@massalabs/multisig-contract 0.0.2-dev.20260414091108 → 0.1.0

package/assembly/__tests__/member-management-tests.spec.ts

@@ -0,0 +1,210 @@
+import {
+  constructor,
+  addOwner,
+  removeOwner,
+  replaceOwner,
+} from '../contracts/Multisig';
+import { mockAdminContext } from '@massalabs/massa-as-sdk';
+import { Args } from '@massalabs/as-types';
+import {
+  changeCallStack,
+  resetStorage,
+} from '@massalabs/massa-as-sdk/assembly/vm-mock/storage';
+import { owners, required } from '../contracts/multisig-internals';
+
+// address of the contract set in vm-mock. must match with contractAddr of @massalabs/massa-as-sdk/vm-mock/vm.js
+const contractAddr = 'AS12BqZEQ6sByhRLyEuf0YbQmcF2PsDdkNNG1akBJu9XcjZA1eT';
+
+// multisig owners
+const ownerA = 'AU1qDAxGJ387ETi9JRQzZWSPKYq4YPXrFvdiE4VoXUaiAt38JFEC';
+const ownerB = 'AU125TiSrnD2YatYfEyRAWnBdD7TEuVbvGFkFgDuaYc2bdKyqKtb';
+const ownerC = 'A12UBnqTHDQALpocVBnkPNy7y5CndUJQTLutaVDDFgMJcq5kQiKq';
+
+// additional / replacement addresses
+const newOwner = 'AU1NewOwnerAddressForTestingPurposesOnlyXXXXXXXXXXX';
+const otherOwner = 'AU1OtherNewOwnerForTestingPurposesOnlyXXXXXXXXXXXXX';
+
+// a plain user that is not an owner and not the contract itself
+const randomCaller = 'AU1RandomUserNotAnOwnerXXXXXXXXXXXXXXXXXXXXXXXXXXX';
+
+// Default deployer address used by the vm-mock (caller != callee so
+// Context.isDeployingContract() is true). Must match the mock vm default caller.
+const deployerAddress = 'AU12UBnqTHDQALpocVBnkPNy7y5CndUJQTLutaVDDFgMJcq5kQiKq';
+
+// Simulate the multisig calling itself (required by _isMultisig):
+// Context.caller() == Context.callee() == contractAddr.
+function switchToMultisig(): void {
+  changeCallStack(contractAddr + ' , ' + contractAddr);
+}
+
+// Simulate an external caller: Context.caller() == user, Context.callee() == contractAddr
+function switchUser(user: string): void {
+  changeCallStack(user + ' , ' + contractAddr);
+}
+
+// Helper that bootstraps a 2-of-3 multisig with ownerA/B/C.
+function setupMultisig(required_: i32 = i32(2)): void {
+  resetStorage();
+  // Context.isDeployingContract() requires caller != callee, so make sure
+  // the call stack is set to a deployer context before calling constructor.
+  changeCallStack(deployerAddress + ' , ' + contractAddr);
+  constructor(
+    new Args()
+      .add<Array<string>>([ownerA, ownerB, ownerC])
+      .add(required_)
+      .add(u64(0))
+      .add(u64(0))
+      .serialize(),
+  );
+}
+
+beforeAll(() => {
+  resetStorage();
+  mockAdminContext(true);
+});
+
+describe('addOwner', () => {
+  test('reverts when called by a non-multisig caller', () => {
+    setupMultisig();
+    switchUser(ownerA);
+    expect(() => {
+      addOwner(new Args().add(newOwner).serialize());
+    }).toThrow();
+  });
+
+  test('reverts when the address is already an owner', () => {
+    setupMultisig();
+    switchToMultisig();
+    expect(() => {
+      addOwner(new Args().add(ownerA).serialize());
+    }).toThrow();
+  });
+
+  test('adds a new owner when called by the multisig itself', () => {
+    setupMultisig();
+    switchToMultisig();
+
+    expect(() => {
+      addOwner(new Args().add(newOwner).serialize());
+    }).not.toThrow();
+
+    const storedOwners = owners();
+    expect(storedOwners.length).toBe(4);
+    expect(storedOwners.includes(newOwner)).toBe(true);
+    // Adding an owner must not change the required threshold
