Upgradability & Opt-in Proxy

Lagoon vaults are Transparent Upgradable Proxy. This type of contract allow there administrator to upgrade the logic used.

Lagoon uses edited versions of the OpenZeppelin Transparent Upgradeable Proxy and ProxyAdmin, allowing them to carry two more features: an Opt-in system and a Delay mechanism.

Opt-in system

Vault administrator can upgrade there vault to a limited set of audited versions, developed and whitelisted by Lagoon.

When a new version is available, the vault admin can choose to upgrade at any time. Rolling back to a previous version is also supported.

Delay mechanism

Every upgrade will take at least 24 hours to be effective and at maximum 30 days. This system ensure that users have time to evaluate the in-coming upgrade and request a redemption it they want to.

This delay itself can be upgraded. This change is also subject to the same delay mechanism.

Design

Opt-in Proxy

The Opt-in Proxy is what you will usually consider as the vault. This contract is a TransparentUpgradbleProxy by OpenZeppelin with two differences. First it doesn't deploy a ProxyAdmin but DelayProxyAdmin. Second, before each implementation update, it will asked the authorization to the ProtocolRegistry, by calling canUseLogic(address oldLogic, address newLogic).

ProtocolRegistry

A protocol level smart-contract that contains a whitelist of authorized implementations.

Function
Description

canUseLogic(address oldLogic, address newLogic) returns (boolean)

This function checks if newLogic is an authorized Lagoon vault version, in this case, it returns true.

DelayProxyAdmin

A Proxy Admin is a smart-contract deployed by an Opt-inProxy at it's creation. This contract is the only address that can upgrade the Opt-inProxy.

The DelayProxyAdmin has an editable owner that is the only one capable of doing the following calls:

Function
Description

submitImplementation(address _implementation) onlyOwner

Submit an address in the DelayProxyAdmin contract. When the delay is passed, the owner can upgrade the contract to this address.

upgradeAndCall( address proxy, address, bytes memory data ) onlyOwner

Upgrade the target proxy using the implementation previously stored via submitImplementation.

submitDelay( uint256 _delay ) onlyOwner

Submit a new delay. When the current delay is passed, the new delay can be applied.

function updateDelay() onlyOwner

Update the value of the delay to be the one previously submitted via submitDelay.

renounceOwnership() onlyOwner

Renounce the ownership of the DelayAdminProxy making it unusable.

function transferOwnership(address newOwner)

Transfer the ownership and thus the vault upgradability management to another address.

Q&A

Can I make my vault immutable ?

Yes, a vault can become immutable if the owner of DelayProxyAdmin gives up his ownership.

Can I rollback a vault upgrade ?

Any form of downgrades are authorized for now. Not that a downgrade won't re-initialize the state of your vault, which means that if you upgrade again to the previous version, you will get back the previous state.

How can I be informed of new vault versions releases ?

You can track new smart contracts release on our github.

We will also propose soon a telegram chanel to follow our latest updates.

Are the vault owner (admin) and the DelayProxyAdmin owner the same ?

No, those are two different variables present in two different contracts. The vault owner, that we usually call the admin if defined here. His scope is exclusively over the vault roles and operations. On the other hand, the owner of the DelayProxyAdmin can only do operations related to the upgradability of the proxy. They can have the same value but changing one won't change the other.

PreviousFeesNextRoles and capacities

Last updated