IPC-304: add permissioned flag to disable validator changes

src/SubnetActorDiamond.sol

@@ -31,6 +31,7 @@ contract SubnetActorDiamond {
         uint16 activeValidatorsLimit;
         uint256 minCrossMsgFee;
         int8 powerScale;
+        bool permissioned;
     }
 
     constructor(IDiamond.FacetCut[] memory _diamondCut, ConstructorParams memory params) {
@@ -70,6 +71,7 @@ contract SubnetActorDiamond {
         s.powerScale = params.powerScale;
         s.minCrossMsgFee = params.minCrossMsgFee;
         s.currentSubnetHash = s.parentId.createSubnetId(address(this)).toHash();
+        s.permissioned = params.permissioned;
 
         s.validatorSet.activeLimit = params.activeValidatorsLimit;
         // Start the next configuration number from 1, 0 is reserved for no change and the genesis membership

src/errors/IPCErrors.sol

@@ -71,3 +71,4 @@ error FacetCannotBeZero();
 error WrongGateway();
 error CannotFindSubnet();
 error UnknownSubnet();
+error MethodNotAllowed();

src/lib/LibSubnetActorStorage.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT OR Apache-2.0
 pragma solidity 0.8.19;
 
 import {ConsensusType} from "../enums/ConsensusType.sol";
 import {NotGateway, SubnetAlreadyKilled} from "../errors/IPCErrors.sol";
@@ -43,6 +43,8 @@
     ConsensusType consensus;
     /// @notice Determines if the subnet has been bootstrapped (i.e. it has been activated)
     bool bootstrapped;
+    /// @notice Determines if the subnet is permissionless or not
+    bool permissioned;
     /// @notice Determines if the subnet has been successfully killed
     bool killed;
     // =========== Staking ===========

src/subnet/SubnetActorManagerFacet.sol

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: MIT OR Apache-2.0
 pragma solidity 0.8.19;
 
-import {SubnetAlreadyBootstrapped, NotEnoughFunds, CollateralIsZero, CannotReleaseZero, NotOwnerOfPublicKey, EmptyAddress, NotEnoughBalance, NotEnoughBalanceForRewards, NotEnoughCollateral, NotValidator, NotAllValidatorsHaveLeft, NotStakedBefore, InvalidSignatureErr, InvalidCheckpointEpoch, InvalidCheckpointMessagesHash, InvalidPublicKeyLength} from "../errors/IPCErrors.sol";
+import {SubnetAlreadyBootstrapped, NotEnoughFunds, CollateralIsZero, CannotReleaseZero, NotOwnerOfPublicKey, EmptyAddress, NotEnoughBalance, NotEnoughBalanceForRewards, NotEnoughCollateral, NotValidator, NotAllValidatorsHaveLeft, NotStakedBefore, InvalidSignatureErr, InvalidCheckpointEpoch, InvalidCheckpointMessagesHash, InvalidPublicKeyLength, MethodNotAllowed} from "../errors/IPCErrors.sol";
 import {IGateway} from "../interfaces/IGateway.sol";
 import {ISubnetActor} from "../interfaces/ISubnetActor.sol";
 import {BottomUpCheckpoint, CrossMsg} from "../structs/Checkpoint.sol";
@@ -136,6 +136,12 @@ contract SubnetActorManagerFacet is ISubnetActor, SubnetActorModifiers, Reentran
     /// @notice method that allows a validator to join the subnet
     /// @param publicKey The off-chain 65 byte public key that should be associated with the validator
     function join(bytes calldata publicKey) external payable nonReentrant notKilled {
+        // adding this check to prevent new validators from joining
+        // after the subnet has been bootstrapped. We will increase the
+        // functionality in the future to support explicit permissioning.
+        if (s.bootstrapped && s.permissioned) {
+            revert MethodNotAllowed();
+        }
         if (msg.value == 0) {
             revert CollateralIsZero();
         }
@@ -180,6 +186,11 @@ contract SubnetActorManagerFacet is ISubnetActor, SubnetActorModifiers, Reentran
 
