Merge pull request #2960 from keep-network/authorization-stuff-2

Introduced authorization decrease change period parameter to the beacon

See threshold-network/solidity-contracts#99

Introduced authorization decrease change period parameter to the beacon

This value protect against malicious operators who manipulate
their weight by overwriting authorization decrease request, and
lowering or increasing their eligible stake this way.

Authorization decrease change period is the time period before the authorization
decrease delay end, during which the authorization decrease request can be
overwritten.

When the request is overwritten, the authorization decrease delay is
reset.

For example, if `authorizationDecraseChangePeriod` is set to 4
days, `authorizationDecreaseDelay` is set to 14 days, and someone
requested authorization decrease, it means they can not
request another decrease for the first 10 days. After 10 days pass,
they can request again and overwrite the previous authorization
decrease request. The delay time will reset for them and they
will have to wait another 10 days to alter it and 14 days to
approve it.

If set to a value equal to `authorizationDecreaseDelay, it means
that authorization decrease request can be always overwritten.
If set to zero, it means authorization decrease request can not
be overwritten until the delay end, and one needs to wait for the entire
authorization decrease delay to approve their decrease or to alter it.

```
(1) authorization decrease requested timestamp
(2) from this moment authorization decrease request can be
    overwritten
(3) from this moment authorization decrease request can be
    approved, assuming it was NOT overwritten in (2)

  (1)                            (2)                        (3)
 --x------------------------------x--------------------------x---->
   |                               \________________________/
   |                             authorizationDecreaseChangePeriod
    \______________________________________________________/
                   authorizationDecreaseDelay
```

Author: nkuba

solidity/random-beacon/contracts/RandomBeacon.sol

@@ -164,7 +164,8 @@ contract RandomBeacon is IRandomBeacon, IApplication, Governable, Reimbursable {
 
     event AuthorizationParametersUpdated(
         uint96 minimumAuthorization,
-        uint64 authorizationDecreaseDelay
+        uint64 authorizationDecreaseDelay,
+        uint64 authorizationDecreaseChangePeriod
     );
 
     event RelayEntryParametersUpdated(
@@ -383,10 +384,12 @@ contract RandomBeacon is IRandomBeacon, IApplication, Governable, Reimbursable {
         _relayEntryTimeoutNotificationRewardMultiplier = 40;
         _unauthorizedSigningNotificationRewardMultiplier = 50;
         _dkgMaliciousResultNotificationRewardMultiplier = 100;
-        // Minimum authorization:         100k T
-        // Authorization decrease delay:  ~10 weeks assuming 15s block time
+        // Minimum authorization: 100k T
+        // Authorization decrease delay: ~10 weeks assuming 15s block time
+        // Authorization decrease change period: equal to the delay
         // slither-disable-next-line too-many-digits
-        authorization.setParameters(100000e18, 403200);
+        authorization.setParameters(100000e18, 403200, 403200);
+
         dkg.init(_sortitionPool, _dkgValidator);
         // DKG result challenge period length: ~48h assuming 15s block time
         // DKG result submission timeout: 64 members * 20 blocks = 1280 blocks
@@ -424,18 +427,23 @@ contract RandomBeacon is IRandomBeacon, IApplication, Governable, Reimbursable {
     /// @param _minimumAuthorization New minimum authorization amount
     /// @param _authorizationDecreaseDelay New authorization decrease delay in
     ///        seconds
+    /// @param _authorizationDecreaseChangePeriod New authorization decrease
+    ///        change period in seconds
     function updateAuthorizationParameters(
         uint96 _minimumAuthorization,
-        uint64 _authorizationDecreaseDelay
+        uint64 _authorizationDecreaseDelay,
+        uint64 _authorizationDecreaseChangePeriod
     ) external onlyGovernance {
         authorization.setParameters(
             _minimumAuthorization,
-            _authorizationDecreaseDelay
+            _authorizationDecreaseDelay,
+            _authorizationDecreaseChangePeriod
         );
 
         emit AuthorizationParametersUpdated(
             _minimumAuthorization,
-            _authorizationDecreaseDelay
+            _authorizationDecreaseDelay,
+            _authorizationDecreaseChangePeriod
         );
     }
 
