1.0.0-rc3

contracts/DualGovernance.sol

@@ -226,7 +226,7 @@ contract DualGovernance is IDualGovernance {
     ///     or `VetoSignallingDeactivation` state.
     /// @dev If the Dual Governance state is not `VetoSignalling` or `VetoSignallingDeactivation`, the function will
     ///     exit early, emitting the `CancelAllPendingProposalsSkipped` event without canceling any proposals.
-    /// @return isProposalsCancelled A boolean indicating whether the proposals were successfully canceled (`true`)
+    /// @return isProposalsCancelled A boolean indicating whether the proposals were successfully cancelled (`true`)
     ///     or the cancellation was skipped due to an inappropriate state (`false`).
     function cancelAllPendingProposals() external returns (bool) {
         _stateMachine.activateNextState();
@@ -240,7 +240,7 @@ contract DualGovernance is IDualGovernance {
             ///     reached consensus. This could lead to a situation where a proposer’s cancelAllPendingProposals() call
             ///     becomes unexecutable if the Dual Governance state changes. However, it might become executable again if
             ///     the system state shifts back to VetoSignalling or VetoSignallingDeactivation.
-            ///     To avoid such a scenario, an early return is used instead of a revert when proposals cannot be canceled
+            ///     To avoid such a scenario, an early return is used instead of a revert when proposals cannot be cancelled
             ///     due to an unsuitable Dual Governance state.
             emit CancelAllPendingProposalsSkipped();
             return false;
@@ -265,7 +265,7 @@ contract DualGovernance is IDualGovernance {
     ///     - The Dual Governance system is in the `Normal` or `VetoCooldown` state.
     ///     - If the system is in the `VetoCooldown` state, the proposal must have been submitted before the system
     ///         last entered the `VetoSignalling` state.
-    ///     - The proposal has not already been scheduled, canceled, or executed.
+    ///     - The proposal has not already been scheduled, cancelled, or executed.
     ///     - The required delay period, as defined by `ITimelock.getAfterSubmitDelay()`, has elapsed since the proposal
     ///         was submitted.
     /// @param proposalId The unique identifier of the proposal to check.
@@ -282,9 +282,9 @@ contract DualGovernance is IDualGovernance {
     ///     `DualGovernance.cancelAllPendingProposals()` method.
     /// @dev Proposal cancellation is only allowed when the Dual Governance system is in the `VetoSignalling` or
     ///     `VetoSignallingDeactivation` states. In any other state, the cancellation will be skipped and no proposals
-    ///     will be canceled.
+    ///     will be cancelled.
     /// @return canCancelAllPendingProposals A boolean value indicating whether the pending proposals can be
-    ///     canceled (`true`) or not (`false`) based on the current `effective` state of the Dual Governance system.
+    ///     cancelled (`true`) or not (`false`) based on the current `effective` state of the Dual Governance system.
     function canCancelAllPendingProposals() external view returns (bool) {
         return _stateMachine.canCancelAllPendingProposals({useEffectiveState: true});
     }
@@ -397,7 +397,7 @@ contract DualGovernance is IDualGovernance {
         _proposers.setProposerExecutor(proposerAccount, newExecutor);
 
         /// @dev after update of the proposer, check that admin executor still belongs to some proposer
-        _proposers.checkRegisteredExecutor(TIMELOCK.getAdminExecutor());
+        _proposers.checkRegisteredExecutor(msg.sender);
     }
 
     /// @notice Unregisters a proposer from the system.

contracts/EmergencyProtectedTimelock.sol

@@ -137,7 +137,7 @@ contract EmergencyProtectedTimelock is IEmergencyProtectedTimelock {
     /// @param proposalId The id of the proposal to be executed.
     function execute(uint256 proposalId) external {
         _emergencyProtection.checkEmergencyMode({isActive: false});
-        _proposals.execute(proposalId, _timelockState.getAfterScheduleDelay());
+        _proposals.execute(proposalId, _timelockState.getAfterScheduleDelay(), MIN_EXECUTION_DELAY);
     }
 
     /// @notice Cancels all non-executed proposals, preventing them from being executed in the future.
@@ -237,7 +237,11 @@ contract EmergencyProtectedTimelock is IEmergencyProtectedTimelock {
     function emergencyExecute(uint256 proposalId) external {
         _emergencyProtection.checkEmergencyMode({isActive: true});
         _emergencyProtection.checkCallerIsEmergencyExecutionCommittee();
-        _proposals.execute({proposalId: proposalId, afterScheduleDelay: Duration.wrap(0)});
+        _proposals.execute({
+            proposalId: proposalId,
+            afterScheduleDelay: Durations.ZERO,
+            minExecutionDelay: Durations.ZERO
+        });
     }
 
