feat: ejectImplant to support disallowing self-eject with threshold reduction

Detoo · Detoo · commit 4157544eef87 · 2025-04-25T12:02:25.000-07:00
diff --git a/scripts/yearnBorg.s.sol b/scripts/yearnBorg.s.sol
@@ -119,7 +119,8 @@ contract YearnBorgDeployScript is Script {
             address(ychadSafe),
             address(new PlaceholderFailSafeImplant()), // Placeholder because Yearn BORG does not use failSafe
             true, // _allowManagement
-            true // _allowEjection
+            true, // _allowEjection
+            false // _allowSelfEjectReduce
         );
         sudo = new sudoImplant(
             implantAuth,
diff --git a/src/implants/ejectImplant.sol b/src/implants/ejectImplant.sol
@@ -22,6 +22,7 @@ contract ejectImplant is BaseImplant {
     address public immutable FAIL_SAFE;
     bool public immutable ALLOW_AUTH_MANAGEMENT;
     bool public immutable ALLOW_AUTH_EJECT;
+    bool public immutable ALLOW_AUTH_SELF_EJECT_REDUCE;
     uint256 public failSafeSignerThreshold;
 
     // Errors and Events
@@ -40,12 +41,13 @@ contract ejectImplant is BaseImplant {
 
     /// @param _auth initialize authorization parameters for this contract, including applicable conditions
     /// @param _borgSafe address of the applicable BORG's Gnosis Safe which is adding this ejectImplant
-    constructor(BorgAuth _auth, address _borgSafe, address _failSafe, bool _allowManagement, bool _allowEjection) BaseImplant(_auth, _borgSafe) {
+    constructor(BorgAuth _auth, address _borgSafe, address _failSafe, bool _allowManagement, bool _allowEjection, bool _allowSelfEjectReduce) BaseImplant(_auth, _borgSafe) {
         if (IBaseImplant(_failSafe).IMPLANT_ID() != 0)
             revert ejectImplant_InvalidFailSafeImplant();
         FAIL_SAFE = _failSafe;
         ALLOW_AUTH_MANAGEMENT = _allowManagement;
         ALLOW_AUTH_EJECT = _allowEjection;
+        ALLOW_AUTH_SELF_EJECT_REDUCE = _allowSelfEjectReduce;
     }
 
     /// @notice setFailSafeSignerThreshold for the DAO or oversight BORG to set the maximum threshold for the fail safe to be triggered
@@ -193,6 +195,7 @@ contract ejectImplant is BaseImplant {
     /// @param _reduce boolean to reduce the threshold if the owner is the last to self-eject
     function selfEject(bool _reduce) public conditionCheck {
         if (!ISafe(BORG_SAFE).isOwner(msg.sender)) revert ejectImplant_NotOwner();
+        if(_reduce && !ALLOW_AUTH_SELF_EJECT_REDUCE) revert ejectImplant_ActionNotEnabled();
 
         address[] memory owners = ISafe(BORG_SAFE).getOwners();
          address prevOwner = address(0x1);
diff --git a/test/PBVBorg.t.sol b/test/PBVBorg.t.sol
@@ -60,7 +60,7 @@ contract PBVBorgTest is Test {
     safe = IGnosisSafe(MULTISIG);
     core = new borgCore(auth, 0x1, borgCore.borgModes.whitelist, 'pbv-borg-testing', address(safe));
     failSafe = new failSafeImplant(auth, address(safe), dao);
-    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true);
+    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true, true);
 
 
     //for test: give out some tokens
diff --git a/test/blackList.t.sol b/test/blackList.t.sol
@@ -50,7 +50,7 @@ contract BlackListTest is Test {
     mockPerm = new MockPerm();
 
     failSafe = new failSafeImplant(auth, address(safe), dao);
-    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true);
+    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true, true);
 
     deal(owner, 2 ether);
     deal(MULTISIG, 2 ether);
diff --git a/test/borgCore.t.sol b/test/borgCore.t.sol
@@ -48,7 +48,7 @@ contract BorgCoreTest is Test {
     core = new borgCore(auth, 0x1, borgCore.borgModes.whitelist, 'borg-core-testing', address(safe));
 
     failSafe = new failSafeImplant(auth, address(safe), dao);
-    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true);
+    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true, true);
 
