feat: cleaner generator updates (#1537)

**Motivation:**

We want to solve two problems:
1. Currently, `updateGenerator` will not work in all cases because when
we call `updateOperatorTable`, the
`bn254CertificateVerifier.isRootValidByTimestamp` must be true. This
*only* works if the `latestReferenceTimestamp` for the new generator is
the same as what the previous generator was initialized to
2. Have a clearer state machine for special casing the `generator`

**Modifications:**

1. Get rid of `setGenerator` and only have `updateGenerator`
2. Remove notion of a configurable `referenceTimestamp` from
`Generator`. The `Generator` *always* has a reference timestamp of
`GENERATOR_REFERENCE_TIMESTAMP`. Now, the reference timestamp is not set
in initialization or in `updateGenerator`
3. Require that `updateGenerator` can only be called for a *new*
operatorSet.
4. Require the `updateOperatorTable` cannot update the table for the
`Generator`
5. Prevent the `GENERATOR_GLOBAL_TABLE_ROOT` from being disabled
6. Hard-code the `operatorSetConfig` for the `generator`
7. Update deploy scripts to remove the `referenceTimestamp` and
`operatorSetConfig`

Also, update documentation & zeus script for
`CrossChainRegistry.tableUpdateCadence`

**Result:**

Clearer state machine

---------

Co-authored-by: Michael <[email protected]>

Author: ypatil12

docs/multichain/destination/OperatorTableUpdater.md

@@ -19,17 +19,18 @@ The `OperatorTableUpdater` is responsible for updating the `GlobalTableRoot` and
 The contract supports both BN254 and ECDSA operator tables and routes updates to the appropriate certificate verifier based on the curve type.
 
 ## Parameterization
-Upon initialization, the `generator` is updated. The `generator` is represented in storage as an operatorSet. The `generator` should be considered a ghost-operatorSet` since it does not exist in the core protocol, does not have stake backing it, and is not transported to other chains via the multichain protocol. It can only be updated upon initialization or by a [privileged role](#updategenerator). This entity is the same across all destination chains. 
+Upon initialization, the `generator` is updated. The `generator` is represented in storage as an operatorSet. The `generator` should be considered a ghost-operatorSet` since it does not exist in the core protocol, does not have stake backing it, and is not transported to other chains via the multichain protocol. It can only be set upon initialization and a new generator can be set by [privileged role](#updategenerator). This entity is the same across all destination chains. 
 
 The following values are set upon initialization: 
 
 * `generator` is an EigenLabs-run entity that signs off on `globalTableRoots`. The operatorSet is of size 1. 
 * `globalRootConfirmationThreshold`: 10000. The threshold in basis points required for global root confirmation. Since the operatorSet is of size 1 a single signature is needed.
-* `referenceTimestamp`: A past timestamp at which the `generator` is set. We hardcode this value to 1 upon initialization. This value is also the `latestReferenceTimestamp`. Once roots are updated, the `latestReferenceTimestamp` will increase. *Note: the reference timestamp for the `generator`, given by `operatorTableUpdater.getGeneratorReferenceTimestamp` will remain 1 unless [`updateGenerator`](#updategenerator) is called*.
 * `generatorInfo`: The key material needed to verify certificates of the `generator`
 * `operatorSetConfig`: A configuration for the `generator` 
-    * `maxStalenessPeriod`: 0. Set to zero to confirm `globalTableRoots` without updating the `generator` operatorSet. See [`CertificateVerifier`](./CertificateVerifier.md#overview) for specifics`OperatorTableUpdater`. It is the same across all destination chains, even for destination chains that are supported after the initial deployment. 
-    * `owner`: Unused parameter for `Generator`
+    * `maxStalenessPeriod`: 0 (`GENERATOR_MAX_STALENESS_PERIOD`). Set to zero to allow confirmation of generator certificates regardless of `referenceTimestamp`. See [`CertificateVerifier`](./CertificateVerifier.md#overview) for speccifics
+    * `owner`: Unused parameter for `Generator`. Set to the address of the `OperatorTableUpdater`
+* The `latestReferenceTimestamp` for the `Generator` is 1 (`GENERATOR_REFERENCE_TIMESTAMP`)
+* The `globalTableRoot` for the `Generator` is `GENERATOR_GLOBAL_TABLE_ROOT`
 
