feat: Allow vetoer to disable slasher temporarily (#16971)

Allows the vetoer to disable slashing altogether temporarily. This
allows the vetoer to stop all slashes if a bug is detected that
continuously triggers slashes that are not valid, so the vetoer does not
need to continuously vetoed every individual slash until the issue is
solved.

Slashing is disabled for `slashingDisableDuration` (immutable, set
during deployment, defaults to 5 days) and then automatically resumed.
Vetoer can extend the disabled period at any time, and can also resume
the slashing.

Author: spalladino

l1-contracts/src/core/RollupCore.sol

@@ -255,7 +255,8 @@ contract RollupCore is EIP712("Aztec Rollup", "1"), Ownable, IStakingCore, IVali
         _config.slashAmounts,
         _config.targetCommitteeSize,
         _config.aztecEpochDuration,
-        _config.slashingOffsetInRounds
+        _config.slashingOffsetInRounds,
+        _config.slashingDisableDuration
       );
     } else {
       slasher = EmpireSlasherDeploymentExtLib.deployEmpireSlasher(
@@ -265,7 +266,8 @@ contract RollupCore is EIP712("Aztec Rollup", "1"), Ownable, IStakingCore, IVali
         _config.slashingQuorum,
         _config.slashingRoundSize,
         _config.slashingLifetimeInRounds,
-        _config.slashingExecutionDelayInRounds
+        _config.slashingExecutionDelayInRounds,
+        _config.slashingDisableDuration
       );
     }
 

l1-contracts/src/core/interfaces/IRollup.sol

@@ -67,6 +67,7 @@ struct RollupConfigInput {
   uint256 slashingOffsetInRounds;
   SlasherFlavor slasherFlavor;
   address slashingVetoer;
+  uint256 slashingDisableDuration;
   uint256 manaTarget;
   uint256 exitDelaySeconds;
   uint32 version;

l1-contracts/src/core/interfaces/ISlasher.sol

@@ -12,7 +12,10 @@ enum SlasherFlavor {
 
 interface ISlasher {
   event VetoedPayload(address indexed payload);
+  event SlashingDisabled(uint256 disabledUntil);
 
   function slash(IPayload _payload) external returns (bool);
   function vetoPayload(IPayload _payload) external returns (bool);
+  function setSlashingEnabled(bool _enabled) external;
+  function isSlashingEnabled() external view returns (bool);
 }

l1-contracts/src/core/libraries/rollup/EmpireSlasherDeploymentExtLib.sol

@@ -24,10 +24,11 @@ library EmpireSlasherDeploymentExtLib {
     uint256 _quorumSize,
     uint256 _roundSize,
     uint256 _lifetimeInRounds,
-    uint256 _executionDelayInRounds
+    uint256 _executionDelayInRounds,
+    uint256 _slashingDisableDuration
   ) external returns (ISlasher) {
     // Deploy slasher first
-    Slasher slasher = new Slasher(_vetoer, _governance);
+    Slasher slasher = new Slasher(_vetoer, _governance, _slashingDisableDuration);
 
     // Deploy proposer with slasher address
     EmpireSlashingProposer proposer = new EmpireSlashingProposer(

l1-contracts/src/core/libraries/rollup/TallySlasherDeploymentExtLib.sol

@@ -27,10 +27,11 @@ library TallySlasherDeploymentExtLib {
     uint256[3] calldata _slashAmounts,
     uint256 _committeeSize,
     uint256 _epochDuration,
-    uint256 _slashOffsetInRounds
+    uint256 _slashOffsetInRounds,
+    uint256 _slashingDisableDuration
   ) external returns (ISlasher) {
     // Deploy slasher first
-    Slasher slasher = new Slasher(_vetoer, _governance);
+    Slasher slasher = new Slasher(_vetoer, _governance, _slashingDisableDuration);
 
