Merge pull request 'fix: Remove recenterAccess — make recenter() public with TWAP enforcement (#706)' (#713) from fix/issue-706 into master

2026-03-14 10:48:59 +01:00 · 2026-03-14 10:48:59 +01:00 · 6ff8282a7e
commit 6ff8282a7e
parent 42e0d93df9 0d3aee15b4
19 changed files with 241 additions and 330 deletions
--- a/onchain/script/BootstrapVWAPPhase2.s.sol
+++ b/onchain/script/BootstrapVWAPPhase2.s.sol
@ -0,0 +1,45 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+pragma solidity ^0.8.19;
+
+import { LiquidityManager } from "../src/LiquidityManager.sol";
+import "forge-std/Script.sol";
+
+/**
+ * @title BootstrapVWAPPhase2
+ * @notice Second phase of the VWAP bootstrap for Base mainnet deployments.
+ *
+ * Run this script >= 60 seconds after DeployBase (or DeployBaseMainnet/DeployBaseSepolia)
+ * finishes. The first recenter() sets lastRecenterTime; the 60-second cooldown must
+ * elapse before this second recenter() can succeed.
+ *
+ * What this does:
+ *   - Calls liquidityManager.recenter() a second time.
+ *   - At this point cumulativeVolume == 0 (bootstrap path) and the seed buy has
+ *     generated ethFee > 0, so recenter() records the VWAP anchor.
+ *   - Asserts cumulativeVolume > 0 to confirm bootstrap success.
+ *
+ * Usage:
+ *   export LM_ADDRESS=<deployed LiquidityManager address>
+ *   forge script script/BootstrapVWAPPhase2.s.sol --tc BootstrapVWAPPhase2 \
+ *     --fork-url $BASE_RPC --broadcast
+ */
+contract BootstrapVWAPPhase2 is Script {
+    function run() public {
+        address lmAddress = vm.envAddress("LM_ADDRESS");
+        LiquidityManager lm = LiquidityManager(payable(lmAddress));
+
+        string memory seedPhrase = vm.readFile(".secret");
+        uint256 privateKey = vm.deriveKey(seedPhrase, 0);
+        vm.startBroadcast(privateKey);
+
+        console.log("Running VWAP bootstrap phase 2 on LiquidityManager:", lmAddress);
+
+        lm.recenter();
+
+        uint256 cumVol = lm.cumulativeVolume();
+        require(cumVol > 0, "VWAP bootstrap failed: cumulativeVolume is still 0");
+        console.log("VWAP bootstrapped successfully. cumulativeVolume:", cumVol);
+
+        vm.stopBroadcast();
+    }
+}
--- a/onchain/script/DeployBase.sol
+++ b/onchain/script/DeployBase.sol
@ -108,32 +108,38 @@ contract DeployBase is Script {
        // Fix: execute a small buy BEFORE handing control to users so that
        // cumulativeVolume>0 by the time the protocol is live.
        //
+        // recenter() is now permissionless and always enforces TWAP stability.
+        // For a fresh pool on Base mainnet this bootstrap must run at least
+        // 300 seconds after pool initialisation (so the TWAP oracle has history).
+        // If the pool was just created in this same script run, the first
+        // recenter() will revert with "price deviated from oracle" — wait 5 min
+        // and call the bootstrap as a separate transaction or script.
+        //
        // Deployer must have SEED_LM_ETH + SEED_SWAP_ETH available (≈0.015 ETH).
        // =====================================================================
        console.log("\nBootstrapping VWAP with seed trade...");

-        // Step 1: Temporarily set deployer as feeDestination to call setRecenterAccess.
-        liquidityManager.setFeeDestination(sender);
-        liquidityManager.setRecenterAccess(sender);
+        // Step 1: Set the real feeDestination before any recenter.
+        liquidityManager.setFeeDestination(feeDest);
+        console.log("feeDestination set to", feeDest);

        // Step 2: Fund LM and place initial bootstrap positions.
+        //   NOTE: recenter() requires TWAP history (>= 300s since pool init).
+        //         On Base mainnet this call will revert if the pool is too fresh.
        (bool funded,) = address(liquidityManager).call{ value: SEED_LM_ETH }("");
        require(funded, "Failed to fund LM for seed bootstrap");
        liquidityManager.recenter();
+        console.log("First recenter complete -> positions placed, cumulativeVolume still 0");