     /// @notice Deactivates the emergency mode.

contracts/Escrow.sol

@@ -140,7 +140,7 @@ contract Escrow is ISignallingEscrow, IRageQuitEscrow {
         }
         _checkCallerIsDualGovernance();
 
-        _escrowState.initialize(minAssetsLockDuration);
+        _escrowState.initialize(minAssetsLockDuration, MAX_MIN_ASSETS_LOCK_DURATION);
 
         ST_ETH.approve(address(WST_ETH), type(uint256).max);
         ST_ETH.approve(address(WITHDRAWAL_QUEUE), type(uint256).max);
@@ -275,6 +275,9 @@ contract Escrow is ISignallingEscrow, IRageQuitEscrow {
     /// @param hints An array of hints required by the WithdrawalQueue to efficiently retrieve
     ///        the claimable amounts for the unstETH NFTs.
     function markUnstETHFinalized(uint256[] memory unstETHIds, uint256[] calldata hints) external {
+        if (unstETHIds.length == 0) {
+            revert EmptyUnstETHIds();
+        }
         DUAL_GOVERNANCE.activateNextState();
         _escrowState.checkSignallingEscrow();
 
@@ -310,6 +313,7 @@ contract Escrow is ISignallingEscrow, IRageQuitEscrow {
     /// @param newMinAssetsLockDuration The new minimum lock duration to be set.
     function setMinAssetsLockDuration(Duration newMinAssetsLockDuration) external {
         _checkCallerIsDualGovernance();
+        _escrowState.checkSignallingEscrow();
         _escrowState.setMinAssetsLockDuration(newMinAssetsLockDuration, MAX_MIN_ASSETS_LOCK_DURATION);
     }
 

contracts/TimelockedGovernance.sol

@@ -70,6 +70,7 @@ contract TimelockedGovernance is IGovernance {
     }
 
     /// @notice Cancels all pending proposals that have not been executed.
+    /// @return A boolean indicating whether the operation was successful.
     function cancelAllPendingProposals() external returns (bool) {
         _checkCallerIsGovernance();
         TIMELOCK.cancelAllNonExecutedProposals();

contracts/committees/TiebreakerCoreCommittee.sol

@@ -11,6 +11,7 @@ import {ITimelock} from "../interfaces/ITimelock.sol";
 import {ITiebreaker} from "../interfaces/ITiebreaker.sol";
 import {IDualGovernance} from "../interfaces/IDualGovernance.sol";
 import {ITiebreakerCoreCommittee} from "../interfaces/ITiebreakerCoreCommittee.sol";
+import {ISealable} from "../interfaces/ISealable.sol";
 
 import {HashConsensus} from "./HashConsensus.sol";
 import {ProposalsList} from "./ProposalsList.sol";
@@ -26,6 +27,7 @@ enum ProposalType {
 contract TiebreakerCoreCommittee is ITiebreakerCoreCommittee, HashConsensus, ProposalsList {
     error ResumeSealableNonceMismatch();
     error ProposalDoesNotExist(uint256 proposalId);
+    error SealableIsNotPaused(address sealable);
     error InvalidSealable(address sealable);
 
     address public immutable DUAL_GOVERNANCE;
@@ -112,15 +114,12 @@ contract TiebreakerCoreCommittee is ITiebreakerCoreCommittee, HashConsensus, Pro
 
     /// @notice Votes on a proposal to resume a sealable address
     /// @dev Allows committee members to vote on resuming a sealable address
-    ///      reverts if the sealable address is the zero address
+    ///      reverts if the sealable address is the zero address or if the sealable address is not paused
     /// @param sealable The address to resume
     /// @param nonce The nonce for the resume proposal
     function sealableResume(address sealable, uint256 nonce) external {
         _checkCallerIsMember();
-
-        if (sealable == address(0)) {
-            revert InvalidSealable(sealable);
-        }
+        checkSealableIsPaused(sealable);
 
         if (nonce != _sealableResumeNonces[sealable]) {
             revert ResumeSealableNonceMismatch();
@@ -147,6 +146,18 @@ contract TiebreakerCoreCommittee is ITiebreakerCoreCommittee, HashConsensus, Pro
         return _getHashState(key);
     }
 