     // Deploy proposer with slasher address
     TallySlashingProposer proposer = new TallySlashingProposer(

l1-contracts/src/core/slashing/Slasher.sol

@@ -8,9 +8,12 @@ import {IPayload} from "@aztec/governance/interfaces/IPayload.sol";
 contract Slasher is ISlasher {
   address public immutable GOVERNANCE;
   address public immutable VETOER;
+  uint256 public immutable SLASHING_DISABLE_DURATION;
   // solhint-disable-next-line var-name-mixedcase
   address public PROPOSER;
 
+  uint256 public slashingDisabledUntil = 0;
+
   mapping(address payload => bool vetoed) public vetoedPayloads;
 
   error Slasher__SlashFailed(address target, bytes data, bytes returnData);
@@ -19,10 +22,12 @@ contract Slasher is ISlasher {
   error Slasher__PayloadVetoed(address payload);
   error Slasher__AlreadyInitialized();
   error Slasher__ProposerZeroAddress();
+  error Slasher__SlashingDisabled();
 
-  constructor(address _vetoer, address _governance) {
+  constructor(address _vetoer, address _governance, uint256 _slashingDisableDuration) {
     GOVERNANCE = _governance;
     VETOER = _vetoer;
+    SLASHING_DISABLE_DURATION = _slashingDisableDuration;
   }
 
   // solhint-disable-next-line comprehensive-interface
@@ -39,8 +44,19 @@ contract Slasher is ISlasher {
     return true;
   }
 
+  function setSlashingEnabled(bool _enabled) external override(ISlasher) {
+    require(msg.sender == VETOER, Slasher__CallerNotVetoer(msg.sender, VETOER));
+    if (!_enabled) {
+      slashingDisabledUntil = block.timestamp + SLASHING_DISABLE_DURATION;
+    } else {
+      slashingDisabledUntil = 0;
+    }
+    emit SlashingDisabled(slashingDisabledUntil);
+  }
+
   function slash(IPayload _payload) external override(ISlasher) returns (bool) {
     require(msg.sender == PROPOSER || msg.sender == GOVERNANCE, Slasher__CallerNotAuthorizedToSlash(msg.sender));
+    require(block.timestamp >= slashingDisabledUntil, Slasher__SlashingDisabled());
     require(!vetoedPayloads[address(_payload)], Slasher__PayloadVetoed(address(_payload)));
 
     IPayload.Action[] memory actions = _payload.getActions();
@@ -51,4 +67,8 @@ contract Slasher is ISlasher {
 
     return true;
   }
+
+  function isSlashingEnabled() external view override(ISlasher) returns (bool) {
+    return block.timestamp >= slashingDisabledUntil;
+  }
 }

l1-contracts/test/governance/scenario/slashing/TallySlashing.t.sol

@@ -205,7 +205,7 @@ contract SlashingTest is TestBase {
 
     _setupCommitteeForSlashing(_lifetimeInRounds, _executionDelayInRounds);
     address[] memory attesters = rollup.getEpochCommittee(Epoch.wrap(INITIAL_EPOCH));
-    uint96 slashAmount = 20e18;
+    uint96 slashAmount = uint96(slashingProposer.SLASH_AMOUNT_SMALL());
     SlashRound firstSlashingRound = _createSlashingVotes(slashAmount, attesters.length);
 
     uint256 firstExecutableSlot =
@@ -232,7 +232,7 @@ contract SlashingTest is TestBase {
     _lifetimeInRounds = bound(_lifetimeInRounds, _executionDelayInRounds + 1, 127); // Must be < ROUNDABOUT_SIZE
 
     _setupCommitteeForSlashing(_lifetimeInRounds, _executionDelayInRounds);
-    uint96 slashAmount = 20e18;
+    uint96 slashAmount = uint96(slashingProposer.SLASH_AMOUNT_SMALL());
     SlashRound firstSlashingRound = _createSlashingVotes(slashAmount, COMMITTEE_SIZE);
 
     uint256 firstExecutableSlot =
@@ -275,7 +275,7 @@ contract SlashingTest is TestBase {
 