     /// @notice method that allows a validator to increase its stake
     function stake() external payable notKilled {
+        // disbling validator changes for permissioned subnets (at least for now
+        // until a more complex mechanism is implemented).
+        if (s.permissioned) {
+            revert MethodNotAllowed();
+        }
         if (msg.value == 0) {
             revert CollateralIsZero();
         }
@@ -199,6 +210,11 @@ contract SubnetActorManagerFacet is ISubnetActor, SubnetActorModifiers, Reentran
     /// @notice method that allows a validator to unstake a part of its collateral from a subnet
     /// @dev `leave` must be used to unstake the entire stake.
     function unstake(uint256 amount) external notKilled {
+        // disbling validator changes for permissioned subnets (at least for now
+        // until a more complex mechanism is implemented).
+        if (s.permissioned) {
+            revert MethodNotAllowed();
+        }
         if (amount == 0) {
             revert CannotReleaseZero();
         }
@@ -223,8 +239,16 @@ contract SubnetActorManagerFacet is ISubnetActor, SubnetActorModifiers, Reentran
     /// @dev it also return the validators initial balance if the
     /// subnet was not yet bootstrapped.
     function leave() external notKilled nonReentrant {
-        // remove bootstrap nodes added by this validator
+        // disbling validator changes for permissioned subnets (at least for now
+        // until a more complex mechanism is implemented).
+        // This means that initial validators won't be able to recover
+        // their collateral ever (worth noting in the docs if this ends
+        // up sticking around for a while).
+        if (s.permissioned) {
+            revert MethodNotAllowed();
+        }
 
+        // remove bootstrap nodes added by this validator
         uint256 amount = LibStaking.totalValidatorCollateral(msg.sender);
         if (amount == 0) {
             revert NotValidator(msg.sender);

test/GatewayDiamond.t.sol

@@ -264,7 +264,8 @@ contract GatewayActorDiamondTest is StdInvariant, Test {
             majorityPercentage: DEFAULT_MAJORITY_PERCENTAGE,
             activeValidatorsLimit: 100,
             powerScale: 12,
-            minCrossMsgFee: CROSS_MSG_FEE
+            minCrossMsgFee: CROSS_MSG_FEE,
+            permissioned: false
         });
 
         saManager = new SubnetManagerTestUtil();

test/SubnetActorDiamond.t.sol

@@ -449,6 +449,7 @@ contract SubnetActorDiamondTest is Test {
                 majorityPercentage: DEFAULT_MAJORITY_PERCENTAGE,
                 activeValidatorsLimit: 100,
                 powerScale: 12,
+                permissioned: false,
                 minCrossMsgFee: CROSS_MSG_FEE
             }),
             address(saDupGetterFaucet),
@@ -1332,6 +1333,7 @@ contract SubnetActorDiamondTest is Test {
                 majorityPercentage: _majorityPercentage,
                 activeValidatorsLimit: 100,
                 powerScale: 12,
+                permissioned: false,
                 minCrossMsgFee: CROSS_MSG_FEE
             })
         );

test/SubnetRegistry.t.sol

@@ -267,6 +267,7 @@ contract SubnetRegistryTest is Test {
             majorityPercentage: DEFAULT_MAJORITY_PERCENTAGE,
             activeValidatorsLimit: 100,
             powerScale: DEFAULT_POWER_SCALE,
+            permissioned: false,
             minCrossMsgFee: CROSS_MSG_FEE
         });
         vm.expectRevert(WrongGateway.selector);
@@ -285,6 +286,7 @@ contract SubnetRegistryTest is Test {
             majorityPercentage: DEFAULT_MAJORITY_PERCENTAGE,
             activeValidatorsLimit: 100,
             powerScale: DEFAULT_POWER_SCALE,
+            permissioned: false,
             minCrossMsgFee: CROSS_MSG_FEE
         });
         registerSubnetFacet.newSubnetActor(params);
@@ -304,6 +306,7 @@ contract SubnetRegistryTest is Test {
             majorityPercentage: DEFAULT_MAJORITY_PERCENTAGE,
             activeValidatorsLimit: 100,
             powerScale: DEFAULT_POWER_SCALE,
+            permissioned: false,
             minCrossMsgFee: CROSS_MSG_FEE
         });
         registerSubnetFacet.newSubnetActor(params);
@@ -343,6 +346,7 @@ contract SubnetRegistryTest is Test {
             majorityPercentage: _majorityPercentage,
             activeValidatorsLimit: 100,
             powerScale: _powerScale,
+            permissioned: false,
             minCrossMsgFee: CROSS_MSG_FEE
         });
         registerSubnetFacet.newSubnetActor(params);