 Operator tables are updated daily on testnet and weekly on mainnet. 
 ---
@@ -113,6 +114,7 @@ Updates an operator table by verifying its inclusion in a confirmed global table
 *Requirements*:
 * The contract MUST NOT be paused for operator table updates
 * The `globalTableRoot` MUST be valid (not disabled)
+* The `operatorSet` MUST NOT be the `generator` (generator updates are handled separately)
 * The `referenceTimestamp` MUST be greater than the latest timestamp for the operator set
 * The merkle proof MUST verify the operator table's inclusion in the global root
 * The `globalTableRoot` at `referenceTimestamp` MUST match the provided root
@@ -124,28 +126,40 @@ Updates an operator table by verifying its inclusion in a confirmed global table
 
 The `owner` can configure the `generator` and confirmation parameters.
 
-### `setGenerator`
+### `updateGenerator`
 
 ```solidity
 /**
- * @notice Set the operatorSet which certifies against global roots
- * @param operatorSet the operatorSet which certifies against global roots
- * @dev The `operatorSet` is used to verify the certificate of the global table root
+ * @notice Updates the `Generator` to a new operatorSet
+ * @param generator The operatorSet which certifies against global roots
+ * @param GeneratorInfo The operatorSetInfo for the generator
+ * @param GeneratorConfig The operatorSetConfig for the generator
+ * @dev We have a separate function for updating this operatorSet since it's not transported and updated
+ *      in the same way as the other operatorSets
  * @dev Only callable by the owner of the contract
+ * @dev Uses GENERATOR_GLOBAL_TABLE_ROOT constant to break circular dependency for certificate verification
+ * @dev We ensure that there are no collisions with other reference timestamps because we expect the generator to have an initial reference timestamp of 0
+ * @dev The `_latestReferenceTimestamp` is not updated since this root is ONLY used for the `Generator`
  */
-function setGenerator(
-    OperatorSet calldata operatorSet
+function updateGenerator(
+    OperatorSet calldata generator,
+    BN254OperatorSetInfo calldata GeneratorInfo,
+    OperatorSetConfig calldata GeneratorConfig
 ) external;
 ```
 
-Updates the operator set responsible for confirming global table roots.
+Updates the operator set responsible for confirming global table roots. This function can only be called for operatorSets that have an uninitialized `latestReferenceTimestamp` in the `BN254CertificateVerifier`, ensuring that only *new* operatorSets can be the generator. Once set, the `latestReferenceTimestamp` for the generator is always 1 (`GENERATOR_REFERENCE_TIMESTAMP`).
 
 *Effects*:
 * Updates `_generator` to the new `operatorSet`
+* Calls [`bn254CertificateVerifier.updateOperatorTable`](./CertificateVerifier.md#updateoperatortable-1)
 * Emits a `GeneratorUpdated` event
+* Sets the `GENERATOR_GLOBAL_TABLE_ROOT` to be valid
 
 *Requirements*:
 * Caller MUST be the `owner`
+* The `latestReferenceTimestamp` for the `generator` MUST be zero
+* Meet all requirements in [`bn254CertificateVerifier.updateOperatorTable`](../destination/CertificateVerifier.md#updateoperatortable-1)
 