+    expect(required()).toBe(2);
+  });
+});
+
+describe('removeOwner', () => {
+  test('reverts when called by a non-multisig caller', () => {
+    setupMultisig();
+    switchUser(ownerA);
+    expect(() => {
+      removeOwner(new Args().add(ownerB).serialize());
+    }).toThrow();
+  });
+
+  test('removes an existing owner when called by the multisig itself', () => {
+    // 2-of-3 → drop one, leaving 2-of-2
+    setupMultisig();
+    switchToMultisig();
+
+    expect(() => {
+      removeOwner(new Args().add(ownerC).serialize());
+    }).not.toThrow();
+
+    const storedOwners = owners();
+    expect(storedOwners.length).toBe(2);
+    expect(storedOwners.includes(ownerC)).toBe(false);
+    expect(storedOwners.includes(ownerA)).toBe(true);
+    expect(storedOwners.includes(ownerB)).toBe(true);
+    expect(required()).toBe(2);
+  });
+
+  test('reverts when removing would drop owners below the required threshold', () => {
+    // 3-of-3 → cannot remove any owner without breaking the threshold
+    setupMultisig(i32(3));
+    switchToMultisig();
+
+    expect(() => {
+      removeOwner(new Args().add(ownerC).serialize());
+    }).toThrow();
+
+    // state unchanged
+    expect(owners().length).toBe(3);
+  });
+
+  test('reverts when trying to remove an address that is not an owner', () => {
+    setupMultisig();
+    switchToMultisig();
+    expect(() => {
+      removeOwner(new Args().add(randomCaller).serialize());
+    }).toThrow();
+  });
+
+  test('reverts when removing would leave the multisig with zero owners', () => {
+    // 1-of-1 → cannot drop the last owner
+    resetStorage();
+    changeCallStack(deployerAddress + ' , ' + contractAddr);
+    constructor(
+      new Args()
+        .add<Array<string>>([ownerA])
+        .add(i32(1))
+        .add(u64(0))
+        .add(u64(0))
+        .serialize(),
+    );
+    switchToMultisig();
+
+    expect(() => {
+      removeOwner(new Args().add(ownerA).serialize());
+    }).toThrow();
+
+    expect(owners().length).toBe(1);
+  });
+});
+
+describe('replaceOwner', () => {
+  test('reverts when called by a non-multisig caller', () => {
+    setupMultisig();
+    switchUser(ownerA);
+    expect(() => {
+      replaceOwner(new Args().add(ownerC).add(newOwner).serialize());
+    }).toThrow();
+  });
+
+  test('reverts when the old owner does not exist', () => {
+    setupMultisig();
+    switchToMultisig();
+    expect(() => {
+      replaceOwner(new Args().add(randomCaller).add(newOwner).serialize());
+    }).toThrow();
+  });
+
+  test('reverts when the new owner is already an owner', () => {
+    setupMultisig();
+    switchToMultisig();
+    expect(() => {
+      // try to replace ownerA with ownerB (already present)
+      replaceOwner(new Args().add(ownerA).add(ownerB).serialize());
+    }).toThrow();
+  });
+
+  test('replaces an owner without changing the owner count or threshold', () => {
+    setupMultisig();
+    switchToMultisig();
+
+    expect(() => {
+      replaceOwner(new Args().add(ownerC).add(otherOwner).serialize());
+    }).not.toThrow();
+
+    const storedOwners = owners();
+    expect(storedOwners.length).toBe(3);
+    expect(storedOwners.includes(ownerC)).toBe(false);
+    expect(storedOwners.includes(otherOwner)).toBe(true);
+    expect(storedOwners.includes(ownerA)).toBe(true);
+    expect(storedOwners.includes(ownerB)).toBe(true);
+    expect(required()).toBe(2);
+  });
+});

