin is the timelock (get admin value from owner() using old implementation)

• Hardcoded the owner address to make sure (given the owner is the same on mainnet and aeneid). Pauser differs with the chain so kept them as variable on initializeV2()
• Created the script to deploy the new implementation (it's very similar to the one used before with the change of version number)

I don't see the schedule/cancel/execute scripts and txs in this repo. Do they go here or elsewhere?

[Ramarti]

LGTM

• We can do the upgrade transactions in a different PR
• Default min fee might be lower if this is merged after the staking changes

[0xHansLee]

Could you provide some more contexts on adding pausing to only stake function? I wonder if we don't need to add it to other functions, e.g. create validator, redelegate, and unstake.

[0xHansLee]

We don't need to add the whenNotPaused modifier here?

[Spablob]

createValidator and redelegate we can consider - what do you think @Ramarti ?

[0xHansLee]

Can you provide why you consider to add the pausing only to create validator and redelegate?

[Ramarti]

I see your point @0xHansLee .
Our initial thought was to start with whatever stops a possible loss of funds from the users.
Revisiting this I think we could go with 2 options

• Every non admin methos is pausable but unstake
• Every non admin method is pausable

Always allow users to withdraw during an attack vs the attack may be exploiting the unstake logic so nothing should come out.

I think we can start with everything pausable and post in the Forum, see how community feels

[Spablob]

Adjusted so that "Every non admin method is pausable": 354e206

[0xHansLee]

It would depend on which kind of attack we intend to mitigate via a pause.

The first option, supporting immediate withdrawal, would likely be needed in a situation where there is a problem with the staking system itself. On the other hand, if we need to block withdrawals via unstake, it is more likely due to issues such as private key leakage or compromised permissions of a contract account involved in staking. In such cases, a pause would need to be triggered before the funds are transferred to another account with malicious or unintended authority.

In my humble opinion, it seems more reasonable to focus on the latter rather than the former. Since the staking system is based on the Cosmos SDK, I believe the likelihood of critical issues originating from the staking system itself is relatively low.

[Ramarti]

After talking with the security council, we are leaning to pause everything but admin methods as the safer method. We are waiting on legal input for confirmation.