     _setupCommitteeForSlashing(_lifetimeInRounds, _executionDelayInRounds);
     address[] memory attesters = rollup.getEpochCommittee(Epoch.wrap(INITIAL_EPOCH));
-    uint96 slashAmount = 20e18;
+    uint96 slashAmount = uint96(slashingProposer.SLASH_AMOUNT_SMALL());
     SlashRound firstSlashingRound = _createSlashingVotes(slashAmount, attesters.length);
 
     // For tally slashing, we need to predict the payload address and veto it
@@ -307,6 +307,81 @@ contract SlashingTest is TestBase {
     slashingProposer.executeRound(firstSlashingRound, committees);
   }
 
+  function test_SlashingDisableTimestamp() public {
+    _setupCommitteeForSlashing();
+    address[] memory attesters = rollup.getEpochCommittee(Epoch.wrap(INITIAL_EPOCH));
+    uint96 slashAmount = uint96(slashingProposer.SLASH_AMOUNT_SMALL());
+    SlashRound firstSlashingRound = _createSlashingVotes(slashAmount, attesters.length);
+
+    // Initially slashing should be enabled
+    assertEq(slasher.isSlashingEnabled(), true, "Slashing should be enabled initially");
+
+    // Disable slashing temporarily
+    vm.prank(address(slasher.VETOER()));
+    slasher.setSlashingEnabled(false);
+
+    // Should be disabled now
+    assertEq(slasher.isSlashingEnabled(), false, "Slashing should be disabled after setting to false");
+    uint256 disableDuration = slasher.SLASHING_DISABLE_DURATION();
+
+    // Fast forward time but not past the disable duration (still disabled)
+    vm.warp(block.timestamp + disableDuration - 10 minutes);
+    assertEq(slasher.isSlashingEnabled(), false, "Slashing should still be disabled after 30 minutes");
+
+    // Fast forward time beyond the disable duration (should be enabled again)
+    vm.warp(block.timestamp + disableDuration + 1 minutes);
+    assertEq(slasher.isSlashingEnabled(), true, "Slashing should be enabled again after disable duration expires");
+
+    // Re-enable manually by calling setSlashingEnabled(true)
+    vm.prank(address(slasher.VETOER()));
+    slasher.setSlashingEnabled(false);
+    assertEq(slasher.isSlashingEnabled(), false, "Slashing should be disabled again");
+
+    vm.prank(address(slasher.VETOER()));
+    slasher.setSlashingEnabled(true);
+    assertEq(slasher.isSlashingEnabled(), true, "Slashing should be enabled after manual re-enable");
+  }
+
+  function test_CannotSlashIfDisabled() public {
+    // Use fixed values for a deterministic test
+    uint256 _lifetimeInRounds = 5;
+    uint256 _executionDelayInRounds = 1;
+
+    _setupCommitteeForSlashing(_lifetimeInRounds, _executionDelayInRounds);
+    address[] memory attesters = rollup.getEpochCommittee(Epoch.wrap(INITIAL_EPOCH));
+    uint96 slashAmount = uint96(slashingProposer.SLASH_AMOUNT_SMALL());
+    SlashRound firstSlashingRound = _createSlashingVotes(slashAmount, attesters.length);
+
+    // Calculate executable slot
+    uint256 firstExecutableSlot =
+      (SlashRound.unwrap(firstSlashingRound) + _executionDelayInRounds + 1) * slashingProposer.ROUND_SIZE();
+
+    // Setup committees
+    address[][] memory committees = new address[][](slashingProposer.ROUND_SIZE_IN_EPOCHS());
+    for (uint256 i = 0; i < committees.length; i++) {
+      Epoch epochSlashed = slashingProposer.getSlashTargetEpoch(firstSlashingRound, i);
+      committees[i] = rollup.getEpochCommittee(epochSlashed);
+    }
+
+    // Jump to executable slot
+    timeCheater.cheat__jumpToSlot(firstExecutableSlot);
+
+    // Disable slashing - this should prevent execution for 1 hour
+    vm.prank(address(slasher.VETOER()));
+    slasher.setSlashingEnabled(false);
+
+    // Should fail while slashing is disabled
+    vm.expectRevert(abi.encodeWithSelector(Slasher.Slasher__SlashingDisabled.selector));
+    slashingProposer.executeRound(firstSlashingRound, committees);
+
+    // Re-enable manually by calling setSlashingEnabled(true)
+    vm.prank(address(slasher.VETOER()));
+    slasher.setSlashingEnabled(true);
+
+    // Should now work since slashing was re-enabled
+    slashingProposer.executeRound(firstSlashingRound, committees);
+  }
+
   function test_SlashingSmallAmount() public {
     _setupCommitteeForSlashing();
     uint256 howManyToSlash = HOW_MANY_SLASHED;

