fix: address Protocol Registry informationals from Certora audit (#1690)

**Motivation:**

Address informational findings from the Certora audit for Protocol
Registry (PR-1655). These improvements enhance validation, prevent
potential issues with orphaned configurations, and improve documentation
clarity.

**Modifications:**

1. **Fix I-01: ship() lacks validation**
- Added array length validation: `addresses.length == configs.length ==
names.length`
- Added zero address validation: revert if any address is `address(0)`
   - Added new errors: `ArrayLengthMismatch()` and `InputAddressZero()`

2. **Fix I-02: Orphaned configs on name overwrite**
- When re-shipping a name with a new address, the old address's
`DeploymentConfig` is now deleted
   - Added `DeploymentConfigDeleted(address)` event to signal cleanup
   - Prevents orphaned configs that could cause confusion

3. **Fix I-03: configure() for unshipped addresses**
   - Update `configure` function to pass in a name
- Added validation that the address must be a shipped deployment before
allowing configuration

5. **Fix I-04: Fix misleading NatSpec**
- Updated `ship()` NatSpec to document that names can be re-shipped with
new addresses
- Clarified that old address configs are automatically deleted when this
happens
- Updated `configure()` NatSpec to indicate address must be previously
shipped

6. **Fix I-05: Document pauseAll blocking**
- Added warning documentation that `pauseAll()` will revert if ANY
pausable deployment fails
- A single misconfigured deployment can block the entire protocol pause
   - Important for operational awareness during emergency scenarios

**Result:**

- `ship()` validates inputs before processing
- No more orphaned configs when re-shipping names
- `configure()` only works for shipped addresses
- Clearer documentation on expected behavior and edge cases
- Operators understand risks of `pauseAll()` failure scenarios

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: ypatil12

docs/core/ProtocolRegistry.md

@@ -82,17 +82,19 @@ A contract name may be passed to this function repeatedly; each time, the previo
 ### `configure`
 
 ```solidity
-function configure(address addr, DeploymentConfig calldata config) external onlyRole(DEFAULT_ADMIN_ROLE)
+function configure(string calldata name, DeploymentConfig calldata config) external onlyRole(DEFAULT_ADMIN_ROLE)
 ```
 
 Updates the stored `DeploymentConfig` for a single deployment:
 
 *Effects*:
+* Looks up the address for `name` from `_deployments`.
 * Overwrites `_deploymentConfigs[addr]` with the supplied configuration.
 * Emits `DeploymentConfigured(addr, config)`.
 
 *Requirements*:
 * Caller must hold `DEFAULT_ADMIN_ROLE`.
+* `name` must have been previously shipped.
 
 ### `pauseAll`
 

pkg/bindings/IProtocolRegistry/binding.go

@@ -37,26 +37,37 @@ contract ProtocolRegistry is Initializable, AccessControlEnumerableUpgradeable,
         string[] calldata names,
         string calldata semanticVersion
     ) external onlyRole(DEFAULT_ADMIN_ROLE) {
+        // Validate array lengths match
+        require(addresses.length == configs.length && configs.length == names.length, ArrayLengthMismatch());
+
         // Update the semantic version.
         _updateSemanticVersion(semanticVersion);
         for (uint256 i = 0; i < addresses.length; ++i) {
+            // Validate no zero addresses
+            require(addresses[i] != address(0), InputAddressZero());
             // Append each provided
             _appendDeployment(addresses[i], configs[i], names[i]);
         }
     }
 
     /// @inheritdoc IProtocolRegistry
     function configure(
-        address addr,
+        string calldata name,
         DeploymentConfig calldata config
     ) external onlyRole(DEFAULT_ADMIN_ROLE) {
+        // Verify name is a shipped deployment and get its address (O(1) lookup)
+        (bool exists, address addr) = _deployments.tryGet(_unwrap(name.toShortString()));
+        require(exists, DeploymentNotShipped());
         // Update the config
         _deploymentConfigs[addr] = config;
         // Emit the event.
         emit DeploymentConfigured(addr, config);
     }
 