@@ -683,6 +691,10 @@ contract RandomBeacon is IRandomBeacon, IApplication, Governable, Reimbursable {
     ///         Reverts if the amount after deauthorization would be non-zero
     ///         and lower than the minimum authorization.
     ///
+    ///         Reverts if another authorization decrease request is pending for
+    ///         the staking provider and not enough time passed since the
+    ///         original request (see `authorizationDecreaseChangePeriod`).
+    ///
     ///         If the operator is not known (`registerOperator` was not called)
     ///         it lets to `approveAuthorizationDecrease` immediately. If the
     ///         operator is known (`registerOperator` was called), the operator
@@ -696,7 +708,8 @@ contract RandomBeacon is IRandomBeacon, IApplication, Governable, Reimbursable {
     ///         `approveAuthorizationDecrease` function.
     ///
     ///         If there is a pending authorization decrease request, it is
-    ///         overwritten.
+    ///         overwritten, but only if enough time passed since the original
+    ///         request. Otherwise, the function reverts.
     ///
     /// @dev Can only be called by T staking contract.
     function authorizationDecreaseRequested(
@@ -1236,14 +1249,6 @@ contract RandomBeacon is IRandomBeacon, IApplication, Governable, Reimbursable {
         return authorization.parameters.minimumAuthorization;
     }
 
-    /// @notice Delay in seconds that needs to pass between the time
-    ///         authorization decrease is requested and the time that request
-    ///         gets approved. Protects against free-riders earning rewards and
-    ///         not being active in the network.
-    function authorizationDecreaseDelay() external view returns (uint64) {
-        return authorization.parameters.authorizationDecreaseDelay;
-    }
-
     /// @return Flag indicating whether a relay entry request is currently
     ///         in progress.
     function isRelayRequestInProgress() external view returns (bool) {
@@ -1344,6 +1349,41 @@ contract RandomBeacon is IRandomBeacon, IApplication, Governable, Reimbursable {
         return sortitionPool.selectGroup(DKG.groupSize, bytes32(dkg.seed));
     }
 
+    /// @notice Returns authorization-related parameters of the beacon.
+    /// @dev The minimum authorization is also returned by `minimumAuthorization()`
+    ///      function, as a requirement of `IApplication` interface.
+    /// @return minimumAuthorization The minimum authorization amount required
+    ///         so that operator can participate in the random beacon. This
+    ///         amount is required to execute slashing for providing a malicious
+    ///         DKG result or when a relay entry times out.
+    /// @return authorizationDecreaseDelay Delay in seconds that needs to pass
+    ///         between the time authorization decrease is requested and the
+    ///         time that request gets approved. Protects against free-riders
+    ///         earning rewards and not being active in the network.
+    /// @return authorizationDecreaseChangePeriod Authorization decrease change
+    ///        period in seconds. It is the time, before authorization decrease
+    ///        delay end, during which the pending authorization decrease
+    ///        request can be overwritten.
+    ///        If set to 0, pending authorization decrease request can not be
+    ///        overwritten until the endire `authorizationDecreaseDelay` ends.
+    ///        If set to value equal `authorizationDecreaseDelay`, request can
+    ///        always be overwritten.
+    function authorizationParameters()
+        external
+        view
+        returns (
+            uint96 minimumAuthorization,
+            uint64 authorizationDecreaseDelay,
+            uint64 authorizationDecreaseChangePeriod
+        )
+    {
+        return (
+            authorization.parameters.minimumAuthorization,
+            authorization.parameters.authorizationDecreaseDelay,
+            authorization.parameters.authorizationDecreaseChangePeriod
+        );
+    }
+
     /// @notice Returns relay-entry-related parameters of the beacon.
     /// @return relayEntrySoftTimeout Soft timeout in blocks for a group to
     ///         submit the relay entry. If the soft timeout is reached for

solidity/random-beacon/contracts/RandomBeaconGovernance.sol

@@ -77,6 +77,9 @@ contract RandomBeaconGovernance is Ownable {
     uint64 public newAuthorizationDecreaseDelay;
     uint256 public authorizationDecreaseDelayChangeInitiated;
 
+    uint64 public newAuthorizationDecreaseChangePeriod;
+    uint256 public authorizationDecreaseChangePeriodChangeInitiated;
+
     uint256 public newDkgMaliciousResultNotificationRewardMultiplier;
     uint256
         public dkgMaliciousResultNotificationRewardMultiplierChangeInitiated;
@@ -218,6 +221,15 @@ contract RandomBeaconGovernance is Ownable {
     );
     event AuthorizationDecreaseDelayUpdated(uint64 authorizationDecreaseDelay);
 
