Pause - Detailed Documentation
A delegatecall based proxy with an enforced delay
Last updated
A delegatecall based proxy with an enforced delay
Last updated
Contract Name: pause.sol
Type/Category: Governance Module
The ds-pause is a delegatecall based proxy with an enforced delay. This allows authorized users to schedule function calls that can only be executed once a predetermined waiting period has elapsed. The configurable delay attribute sets the minimum wait time that will be used during the governance of the system.
Plans A plan describes a single delegatecall operation and a unix timestamp eta before which it cannot be executed.
A plan consists of:
usr: address to delegatecall into
tag: the expected codehash of usr
fax: calldata to use
eta: first possible time of execution (as seconds since unix epoch)
It is important to note that each plan has a unique id, defined as a keccack256(abi.encode(usr, tag, fax, eta)).
Plans can be manipulated in the following ways:
plot: schedule a plan
exec: execute a scheduled plan
drop: cancel a scheduled plan
The pause contract contains the DSPauseProxy contract in order to allow plan to be executed in an isolated storage context to protect the pause from malicious storage modification during plan execution.
The ds-pause was designed to be used as a component in the Maker Protocol’s governance system in order to give affected parties time to respond to decisions. If those affected by governance decisions have e.g. exit or veto rights, then the pause can serve as an effective check on governance power.
In order to protect the internal storage of the pause from malicious writes during plan execution, we perform the delegatecall operation in a separate contract with an isolated storage context (DSPauseProxy), where each pause has its own individual proxy.
This means that plans are executed with the identity of the proxy. Thus when integrating the pause into some auth scheme, you will want to trust the pause's proxy and not the pause itself.
A break of any of the following would be classified as a critical issue:
High level
There is no way to bypass the delay
The code executed by the delegatecall cannot directly modify storage on the pause
The pause will always retain ownership of it's proxy
Administrative
authority, owner, and delay can only be changed if an authorized user plots a plan to do so
Plot
A plan can only be plotted if its eta is after block.timestamp + delay
A plan can only be plotted by authorized users
Exec
A plan can only be executed if it has previously been plotted
A plan can only be executed once it's eta has passed
A plan can only be executed if its tag matches extcodehash(usr)
A plan can only be executed once
A plan can be executed by anyone
Drop
A plan can only be dropped by authorized users
DSPause.delay - when the pause delay is set to the maximum, governance can no longer modify the system.
DSPause.delay - when the pause delay is set to the minimum, it is easier to pass malicious governance actions.
