feat(orc-483): add delegtaion docs

chasingrainbows · chasingrainbows · commit 623fb02b0016 · 2026-03-05T16:01:31.000+03:00
diff --git a/README.md b/README.md
@@ -220,7 +220,7 @@ In manual mode all sleeps are disabled and `ALLOW_REPORTING_IN_BUNKER_MODE` is T
 | `KEYS_API_URI`                                         | URI of the Keys API                                                                                                                                                      | True                | `http://localhost:8080`        |
 | `LIDO_LOCATOR_ADDRESS`                                 | Address of the Lido contract                                                                                                                                             | True                | `0x1...`                       |
 | `STAKING_MODULE_ADDRESS`                               | Address of the Staking Module contract                                                                                                                                   | Staking Module only | `0x1...`                       |
-| `DELEGATION_CONTRACT_ADDRESS`                          | Address of the delegation contract. When set, oracle calls are routed through this contract                                                                              | False               | `0x1...`                       |
+| `DELEGATION_CONTRACT_ADDRESS`                          | Address of the delegation contract. When set, oracle calls are routed through this contract. See [delegation guide](docs/delegation.md)                                  | False               | `0x1...`                       |
 | `MEMBER_PRIV_KEY`                                      | Private key of the Oracle member account                                                                                                                                 | False               | `0x1...`                       |
 | `MEMBER_PRIV_KEY_FILE`                                 | A path to the file contained the private key of the Oracle member account. It takes precedence over `MEMBER_PRIV_KEY`                                                    | False               | `/app/private_key`             |
 | `PINATA_JWT`                                           | JWT token to access pinata.cloud IPFS provider                                                                                                                           | True                | `aBcD1234...`                  |
@@ -272,6 +272,10 @@ In manual mode all sleeps are disabled and `ALLOW_REPORTING_IN_BUNKER_MODE` is T
 > STAKING_MODULE_ADDRESS=0xdA7dE2ECdDfccC6c3AF10108Db212ACBBf9EA83F
 > ALLOW_REPORTING_IN_BUNKER_MODE=False
 
+### Delegation
+
+Check out our [delegation guide](docs/delegation.md) for setting up oracle with a delegation contract.
+
 ### Alerts
 
 Check out our [alerting guide](docs/alerts.md) for Prometheus Alertmanager configuration examples.
diff --git a/docs/delegation.md b/docs/delegation.md
@@ -0,0 +1,73 @@
+## Delegation
+
+Delegation allows separating protocol permissions from oracle hot keys. Instead of granting permissions directly to the oracle account, they are granted to a [DelegationContract](https://github.com/lidofinance/delegation-execution-authority), and the oracle executes calls through it.
+
+This enables instant hot key rotation by the contract admin without governance voting.
+
+### How it works
+
+```
+Oracle (hot key)
+    │
+    │  calls execute(target, calldata)
+    ▼
+DelegationContract (holds protocol permissions)
+    │
+    │  forwards call as msg.sender
+    ▼
+Target contract (HashConsensus, AccountingOracle, ExitBusOracle, CSFeeOracle)
+```
+
+When delegation is enabled, the following calls are affected:
+
+| Target contract                                                                            | Method                        | Module             |
+|--------------------------------------------------------------------------------------------|-------------------------------|--------------------|
+| [HashConsensus](https://docs.lido.fi/contracts/hash-consensus)                             | `submitReport`                | All                |
+| [AccountingOracle](https://docs.lido.fi/contracts/accounting-oracle)                       | `submitReportData`            | Accounting         |
+| [AccountingOracle](https://docs.lido.fi/contracts/accounting-oracle)                       | `submitReportExtraDataList`   | Accounting         |
+| [AccountingOracle](https://docs.lido.fi/contracts/accounting-oracle)                       | `submitReportExtraDataEmpty`  | Accounting         |
+| [ValidatorsExitBusOracle](https://docs.lido.fi/contracts/validators-exit-bus-oracle)       | `submitReportData`            | Ejector            |
+| CSFeeOracle                                                                                | `submitReportData`            | Staking Module     |
+
+The target contract sees `DelegationContract` as `msg.sender`, so all permissions must be granted to the delegation contract address, not to the oracle account.
+
+### Setup
+
+#### 1. Deploy delegation contract
+
+The contract admin deploys a `DelegationContract` instance via `DelegationFactory` from the [delegation-execution-authority](https://github.com/lidofinance/delegation-execution-authority) repository.
+
+#### 2. Grant protocol permissions
+
+Governance grants oracle member permissions to the deployed `DelegationContract` address (not to the oracle hot key).
+
+#### 3. Assign oracle as delegatee
+
+The contract admin calls `assignDelegate(oracleAddress)` on the delegation contract, where `oracleAddress` is the oracle operator's account address.
+
+#### 4. Configure the oracle
+
+Set the environment variable:
+
+```bash
+DELEGATION_CONTRACT_ADDRESS=0x...  # deployed DelegationContract address
+```
+
+### Startup validation
+
+On startup the oracle validates the delegation setup:
+
+- If `DELEGATION_CONTRACT_ADDRESS` is not set, delegation is disabled and the oracle sends transactions directly.
+- If set but `MEMBER_PRIV_KEY` is not configured (dry mode), validation is skipped.
+- If the contract has no delegatee (`address(0)`), the oracle fails with `NotConfiguredError`.
+- If the contract's delegatee does not match the oracle account, the oracle fails with `DelegateMismatchError`.
+
+### Key rotation
+
+To rotate the oracle hot key:
+
+1. Admin calls `assignDelegate(newOracleAddress)` on the delegation contract.
+2. Update `MEMBER_PRIV_KEY` in the oracle config to the new key.
+3. Restart the oracle.
+
+No governance vote is required.