l1-contracts/test/harnesses/TestConstants.sol

@@ -26,6 +26,7 @@ library TestConstants {
   uint256 internal constant AZTEC_SLASHING_EXECUTION_DELAY_IN_ROUNDS = 0;
   uint256 internal constant AZTEC_SLASHING_OFFSET_IN_ROUNDS = 2;
   address internal constant AZTEC_SLASHING_VETOER = address(0);
+  uint256 internal constant AZTEC_SLASHING_DISABLE_DURATION = 5 days;
   uint256 internal constant AZTEC_SLASH_AMOUNT_SMALL = 20e18;
   uint256 internal constant AZTEC_SLASH_AMOUNT_MEDIUM = 40e18;
   uint256 internal constant AZTEC_SLASH_AMOUNT_LARGE = 60e18;
@@ -103,6 +104,7 @@ library TestConstants {
       slashingExecutionDelayInRounds: AZTEC_SLASHING_EXECUTION_DELAY_IN_ROUNDS,
       slashingOffsetInRounds: AZTEC_SLASHING_OFFSET_IN_ROUNDS,
       slashingVetoer: AZTEC_SLASHING_VETOER,
+      slashingDisableDuration: AZTEC_SLASHING_DISABLE_DURATION,
       manaTarget: AZTEC_MANA_TARGET,
       exitDelaySeconds: AZTEC_EXIT_DELAY_SECONDS,
       provingCostPerMana: AZTEC_PROVING_COST_PER_MANA,

yarn-project/cli/src/config/chain_l2_config.ts

@@ -45,6 +45,8 @@ const DefaultSlashConfig = {
   slashingOffsetInRounds: 2,
   /** No slash vetoer */
   slashingVetoer: EthAddress.ZERO,
+  /** Use default disable duration */
+  slashingDisableDuration: DefaultL1ContractsConfig.slashingDisableDuration,
   /** Use default slash amounts */
   slashAmountSmall: DefaultL1ContractsConfig.slashAmountSmall,
   slashAmountMedium: DefaultL1ContractsConfig.slashAmountMedium,

yarn-project/end-to-end/src/e2e_p2p/add_rollup.test.ts

@@ -162,6 +162,7 @@ describe('e2e_p2p_add_rollup', () => {
         slashingLifetimeInRounds: t.ctx.aztecNodeConfig.slashingLifetimeInRounds,
         slashingExecutionDelayInRounds: t.ctx.aztecNodeConfig.slashingExecutionDelayInRounds,
         slashingVetoer: t.ctx.aztecNodeConfig.slashingVetoer,
+        slashingDisableDuration: t.ctx.aztecNodeConfig.slashingDisableDuration,
         manaTarget: t.ctx.aztecNodeConfig.manaTarget,
         provingCostPerMana: t.ctx.aztecNodeConfig.provingCostPerMana,
         feeJuicePortalInitialBalance: fundingNeeded,