package/assembly/__tests__/single-owner-tests.spec.ts

@@ -0,0 +1,155 @@
+import {
+  submit,
+  approve,
+  constructor,
+  getTransactions,
+} from '../contracts/Multisig';
+import { mockAdminContext, Address } from '@massalabs/massa-as-sdk';
+import {
+  Args,
+  u64ToBytes,
+  bytesToSerializableObjectArray,
+} from '@massalabs/as-types';
+import {
+  changeCallStack,
+  resetStorage,
+} from '@massalabs/massa-as-sdk/assembly/vm-mock/storage';
+import { Transaction } from '../structs/Transaction';
+import {
+  getApprovalCount,
+  hasApproved,
+  required,
+  owners,
+} from '../contracts/multisig-internals';
+
+// address of the contract set in vm-mock. must match with contractAddr of @massalabs/massa-as-sdk/vm-mock/vm.js
+const contractAddr = 'AS12BqZEQ6sByhRLyEuf0YbQmcF2PsDdkNNG1akBJu9XcjZA1eT';
+
+// default deployer address (caller != callee so Context.isDeployingContract() is true)
+const deployerAddress = 'AU12UBnqTHDQALpocVBnkPNy7y5CndUJQTLutaVDDFgMJcq5kQiKq';
+
+// the single owner of the multisig
+const soloOwner = 'AU1qDAxGJ387ETi9JRQzZWSPKYq4YPXrFvdiE4VoXUaiAt38JFEC';
+
+// a non-owner for negative testing
+const nonOwner = 'AU125TiSrnD2YatYfEyRAWnBdD7TEuVbvGFkFgDuaYc2bdKyqKtb';
+
+// destination for the dummy transaction
+const destination = 'AU155TiSrnD2YatYfEyRAWnBdD7TEuVbvGFkFgDuaYc2bdKyqKtb';
+
+function switchUser(user: string): void {
+  changeCallStack(user + ' , ' + contractAddr);
+}
+
+function retrieveOperation(opIndex: i32): Transaction {
+  let operationList = bytesToSerializableObjectArray<Transaction>(
+    getTransactions([]),
+  ).unwrap();
+  return operationList[opIndex];
+}
+
+beforeAll(() => {
+  resetStorage();
+  mockAdminContext(true);
+});
+
+describe('Single-owner multisig tests', () => {
+  test('constructor rejects 0 owners', () => {
+    expect(() => {
+      const serializedArgs = new Args()
+        .add<Array<string>>([])
+        .add(i32(1))
+        .add(u64(0))
+        .add(u64(0))
+        .serialize();
+      constructor(serializedArgs);
+    }).toThrow();
+  });
+
+  test('constructor accepts a single owner with required=1', () => {
+    resetStorage();
+    // Context.isDeployingContract() requires caller != callee.
+    changeCallStack(deployerAddress + ' , ' + contractAddr);
+
+    expect(() => {
+      constructor(
+        new Args()
+          .add<Array<string>>([soloOwner])
+          .add(i32(1))
+          .add(u64(0))
+          .add(u64(0))
+          .serialize(),
+      );
+    }).not.toThrow();
+
+    // check the owner list has exactly one entry matching soloOwner
+    const storedOwners = owners();
+    expect(storedOwners.length).toBe(1);
+    expect(storedOwners[0]).toBe(soloOwner);
+
+    // required number of confirmations is 1
+    expect(required()).toBe(1);
+  });
+
+  test('non-owner cannot submit a transaction', () => {
+    switchUser(nonOwner);
+    expect(() => {
+      submit(
+        new Args()
+          .add(
+            new Transaction(
+              new Address(destination),
+              '',
+              u64(15000),
+              [],
+              0,
+              false,
+            ),
+          )
+          .serialize(),
+      );
+    }).toThrow();
+  });
+
+  test('solo owner can submit and approve (single approval validates)', () => {
+    switchUser(soloOwner);
+
+    const tx = new Transaction(
+      new Address(destination),
+      '',
+      u64(15000),
+      [],
+      0,
+      false,
+    );
+
+    // submit returns txId 0 (first tx)
+    const opId: u64 = 0;
+    expect(submit(new Args().add(tx).serialize())).toStrictEqual(
+      u64ToBytes(opId),
+    );
+
+    // before approval, timestamp is 0 and approval count is 0
+    expect(retrieveOperation(i32(opId)).timestamp).toBe(0);
+    expect(getApprovalCount(opId)).toBe(0);
+
+    // solo owner approves
+    approve(new Args().add(opId).serialize());
+
+    // the owner's approval is recorded
+    expect(hasApproved(opId, new Address(soloOwner))).toBe(true);
+
+    // approval count equals the required threshold (1) so the tx is validated:
+    // a non-zero timestamp must have been set for it.
+    expect(getApprovalCount(opId)).toBe(required());
+    expect(retrieveOperation(i32(opId)).timestamp).toBeGreaterThan(0);
+  });
+
+  test('solo owner cannot approve the same tx twice', () => {
+    switchUser(soloOwner);
+    const opId: u64 = 0;
+    expect(() => {
+      approve(new Args().add(opId).serialize());
+    }).toThrow();
+  });
+});