+    /// @notice Checks if a sealable address is paused
+    /// @dev Checks if the sealable address is paused by calling the getResumeSinceTimestamp function on the ISealable contract
+    /// @param sealable The address to check
+    function checkSealableIsPaused(address sealable) public view {
+        if (sealable == address(0)) {
+            revert InvalidSealable(sealable);
+        }
+        if (ISealable(sealable).getResumeSinceTimestamp() <= block.timestamp) {
+            revert SealableIsNotPaused(sealable);
+        }
+    }
+
     /// @notice Executes an approved resume sealable proposal
     /// @dev Executes the resume sealable proposal by calling the tiebreakerResumeSealable function on the Dual Governance contract
     /// @param sealable The address to resume

contracts/committees/TiebreakerSubCommittee.sol

@@ -21,8 +21,6 @@ enum ProposalType {
 /// @notice This contract allows a subcommittee to vote on and execute proposals for scheduling and resuming sealable addresses
 /// @dev Inherits from HashConsensus for voting mechanisms and ProposalsList for proposal management
 contract TiebreakerSubCommittee is HashConsensus, ProposalsList {
-    error InvalidSealable(address sealable);
-
     address public immutable TIEBREAKER_CORE_COMMITTEE;
 
     constructor(
@@ -95,14 +93,12 @@ contract TiebreakerSubCommittee is HashConsensus, ProposalsList {
 
     /// @notice Votes on a proposal to resume a sealable address
     /// @dev Allows committee members to vote on resuming a sealable address
-    ///      reverts if the sealable address is the zero address
+    ///      reverts if the sealable address is the zero address or if the sealable address is not paused
     /// @param sealable The address to resume
     function sealableResume(address sealable) external {
         _checkCallerIsMember();
+        ITiebreakerCoreCommittee(TIEBREAKER_CORE_COMMITTEE).checkSealableIsPaused(sealable);
 
-        if (sealable == address(0)) {
-            revert InvalidSealable(sealable);
-        }
         (bytes memory proposalData, bytes32 key,) = _encodeSealableResume(sealable);
         _vote(key, true);
         _pushProposal(key, uint256(ProposalType.ResumeSealable), proposalData);

contracts/interfaces/IDualGovernance.sol

@@ -38,17 +38,20 @@ interface IDualGovernance is IGovernance, ITiebreaker {
     function getEffectiveState() external view returns (State effectiveState);
     function getStateDetails() external view returns (StateDetails memory stateDetails);
 
-    function registerProposer(address proposer, address executor) external;
+    function registerProposer(address proposerAccount, address executor) external;
     function setProposerExecutor(address proposerAccount, address newExecutor) external;
-    function unregisterProposer(address proposer) external;
-    function isProposer(address account) external view returns (bool);
-    function getProposer(address account) external view returns (Proposers.Proposer memory proposer);
+    function unregisterProposer(address proposerAccount) external;
+    function isProposer(address proposerAccount) external view returns (bool);
+    function getProposer(address proposerAccount) external view returns (Proposers.Proposer memory proposer);
     function getProposers() external view returns (Proposers.Proposer[] memory proposers);
-    function isExecutor(address account) external view returns (bool);
+    function isExecutor(address executor) external view returns (bool);
 
     function resealSealable(address sealable) external;
     function setResealCommittee(address newResealCommittee) external;
     function setResealManager(IResealManager newResealManager) external;
     function getResealManager() external view returns (IResealManager);
     function getResealCommittee() external view returns (address);
+
+    function setProposalsCanceller(address newProposalsCanceller) external;
+    function getProposalsCanceller() external view returns (address);
 }

contracts/interfaces/ITiebreakerCoreCommittee.sol

@@ -7,4 +7,5 @@ interface ITiebreakerCoreCommittee {
     function scheduleProposal(uint256 proposalId) external;
     function sealableResume(address sealable, uint256 nonce) external;
     function checkProposalExists(uint256 proposalId) external view;
+    function checkSealableIsPaused(address sealable) external view;
 }

contracts/libraries/DualGovernanceConfig.sol

@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: MIT
 pragma solidity 0.8.26;
 
-import {PercentD16} from "../types/PercentD16.sol";
+import {PercentD16, PercentsD16, HUNDRED_PERCENT_D16} from "../types/PercentD16.sol";
 import {Duration, Durations} from "../types/Duration.sol";
 import {Timestamp, Timestamps} from "../types/Timestamp.sol";
 
@@ -13,6 +13,7 @@ library DualGovernanceConfig {
     // Errors
     // ---
 
+    error InvalidSecondSealRageQuitSupport(PercentD16 secondSealRageQuitSupport);
     error InvalidRageQuitSupportRange(PercentD16 firstSealRageQuitSupport, PercentD16 secondSealRageQuitSupport);
     error InvalidRageQuitEthWithdrawalsDelayRange(
         Duration rageQuitEthWithdrawalsMinDelay, Duration rageQuitEthWithdrawalsMaxDelay
@@ -26,7 +27,7 @@ library DualGovernanceConfig {
 