     /// @inheritdoc IProtocolRegistry
+    /// @dev WARNING: This function will revert if ANY pausable deployment fails to pause.
+    ///      Ensure all deployments marked as pausable correctly implement IPausable.pauseAll().
+    ///      A single misconfigured deployment will block the entire protocol pause.
     function pauseAll() external onlyRole(PAUSER_ROLE) {
         uint256 length = totalDeployments();
         // Iterate over all stored deployments.
@@ -89,8 +100,17 @@ contract ProtocolRegistry is Initializable, AccessControlEnumerableUpgradeable,
         DeploymentConfig calldata config,
         string calldata name
     ) internal {
+        uint256 nameKey = _unwrap(name.toShortString());
+
+        // Clean up old config if name exists with different address
+        (bool exists, address oldAddr) = _deployments.tryGet(nameKey);
+        if (exists && oldAddr != addr) {
+            delete _deploymentConfigs[oldAddr];
+            emit DeploymentConfigDeleted(oldAddr);
+        }
+
         // Store name => address mapping
-        _deployments.set({key: _unwrap(name.toShortString()), value: addr});
+        _deployments.set({key: nameKey, value: addr});
         // Store deployment config
         _deploymentConfigs[addr] = config;
         // Emit the events.

pkg/bindings/ProtocolRegistry/binding.go

@@ -1,7 +1,16 @@
 // SPDX-License-Identifier: BUSL-1.1
 pragma solidity ^0.8.27;
 
-interface IProtocolRegistryErrors {}
+interface IProtocolRegistryErrors {
+    /// @notice Thrown when array lengths don't match in ship().
+    error ArrayLengthMismatch();
+
+    /// @notice Thrown when a zero address is provided.
+    error InputAddressZero();
+
+    /// @notice Thrown when trying to configure an address that hasn't been shipped.
+    error DeploymentNotShipped();
+}
 
 interface IProtocolRegistryTypes {
     /// @notice Configuration for a protocol deployment.
@@ -24,6 +33,10 @@ interface IProtocolRegistryEvents is IProtocolRegistryTypes {
     /// @param config The configuration for the deployment.
     event DeploymentConfigured(address indexed addr, DeploymentConfig config);
 
+    /// @notice Emitted when a deployment config is deleted due to name re-assignment.
+    /// @param addr The address whose config was deleted.
+    event DeploymentConfigDeleted(address indexed addr);
+
     /// @notice Emitted when the semantic version is updated.
     /// @param previousSemanticVersion The previous semantic version.
     /// @param semanticVersion The new semantic version.
@@ -41,13 +54,15 @@ interface IProtocolRegistry is IProtocolRegistryErrors, IProtocolRegistryEvents
 
     /// @notice Ships a list of deployments.
     /// @dev Only callable by the admin.
-    /// @param addresses The addresses of the deployments to ship.
+    /// @param addresses The addresses of the deployments to ship. Must not contain zero addresses.
     /// @param configs The configurations of the deployments to ship.
     /// @param contractNames The names of the contracts to ship.
     /// @param semanticVersion The semantic version to ship.
     /// @dev Contract names can be passed in as type(contract).name, e.g. `type(AllocationManager).name`
     /// @dev Contract names must be <= 31 bytes
-    /// @dev Contract names can be overridden any number of times.
+    /// @dev Contract names can be re-shipped with a new address. When this happens,
+    ///      the old address's config is automatically deleted to prevent orphaned configs.
+    /// @dev All input arrays (`addresses`, `configs`, `names`) must have the same length.
     function ship(
         address[] calldata addresses,
         DeploymentConfig[] calldata configs,
@@ -56,16 +71,18 @@ interface IProtocolRegistry is IProtocolRegistryErrors, IProtocolRegistryEvents
     ) external;
 
     /// @notice Configures a deployment.
-    /// @dev Only callable by the admin.
-    /// @param addr The address of the deployment to configure.
+    /// @dev Only callable by the admin. Name must have been previously shipped.
+    /// @param name The name of the deployment to configure.
     /// @param config The configuration to set.
     function configure(
-        address addr,
+        string calldata name,
         DeploymentConfig calldata config
     ) external;
 
     /// @notice Pauses all deployments that support pausing.
     /// @dev Loops over all deployments and attempts to invoke `pauseAll()` on each contract that is marked as pausable.
+    /// @dev WARNING: Reverts if any pausable deployment doesn't implement IPausable or if any pauseAll() call reverts.
+    ///      A single misconfigured deployment will block the entire protocol pause. Ensure registry is correctly configured.
     function pauseAll() external;
 
     /// @notice Returns the full semantic version string of the protocol (e.g. "1.2.3").

pkg/bindings/ProtocolRegistryStorage/binding.go

@@ -139,17 +139,171 @@ contract ProtocolRegistryUnitTests is EigenLayerUnitTestSetup, IProtocolRegistry
         assertEq(protocolRegistry.getAddress("Contract3"), addr3);
     }
 
