Refactor PufferProtocol to keep <24KB

[eladiosch]

Before this PR, due to the changes for Pectra and the Validator Tokens => Validation Time rework, the size of the PufferProtocol contract had reached 28.5 KB, way over the limit.

In this PR I've implemented a contract that offloads a big part of the logic of the PufferProtocol contract. The way to call this contract is via delegatecall so the storage is the PufferProtocol's. A new base contract has been created so both PufferProtocol and PufferProtocolLogic share constants, immutables, storage, errors, and other common stuff.

The contract size achieved is 18.2 KB, so there's more than enough space to continue with the Pectra implementation and add some more features.

The PR includes some changes to the tests but they're not related to the PufferProtocolLogic contract. They were adapted so the previous tests could work with the changes made regarding the signatures. The changes to the protocol and protocol logic contract have not altered the tests and they still pass

[bxmmm1]

can remove _callPermit and just inline the code here, should save some gas. Or remove it completely and just do the .approve flow since VT is deprecated.

[eladiosch]

Removed the Permit flow completely

[bxmmm1]

Did we doument anywhere that scenario, where Source consolidates into a bad target and NoOp loses money?

[eladiosch]

No further work was done in relation to consolidation. We mentioned removing numBatches from Validator info, I still need to check if that's reasonable or breaks some other flow. We'll probably need to sync again on consolidation

[bxmmm1]

This would require us to deploy a new GuardianModule, we could have this message logic in the protocol, and use

GUARDIAN_MODULE.validateGuardiansEOASignatures

That way, we wouldn't need to re-audit/redeploy

GuardianModule

[eladiosch]

We need to re-deploy the GuardianModule anyways since the struct StoppedValidatorsInfo has changes. It was commented in the Pectra PR => #115 (comment)

[bxmmm1]

If we move that signature logic to the protocol, we might not need to, please check my big comment on the PR

[bxmmm1]

You can use the fallback of PufferProtocol to delegateCall to another logic as long as you have the same interface in the logic contract; everything will work.

E.G.

```
 fallback() external payable {
address implementation = _getPufferProtocolStorage().pufferProtocolLogic;

    assembly {
        // Copy msg.data. We take full control of memory in this inline assembly
        // block because it will not return to Solidity code. We overwrite the
        // Solidity scratch pad at memory position 0.
        calldatacopy(0, 0, calldatasize())

        // Call the implementation.
        // out and outsize are 0 because we don't know the size yet.
        let result := delegatecall(gas(), implementation, 0, calldatasize(), 0, 0)

        // Copy the returned data.
        returndatacopy(0, 0, returndatasize())

        switch result
        // delegatecall returns 0 on error.
        case 0 {
            revert(0, returndatasize())
        }
        default {
            return(0, returndatasize())
        }
    }
}

```

And then in the Logic contract, instead of _ method can just have a normal
`function depositValidationTime(EpochsValidatedSignature memory epochsValidatedSignature)` signature.

Then, from the PufferProtocol, you can remove every method that uses _delegateCall.

That way, the flow will be:

User -> Proxy -> PufferProtocol (if method signature is not found) trigger `fallback` -> it then tries to find the method on PufferProtocolLogic 

In the last in line (PufferProtocolLogic) you can have fallback revert so that it returns an error if the method is not found in thorugh the contract calls chain.

Maybe it wouldn’t be bad to compose PufferProtocol out of multiple interfaces.
E.G.
IPufferProtoclEvents
IPufferProtocolErrors
IPufferProtocolViewFunctions

Also, since this PufferProtocolLogic is being called by delegateCall, it doesn’t need to have the constants in it as well. You can have the constants from (PufferProtocolBase) only in the PufferProtocol.
But in our case, we don’t need to reduce bytecode even more.

Since this PR requires us to redeploy GuardianModule, we should remove unused functions from there. Or delete it and replace it with a function
_validateSignatures somewhere in the protocol, and then have the protocol call it with a message + signer’s address(backend), no need for array or fancy things, since we never used more than one signature..