        // Step 3: Seed buy -> generates a non-zero fee in the anchor position.
        SeedSwapper seedSwapper = new SeedSwapper(weth, address(pool), token0isWeth);
        seedSwapper.executeSeedBuy{ value: SEED_SWAP_ETH }(sender);
+        console.log("Seed buy executed -> fee generated in anchor position");

        // Step 4: Second recenter records VWAP (bootstrap path + ethFee > 0).
-        liquidityManager.recenter();
-        require(liquidityManager.cumulativeVolume() > 0, "VWAP bootstrap failed: cumulativeVolume is 0");
-        console.log("VWAP bootstrapped -> cumulativeVolume:", liquidityManager.cumulativeVolume());
-
-        // Step 5: Clean up -> revoke temporary access and set the real feeDestination.
-        liquidityManager.revokeRecenterAccess();
-        liquidityManager.setFeeDestination(feeDest);
-        console.log("recenterAccess revoked, feeDestination set to", feeDest);
+        //   Cannot be called in the same Forge broadcast as Step 2 — recenter() enforces a
+        //   60-second cooldown and there is no time-warp mechanism in a live broadcast.
+        //   Run BootstrapVWAPPhase2.s.sol at least 60 seconds after this script completes.

        console.log("\n=== Deployment Complete ===");
        console.log("Kraiken:", address(kraiken));
@ -142,9 +148,11 @@ contract DeployBase is Script {
        console.log("LiquidityManager:", address(liquidityManager));
        console.log("Optimizer:", optimizerAddress);
        console.log("\nPost-deploy steps:");
-        console.log("  1. Fund LiquidityManager with operational ETH (VWAP already bootstrapped)");
-        console.log("  2. Set recenterAccess to txnBot: lm.setRecenterAccess(txnBot) from feeDestination");
-        console.log("  3. txnBot can now call recenter()");
+        console.log("  1. Wait >= 60 s after this script finishes.");
+        console.log("  2. Run: forge script script/BootstrapVWAPPhase2.s.sol --tc BootstrapVWAPPhase2 --fork-url <RPC> --broadcast");
+        console.log("     This performs the second recenter that records cumulativeVolume > 0.");
+        console.log("  3. Fund LiquidityManager with operational ETH.");
+        console.log("  4. recenter() is permissionless - any address (e.g. txnBot) can call it.");

        vm.stopBroadcast();
    }
--- a/onchain/script/DeployLocal.sol
+++ b/onchain/script/DeployLocal.sol
@ -11,7 +11,6 @@ import { ERC1967Proxy } from "@openzeppelin/proxy/ERC1967/ERC1967Proxy.sol";
 import "@uniswap-v3-core/interfaces/IUniswapV3Factory.sol";
 import "@uniswap-v3-core/interfaces/IUniswapV3Pool.sol";
 import "forge-std/Script.sol";
-import "./DeployCommon.sol";

 /**
 * @title DeployLocal
@ -28,17 +27,6 @@ contract DeployLocal is Script {
    address internal constant weth = 0x4200000000000000000000000000000000000006;
    address internal constant v3Factory = 0x4752ba5DBc23f44D87826276BF6Fd6b1C372aD24;

-    // Seed amounts for VWAP bootstrap.
-    // seedLmEth: initial ETH sent to the LM to create thin bootstrap positions.
-    // seedSwapEth: ETH used for the seed buy.  Must be large enough to move the
-    //   Uniswap tick >400 ticks past the ANCHOR center (minAmplitude = 2*tickSpacing
-    //   = 400 for the 1%-fee pool).  The ANCHOR typically holds ~25% of seedLmEth as
-    //   WETH across a ~7200-tick range; consuming half of that WETH (≈0.125 ETH)
-    //   moves the price ~3600 ticks — well above the 400-tick threshold.
-    //   0.5 ether provides a 4× margin over the minimum needed.
-    uint256 internal constant SEED_LM_ETH = 1 ether;
-    uint256 internal constant SEED_SWAP_ETH = 0.5 ether;
-
    // Deployed contracts
    Kraiken public kraiken;
    Stake public stake;
@ -60,7 +48,7 @@ contract DeployLocal is Script {

        // Deploy Kraiken token
        kraiken = new Kraiken("Kraiken", "KRK");
-        console.log("\n[1/7] Kraiken deployed:", address(kraiken));
+        console.log("\n[1/6] Kraiken deployed:", address(kraiken));

        // Determine token ordering
        token0isWeth = address(weth) < address(kraiken);
@ -68,7 +56,7 @@ contract DeployLocal is Script {