+    function test_ship_revert_arrayLengthMismatch_addressesConfigs() public {
+        address[] memory addresses = new address[](2);
+        addresses[0] = address(0x1);
+        addresses[1] = address(0x2);
+
+        IProtocolRegistryTypes.DeploymentConfig[] memory configs = new IProtocolRegistryTypes.DeploymentConfig[](1);
+        configs[0] = IProtocolRegistryTypes.DeploymentConfig({pausable: false, deprecated: false});
+
+        string[] memory names = new string[](2);
+        names[0] = "A";
+        names[1] = "B";
+
+        cheats.expectRevert(ArrayLengthMismatch.selector);
+        protocolRegistry.ship(addresses, configs, names, "1.0.0");
+    }
+
+    function test_ship_revert_arrayLengthMismatch_configsNames() public {
+        address[] memory addresses = new address[](2);
+        addresses[0] = address(0x1);
+        addresses[1] = address(0x2);
+
+        IProtocolRegistryTypes.DeploymentConfig[] memory configs = new IProtocolRegistryTypes.DeploymentConfig[](2);
+        configs[0] = IProtocolRegistryTypes.DeploymentConfig({pausable: false, deprecated: false});
+        configs[1] = IProtocolRegistryTypes.DeploymentConfig({pausable: false, deprecated: false});
+
+        string[] memory names = new string[](1);
+        names[0] = "A";
+
+        cheats.expectRevert(ArrayLengthMismatch.selector);
+        protocolRegistry.ship(addresses, configs, names, "1.0.0");
+    }
+
+    function test_ship_revert_zeroAddress() public {
+        address[] memory addresses = new address[](2);
+        addresses[0] = address(0x1);
+        addresses[1] = address(0); // Zero address
+
+        IProtocolRegistryTypes.DeploymentConfig[] memory configs = new IProtocolRegistryTypes.DeploymentConfig[](2);
+        configs[0] = IProtocolRegistryTypes.DeploymentConfig({pausable: false, deprecated: false});
+        configs[1] = IProtocolRegistryTypes.DeploymentConfig({pausable: false, deprecated: false});
+
+        string[] memory names = new string[](2);
+        names[0] = "A";
+        names[1] = "B";
+
+        cheats.expectRevert(InputAddressZero.selector);
+        protocolRegistry.ship(addresses, configs, names, "1.0.0");
+    }
+
+    function test_ship_overwriteName_deletesOldConfig() public {
+        address oldAddr = address(0x111);
+        address newAddr = address(0x222);
+        string memory name = "TestContract";
+
+        // Ship with old address
+        address[] memory addresses1 = new address[](1);
+        addresses1[0] = oldAddr;
+        IProtocolRegistryTypes.DeploymentConfig[] memory configs1 = new IProtocolRegistryTypes.DeploymentConfig[](1);
+        configs1[0] = IProtocolRegistryTypes.DeploymentConfig({pausable: true, deprecated: false});
+        string[] memory names1 = new string[](1);
+        names1[0] = name;
+        protocolRegistry.ship(addresses1, configs1, names1, "1.0.0");
+
+        // Verify old address is set
+        assertEq(protocolRegistry.getAddress(name), oldAddr);
+
+        // Ship same name with new address - should emit DeploymentConfigDeleted for old address
+        address[] memory addresses2 = new address[](1);
+        addresses2[0] = newAddr;
+        IProtocolRegistryTypes.DeploymentConfig[] memory configs2 = new IProtocolRegistryTypes.DeploymentConfig[](1);
+        configs2[0] = IProtocolRegistryTypes.DeploymentConfig({pausable: false, deprecated: true});
+        string[] memory names2 = new string[](1);
+        names2[0] = name;
+
+        cheats.expectEmit(true, true, true, true, address(protocolRegistry));
+        emit DeploymentConfigDeleted(oldAddr);
+        cheats.expectEmit(true, true, true, true, address(protocolRegistry));
+        emit DeploymentShipped(newAddr, configs2[0]);
+
+        protocolRegistry.ship(addresses2, configs2, names2, "1.1.0");
+
+        // Verify new address is set
+        assertEq(protocolRegistry.getAddress(name), newAddr);
+        // Verify total deployments is still 1 (not 2)
+        assertEq(protocolRegistry.totalDeployments(), 1);
+    }
+
+    function test_ship_sameNameSameAddress_noDeleteEvent() public {
+        address addr = address(0x111);
+        string memory name = "TestContract";
+
+        // Ship with address
+        address[] memory addresses1 = new address[](1);
+        addresses1[0] = addr;
+        IProtocolRegistryTypes.DeploymentConfig[] memory configs1 = new IProtocolRegistryTypes.DeploymentConfig[](1);
+        configs1[0] = IProtocolRegistryTypes.DeploymentConfig({pausable: true, deprecated: false});
+        string[] memory names1 = new string[](1);
+        names1[0] = name;
+        protocolRegistry.ship(addresses1, configs1, names1, "1.0.0");
+
+        // Ship same name with same address - should NOT emit DeploymentConfigDeleted
+        IProtocolRegistryTypes.DeploymentConfig[] memory configs2 = new IProtocolRegistryTypes.DeploymentConfig[](1);
+        configs2[0] = IProtocolRegistryTypes.DeploymentConfig({pausable: false, deprecated: true});
+
+        // We only expect DeploymentShipped, not DeploymentConfigDeleted
+        cheats.expectEmit(true, true, true, true, address(protocolRegistry));
+        emit DeploymentShipped(addr, configs2[0]);
+
+        protocolRegistry.ship(addresses1, configs2, names1, "1.1.0");
+    }
+
     /// -----------------------------------------------------------------------
     /// configure()
     /// -----------------------------------------------------------------------
 
