MGP-2: Temporary transfer of Locking Contract Proxy Admin rights

TL;DR

Temporarily transfer control of the Locking contract’s upgrade rights to a Mento Labs multisig to ensure a smooth transition during Celo’s L2 upgrade.

Summary

With the upcoming Celo L2 upgrade changing the block time from 5sec to 1sec, the existing Locking/veMENTO contract needs to be upgraded. The Locking contract uses block numbers for time calculations and currently expects new blocks every 5 seconds.

The Mento Labs team has developed and is auditing an upgrade to the locking implementation to support the new block time while maintaining backward compatibility (existing locks and voting power calculations will remain valid).

After executing this proposal, the Mento Labs team will manually upgrade the Locking implementation to support the 1sec Celo L2 block time.

Once the Celo L2 upgrade is done and the new locking contract implementation works as expected, the Proxy Admin of the locking Proxy will be switched back to the Proxy Admin owned by Mento governance.

Technical Context

The Locking contract uses a proxy pattern where:

  • A proxy contract (LockingProxy) stores the state and delegates calls to an implementation contract
  • A proxy admin contract controls which implementation contract the proxy points to
  • Currently, only Mento Governance can upgrade the implementation through the proxy admin

Current Challenge

Mento Governance has a circular dependency:

  1. Governance proposals require the Locking contract for vote counting
  2. The Locking contract can only be upgraded through Governance
  3. If the L2 upgrade affects the Locking contract, Governance could become deadlocked

To prevent this scenario, we propose temporarily transferring proxy admin rights to a Mento Labs multisig.

Transaction Details:

The Mento Governance Proposal consists of only one transaction:

TX#0: change Proxy Admin address changeProxyAdmin()

  • Verify the current Proxy Admin address
  • Verify the Locking Proxy address
  • Verify the new Proxy Admin address

Contract Addresses

Contract Address Role
Current Proxy Admin 0x70d8DC60f9701c46D4CE9AC141E154f6804e1dC3 Current admin, owned by Governance
Locking Proxy 0x001Bb66636dCd149A1A2bA8C50E408BdDd80279C veMENTO contract
Mento Labs Multisig 0x655133d8E90F8190ed5c1F0f3710F602800C0150 3/7 Multisig with Mento labs employees
New Proxy Admin 0x7DeA70fC905f5C4E8f98971761C6641D16A428c1 Will be owned by Multisig

Verification Steps

  1. Verify the current ProxyAdmin contract is the admin of the Locking Proxy contract
  2. Confirm that the new ProxyAdmin contract is verified on Celoscan
  3. Verify that the new ProxyAdmin contract is owned by the Mento Labs multisig
  4. Confirm successful transfer of admin rights after the proposal is executed

Security Considerations

Risk Assessment

  • Temporary centralization of locking contract upgrade rights to Mento Labs multisig
  • Limited scope: Only upgrade rights for the Locking contract, no other Mento contracts
  • Duration: Only until the L2 upgrade is successfully deployed and tested

Monitoring & Safety Measures

  1. Monitoring of Locking and Governance contracts during the L2 upgrade
  2. Pausing of locking contract during L2 upgrade preventing any governance proposals
  3. Emergency upgrade only triggered if:
    • Vote counting malfunctions
    • Lock duration calculations fail
    • Governance actions become blocked

Transparency Commitments

  1. Public announcement before any upgrade execution under this post
  2. Technical details of changes published under this post
  3. Transaction hashes shared for community verification under this post

Future Steps

  1. Monitor Locking contract behavior post-L2 upgrade
  2. Verify all governance functions are working correctly
  3. Return proxy admin control to Mento Governance
  4. Provide a detailed post-upgrade report to the community
2 Likes