[codecov]

Codecov Report

❌ Patch coverage is 75.19685% with 63 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
mainnet-contracts/src/PufferProtocolLogic.sol	75.13%	38 Missing and 8 partials ⚠️
mainnet-contracts/src/PufferProtocol.sol	73.21%	12 Missing and 3 partials ⚠️
mainnet-contracts/src/PufferProtocolBase.sol	84.61%	0 Missing and 2 partials ⚠️

Files with missing lines	Coverage Δ
mainnet-contracts/src/ProtocolSignatureNonces.sol	100.00% <ø> (ø)
mainnet-contracts/src/PufferProtocolBase.sol	84.61% <84.61%> (ø)
mainnet-contracts/src/PufferProtocol.sol	88.02% <73.21%> (+8.39%)	⬆️
mainnet-contracts/src/PufferProtocolLogic.sol	75.13% <75.13%> (ø)

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bxmmm1]

You can use IPufferProtocolLogic.depositValidationTime.selector directly.

[eladiosch]

Done

[bxmmm1]

You can get rid of all these internal constants and just inline IPufferProtocolLogic.whatever.selector

[eladiosch]

I had to create the constants because of the stack too deep. Maybe it isn't necessary anymore. I'll try

[eladiosch]

Done

[bxmmm1]

Maybe add a simple explainer.
If a function selector is not found in this contract ...

[eladiosch]

Done

[bxmmm1]

I'd use _GUARDIAN_MODULE.validateGuardiansEOASignatures. Prepare the message here, in this contract. That way, we won't need to redeploy GuardianModule contract at all

[eladiosch]

Done

[bxmmm1]

You can do it here as well validateGuardiansEOASignatures

[eladiosch]

Done

[ksatyarth2]

natspec for this contract plz

[eladiosch]

Done (yesterday)

[ksatyarth2]

the natspec says that fn can be called by delegatecall, but since this is a separate contract, can't be this fn directly called by someone? we are not checking anywhere that the caller should be PufferProtocol, or msg.sender == address(this) since this is delegate call. Am I missing something here?

[eladiosch]

Think of a Proxy pattern. If you interact with the implementation contract you're not accessing the proxy storage, right? This is the same. If you call the PufferLogicContract you'll be reading/writing the PufferLogicContract storage, not the PufferProtocol one, which is the important one. So no checks are needed.

However I just noticed due to your comment that since we're not checking the restricted in the original PufferProtocol anymore due to the last refactor (using just the fallback instead of the old functions), we need to add the check somehow. Probably will add it in the fallback function directly

[ksatyarth2]

add amount>0 and recipient!=o validation check to avoid informational issue from auditors :D

[eladiosch]

Done (yesterday)

[ksatyarth2]

why are we modifying the memory param here?

[eladiosch]

We have that struct (EpochsValidatedSignature) that contains all info regarding the epochsvalidated. One of that items is the function selector, which we need to get the proper nonce (see ProtocolSignatureNonces contract), that are now separated by function selector, in order to avoid DOS by blocking a nonce used by another function. This is, we previously used just nonce by address, but that way a user could send a tx that would block a nonce so it couldn't be used for another flow.

Well this function receives that struct, but the function selector doesn't need to be set by the user (they could tamper it), so it's set in the function body. It's also set in other places where the struct is created (like registerValidatorKey or batchHandleWithdrawals)

[ksatyarth2]

few places we are using require and other places revert - inconsistent

[eladiosch]

True, but that was also the case before this PR. IIRC we're not enforcing consistency with require/revert. I think this came up in a different PR

[bxmmm1]

Yeah, we got no consensus on this. I think that this uses slightly less gas. Just use whatever you feel is more readable to human.
On another note, this is 3 LOC when auditing the contract, while require would likely be 1 :D
I don't like inline `if(something) revert error() without the {}. I need to re-wire my brain to read it properly.

[eladiosch]

When I was optimizing I looked it up and it's equivalent. I usually prefer the require approach. And the LOC thing is valid, I'll see where it makes sense to change it

[eladiosch]

Done

[bxmmm1]

Maybe we could replace some of these if revert with require for less LOC and readability, wyt?

[eladiosch]

Agreed. I just wrote that in the other comment :D

[eladiosch]

Done

[bxmmm1]

This can probably be a modifier, it shouldn't add too much bytecode, it will be a little more readable. I've seen it 3 times in this contract

[eladiosch]

Done