     function test_configure_OnlyOwner() public {
+        // First ship a deployment
         address addr = cheats.randomAddress();
-        IProtocolRegistryTypes.DeploymentConfig memory config = IProtocolRegistryTypes.DeploymentConfig({pausable: true, deprecated: false});
+        address[] memory addresses = new address[](1);
+        addresses[0] = addr;
+        IProtocolRegistryTypes.DeploymentConfig[] memory configs = new IProtocolRegistryTypes.DeploymentConfig[](1);
+        configs[0] = IProtocolRegistryTypes.DeploymentConfig({pausable: false, deprecated: false});
+        string[] memory names = new string[](1);
+        names[0] = "TestName";
+        protocolRegistry.ship(addresses, configs, names, "1.0.0");
+
+        IProtocolRegistryTypes.DeploymentConfig memory newConfig =
+            IProtocolRegistryTypes.DeploymentConfig({pausable: true, deprecated: false});
 
         cheats.prank(nonOwner);
         cheats.expectRevert();
-        protocolRegistry.configure(addr, config);
+        protocolRegistry.configure("TestName", newConfig);
+    }
+
+    function test_configure_revert_unshippedName() public {
+        IProtocolRegistryTypes.DeploymentConfig memory config = IProtocolRegistryTypes.DeploymentConfig({pausable: true, deprecated: false});
+
+        cheats.expectRevert(DeploymentNotShipped.selector);
+        protocolRegistry.configure("Unshipped", config);
+    }
+
+    function test_configure_succeeds_shippedName() public {
+        address shipped = address(0x111);
+
+        // First ship the address
+        address[] memory addresses = new address[](1);
+        addresses[0] = shipped;
+        IProtocolRegistryTypes.DeploymentConfig[] memory configs = new IProtocolRegistryTypes.DeploymentConfig[](1);
+        configs[0] = IProtocolRegistryTypes.DeploymentConfig({pausable: false, deprecated: false});
+        string[] memory names = new string[](1);
+        names[0] = "Test";
+        protocolRegistry.ship(addresses, configs, names, "1.0.0");
+
+        // Now configure should succeed
+        IProtocolRegistryTypes.DeploymentConfig memory newConfig =
+            IProtocolRegistryTypes.DeploymentConfig({pausable: true, deprecated: true});
+
+        cheats.expectEmit(true, true, true, true, address(protocolRegistry));
+        emit DeploymentConfigured(shipped, newConfig);
+
+        protocolRegistry.configure("Test", newConfig);
+
+        (, IProtocolRegistryTypes.DeploymentConfig memory retrievedConfig) = protocolRegistry.getDeployment("Test");
+        assertEq(retrievedConfig.pausable, true);
+        assertEq(retrievedConfig.deprecated, true);
     }
 
     function test_configure_Correctness() public {
@@ -178,7 +332,7 @@ contract ProtocolRegistryUnitTests is EigenLayerUnitTestSetup, IProtocolRegistry
         cheats.expectEmit(true, true, true, true, address(protocolRegistry));
         emit DeploymentConfigured(addr, newConfig);
 
-        protocolRegistry.configure(addr, newConfig);
+        protocolRegistry.configure("TestContract", newConfig);
 
         (, IProtocolRegistryTypes.DeploymentConfig memory retrievedConfig) = protocolRegistry.getDeployment("TestContract");
         assertEq(retrievedConfig.pausable, true);