 ### `setGlobalRootConfirmationThreshold`
 
@@ -192,31 +206,4 @@ Disables a global table root, preventing further operator table updates against
 *Requirements*:
 * Caller MUST be the `pauser`
 * The `globalTableRoot` MUST exist and be currently valid
-
-### `updateGenerator`
-
-```solidity
-/**
- * @notice Updates the operator table for the generator
- * @param referenceTimestamp The reference timestamp of the operator table update
- * @param generatorInfo The operatorSetInfo for the generator
- * @param generatorConfig The operatorSetConfig for the generator
- * @dev We have a separate function for updating this operatorSet since it's not transported and updated
- *      in the same way as the other operatorSets
- * @dev Only callable by the owner of the contract
- */
-function updateGenerator(
-    uint32 referenceTimestamp,
-    BN254OperatorSetInfo calldata generatorInfo,
-    OperatorSetConfig calldata generatorConfig
-) external;
-```
-
-Updates the operator table for the `generator` itself. This operatorSet is a ["shadow-operatorSet"](#parameterization), so it must be updated manually
-
-*Effects*:
-* Calls `bn254CertificateVerifier.updateOperatorTable` for the `generator`
-
-*Requirements*:
-* Caller MUST be the `owner`
-* Meet all requirements in [`bn254CertificateVerifier.updateOperatorTable`](../destination/CertificateVerifier.md#updateoperatortable-1)
+* The `globalTableRoot` MUST NOT be the `GENERATOR_GLOBAL_TABLE_ROOT`