package/assembly/__tests__/upgradeable-tests.spec.ts

@@ -0,0 +1,124 @@
+import { constructor, proposeUpgrade, upgrade } from '../contracts/Multisig';
+import { mockAdminContext } from '@massalabs/massa-as-sdk';
+import {
+  mockBalance,
+  mockTimestamp,
+} from '@massalabs/massa-as-sdk/assembly/vm-mock';
+import { Args } from '@massalabs/as-types';
+import {
+  changeCallStack,
+  resetStorage,
+} from '@massalabs/massa-as-sdk/assembly/vm-mock/storage';
+
+// address of the contract set in vm-mock. must match contractAddr of vm.js
+const contractAddr = 'AS12BqZEQ6sByhRLyEuf0YbQmcF2PsDdkNNG1akBJu9XcjZA1eT';
+
+// default deployer used so Context.isDeployingContract() is true
+const deployerAddress = 'AU12UBnqTHDQALpocVBnkPNy7y5CndUJQTLutaVDDFgMJcq5kQiKq';
+
+// multisig owner
+const ownerA = 'AU1qDAxGJ387ETi9JRQzZWSPKYq4YPXrFvdiE4VoXUaiAt38JFEC';
+
+// An arbitrary non-empty payload used as "new bytecode" for proposeUpgrade.
+const newBytecode: StaticArray<u8> = [1, 2, 3, 4];
+
+const UPGRADE_DELAY: u64 = 1_000; // 1 second, in ms
+
+function switchUser(user: string): void {
+  changeCallStack(user + ' , ' + contractAddr);
+}
+
+function switchToMultisig(): void {
+  changeCallStack(contractAddr + ' , ' + contractAddr);
+}
+
+function setupMultisig(upgDelay: u64 = UPGRADE_DELAY): void {
+  resetStorage();
+  mockTimestamp(u64(1_000_000)); // deterministic starting time
+  // Seed the contract address in the ledger so setBytecode can write to it.
+  mockBalance(contractAddr, u64(0));
+  changeCallStack(deployerAddress + ' , ' + contractAddr);
+  constructor(
+    new Args()
+      .add<Array<string>>([ownerA])
+      .add(i32(1))
+      .add(upgDelay)
+      .add(u64(0))
+      .serialize(),
+  );
+}
+
+beforeAll(() => {
+  mockAdminContext(true);
+});
+
+describe('Upgradeable: access control', () => {
+  test('proposeUpgrade reverts when not called by the multisig itself', () => {
+    setupMultisig();
+    switchUser(ownerA);
+    expect(() => {
+      proposeUpgrade(newBytecode);
+    }).toThrow();
+  });
+
+  test('upgrade reverts when not called by the multisig itself', () => {
+    setupMultisig();
+    switchUser(ownerA);
+    expect(() => {
+      upgrade([]);
+    }).toThrow();
+  });
+});
+
+// ==========================================================================
+// islocked() / upgrade() - timelock semantics
+//
+// A timelock must *block* upgrades until the configured delay has elapsed
+// after a proposal, and then *allow* them. The current implementation of
+// `Upgradeable.islocked()` (see assembly/libraries/Upgradeable.ts) has its
+// comparison inverted, so `upgrade()` is allowed while the delay has not
+// yet passed and blocked after. These tests document the correct behaviour
+// and therefore fail against the buggy implementation.
+// ==========================================================================
+
+describe('Upgradeable: timelock semantics', () => {
+  test('upgrade reverts when called before the upgrade delay has elapsed', () => {
+    setupMultisig(UPGRADE_DELAY);
+
+    switchToMultisig();
+    proposeUpgrade(newBytecode);
+
+    // Only part of the delay has passed - still locked.
+    mockTimestamp(u64(1_000_000) + UPGRADE_DELAY / 2);
+
+    expect(() => {
+      upgrade([]);
+    }).toThrow('upgrade should be blocked while the timelock is active');
+  });
+
+  test('upgrade succeeds once the upgrade delay has elapsed', () => {
+    setupMultisig(UPGRADE_DELAY);
+
+    switchToMultisig();
+    proposeUpgrade(newBytecode);
+
+    // Advance time strictly past the delay.
+    mockTimestamp(u64(1_000_000) + UPGRADE_DELAY + 1);
+
+    // Should not throw.
+    upgrade([]);
+  });
+
+  test('upgrade reverts if no upgrade has been proposed (after delay)', () => {
+    setupMultisig(UPGRADE_DELAY);
+
+    // No proposeUpgrade() call. Still advance time so that the timelock
+    // check cannot mask the "no proposal" error.
+    mockTimestamp(u64(1_000_000) + UPGRADE_DELAY + 1);
+
+    switchToMultisig();
+    expect(() => {
+      upgrade([]);
+    }).toThrow('upgrade should revert when no proposal exists');
+  });
+});