     /// @notice Configuration values for Dual Governance.
     /// @param firstSealRageQuitSupport The percentage of the total stETH supply that must be reached in the Signalling
-    ///     Escrow to transition Dual Governance from the Normal state to the VetoSignalling state.
+    ///     Escrow to transition Dual Governance from Normal, VetoCooldown and RageQuit states to the VetoSignalling state.
     /// @param secondSealRageQuitSupport The percentage of the total stETH supply that must be reached in the
     ///     Signalling Escrow to transition Dual Governance into the RageQuit state.
     ///
@@ -64,6 +65,12 @@ library DualGovernanceConfig {
         Duration rageQuitEthWithdrawalsDelayGrowth;
     }
 
+    // ---
+    // Constants
+    // ---
+
+    uint256 internal constant MAX_SECOND_SEAL_RAGE_QUIT_SUPPORT = HUNDRED_PERCENT_D16;
+
     // ---
     // Main Functionality
     // ---
@@ -72,6 +79,10 @@ library DualGovernanceConfig {
     ///     of the Dual Governance system.
     /// @param self The configuration context.
     function validate(Context memory self) internal pure {
+        if (self.secondSealRageQuitSupport > PercentsD16.from(MAX_SECOND_SEAL_RAGE_QUIT_SUPPORT)) {
+            revert InvalidSecondSealRageQuitSupport(self.secondSealRageQuitSupport);
+        }
+
         if (self.firstSealRageQuitSupport >= self.secondSealRageQuitSupport) {
             revert InvalidRageQuitSupportRange(self.firstSealRageQuitSupport, self.secondSealRageQuitSupport);
         }
@@ -203,11 +214,11 @@ library DualGovernanceConfig {
         Context memory self,
         uint256 rageQuitRound
     ) internal pure returns (Duration) {
-        return Durations.min(
-            self.rageQuitEthWithdrawalsMinDelay.plusSeconds(
-                rageQuitRound * self.rageQuitEthWithdrawalsDelayGrowth.toSeconds()
-            ),
-            self.rageQuitEthWithdrawalsMaxDelay
-        );
+        uint256 rageQuitWithdrawalsDelayInSeconds = self.rageQuitEthWithdrawalsMinDelay.toSeconds()
+            + rageQuitRound * self.rageQuitEthWithdrawalsDelayGrowth.toSeconds();
+
+        return rageQuitWithdrawalsDelayInSeconds > self.rageQuitEthWithdrawalsMaxDelay.toSeconds()
+            ? self.rageQuitEthWithdrawalsMaxDelay
+            : Durations.from(rageQuitWithdrawalsDelayInSeconds);
     }
 }

contracts/libraries/EscrowState.sol

@@ -71,11 +71,16 @@ library EscrowState {
 
     /// @notice Initializes the Escrow state to SignallingEscrow.
     /// @param self The context of the Escrow State library.
-    /// @param minAssetsLockDuration The minimum assets lock duration.
-    function initialize(Context storage self, Duration minAssetsLockDuration) internal {
+    /// @param minAssetsLockDuration The initial minimum assets lock duration.
+    /// @param maxMinAssetsLockDuration Sanity check upper bound for min assets lock duration.
+    function initialize(
+        Context storage self,
+        Duration minAssetsLockDuration,
+        Duration maxMinAssetsLockDuration
+    ) internal {
         _checkState(self, State.NotInitialized);
         _setState(self, State.SignallingEscrow);
-        _setMinAssetsLockDuration(self, minAssetsLockDuration);
+        setMinAssetsLockDuration(self, minAssetsLockDuration, maxMinAssetsLockDuration);
     }
 
     /// @notice Starts the rage quit process.
@@ -116,7 +121,8 @@ library EscrowState {
         ) {
             revert InvalidMinAssetsLockDuration(newMinAssetsLockDuration);
         }
-        _setMinAssetsLockDuration(self, newMinAssetsLockDuration);
+        self.minAssetsLockDuration = newMinAssetsLockDuration;
+        emit MinAssetsLockDurationSet(newMinAssetsLockDuration);
     }
 
     // ---
@@ -205,12 +211,4 @@ library EscrowState {
         self.state = newState;
         emit EscrowStateChanged(prevState, newState);
     }
-
-    /// @notice Sets the minimum assets lock duration.
-    /// @param self The context of the Escrow State library.
-    /// @param newMinAssetsLockDuration The new minimum assets lock duration.
-    function _setMinAssetsLockDuration(Context storage self, Duration newMinAssetsLockDuration) private {
-        self.minAssetsLockDuration = newMinAssetsLockDuration;
-        emit MinAssetsLockDurationSet(newMinAssetsLockDuration);
-    }
 }