        // Deploy Stake contract
        stake = new Stake(address(kraiken), feeDest);
-        console.log("\n[2/7] Stake deployed:", address(stake));
+        console.log("\n[2/6] Stake deployed:", address(stake));

        // Set staking pool in Kraiken
        kraiken.setStakingPool(address(stake));
@ -79,9 +67,9 @@ contract DeployLocal is Script {
        address liquidityPool = factory.getPool(weth, address(kraiken), FEE);
        if (liquidityPool == address(0)) {
            liquidityPool = factory.createPool(weth, address(kraiken), FEE);
-            console.log("\n[3/7] Uniswap pool created:", liquidityPool);
+            console.log("\n[3/6] Uniswap pool created:", liquidityPool);
        } else {
-            console.log("\n[3/7] Using existing pool:", liquidityPool);
+            console.log("\n[3/6] Using existing pool:", liquidityPool);
        }
        pool = IUniswapV3Pool(liquidityPool);

@ -103,70 +91,22 @@ contract DeployLocal is Script {
        bytes memory params = abi.encodeWithSignature("initialize(address,address)", address(kraiken), address(stake));
        ERC1967Proxy proxy = new ERC1967Proxy(address(optimizerImpl), params);
        address optimizerAddress = address(proxy);
-        console.log("\n[4/7] Optimizer deployed:", optimizerAddress);
+        console.log("\n[4/6] Optimizer deployed:", optimizerAddress);

        // Deploy LiquidityManager
        liquidityManager = new LiquidityManager(v3Factory, weth, address(kraiken), optimizerAddress);
-        console.log("\n[5/7] LiquidityManager deployed:", address(liquidityManager));
+        console.log("\n[5/6] LiquidityManager deployed:", address(liquidityManager));

        // Configure contracts
        kraiken.setLiquidityManager(address(liquidityManager));
        console.log("      LiquidityManager set in Kraiken");

-        console.log("\n[6/7] Configuration complete");
-
-        // =====================================================================
-        // [7/7] VWAP Bootstrap -> seed trade during deployment
-        //
-        // The cumulativeVolume==0 path in recenter() records VWAP from whatever
-        // price exists at the time of the first fee event.  An attacker who
-        // front-runs deployment with a whale buy inflates that anchor.
-        //
-        // Fix: execute a small buy BEFORE handing control to users so that
-        // cumulativeVolume>0 by the time the protocol is live.
-        //
-        // Sequence:
-        //   1. Temporarily make sender the feeDestination (deployer can do this
-        //      because setFeeDestination is gated on deployer, not feeDestination).
-        //      This allows sender to call setRecenterAccess.
-        //   2. Fund LM with SEED_LM_ETH and call recenter() -> places thin initial
-        //      positions; no fees collected yet, so cumulativeVolume stays 0.
-        //   3. Execute seed buy via SeedSwapper -> generates a non-zero WETH fee
-        //      in the anchor position and moves the tick >400 (minimum amplitude).
-        //   4. Call recenter() again -> cumulativeVolume==0 triggers the bootstrap
-        //      path (shouldRecordVWAP=true); ethFee>0 → _recordVolumeAndPrice fires
-        //      → cumulativeVolume>0.  VWAP is now anchored to the real launch price.
-        //   5. Revoke recenterAccess and restore the real feeDestination.
-        // =====================================================================
-        console.log("\n[7/7] Bootstrapping VWAP with seed trade...");
-
-        // Step 1: Grant deployer temporary feeDestination role to enable setRecenterAccess.
-        liquidityManager.setFeeDestination(sender);
-        liquidityManager.setRecenterAccess(sender);
-        console.log("      Temporary recenterAccess granted to deployer");
-
-        // Step 2: Fund LM and place initial bootstrap positions.
-        (bool funded,) = address(liquidityManager).call{ value: SEED_LM_ETH }("");
-        require(funded, "Failed to fund LM for seed bootstrap");
-        liquidityManager.recenter();
-        console.log("      First recenter complete -> positions placed, cumulativeVolume still 0");
-
-        // Step 3: Seed buy -> generates a non-zero fee in the anchor position.
-        SeedSwapper seedSwapper = new SeedSwapper(weth, address(pool), token0isWeth);
-        seedSwapper.executeSeedBuy{ value: SEED_SWAP_ETH }(sender);
-        console.log("      Seed buy executed -> fee generated in anchor position");
-
-        // Step 4: Second recenter records VWAP (bootstrap path + ethFee > 0).
-        liquidityManager.recenter();
-        require(liquidityManager.cumulativeVolume() > 0, "VWAP bootstrap failed: cumulativeVolume is 0");
-        console.log("      Second recenter complete -> VWAP bootstrapped");
-        console.log("      cumulativeVolume:", liquidityManager.cumulativeVolume());
-        console.log("      VWAP (X96):", liquidityManager.getVWAP());
-
-        // Step 5: Clean up -> revoke temporary access and set the real feeDestination.
-        liquidityManager.revokeRecenterAccess();
+        // Set the real feeDestination.
        liquidityManager.setFeeDestination(feeDest);
-        console.log("      recenterAccess revoked, feeDestination restored to", feeDest);
+
+        console.log("\n[6/6] Configuration complete");
+        console.log("      feeDestination set to", feeDest);
+        console.log("      VWAP bootstrap will be performed by the bootstrap script");