+    event AuthorizationDecreaseChangePeriodUpdateStarted(
+        uint64 authorizationDecreaseChangePeriod,
+        uint256 timestamp
+    );
+
+    event AuthorizationDecreaseChangePeriodUpdated(
+        uint64 authorizationDecreaseChangePeriod
+    );
+
     event DkgMaliciousResultNotificationRewardMultiplierUpdateStarted(
         uint256 dkgMaliciousResultNotificationRewardMultiplier,
         uint256 timestamp
@@ -1270,10 +1282,16 @@ contract RandomBeaconGovernance is Ownable {
         onlyAfterGovernanceDelay(minimumAuthorizationChangeInitiated)
     {
         emit MinimumAuthorizationUpdated(newMinimumAuthorization);
+        (
+            ,
+            uint64 authorizationDecreaseDelay,
+            uint64 authorizationDecreaseChangePeriod
+        ) = randomBeacon.authorizationParameters();
         // slither-disable-next-line reentrancy-no-eth
         randomBeacon.updateAuthorizationParameters(
             newMinimumAuthorization,
-            randomBeacon.authorizationDecreaseDelay()
+            authorizationDecreaseDelay,
+            authorizationDecreaseChangePeriod
         );
         minimumAuthorizationChangeInitiated = 0;
         newMinimumAuthorization = 0;
@@ -1304,15 +1322,65 @@ contract RandomBeaconGovernance is Ownable {
         onlyAfterGovernanceDelay(authorizationDecreaseDelayChangeInitiated)
     {
         emit AuthorizationDecreaseDelayUpdated(newAuthorizationDecreaseDelay);
+        (
+            uint96 minimumAuthorization,
+            uint64 authorizationDecreaseChangePeriod,
+
+        ) = randomBeacon.authorizationParameters();
         // slither-disable-next-line reentrancy-no-eth
         randomBeacon.updateAuthorizationParameters(
-            randomBeacon.minimumAuthorization(),
-            newAuthorizationDecreaseDelay
+            minimumAuthorization,
+            newAuthorizationDecreaseDelay,
+            authorizationDecreaseChangePeriod
         );
         authorizationDecreaseDelayChangeInitiated = 0;
         newAuthorizationDecreaseDelay = 0;
     }
 
+    /// @notice Begins the authorization decrease change period update process.
+    /// @dev Can be called only by the contract owner.
+    /// @param _newAuthorizationDecreaseChangePeriod New authorization decrease change period
+    function beginAuthorizationDecreaseChangePeriodUpdate(
+        uint64 _newAuthorizationDecreaseChangePeriod
+    ) external onlyOwner {
+        /* solhint-disable not-rely-on-time */
+        newAuthorizationDecreaseChangePeriod = _newAuthorizationDecreaseChangePeriod;
+        authorizationDecreaseChangePeriodChangeInitiated = block.timestamp;
+        emit AuthorizationDecreaseChangePeriodUpdateStarted(
+            _newAuthorizationDecreaseChangePeriod,
+            block.timestamp
+        );
+        /* solhint-enable not-rely-on-time */
+    }
+
+    /// @notice Finalizes the authorization decrease change period update process.
+    /// @dev Can be called only by the contract owner, after the governance
+    ///      delay elapses.
+    function finalizeAuthorizationDecreaseChangePeriodUpdate()
+        external
+        onlyOwner
+        onlyAfterGovernanceDelay(
+            authorizationDecreaseChangePeriodChangeInitiated
+        )
+    {
+        emit AuthorizationDecreaseChangePeriodUpdated(
+            newAuthorizationDecreaseChangePeriod
+        );
+        (
+            uint96 minimumAuthorization,
+            uint64 authorizationDecreaseDelay,
+
+        ) = randomBeacon.authorizationParameters();
+        // slither-disable-next-line reentrancy-no-eth
+        randomBeacon.updateAuthorizationParameters(
+            minimumAuthorization,
+            authorizationDecreaseDelay,
+            newAuthorizationDecreaseChangePeriod
+        );
+        authorizationDecreaseChangePeriodChangeInitiated = 0;
+        newAuthorizationDecreaseChangePeriod = 0;
+    }
+
     /// @notice Set authorization for requesters that can request a relay
     ///         entry. It can be done by the governance only.
     /// @param requester Requester, can be a contract or EOA
@@ -1499,6 +1567,9 @@ contract RandomBeaconGovernance is Ownable {
         return getRemainingChangeTime(minimumAuthorizationChangeInitiated);
     }
 
+    /// @notice Get the time remaining until the authorization decrease delay
+    ///         can be updated.
+    /// @return Remaining time in seconds.
     function getRemainingAuthorizationDecreaseDelayUpdateTime()
         external
         view
@@ -1508,6 +1579,20 @@ contract RandomBeaconGovernance is Ownable {
             getRemainingChangeTime(authorizationDecreaseDelayChangeInitiated);
     }
 
+    /// @notice Get the time remaining until the authorization decrease change
+    ///         period can be updated.
+    /// @return Remaining time in seconds.
+    function getRemainingAuthorizationDecreaseChangePeriodUpdateTime()
+        external
+        view
+        returns (uint256)
+    {
+        return
+            getRemainingChangeTime(
+                authorizationDecreaseChangePeriodChangeInitiated
+            );
+    }
+
     /// @notice Get the time remaining until the sortition pool rewards ban
     ///         duration can be updated.
     /// @return Remaining time in seconds.