TL;DR
Temporarily transfer control of the Locking contract’s upgrade rights to a Mento Labs multisig to ensure a smooth transition during Celo’s L2 upgrade.
Summary
With the upcoming Celo L2 upgrade changing the block time from 5sec to 1sec, the existing Locking/veMENTO contract needs to be upgraded. The Locking contract uses block numbers for time calculations and currently expects new blocks every 5 seconds.
The Mento Labs team has developed and is auditing an upgrade to the locking implementation to support the new block time while maintaining backward compatibility (existing locks and voting power calculations will remain valid).
After executing this proposal, the Mento Labs team will manually upgrade the Locking implementation to support the 1sec Celo L2 block time.
Once the Celo L2 upgrade is done and the new locking contract implementation works as expected, the Proxy Admin of the locking Proxy will be switched back to the Proxy Admin owned by Mento governance.
Technical Context
The Locking contract uses a proxy pattern where:
- A proxy contract (
LockingProxy
) stores the state and delegates calls to an implementation contract - A proxy admin contract controls which implementation contract the proxy points to
- Currently, only Mento Governance can upgrade the implementation through the proxy admin
Current Challenge
Mento Governance has a circular dependency:
- Governance proposals require the Locking contract for vote counting
- The Locking contract can only be upgraded through Governance
- If the L2 upgrade affects the Locking contract, Governance could become deadlocked
To prevent this scenario, we propose temporarily transferring proxy admin rights to a Mento Labs multisig.
Transaction Details:
The Mento Governance Proposal consists of only one transaction:
TX#0: change Proxy Admin address changeProxyAdmin()
- Verify the current Proxy Admin address
- Verify the Locking Proxy address
- Verify the new Proxy Admin address
Contract Addresses
Contract | Address | Role |
---|---|---|
Current Proxy Admin | 0x70d8DC60f9701c46D4CE9AC141E154f6804e1dC3 |
Current admin, owned by Governance |
Locking Proxy | 0x001Bb66636dCd149A1A2bA8C50E408BdDd80279C |
veMENTO contract |
Mento Labs Multisig | 0x655133d8E90F8190ed5c1F0f3710F602800C0150 |
3/7 Multisig with Mento labs employees |
New Proxy Admin | 0x7DeA70fC905f5C4E8f98971761C6641D16A428c1 |
Will be owned by Multisig |
Verification Steps
- Verify the current ProxyAdmin contract is the admin of the Locking Proxy contract
- Confirm that the new ProxyAdmin contract is verified on Celoscan
- Verify that the new ProxyAdmin contract is owned by the Mento Labs multisig
- Confirm successful transfer of admin rights after the proposal is executed
Security Considerations
Risk Assessment
- Temporary centralization of locking contract upgrade rights to Mento Labs multisig
- Limited scope: Only upgrade rights for the Locking contract, no other Mento contracts
- Duration: Only until the L2 upgrade is successfully deployed and tested
Monitoring & Safety Measures
- Monitoring of Locking and Governance contracts during the L2 upgrade
- Pausing of locking contract during L2 upgrade preventing any governance proposals
- Emergency upgrade only triggered if:
- Vote counting malfunctions
- Lock duration calculations fail
- Governance actions become blocked
Transparency Commitments
- Public announcement before any upgrade execution under this post
- Technical details of changes published under this post
- Transaction hashes shared for community verification under this post
Future Steps
- Monitor Locking contract behavior post-L2 upgrade
- Verify all governance functions are working correctly
- Return proxy admin control to Mento Governance
- Provide a detailed post-upgrade report to the community