        // Print deployment summary
        console.log("\n=== Deployment Summary ===");
@ -177,12 +117,11 @@ contract DeployLocal is Script {
        console.log("Optimizer:", optimizerAddress);

        console.log("\n=== Next Steps ===");
-        console.log("VWAP is already bootstrapped. To go live:");
-        console.log("1. Fund LiquidityManager with operational ETH (current balance includes seed):");
+        console.log("1. bootstrap-common.sh bootstrap_vwap() advances chain time and seeds VWAP.");
+        console.log("2. Fund LiquidityManager with operational ETH:");
        console.log("   cast send", address(liquidityManager), "--value 10ether");
-        console.log("2. Grant recenterAccess to txnBot (call from feeDestination):");
-        console.log("   cast send", address(liquidityManager), "\"setRecenterAccess(address)\" <txnBotAddr>");
-        console.log("3. txnBot can now call recenter() to rebalance positions.");
+        console.log("3. recenter() is permissionless - any address (e.g. txnBot) can call it.");
+        console.log("   TWAP manipulation protection is always enforced (no bypass path).");

        vm.stopBroadcast();
    }
--- a/onchain/script/backtesting/BacktestRunner.s.sol
+++ b/onchain/script/backtesting/BacktestRunner.s.sol
@ -143,14 +143,13 @@ contract BacktestRunner is Script {
        // ------------------------------------------------------------------
        KrAIkenSystem memory sys = KrAIkenDeployer.deploy(address(sp.factory), address(mockWeth), address(krk), sender, initialCapital);

-        // Deploy StrategyExecutor and grant it recenter access on the LM.
-        // recenterAccess bypasses TWAP stability check and cooldown — correct
-        // for simulation where vm.warp drives time, not a real oracle.
-        // sender == feeDestination, so the onlyFeeDestination guard is satisfied.
+        // Deploy StrategyExecutor — recenter() is now permissionless, so no
+        // access grant is needed.  StrategyExecutor.maybeRecenter() calls
+        // recenter() via try/catch and logs "SKIP" on cooldown/TWAP failures.
+        // vm.warp in EventReplayer drives time so TWAP and cooldown pass.
        bool token0isWeth = sp.token0 == address(mockWeth);
        StrategyExecutor executor =
            new StrategyExecutor(sys.lm, IERC20(address(mockWeth)), IERC20(address(krk)), sender, recenterInterval, sp.pool, token0isWeth);
-        sys.lm.setRecenterAccess(address(executor));

        // Deploy baseline strategies and initialize with the same capital as KrAIken.
        BaselineStrategies baselines =
--- a/onchain/script/backtesting/StrategyExecutor.sol
+++ b/onchain/script/backtesting/StrategyExecutor.sol
@ -24,9 +24,9 @@ import { console2 } from "forge-std/console2.sol";
 * notified on every block (for time-in-range) and on each successful recenter
 * (for position lifecycle and fee/IL accounting).
 *
- * Access model: StrategyExecutor must be set as recenterAccess on the LM so that
- * the cooldown and TWAP price-stability checks are bypassed in the simulation
- * (vm.warp advances simulated time, not real oracle state).
+ * Access model: recenter() is permissionless — no special access grant is required.
+ * EventReplayer advances block.timestamp via vm.warp, so the 60-second cooldown and
+ * the 300-second TWAP window pass normally during simulation.
 *
 * TODO(#319): The negligible-impact assumption means we replay historical events
 * as-is without accounting for KrAIken's own liquidity affecting swap outcomes.