discussion: Should we cut out upgrade cancellations?

[smartcontracts]

The L2ChugSplashDeployer currently comes with two functions cancelTransactionBundle and overrideTransactionBundle that allow the owner of the contract to halt upgrades that are already in progress. We intended these features to be a backstop against any sort of bug that would cause us to publish a faulty transaction bundle and unintentionally brick the system.

Some technical restrictions make these functions difficult to support in practice. Specifically, we've found that these functions don't play nice with #892 (feat[contracts]: add ability to pause EM during upgrades) because the method by which we "pause" the system forces all transactions to be routed through the L2ChugSplashDeployer. This has the (intended) effect of preventing any L1 => L2 messages from being relayed to their target contracts. However, cancelTransactionBundle and overrideTransactionBundle were designed to only by triggered via an L1 => L2 message. In order to support these functions, we'd need to add a non-trivial amount of complex logic to the L2ChugSplashDeployer (which is something we're desperately trying to avoid doing during an upgrade).

This issue is intended to act as a place for discussion about whether or not we can safely move forward by removing the two mentioned functions. This would have the following set of effects:

1. Significantly reduced complexity in L2ChugSplashDeployer.
2. No way to cancel upgrades that have already been started.

Although point (2) is potentially scary, I personally feel that we should absolutely never be triggering an upgrade that needs to be cancelled. Upgrades should be double, triple, and quadruple checked. Every mainnet upgrade should be independently verified by each multisig participant (if not by the community at large). Furthermore, it's unlikely that these functions will be useful for cases in which the transaction bundle is valid (you can actually execute actions inside the bundle) because our automation will likely execute the bundle before we even notice something is wrong. The only case in which I can see these functions being potentially useful is if we were ever to sign off on a random hash that can't actually be used as part of a Merkle proof. This seems like such a dramatic failure that we should aim to avoid it at all costs.

[ben-chain]

I agree that it is very reasonable to enforce/expect that an upgrade is such a big deal that it should be meticulously tested and cannot be cancelled once underway.

However, if we end up feeling otherwise, and the complexity that is coming with this is due to having multiple contracts (both L2ChugSplashDeployer and its owner), then we should consider just re-combining them into one contract. If we still want the owner to optionally be an L2 contract, I left a comment here which outlines a construction that would make me feel comfortable with the approach.

[smartcontracts]

Part of the complexity definitely does come from the two separate contracts, but we'd still have to tack on additional complexity (specifically parsing L1 => L2 messages in a manner identical to the L2CrossDomainMessenger). It ends up being harder to test and will definitely add a non-trivial amount of semi-complex code.

[tynes]

I'm not opposed to keeping the simplicity and not having the cancellation ability. We should be able to upgrade away from a bad upgrade right? Unless it is possible to upgrade the chugsplash deployer in a way that breaks it.

Lets think worst case scenario and the system is bricked by a bad upgrade. The obvious solution would be to have a regenesis like event and have the node software automatically switch to the new address manager at a certain height (without a new address manager, we would rely on an archive node for getting the historical values in the address manager). This would be able to stitch together multiple chains, altho the "block offsets" would be off quite a bit. The block offset config option could be solved by placing that config into a contract, I believe there is already thoughts around how to put config options into a contract.

[smartcontracts]

We should be able to upgrade away from a bad upgrade right?

We can upgrade away from a bad upgrade as long as the previous upgrade completes. It is, however, possible to publish an upgrade with a completely random hash that can't be used for a Merkle proof (i.e., the hash is not the root of a real merkle tree). However, I think this is unlikely to happen in practice assuming we verify upgrades multiple times.

[smartcontracts]

Ok unless anyone here feels very strongly about the need to have the ability to cancel upgrades once in progress, I'm going to make the executive decision that we'll remove these functions. I feel we should be absolutely confident in the correctness of our upgrades. Removing these functions will simplify the upgrade code path to a non-trivial extent and will simultaneously force us to be careful with upgrades.

[smartcontracts]

I'm going to open up a PR that removes these functions from the codebase. Any interested parties have until that PR is merged and approved (~1-2 days) to list their complaints. Ty!