docs/multichain/source/CrossChainRegistry.md

@@ -303,9 +303,10 @@ Removes chain IDs from the global whitelist, preventing them from being used as
 
 ```solidity
 /**
- * @notice Sets the global table update cadence
- * @param tableUpdateCadence The table update cadence to set
+ * @notice Sets the table update cadence in seconds
+ * @param tableUpdateCadence the table update cadence
  * @dev msg.sender must be the owner of the CrossChainRegistry
+ * @dev The table update cadence cannot be 0
  */
 function setTableUpdateCadence(
     uint32 tableUpdateCadence

script/deploy/multichain/deploy_globalRootConfirmerSet.s.sol

@@ -63,23 +63,14 @@ contract DeployGlobalRootConfirmerSet is Script, Test {
         );
         operatorSetInfo.operatorInfoTreeRoot = operatorInfoLeaves.merkleizeKeccak();
 
-        /**
-         *
-         *                     Create the `operatorSetConfig` struct
-         *
-         */
-        ICrossChainRegistry.OperatorSetConfig memory operatorSetConfig;
-        operatorSetConfig.owner = operator.key.addr;
-        operatorSetConfig.maxStalenessPeriod = 0;
-
         /**
          *
          *                     OUTPUT - OPERATOR SET INFO (TOML FORMAT)
          *
          */
 
         // Write operator set info to TOML file
-        _writeOperatorSetToml(network, operatorSetInfo, operatorSetConfig);
+        _writeOperatorSetToml(network, operatorSetInfo);
 
         /**
          *
@@ -129,29 +120,20 @@ contract DeployGlobalRootConfirmerSet is Script, Test {
 
     function _writeOperatorSetToml(
         string memory network,
-        IOperatorTableCalculatorTypes.BN254OperatorSetInfo memory operatorSetInfo,
-        ICrossChainRegistry.OperatorSetConfig memory operatorSetConfig
+        IOperatorTableCalculatorTypes.BN254OperatorSetInfo memory operatorSetInfo
     ) internal {
         // Build JSON object using serializeJson
         string memory json_obj = "toml_output";
 
         // Top level fields
         vm.serializeUint(json_obj, "globalRootConfirmationThreshold", 10_000);
-        vm.serializeUint(json_obj, "referenceTimestamp", block.timestamp);
 
         // globalRootConfirmerSet object
         string memory confirmerSet_obj = "globalRootConfirmerSet";
         vm.serializeString(confirmerSet_obj, "avs", AVS.toHexString());
         string memory confirmerSetOutput = vm.serializeUint(confirmerSet_obj, "id", 0);
         vm.serializeString(json_obj, "globalRootConfirmerSet", confirmerSetOutput);
 
-        // globalRootConfirmerSetConfig object
-        string memory confirmerSetConfig_obj = "globalRootConfirmerSetConfig";
-        vm.serializeUint(confirmerSetConfig_obj, "maxStalenessPeriod", operatorSetConfig.maxStalenessPeriod);
-        string memory confirmerSetConfigOutput =
-            vm.serializeAddress(confirmerSetConfig_obj, "owner", operatorSetConfig.owner);
-        vm.serializeString(json_obj, "globalRootConfirmerSetConfig", confirmerSetConfigOutput);
-
         // globalRootConfirmerSetInfo object
         string memory confirmerSetInfo_obj = "globalRootConfirmerSetInfo";
         vm.serializeUint(confirmerSetInfo_obj, "numOperators", operatorSetInfo.numOperators);

script/releases/Env.sol

@@ -177,6 +177,10 @@ library Env {
         return _envU256("CROSS_CHAIN_REGISTRY_INIT_PAUSE_STATUS");
     }
 
+    function TABLE_UPDATE_CADENCE() internal view returns (uint32) {
+        return _envU32("TABLE_UPDATE_CADENCE");
+    }
+
     function isSourceChain() internal view returns (bool) {
         return _envBool("SOURCE_CHAIN");
     }

script/releases/v1.7.0-multichain/1-deploySourceChain.s.sol

@@ -68,7 +68,7 @@ contract DeploySourceChain is EOADeployer {
                         CrossChainRegistry.initialize,
                         (
                             Env.opsMultisig(), // initialOwner
-                            1 days, // initialMinimumStalenessPeriod
+                            Env.TABLE_UPDATE_CADENCE(),
                             Env.CROSS_CHAIN_REGISTRY_PAUSE_STATUS()
                         )
                     )
@@ -125,6 +125,9 @@ contract DeploySourceChain is EOADeployer {
         CrossChainRegistry crossChainRegistry = Env.proxy.crossChainRegistry();
         assertTrue(crossChainRegistry.owner() == Env.opsMultisig(), "ccr.owner invalid");
         assertTrue(crossChainRegistry.paused() == Env.CROSS_CHAIN_REGISTRY_PAUSE_STATUS(), "ccr.paused invalid");
+        assertEq(
+            crossChainRegistry.getTableUpdateCadence(), Env.TABLE_UPDATE_CADENCE(), "ccr.tableUpdateCadence invalid"
+        );
 
         // Validate ReleaseManager
         ReleaseManager releaseManager = Env.proxy.releaseManager();

script/releases/v1.7.0-multichain/3-deployDestinationChainImpls.s.sol

@@ -129,17 +129,14 @@ contract DeployDestinationChainImpls is EOADeployer, DeployDestinationChainProxi
         OperatorTableUpdater operatorTableUpdater = Env.impl.operatorTableUpdater();
         OperatorSet memory dummyOperatorSet = OperatorSet({avs: address(0), id: 0});
         IOperatorTableCalculatorTypes.BN254OperatorSetInfo memory dummyBN254Info;
-        ICrossChainRegistryTypes.OperatorSetConfig memory dummyConfig;
 
         vm.expectRevert(errInit);
         operatorTableUpdater.initialize(
             address(0), // owner
             0, // initial paused status
             dummyOperatorSet, // globalRootConfirmerSet
             0, // globalRootConfirmationThreshold
-            0, // referenceTimestamp
-            dummyBN254Info, // globalRootConfirmerSetInfo
-            dummyConfig // globalRootConfirmerSetConfig
+            dummyBN254Info // globalRootConfirmerSetInfo
         );
 
         // ECDSACertificateVerifier and BN254CertificateVerifier don't have initialize functions

script/releases/v1.7.0-multichain/4-instantiateDestinationChainProxies.s.sol

@@ -54,9 +54,7 @@ contract InstantiateDestinationChainProxies is DeployDestinationChainImpls {
                     0, // initial paused status
                     initParams.globalRootConfirmerSet,
                     initParams.globalRootConfirmationThreshold,
-                    initParams.referenceTimestamp,
-                    initParams.globalRootConfirmerSetInfo,
-                    initParams.globalRootConfirmerSetConfig
+                    initParams.globalRootConfirmerSetInfo
                 )
             )
         );
@@ -102,7 +100,45 @@ contract InstantiateDestinationChainProxies is DeployDestinationChainImpls {
         OperatorTableUpdater operatorTableUpdater = Env.proxy.operatorTableUpdater();
         assertTrue(operatorTableUpdater.owner() == Env.opsMultisig(), "operatorTableUpdater.owner invalid");
         assertTrue(operatorTableUpdater.paused() == 0, "operatorTableUpdater.paused invalid");
-        // TODO: add checks on global root confirmer set
+
+        // Checks on the generator
+        OperatorTableUpdaterInitParams memory initParams = _getTableUpdaterInitParams();
+        assertEq(
+            operatorTableUpdater.getGenerator().key(),
+            initParams.globalRootConfirmerSet.key(),
+            "operatorTableUpdater.generator invalid"
+        );
+        assertEq(
+            operatorTableUpdater.getGeneratorReferenceTimestamp(),
+            operatorTableUpdater.GENERATOR_REFERENCE_TIMESTAMP(),
+            "operatorTableUpdater.generatorReferenceTimestamp invalid"
+        );
+        assertEq(
+            operatorTableUpdater.getGeneratorReferenceTimestamp(),
+            1,
+            "operatorTableUpdater.generatorReferenceTimestamp invalid"
+        );
+        assertEq(
+            operatorTableUpdater.getGlobalTableRootByTimestamp(1),
+            operatorTableUpdater.GENERATOR_GLOBAL_TABLE_ROOT(),
+            "operatorTableUpdater.generatorGlobalTableRoot invalid"
+        );
+        assertEq(
+            operatorTableUpdater.getLatestReferenceTimestamp(),
+            0,
+            "operatorTableUpdater.latestReferenceTimestamp invalid"
+        );
+        assertTrue(
+            operatorTableUpdater.isRootValid(operatorTableUpdater.GENERATOR_GLOBAL_TABLE_ROOT()),
+            "operatorTableUpdater.generatorGlobalTableRoot invalid"
+        );
+        assertTrue(
+            operatorTableUpdater.isRootValidByTimestamp(operatorTableUpdater.GENERATOR_REFERENCE_TIMESTAMP()),
+            "operatorTableUpdater.generatorGlobalTableRoot invalid"
+        );
+        ICrossChainRegistryTypes.OperatorSetConfig memory generatorConfig = operatorTableUpdater.getGeneratorConfig();
+        assertEq(generatorConfig.maxStalenessPeriod, 0, "generatorConfig.maxStalenessPeriod invalid");