package/assembly/contracts/Multisig.ts

@@ -54,7 +54,7 @@ export function constructor(bs: StaticArray<u8>): void {
   const executionDelay = args.nextU64().expect('executionDelay not found');
 
   Upgradeable.__Upgradeable_init(upgradeDelay);
-  assert(owners.length > 1, 'At least 2 owners required');
+  assert(owners.length >= 1, 'At least 1 owner required');
   assert(required > 0 && required <= owners.length, 'invalid required');
 
   for (let i = 0; i < owners.length; i++) {
@@ -236,7 +236,7 @@ export function removeOwner(bs: StaticArray<u8>): void {
 
   _isMultisig();
   assert(
-    owners().length - 1 >= required() && owners().length > 2,
+    owners().length - 1 >= required() && owners().length > 1,
     'cannot remove owner',
   );
 
@@ -362,7 +362,7 @@ export function getApprovals(bs: StaticArray<u8>): StaticArray<u8> {
   const approvals: string[] = [];
   const _owners = owners();
 
-  for (let i = 0; i < owners.length; i++) {
+  for (let i = 0; i < _owners.length; i++) {
     const owner = _owners[i];
     if (hasApproved(txId, new Address(owner))) {
       approvals.push(owner);

package/assembly/libraries/Upgradeable.ts

@@ -39,11 +39,15 @@ export class Upgradeable {
   }
 
   /**
-   * @dev Returns true if the contract is locked
+   * @dev Returns true if the contract is still locked, i.e. the upgrade
+   * delay has not yet elapsed since the last proposal.
+   *
+   * The contract becomes unlocked (ready to upgrade) once
+   * `Context.timestamp() >= timelock + PERIOD`.
    */
   static islocked(): bool {
     return (
-      SafeMath.add(this.timelock(), bytesToU64(Storage.get(PERIOD))) <
+      SafeMath.add(this.timelock(), bytesToU64(Storage.get(PERIOD))) >
       Context.timestamp()
     );
   }

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@massalabs/multisig-contract",
-    "version": "0.0.2-dev.20260414091108",
+    "version": "0.1.0",
     "description": "",
     "scripts": {
         "test": "asp --summary",
@@ -11,6 +11,10 @@
         "get:multisig-parameters": "tsx src/get-multisig-parameters.ts",
         "list:proposals": "tsx src/list-proposals.ts",
         "propose:add-member": "tsx src/propose-add-member.ts",
+        "propose:replace-member": "tsx src/propose-replace-member.ts",
+        "propose:revoke-member": "tsx src/propose-revoke-member.ts",
+        "propose:threshold": "tsx src/propose-threshold.ts",
+        "propose:execution-delay": "tsx src/propose-execution-delay.ts",
         "prettier": "prettier assembly//**/*.ts --check",
         "prettier:fix": "prettier assembly//**/*.ts --write",
         "lint": "eslint .",
@@ -30,7 +34,7 @@
         "@massalabs/as-transformer": "^0.3.2",
         "@massalabs/as-types": "^2.1.0",
         "@massalabs/eslint-config": "^0.0.10",
-        "@massalabs/massa-as-sdk": "^3.0.2",
+        "@massalabs/massa-as-sdk": "^3.0.3-dev",
         "@massalabs/massa-sc-compiler": "^0.1.0",
         "@massalabs/massa-web3": "^5.3.0",
         "@massalabs/prettier-config-as": "^0.0.2",