     deal(owner, 2 ether);
     deal(MULTISIG, 2 ether);
diff --git a/test/ejectImplant.t.sol b/test/ejectImplant.t.sol
@@ -49,7 +49,7 @@ contract EjectTest is Test {
     core = new borgCore(auth, 0x1, borgCore.borgModes.whitelist, "eject-testing", address(safe));
     
     failSafe = new failSafeImplant(auth, address(safe), dao);
-    eject = new ejectImplant(auth, MULTISIG, address(failSafe), true, true);
+    eject = new ejectImplant(auth, MULTISIG, address(failSafe), true, true, true);
     vm.prank(dao);
     auth.updateRole(address(eject), 99);
 
diff --git a/test/grantBorg.t.sol b/test/grantBorg.t.sol
@@ -97,7 +97,7 @@ contract GrantBorgTest is Test {
     safe = IGnosisSafe(MULTISIG);
     core = new borgCore(auth, 0x1, borgCore.borgModes.whitelist, 'grant-bool-testing', address(safe));
     failSafe = new failSafeImplant(auth, address(safe), dao);
-    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true);
+    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true, true);
     opGrant = new optimisticGrantImplant(auth, MULTISIG, address(metaVesTController));
     //constructor(Auth _auth, address _borgSafe, uint256 _duration, uint _quorum, uint256 _threshold, uint _cooldown, address _governanceAdapter, address _governanceExecutor, address _metaVesT, address _metaVesTController)
     vetoGrant = new daoVetoGrantImplant(auth, MULTISIG, 600, 5, 10, 600, address(governanceAdapter), address(mockDao), address(metaVesTController));
diff --git a/test/signatureCondition.t.sol b/test/signatureCondition.t.sol
@@ -69,7 +69,7 @@ contract SigConditionTest is Test {
     safe = IGnosisSafe(MULTISIG);
     core = new borgCore(auth, 0x1, borgCore.borgModes.whitelist, 'sig-condition-testing', address(safe));
     failSafe = new failSafeImplant(auth, address(safe), dao);
-    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true);
+    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true, true);
 
     //create SignatureCondition.Logic for and
      SignatureCondition.Logic logic = SignatureCondition.Logic.AND;
diff --git a/test/voteBorg.t.sol b/test/voteBorg.t.sol
@@ -101,7 +101,7 @@ contract VoteBorgTest is Test {
     safe = IGnosisSafe(MULTISIG);
     core = new borgCore(auth, 0x1, borgCore.borgModes.whitelist, 'grant-bool-testing', address(safe));
     failSafe = new failSafeImplant(auth, address(safe), dao);
-    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true);
+    eject = new ejectImplant(auth, MULTISIG, address(failSafe), false, true, true);
     opGrant = new optimisticGrantImplant(auth, MULTISIG, address(metaVesTController));
     //constructor(Auth _auth, address _borgSafe, uint256 _duration, uint _quorum, uint256 _threshold, uint _cooldown, address _governanceAdapter, address _governanceExecutor, address _metaVesT, address _metaVesTController)
     vetoGrant = new daoVetoGrantImplant(auth, MULTISIG, 600, 5, 10, 600, address(governanceAdapter), address(mockDao), address(metaVesTController));
diff --git a/test/yearnBorgAcceptance.t.sol b/test/yearnBorgAcceptance.t.sol
@@ -164,6 +164,7 @@ contract YearnBorgAcceptanceTest is Test {
         assertEq(eject.failSafeSignerThreshold(), 0, "Unexpected failSafeSignerThreshold");
         assertTrue(eject.ALLOW_AUTH_MANAGEMENT(), "Auth management should be allowed");
         assertTrue(eject.ALLOW_AUTH_EJECT(), "Auth ejection should be allowed");
+        assertFalse(eject.ALLOW_AUTH_SELF_EJECT_REDUCE(), "Auth self-eject with reduce should not be allowed");
     }
 
     /// @dev Safe normal operations should be unrestricted
@@ -190,6 +191,12 @@ contract YearnBorgAcceptanceTest is Test {
         // Self-resign without changing threshold
         uint256 thresholdBefore = ychadSafe.getThreshold();
 
+        // Self-resign with threshold reduce should not be allowed
+        vm.expectRevert(abi.encodeWithSelector(ejectImplant.ejectImplant_ActionNotEnabled.selector));
+        vm.prank(testSigner);
+        eject.selfEject(true);
+
+        // Otherwise, it should pass
         vm.prank(testSigner);
         eject.selfEject(false);
 