+        assertEq(generatorConfig.owner, address(operatorTableUpdater), "generatorConfig.owner invalid");
 
         // Validate ECDSACertificateVerifier
         ECDSACertificateVerifier ecdsaCertificateVerifier = Env.proxy.ecdsaCertificateVerifier();
@@ -111,6 +147,11 @@ contract InstantiateDestinationChainProxies is DeployDestinationChainImpls {
         // Validate BN254CertificateVerifier
         BN254CertificateVerifier bn254CertificateVerifier = Env.proxy.bn254CertificateVerifier();
         assertTrue(address(bn254CertificateVerifier) != address(0), "bn254CertificateVerifier not deployed");
+        assertEq(
+            bn254CertificateVerifier.latestReferenceTimestamp(initParams.globalRootConfirmerSet),
+            1,
+            "bn254CertificateVerifier.latestReferenceTimestamp invalid"
+        );
     }
 
     /// @dev Ensure each deployed TUP/beacon is owned by the proxyAdmin/executorMultisig
@@ -165,17 +206,14 @@ contract InstantiateDestinationChainProxies is DeployDestinationChainImpls {
         OperatorTableUpdater operatorTableUpdater = Env.proxy.operatorTableUpdater();
         OperatorSet memory dummyOperatorSet = OperatorSet({avs: address(0), id: 0});
         IOperatorTableCalculatorTypes.BN254OperatorSetInfo memory dummyBN254Info;
-        ICrossChainRegistryTypes.OperatorSetConfig memory dummyConfig;
 
         vm.expectRevert(errInit);
         operatorTableUpdater.initialize(
             address(0), // owner
             0, // initial paused status
             dummyOperatorSet, // globalRootConfirmerSet
             0, // globalRootConfirmationThreshold
-            0, // referenceTimestamp
-            dummyBN254Info, // globalRootConfirmerSetInfo
-            dummyConfig // globalRootConfirmerSetConfig
+            dummyBN254Info // globalRootConfirmerSetInfo
         );
 
         // ECDSACertificateVerifier and BN254CertificateVerifier don't have initialize functions
@@ -217,20 +255,11 @@ contract InstantiateDestinationChainProxies is DeployDestinationChainImpls {
         // Parse globalRootConfirmationThreshold
         initParams.globalRootConfirmationThreshold = uint16(toml.readUint(".globalRootConfirmationThreshold"));
 
-        // Parse referenceTimestamp
-        initParams.referenceTimestamp = uint32(toml.readUint(".referenceTimestamp"));
-
         // Parse globalRootConfirmerSet
         address avs = toml.readAddress(".globalRootConfirmerSet.avs");
         uint32 id = uint32(toml.readUint(".globalRootConfirmerSet.id"));
         initParams.globalRootConfirmerSet = OperatorSet({avs: avs, id: id});
 
-        // Parse globalRootConfirmerSetConfig
-        address owner = toml.readAddress(".globalRootConfirmerSetConfig.owner");
-        uint32 maxStalenessPeriod = uint32(toml.readUint(".globalRootConfirmerSetConfig.maxStalenessPeriod"));
-        initParams.globalRootConfirmerSetConfig =
-            ICrossChainRegistryTypes.OperatorSetConfig({owner: owner, maxStalenessPeriod: maxStalenessPeriod});
-
         // Parse globalRootConfirmerSetInfo
         initParams.globalRootConfirmerSetInfo.numOperators =
             uint256(toml.readUint(".globalRootConfirmerSetInfo.numOperators"));
@@ -248,8 +277,6 @@ contract InstantiateDestinationChainProxies is DeployDestinationChainImpls {
     struct OperatorTableUpdaterInitParams {
         uint16 globalRootConfirmationThreshold;
         OperatorSet globalRootConfirmerSet;
-        ICrossChainRegistryTypes.OperatorSetConfig globalRootConfirmerSetConfig;
         IOperatorTableCalculatorTypes.BN254OperatorSetInfo globalRootConfirmerSetInfo;
-        uint32 referenceTimestamp;
     }
 }

script/releases/v1.7.0-multichain/configs/mainnet.toml

@@ -1,19 +1,10 @@
-# Global root confirmation threshold in basis points (e.g., 10000 = 100%)
-globalRootConfirmationThreshold = 10000
-
-# Reference timestamp
-referenceTimestamp = 1700000000
 
+globalRootConfirmationThreshold = 10000
 # Global root confirmer set configuration
 [globalRootConfirmerSet]
 avs = "0x0000000000000000000000000000000000000042"
 id = 0
 
-# Global root confirmer set config
-[globalRootConfirmerSetConfig]
-maxStalenessPeriod = 0
-owner = "0x0000000000000000000000000000000000000042"
-
 # Global root confirmer set info
 [globalRootConfirmerSetInfo]
 numOperators = 1