Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: automated ejector #146

Merged
merged 16 commits into from
Apr 11, 2024
Merged

feat: automated ejector #146

merged 16 commits into from
Apr 11, 2024

Conversation

0x0aa0
Copy link
Contributor

@0x0aa0 0x0aa0 commented Jan 15, 2024

Here we introduce the EjectionManager contract, the purpose of which is to enforce a ratelimit on stake for ejections called automatically by an offchain component. The contract prioritizes successful execution over the race conditions of changes in total stake and regular operator deregistration.

- trailing window
- try/catch ejection
src/Ejector.sol Outdated Show resolved Hide resolved
src/Ejector.sol Outdated Show resolved Hide resolved
src/Ejector.sol Outdated Show resolved Hide resolved
0x0aa0 and others added 7 commits January 18, 2024 19:27
* @dev This function will eject as many operators as possible without reverting
* @param _operatorIds The ids of the operators to eject for each quorum
*/
function ejectOperators(bytes32[][] memory _operatorIds) external {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i feel like ejectOperators(uint8 quorumNumber, bytes32[] calldata _operatorIds) is more in line with our style

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you caught me red handed. now i realize why i wanted that is we want to eject from multiple quorums at the same time

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could do that outside of the contract too, but ok

break;
}

try registryCoordinator.ejectOperator(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why would we not revert if this failed? why would this fail?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would fail if the operator leaves the set before ejection is called

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah gpgp

@0x0aa0 0x0aa0 requested a review from jianoaix April 6, 2024 22:41

/**
* @notice Ejects operators from the AVSs RegistryCoordinator under a ratelimit
* @param _operatorIds The ids of the operators to eject for each quorum
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's assumed in this parameter by this function?
From the impl below it looks: 1) the caller provides all operators eligible for ejection, but delegate to this function for rate limiting; 2) the operators in each quorum are ordered by priority to eject (in case not all can be ejected, it'll just eject a leading prefix of the array)
Might be good to document the assumptions so the caller knows how to pass the params.

@0x0aa0 0x0aa0 requested review from gpsanant and wadealexc April 11, 2024 04:25
@0x0aa0 0x0aa0 marked this pull request as ready for review April 11, 2024 04:26
@0x0aa0 0x0aa0 requested a review from ChaoticWalrus April 11, 2024 16:35
//if caller is ejector enforce ratelimit
if(
msg.sender == ejector &&
quorumEjectionParams[quorumNumber].rateLimitWindow > 0 &&
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems like this means that no limit will be enforced for new quorums until a limit is explicitly set on this contract for the quorum?
possibly a bit of a "footgun"?
please correct me if I'm reading this wrong though.

Copy link
Contributor Author

@0x0aa0 0x0aa0 Apr 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is correct. My thinking here is that when adding a new quorum, while it is finding its footing we will not want to run automated ejection but reserve the ability to eject without ratelimit in that period. Once the set is more stable the quorum params can be set and offchain can be turned on to run regularly.

Copy link
Contributor

@ChaoticWalrus ChaoticWalrus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall. Noted a couple more minor edge cases / quirks.
I reviewed the tests briefly but not in detail.

src/EjectionManager.sol Outdated Show resolved Hide resolved
quorumEjectionParams[quorumNumber].rateLimitWindow > 0 &&
stakeForEjection + operatorStake > amountEjectable
){
stakeEjectedForQuorum[quorumNumber].push(StakeEjection({
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are we pushing and not continuing here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because we do not want to revert if the stake of the ops in the input is greater than the ratelimit. Here we checkpoint the stake ejected inside the ratelimit and then end execution

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh my bad, i completely misread this

@0x0aa0 0x0aa0 merged commit c29cf07 into dev Apr 11, 2024
3 checks passed
@0x0aa0 0x0aa0 deleted the auto-eject branch April 11, 2024 22:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants