@bloxchain/contracts 1.0.0-alpha.2 → 1.0.0-alpha.21

package/core/security/SecureOwnable.sol

@@ -1,11 +1,11 @@
 // SPDX-License-Identifier: MPL-2.0
-pragma solidity 0.8.33;
+pragma solidity 0.8.35;
 
 // Contracts imports
 import "../base/BaseStateMachine.sol";
 import "./lib/definitions/SecureOwnableDefinitions.sol";
-import "../../interfaces/IDefinition.sol";
-import "../../utils/SharedValidation.sol";
+import "../lib/interfaces/IDefinition.sol";
+import "../lib/utils/SharedValidation.sol";
 import "./interface/ISecureOwnable.sol";
 
 /**
@@ -27,8 +27,28 @@ import "./interface/ISecureOwnable.sol";
  * Each operation follows a request -> approval workflow with appropriate time locks
  * and authorization checks. Operations can be cancelled within specific time windows.
  *
- * At most one ownership-transfer or broadcaster-update request may be pending at a time:
- * a pending request of either type blocks new requests until it is approved or cancelled.
+ * Pending secure requests use separate flags for ownership transfer and broadcaster update.
+ * A new ownership-transfer request is allowed if no ownership transfer is already pending
+ * (a broadcaster update may still be pending). A new broadcaster-update request is allowed only
+ * when neither type has a pending request.
+ *
+ * **Ownership transfer vs recovery (threat model):**
+ * - `transferOwnershipRequest` snapshots `getRecovery()` into the pending tx `executionParams`. On execution,
+ *   `executeTransferOwnership` receives that snapshotted address as the new owner. Rotating recovery after
+ *   the request does **not** rewrite the pending payload; the beneficiary remains the recovery address
+ *   at request time.
+ * - `transferOwnershipDelayedApproval` authorizes the **current** owner or **current** recovery (`getRecovery()`
+ *   at approval time). It does **not** require the approver to match the snapshotted beneficiary. Integrators
+ *   must treat approval as consent to execute the **stored** transfer, not “transfer to whoever is recovery now.”
+ * - `transferOwnershipCancellation` allows only the **current** recovery to cancel. If owner and broadcaster
+ *   rotate recovery via `updateRecoveryRequestAndApprove` while a transfer is pending, the **previous**
+ *   recovery loses cancel rights immediately; the pending tx still targets the old address until approved,
+ *   cancelled by the new recovery, or superseded operationally.
+ * - Recovery and timelock updates use a request-and-approve meta-tx path without an additional timelock and
+ *   are **not** blocked when an ownership transfer is pending (unlike broadcaster update requests). This is
+ *   intentional: fast recovery rotation when owner and broadcaster still cooperate; operators who need a
+ *   strict “recovery cannot change during pending ownership transfer” invariant must enforce it off-chain or
+ *   extend this contract.
  *
  * This contract focuses purely on security logic while leveraging the BaseStateMachine
  * for transaction management, meta-transactions, and state machine operations.
@@ -36,8 +56,14 @@ import "./interface/ISecureOwnable.sol";
 abstract contract SecureOwnable is BaseStateMachine, ISecureOwnable {
     using SharedValidation for *;
 
-    /// @dev True while any pending ownership transfer or broadcaster update request exists; blocks new requests until handled.
-    bool private _hasOpenRequest;
+    /// @dev Lane flags for **delayed** ownership-transfer and broadcaster-update requests only (`transferOwnershipRequest`,
+    ///      `updateBroadcasterRequest`). Recovery and timelock updates use `_requestAndApproveTransaction` and do **not**
+    ///      read or write these booleans. Each flag is set only after a successful `_requestTransaction` in that same tx;
+    ///      clearing happens only in `_completeApprove` / `_completeCancel` in the **same** transaction as a successful
+    ///      `_approveTransaction` / `_cancelTransaction`, so a revert unwinds engine state and flag writes together.
+    /// @dev Upgrading from legacy `_hasOpenRequest` / `_pendingBits` requires no pending requests.
+    bool private _hasOpenOwnershipRequest;
+    bool private _hasOpenBroadcasterRequest;
 
     /**
      * @notice Initializer to initialize SecureOwnable state
@@ -54,18 +80,15 @@ abstract contract SecureOwnable is BaseStateMachine, ISecureOwnable {
         uint256 timeLockPeriodSec,    
         address eventForwarder
     ) public virtual onlyInitializing {
-        // Initialize base state machine (only if not already initialized)
-        if (!_secureState.initialized) {
-            _initializeBaseStateMachine(initialOwner, broadcaster, recovery, timeLockPeriodSec, eventForwarder);
-        }
-        
+        _initializeBaseStateMachine(initialOwner, broadcaster, recovery, timeLockPeriodSec, eventForwarder);
+
         // Load SecureOwnable-specific definitions
         IDefinition.RolePermission memory secureOwnablePermissions = SecureOwnableDefinitions.getRolePermissions();
         _loadDefinitions(
             SecureOwnableDefinitions.getFunctionSchemas(),
             secureOwnablePermissions.roleHashes,
             secureOwnablePermissions.functionPermissions,
-            true // Allow protected schemas for factory settings
+            true // Enforce all function schemas are protected
         );
     }
 
@@ -81,12 +104,14 @@ abstract contract SecureOwnable is BaseStateMachine, ISecureOwnable {
 
     // Ownership Management
     /**
-     * @dev Requests a transfer of ownership
-     * @return The transaction record
+     * @dev Requests a time-delayed transfer of the OWNER role to the **recovery address at request time**.
+     * @notice Encodes `getRecovery()` into `executionParams`; that address becomes the new owner on successful
+     *         execution. Changing recovery later does not update this pending record.
+     * @return txId The transaction ID (use getTransaction(txId) for full record)
      */
-    function transferOwnershipRequest() public returns (EngineBlox.TxRecord memory) {
+    function transferOwnershipRequest() public returns (uint256 txId) {
         SharedValidation.validateRecovery(getRecovery());
-        _requireNoPendingRequest();
+        _requireNoPendingRequest(SecureOwnableDefinitions.OWNERSHIP_TRANSFER);
 
         EngineBlox.TxRecord memory txRecord = _requestTransaction(
             msg.sender,
@@ -98,66 +123,70 @@ abstract contract SecureOwnable is BaseStateMachine, ISecureOwnable {
             abi.encode(getRecovery())
         );
 
-        _hasOpenRequest = true;
-        _logComponentEvent(abi.encode(owner(), getRecovery()));
-        return txRecord;
+        _hasOpenOwnershipRequest = true;
+        _logAddressPairEvent(owner(), getRecovery());
+        return txRecord.txId;
     }
 
     /**
-     * @dev Approves a pending ownership transfer transaction after the release time
+     * @dev Approves a pending ownership transfer after `releaseTime` (timelock on the direct path).
+     * @notice Callable by **current** owner or **current** recovery. Execution still transfers ownership to
+     *         the address snapshotted at request time, which may differ from `getRecovery()` at approval time.
      * @param txId The transaction ID
-     * @return The updated transaction record
+     * @return The transaction ID
      */
-    function transferOwnershipDelayedApproval(uint256 txId) public returns (EngineBlox.TxRecord memory) {
+    function transferOwnershipDelayedApproval(uint256 txId) public returns (uint256) {
         SharedValidation.validateOwnerOrRecovery(owner(), getRecovery());
-        
-        return _completeOwnershipApprove(_approveTransaction(txId));
+        return _completeApprove(_approveTransaction(txId));
     }
 
     /**
      * @dev Approves a pending ownership transfer transaction using a meta-transaction
      * @param metaTx The meta-transaction
-     * @return The updated transaction record
+     * @return The transaction ID
      */
-    function transferOwnershipApprovalWithMetaTx(EngineBlox.MetaTransaction memory metaTx) public returns (EngineBlox.TxRecord memory) {
+    function transferOwnershipApprovalWithMetaTx(EngineBlox.MetaTransaction memory metaTx) public returns (uint256) {
         _validateBroadcasterAndOwnerSigner(metaTx);
-
-        return _completeOwnershipApprove(_approveTransactionWithMetaTx(metaTx));
+        return _completeApprove(_approveTransactionWithMetaTx(metaTx));
     }
 
     /**
-     * @dev Cancels a pending ownership transfer transaction
+     * @dev Cancels a pending ownership transfer transaction.
+     * @notice Only the **current** `getRecovery()` may cancel. After a recovery rotation, the prior recovery
+     *         address can no longer cancel.
      * @param txId The transaction ID
-     * @return The updated transaction record
+     * @return The transaction ID
      */
-    function transferOwnershipCancellation(uint256 txId) public returns (EngineBlox.TxRecord memory) {
+    function transferOwnershipCancellation(uint256 txId) public returns (uint256) {
         SharedValidation.validateRecovery(getRecovery());
-        return _completeOwnershipCancel(_cancelTransaction(txId));
+        return _completeCancel(_cancelTransaction(txId));
     }
 
     /**
      * @dev Cancels a pending ownership transfer transaction using a meta-transaction
      * @param metaTx The meta-transaction
-     * @return The updated transaction record
+     * @return The transaction ID
      */
-    function transferOwnershipCancellationWithMetaTx(EngineBlox.MetaTransaction memory metaTx) public returns (EngineBlox.TxRecord memory) {
+    function transferOwnershipCancellationWithMetaTx(EngineBlox.MetaTransaction memory metaTx) public returns (uint256) {
         _validateBroadcasterAndOwnerSigner(metaTx);
-
-        return _completeOwnershipCancel(_cancelTransactionWithMetaTx(metaTx));
+        return _completeCancel(_cancelTransactionWithMetaTx(metaTx));
     }
 
     // Broadcaster Management
     /**
-     * @dev Updates the broadcaster address
-     * @param newBroadcaster The new broadcaster address
-     * @return The execution options
+     * @dev Requests a broadcaster role change identified by addresses.
+     * @notice Requires no pending broadcaster-update and no pending ownership-transfer request.
+     * @param newBroadcaster New broadcaster (`address(0)` to revoke `currentBroadcaster`)
+     * @param currentBroadcaster Existing broadcaster to replace or revoke; `address(0)` to add `newBroadcaster`
+     * @return txId The transaction ID for the pending request (use getTransaction(txId) for full record)
      */
-    function updateBroadcasterRequest(address newBroadcaster) public returns (EngineBlox.TxRecord memory) {
+    function updateBroadcasterRequest(address newBroadcaster, address currentBroadcaster) public returns (uint256 txId) {
         SharedValidation.validateOwner(owner());
-        _requireNoPendingRequest();
-        address currentBroadcaster = _getAuthorizedWalletAt(EngineBlox.BROADCASTER_ROLE, 0);
-        SharedValidation.validateAddressUpdate(newBroadcaster, currentBroadcaster);
-        
+        _requireNoPendingRequest(SecureOwnableDefinitions.BROADCASTER_UPDATE);
+        _requireNoPendingRequest(SecureOwnableDefinitions.OWNERSHIP_TRANSFER);
+
+        _validateBroadcasterUpdatePair(newBroadcaster, currentBroadcaster);
+
         EngineBlox.TxRecord memory txRecord = _requestTransaction(
             msg.sender,
             address(this),
@@ -165,69 +194,69 @@ abstract contract SecureOwnable is BaseStateMachine, ISecureOwnable {
             0, // gas limit
             SecureOwnableDefinitions.BROADCASTER_UPDATE,
             SecureOwnableDefinitions.UPDATE_BROADCASTER_SELECTOR,
-            abi.encode(newBroadcaster)
+            abi.encode(newBroadcaster, currentBroadcaster)
         );
 
-        _hasOpenRequest = true;
-        _logComponentEvent(abi.encode(currentBroadcaster, newBroadcaster));
-        return txRecord;
+        _hasOpenBroadcasterRequest = true;
+        _logAddressPairEvent(currentBroadcaster, newBroadcaster);
+        return txRecord.txId;
     }
 
     /**
      * @dev Approves a pending broadcaster update transaction after the release time
      * @param txId The transaction ID
-     * @return The updated transaction record
+     * @return The transaction ID
      */
-    function updateBroadcasterDelayedApproval(uint256 txId) public returns (EngineBlox.TxRecord memory) {
+    function updateBroadcasterDelayedApproval(uint256 txId) public returns (uint256) {
         SharedValidation.validateOwner(owner());
-        return _completeBroadcasterApprove(_approveTransaction(txId));
+        return _completeApprove(_approveTransaction(txId));
     }
 
     /**
      * @dev Approves a pending broadcaster update transaction using a meta-transaction
      * @param metaTx The meta-transaction
-     * @return The updated transaction record
+     * @return The transaction ID
      */
-    function updateBroadcasterApprovalWithMetaTx(EngineBlox.MetaTransaction memory metaTx) public returns (EngineBlox.TxRecord memory) {
+    function updateBroadcasterApprovalWithMetaTx(EngineBlox.MetaTransaction memory metaTx) public returns (uint256) {
         _validateBroadcasterAndOwnerSigner(metaTx);
-
-        return _completeBroadcasterApprove(_approveTransactionWithMetaTx(metaTx));
+        return _completeApprove(_approveTransactionWithMetaTx(metaTx));
     }
 
     /**
      * @dev Cancels a pending broadcaster update transaction
      * @param txId The transaction ID
-     * @return The updated transaction record
+     * @return The transaction ID
      */
-    function updateBroadcasterCancellation(uint256 txId) public returns (EngineBlox.TxRecord memory) {
+    function updateBroadcasterCancellation(uint256 txId) public returns (uint256) {
         SharedValidation.validateOwner(owner());
-        return _completeBroadcasterCancel(_cancelTransaction(txId));
+        return _completeCancel(_cancelTransaction(txId));
     }
 
     /**
      * @dev Cancels a pending broadcaster update transaction using a meta-transaction
      * @param metaTx The meta-transaction
-     * @return The updated transaction record
+     * @return The transaction ID
      */
-    function updateBroadcasterCancellationWithMetaTx(EngineBlox.MetaTransaction memory metaTx) public returns (EngineBlox.TxRecord memory) {
+    function updateBroadcasterCancellationWithMetaTx(EngineBlox.MetaTransaction memory metaTx) public returns (uint256) {
         _validateBroadcasterAndOwnerSigner(metaTx);
-
-        return _completeBroadcasterCancel(_cancelTransactionWithMetaTx(metaTx));
+        return _completeCancel(_cancelTransactionWithMetaTx(metaTx));
     }
 
     // Recovery Management
 
     /**
-     * @dev Requests and approves a recovery address update using a meta-transaction
+     * @dev Requests and approves a recovery address update using a meta-transaction (owner signs, broadcaster submits).
+     * @notice Does **not** revert when an ownership transfer is pending. A pending transfer continues to target
+     *         the recovery address snapshotted at its request until executed or cancelled by **current** recovery.
      * @param metaTx The meta-transaction
-     * @return The transaction record
+     * @return The transaction ID
      */
     function updateRecoveryRequestAndApprove(
         EngineBlox.MetaTransaction memory metaTx
-    ) public returns (EngineBlox.TxRecord memory) {
+    ) public returns (uint256) {
         _validateBroadcasterAndOwnerSigner(metaTx);
-
-        return _requestAndApproveTransaction(metaTx);
+        EngineBlox.TxRecord memory txRecord = _requestAndApproveTransaction(metaTx);
+        return txRecord.txId;
     }
 
     // TimeLock Management
@@ -235,20 +264,21 @@ abstract contract SecureOwnable is BaseStateMachine, ISecureOwnable {
     /**
      * @dev Requests and approves a time lock period update using a meta-transaction
      * @param metaTx The meta-transaction
-     * @return The transaction record
+     * @return The transaction ID
      */
     function updateTimeLockRequestAndApprove(
         EngineBlox.MetaTransaction memory metaTx
-    ) public returns (EngineBlox.TxRecord memory) {
+    ) public returns (uint256) {
         _validateBroadcasterAndOwnerSigner(metaTx);
-
-        return _requestAndApproveTransaction(metaTx);
+        EngineBlox.TxRecord memory txRecord = _requestAndApproveTransaction(metaTx);
+        return txRecord.txId;
     }
 
     // Execution Functions
     /**
-     * @dev External function that can only be called by the contract itself to execute ownership transfer
-     * @param newOwner The new owner address
+     * @dev External function that can only be called by the contract itself to execute ownership transfer.
+     * @param newOwner The new owner; for the OWNERSHIP_TRANSFER flow this is the recovery address encoded at
+     *        request time (see `transferOwnershipRequest`), not necessarily `getRecovery()` at execution time.
      */
     function executeTransferOwnership(address newOwner) external {
         _validateExecuteBySelf();
@@ -257,11 +287,12 @@ abstract contract SecureOwnable is BaseStateMachine, ISecureOwnable {
 
     /**
      * @dev External function that can only be called by the contract itself to execute broadcaster update
-     * @param newBroadcaster The new broadcaster address
+     * @param newBroadcaster New broadcaster (`address(0)` to revoke `currentBroadcaster`)
+     * @param currentBroadcaster Existing broadcaster to replace or revoke; `address(0)` to add `newBroadcaster`
      */
-    function executeBroadcasterUpdate(address newBroadcaster) external {
+    function executeBroadcasterUpdate(address newBroadcaster, address currentBroadcaster) external {
         _validateExecuteBySelf();
-        _updateBroadcaster(newBroadcaster, 0);
+        _updateBroadcaster(newBroadcaster, currentBroadcaster);
     }
 
     /**
@@ -284,12 +315,6 @@ abstract contract SecureOwnable is BaseStateMachine, ISecureOwnable {
 
     // ============ INTERNAL FUNCTIONS ============
 
-    /**
-     * @dev Reverts if an ownership-transfer or broadcaster-update request is already pending.
-     */
-    function _requireNoPendingRequest() internal view {
-        if (_hasOpenRequest) revert SharedValidation.PendingSecureRequest();
-    }
 
     /**
      * @dev Validates that the caller is the broadcaster and that the meta-tx signer is the owner.
@@ -301,37 +326,54 @@ abstract contract SecureOwnable is BaseStateMachine, ISecureOwnable {
     }
 
     /**
-     * @dev Completes ownership flow after approval: resets flag and returns record.
+     * @dev Completes ownership/broadcaster flow after approval: clears the matching pending flag and returns txId.
+     * @param updatedRecord The updated transaction record from approval
+     * @return txId The transaction ID
      */
-    function _completeOwnershipApprove(EngineBlox.TxRecord memory updatedRecord) internal returns (EngineBlox.TxRecord memory) {
-        _hasOpenRequest = false;
-        return updatedRecord;
+    function _completeApprove(EngineBlox.TxRecord memory updatedRecord) internal returns (uint256 txId) {
+        _clearPendingFlagForOperation(updatedRecord.params.operationType);
+        return updatedRecord.txId;
     }
 
     /**
-     * @dev Completes ownership flow after cancellation: resets flag, logs txId, returns record.
+     * @dev Completes ownership/broadcaster flow after cancellation: clears the matching pending flag and returns txId.
+     * @param updatedRecord The updated transaction record from cancellation
+     * @return txId The transaction ID
      */
-    function _completeOwnershipCancel(EngineBlox.TxRecord memory updatedRecord) internal returns (EngineBlox.TxRecord memory) {
-        _hasOpenRequest = false;
-        _logComponentEvent(abi.encode(updatedRecord.txId));
-        return updatedRecord;
+    function _completeCancel(EngineBlox.TxRecord memory updatedRecord) internal returns (uint256 txId) {
+        _clearPendingFlagForOperation(updatedRecord.params.operationType);
+        return updatedRecord.txId;
     }
 
     /**
-     * @dev Completes broadcaster flow after approval: resets flag and returns record.
+     * @dev Reverts if the pending flag for `requestOperationType` is already set (one lane per call).
+     *      `OWNERSHIP_TRANSFER` checks only `_hasOpenOwnershipRequest` (a broadcaster update may still be pending).
+     *      `BROADCASTER_UPDATE` checks only `_hasOpenBroadcasterRequest`. Callers that need both lanes idle
+     *      (e.g. `updateBroadcasterRequest`) invoke this once per operation type.
+     * @param requestOperationType Lane to validate (`OWNERSHIP_TRANSFER` or `BROADCASTER_UPDATE`).
      */
-    function _completeBroadcasterApprove(EngineBlox.TxRecord memory updatedRecord) internal returns (EngineBlox.TxRecord memory) {
-        _hasOpenRequest = false;
-        return updatedRecord;
+    function _requireNoPendingRequest(bytes32 requestOperationType) internal view {
+        if (requestOperationType == SecureOwnableDefinitions.OWNERSHIP_TRANSFER) {
+            if (_hasOpenOwnershipRequest) revert SharedValidation.PendingSecureRequest();
+        } else if (requestOperationType == SecureOwnableDefinitions.BROADCASTER_UPDATE) {
+            if (_hasOpenBroadcasterRequest) revert SharedValidation.PendingSecureRequest();
+        } else {
+            revert();
+        }
     }
 
     /**
-     * @dev Completes broadcaster flow after cancellation: resets flag, logs txId, returns record.
+     * @dev Clears the pending flag for a completed or cancelled secure op (approve/cancel paths).
+     * @param operationType The tx record's `operationType` (`OWNERSHIP_TRANSFER` or `BROADCASTER_UPDATE`).
      */
-    function _completeBroadcasterCancel(EngineBlox.TxRecord memory updatedRecord) internal returns (EngineBlox.TxRecord memory) {
-        _hasOpenRequest = false;
-        _logComponentEvent(abi.encode(updatedRecord.txId));
-        return updatedRecord;
+    function _clearPendingFlagForOperation(bytes32 operationType) private {
+        if (operationType == SecureOwnableDefinitions.OWNERSHIP_TRANSFER) {
+            _hasOpenOwnershipRequest = false;
+        } else if (operationType == SecureOwnableDefinitions.BROADCASTER_UPDATE) {
+            _hasOpenBroadcasterRequest = false;
+        } else {
+            revert();
+        }
     }
 
     /**
@@ -340,54 +382,47 @@ abstract contract SecureOwnable is BaseStateMachine, ISecureOwnable {
      */
     function _transferOwnership(address newOwner) internal virtual {
         address oldOwner = owner();
-        _updateAssignedWallet(EngineBlox.OWNER_ROLE, newOwner, oldOwner);
-        _logComponentEvent(abi.encode(oldOwner, newOwner));
+        _updateWallet(EngineBlox.OWNER_ROLE, newOwner, oldOwner);
+        _logAddressPairEvent(oldOwner, newOwner);
     }
 
     /**
-     * @dev Updates the broadcaster role at a specific index (location)
-     * @param newBroadcaster The new broadcaster address (zero address to revoke)
-     * @param location The index in the broadcaster role's authorized wallets set
-     *
-     * Logic:
-     * - If a broadcaster exists at `location` and `newBroadcaster` is non-zero,
-     *   update that slot from old to new (role remains full).
-     * - If no broadcaster exists at `location` and `newBroadcaster` is non-zero,
-     *   assign `newBroadcaster` to the broadcaster role (respecting maxWallets).
-     * - If `newBroadcaster` is the zero address and a broadcaster exists at `location`,
-     *   revoke that broadcaster from the role.
+     * @dev Validates broadcaster update pair at request time.
+     * @param newBroadcaster New broadcaster (`address(0)` to revoke)
+     * @param currentBroadcaster Existing broadcaster; `address(0)` to add `newBroadcaster`
      */
-    function _updateBroadcaster(address newBroadcaster, uint256 location) internal virtual {
-        EngineBlox.Role storage role = _getSecureState().roles[EngineBlox.BROADCASTER_ROLE];
-
-        address oldBroadcaster;
-        uint256 length = role.walletCount;
-
-        if (location < length) {
-            oldBroadcaster = _getAuthorizedWalletAt(EngineBlox.BROADCASTER_ROLE, location);
-        } else {
-            oldBroadcaster = address(0);
+    function _validateBroadcasterUpdatePair(address newBroadcaster, address currentBroadcaster) internal view {
+        if (newBroadcaster == address(0) && currentBroadcaster == address(0)) {
+            revert SharedValidation.InvalidOperation(address(0));
         }
+        bytes32 role = EngineBlox.BROADCASTER_ROLE;
+        if (currentBroadcaster != address(0)) {
+            if (!hasRole(role, currentBroadcaster)) revert SharedValidation.ItemNotFound(currentBroadcaster);
+        }
+        if (newBroadcaster != address(0)) {
+            if (hasRole(role, newBroadcaster)) revert SharedValidation.ItemAlreadyExists(newBroadcaster);
+        }
+    }
 
-        // Case 1: Revoke existing broadcaster at location
+    /**
+     * @dev Updates the broadcaster role by address pair (revoke, replace, or add).
+     * @param newBroadcaster New broadcaster (`address(0)` to revoke `currentBroadcaster`)
+     * @param currentBroadcaster Existing broadcaster; `address(0)` to add `newBroadcaster`
+     */
+    function _updateBroadcaster(address newBroadcaster, address currentBroadcaster) internal virtual {
+        bytes32 role = EngineBlox.BROADCASTER_ROLE;
         if (newBroadcaster == address(0)) {
-            if (oldBroadcaster != address(0)) {
-                _revokeWallet(EngineBlox.BROADCASTER_ROLE, oldBroadcaster);
-                _logComponentEvent(abi.encode(oldBroadcaster, address(0)));
-            }
+            _revokeWallet(role, currentBroadcaster);
+            _logAddressPairEvent(currentBroadcaster, address(0));
             return;
         }
-
-        // Case 2: Update existing broadcaster at location
-        if (oldBroadcaster != address(0)) {
-            _updateAssignedWallet(EngineBlox.BROADCASTER_ROLE, newBroadcaster, oldBroadcaster);
-            _logComponentEvent(abi.encode(oldBroadcaster, newBroadcaster));
+        if (currentBroadcaster == address(0)) {
+            _assignWallet(role, newBroadcaster);
+            _logAddressPairEvent(address(0), newBroadcaster);
             return;
         }
-
-        // Case 3: No broadcaster at location, assign a new one (will respect maxWallets)
-        _assignWallet(EngineBlox.BROADCASTER_ROLE, newBroadcaster);
-        _logComponentEvent(abi.encode(address(0), newBroadcaster));
+        _updateWallet(role, newBroadcaster, currentBroadcaster);
+        _logAddressPairEvent(currentBroadcaster, newBroadcaster);
     }
 
     /**
@@ -396,17 +431,16 @@ abstract contract SecureOwnable is BaseStateMachine, ISecureOwnable {
      */
     function _updateRecoveryAddress(address newRecoveryAddress) internal virtual {
         address oldRecovery = getRecovery();
-        _updateAssignedWallet(EngineBlox.RECOVERY_ROLE, newRecoveryAddress, oldRecovery);
-        _logComponentEvent(abi.encode(oldRecovery, newRecoveryAddress));
+        _updateWallet(EngineBlox.RECOVERY_ROLE, newRecoveryAddress, oldRecovery);
+        _logAddressPairEvent(oldRecovery, newRecoveryAddress);
     }
 
     /**
-     * @dev Updates the time lock period
-     * @param newTimeLockPeriodSec The new time lock period in seconds
+     * @dev Emits ComponentEvent with ABI-encoded (address, address) payload. Reused to reduce contract size.
+     * @param a First address
+     * @param b Second address
      */
-    function _updateTimeLockPeriod(uint256 newTimeLockPeriodSec) internal virtual override {
-        uint256 oldPeriod = getTimeLockPeriodSec();
-        super._updateTimeLockPeriod(newTimeLockPeriodSec);
-        _logComponentEvent(abi.encode(oldPeriod, newTimeLockPeriodSec));
+    function _logAddressPairEvent(address a, address b) internal {
+        _logComponentEvent(abi.encode(a, b));
     }
 }