A Review of Smart Contract Upgrades Since 0.6
In the year since Aragon 0.6 was released to Ethereum Mainnet, the underlying smart contracts powering Aragon organizations have continued to improve. Both Aragon 0.7 and 0.8 were launched with contract changes relevant for all Aragon users.
From day one, aragonOS was designed with the assumption that software will not only be imperfect but also deployed to a constantly changing environment. It's why the framework emphasized smart contract upgradeability as well as the governance mechanisms behind upgrades—ultimately, whoever has the ability to upgrade software will be in control of that software.
2019 validated our assumptions. Whilst we weren't able to fix everything with an upgrade, as immutability must exist somewhere for applications built on top of Ethereum, our smart contracts and their users did have to contend with, and overcome, several issues found or introduced after their deployment:
- One serious but difficult-to-exploit bug in the Voting app, luckily affecting no one,
- Mitigating issues from broken tokens, and
- Hard forks, and particularly EIP-1884's inclusion in Istanbul
All other code changes could be described as new features or quality of life improvements, including:
- More efficient gas usage
- Code logic simplifications to lower future chances of introducing bugs, and
- Fixes to small, un-exploitable bugs, primarily with small memory leaks
Both the 0.7 and 0.8 smart contract releases were accompanied by re-audits of the codebase. 0.7's changes were audited in tandem by Authio and ConsenSys Diligence, as part of AGP-18. 0.8 and its new templates were audited by ConsenSys Diligence, commissioned with processes deriving from AGP-43.
If you're interested in auditing these deployments yourself, we've logged every on-chain deployment to Mainnet, as well as other test networks, in our deployments log. An ongoing bug bounty is also available for all Mainnet-deployed smart contracts, including unreported bugs in older versions.
Aragon 0.7
The 0.7 release in April 2019 marked the first time, to my knowledge, that end users of an upgradeable smart contract—which they themselves owned!—were able to opt into an upgrade. Each individual default application—Finance, Tokens, Vault, and Voting—was available for upgrade.
This is a powerful feature baked into the design of aragonOS and is the underlying bedrock that enables our vision of a flourishing app ecosystem on the Aragon client. To date, over 100 organizations, or one-fifth of those eligible and most of the currently active organizations, have chosen to upgrade. This includes the Aragon Governance organization, which did so only after polling the entire Aragon community.
Upgrade highlights from each app:
- Finance, Vault: handle ERC20 tokens that did not provide return values in critical functions. These tokens did not implement the ERC20 token specification correctly, and the list includes high-profile tokens such as OMG.
- Finance: simplify external interface for individual and recurring payments.
- Tokens: add additional sanity checks to prevent nonsensical actions and improve gas efficiency.
- Voting: important bug fix, see security disclosure.
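The Finance and Vault item above concerns tokens whose transfer functions return nothing. As an added example (not code from Aragon or from this post), the model below contrasts a caller that insists on a 32-byte boolean with one that also accepts empty return data from a successful call; the function names and sample results are constructed.

```python
# Added example: how a caller can interpret the raw result of an ERC20
# transfer() call. All names and sample data here are constructed.
from enum import Enum

WORD = 32                              # size of one ABI-encoded word
TRUE_WORD = (1).to_bytes(WORD, "big")  # ABI encoding of bool true


class Outcome(Enum):
    OK = "ok"
    FAILED = "failed"


def strict_check(call_ok: bool, returndata: bytes) -> Outcome:
    """Caller that requires the 32-byte bool the ERC20 spec describes."""
    if not call_ok or len(returndata) < WORD:
        return Outcome.FAILED  # a non-returning token lands here even on success
    return Outcome.OK if returndata[:WORD] == TRUE_WORD else Outcome.FAILED


def tolerant_check(call_ok: bool, returndata: bytes) -> Outcome:
    """Accept empty return data from a successful call; reject anything odd."""
    if not call_ok:
        return Outcome.FAILED
    if len(returndata) == 0:
        return Outcome.OK      # token omitted the return value but did not revert
    if len(returndata) == WORD:
        return Outcome.OK if returndata == TRUE_WORD else Outcome.FAILED
    return Outcome.FAILED      # unexpected size: treat as failure


# Constructed (call_ok, returndata) pairs for four token behaviours.
SAMPLES = {
    "compliant_success": (True, TRUE_WORD),
    "compliant_false": (True, bytes(WORD)),
    "no_return_success": (True, b""),
    "reverted": (False, b""),
}


def compare() -> dict:
    """Map each sample to its (strict, tolerant) outcome."""
    return {name: (strict_check(*r).value, tolerant_check(*r).value)
            for name, r in SAMPLES.items()}
```

A call to an address with no contract code also succeeds with empty return data, so a tolerant check on-chain needs to be paired with a check that the token address actually holds code.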
Small additional changes were released to the core contracts powering organizations; however, these are not available for upgrade in older organizations. Only organizations created after April 17, 2019 received these changes:
- Kernel: log an additional event during an organization's creation to act as the root of a full provenance chain of installed Kernel code in an organization's history. This allows off-chain tools to prove and verify that an organization had not previously installed untrusted code.
- EVMScripts: quality-of-life changes to reduce possibility of future bugs.
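The provenance check described in the Kernel item can be sketched as an off-chain audit. This is an added example, not Aragon's tooling: it assumes the Kernel-code events have already been fetched and decoded into records, and the record fields, addresses and block numbers are all constructed.

```python
# Added example: audit an organization's history of installed Kernel code.
# Record layout, addresses and block numbers are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class KernelCodeEvent:
    block: int
    log_index: int
    implementation: str  # address of the Kernel code put in place


def _ordered(events):
    return sorted(events, key=lambda e: (e.block, e.log_index))


def latest_only(events, trusted) -> bool:
    """Weak check: looks only at the Kernel code currently installed."""
    return _ordered(events)[-1].implementation.lower() in trusted


def audit_provenance(events, creation_block, trusted) -> list:
    """Full check: every entry since creation must be trusted code."""
    findings = []
    ordered = _ordered(events)
    if not ordered or ordered[0].block != creation_block:
        # Without a root logged at creation, the code in use before the
        # first recorded change cannot be proven.
        findings.append("no root event at creation block")
    for ev in ordered:
        if ev.implementation.lower() not in trusted:
            findings.append(
                f"untrusted Kernel code {ev.implementation} at block {ev.block}")
    return findings


# Constructed sample data.
T1, T2, ROGUE = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "ee" * 20
TRUSTED = {T1, T2}
CREATION_BLOCK = 100
CLEAN = [KernelCodeEvent(100, 0, T1), KernelCodeEvent(250, 3, T2)]
SWAPPED_BACK = [KernelCodeEvent(100, 0, T1), KernelCodeEvent(180, 1, ROGUE),
                KernelCodeEvent(181, 0, T1)]
NO_ROOT = [KernelCodeEvent(250, 3, T2)]
```

The `SWAPPED_BACK` history passes `latest_only` but is flagged by `audit_provenance`, which is the case a full provenance chain exists to catch.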
New organization templates, automatically selected during the Aragon client's organization onboarding flow, were deployed to facilitate the release of these core changes. These templates were otherwise functionally the same as 0.6's templates.
Changelog
For the full changelog and code diffs between 0.6 and 0.7, you may refer to the following resources.
aragonOS:
- v4.2.0 (up from v4.0.0)
- Full code diff
- Release notes
- Deployed contracts
  - DAOFactory
    - Address: 0xc29f0599df12eb4cbe1a34354c4bac6d944071d1
    - Code diff from 0.6 (see revision tab)
  - EVMScriptRegistry
    - Address: 0x1630b381219984eb3a1206261b4add2ccef4de5c
    - Code diff from 0.6 (see revision tab)
DAO templates:
- Full code diff
  - DemocracyKit
  - MultisigKit
- Deployed contracts
  - DemocracyKit
    - Address: 0x7f3ed10366826a1227025445D4f4e3e14BBfc91d
    - Code diff from 0.6 (see revision tab)
  - MultisigKit
    - Address: 0x87aa2980dde7d2D4e57191f16BB57cF80bf6E5A6
    - Code diff from 0.6 (see revision tab)
Finance:
- Base contract address: 0x836835289A2E81B66AE5d95b7c8dBC0480dCf9da
- Git history
- Code diff from 0.6 (see revision tab)
Tokens:
- Base contract address: 0xde3A93028F2283cc28756B3674BD657eaFB992f4
- Git history
- Code diff from 0.6 (see revision tab)
Vault:
- Base contract address: 0x03AD07802BBA1b6FA293E593a42845E6569A7470
- Git history
- Code diff from 0.6 (see revision tab)
Voting:
- Base contract address: 0xb935C3D80229d5D92f3761b17Cd81dC2610e3a45
- Git history
- Code diff from 0.6 (see revision tab)
Worth mentioning
Since the 0.7 release, we have lost the ability to upgrade the frontends of these older app versions. This is working as designed by our on-chain package manager, which prohibits automatic upgrades for upgrades involving smart contract changes.
However, this also means that we cannot fix any unforeseen frontend issues due to later changes from browsers or the overall Ethereum environment. For example, the 0.6 Finance app now does not load on Firefox due to a backwards-incompatible change (or bug) made in Firefox after April.
Aragon 0.8
Although 0.8's release introduced many frontend improvements to the apps, including their conformance to aragonDS, the release itself included no contract upgrades for any app. This was an explicit choice made to minimize the friction and fragmentation imposed from such upgrades on the overall Aragon ecosystem. We are playing the long game—there is monitoring in place and we will consider decreasing the length of the upgrade cycle as more and more users get accustomed to and comfortable with these upgrades.
As this release involved no contract changes for any app, users of 0.7 were automatically upgraded to 0.8's frontend interfaces.
The contract changes from the 0.8 release were focused solely on the infrastructure supporting new organizations:
- Templates: What were previously called DAO kits are now named DAO templates. 0.8 deprecated the old, and often confusing, Democracy and Multisig templates, and introduced new and hopefully more approachable templates that are structured around their intended use cases.
- App Proxies: Each AppProxy contract, used by default when an organization installs an application, was optimized for gas efficiency. This was not done out of a desire to improve the user experience, but to mitigate the effects of EIP-1884. For more details on how EIP-1884 impacts Aragon organizations created before Sept. 11, 2019, please read our announcement.
Neither of these infrastructural changes is available for organizations created before Sept. 11, 2019. They are only in effect for new organizations.
In addition to the improved infrastructure, we also officially launched the Agent app after a six month beta. If you would like to take part in future beta programs for apps like Agent, please contact us!
🚨 EIP-1884, now live with the Istanbul hard fork, introduces complications for using the Agent app with organizations created before Sept. 11, 2019.
Our recommendation for affected organizations is to create a new organization from the Aragon client and migrate any users, token holders, and funds over to the new organization. Please contact support@aragon.org if you need help with this migration.
For more information, please read our announcement on the impacts of Istanbul for older organizations.
Changelog
For the full changelog and code diffs between 0.7 and 0.8, you may refer to the following resources.
aragonOS:
- v4.3.0 (up from v4.2.0)
- Full code diff
- Release notes
- Deployed contracts
  - DAOFactory
    - Address: 0xb9da44c051c6cc9e04b7e0f95e95d69c6a6d8031
    - Code diff from 0.7 (see revision tab)
DAO Templates:
- Deployed contracts
  - CompanyTemplate
    - Address: 0xd737632caC4d039C9B0EEcc94C12267407a271b5
  - CompanyBoardTemplate
    - Address: 0x4d1A892f42c947fa952b57bc6939b27A96215CfA
  - MembershipTemplate
    - Address: 0x67430642C0c3B5E6538049B9E9eE719f2a4BeE7c
  - ReputationTemplate
    - Address: 0x3a06A6544e48708142508D9042f94DDdA769d04F
Agent:
- Base contract address: 0x88aFC2Fbb10504865598Ac67Ef5A17A1C5EeBA4b
- Git history
- Code diff from beta release (see revision tab)
Current state and future plans
As mentioned earlier, we have held back from releasing new contract (raw functionality!) upgrades to the default suite of apps since 0.7. That does not mean we haven't been working on them, though!
The next major upgrade of the Aragon client, planned for Q2 2020, will include contract upgrades for most, if not all, existing apps. We have already implemented a number of improvements, with more lined up, so stay tuned!
In the meantime, huge new sets of installable functionality are coming online for organizations. Between last month and next month, apps like Open Enterprise from Autark, Aragon Fundraising, Dandelion from 1Hive, and Empower the DAO's applications have either launched or are in the final phases ahead of a Mainnet launch. Exciting experiments, such as daonuts on Reddit, are also being rolled out, so take a moment and try them out! Or maybe you'd like to build an app yourself and would find the developer documentation interesting.
Finally, as a hurrah to the state of the network of Aragon organizations live on Mainnet, I am pleased to announce that we have finally passed the flippening point of non-upgraded 0.6 organizations against new, 0.8 organizations. It took us almost six months since the contract upgrades were released, but our Scout dashboards are now showing that the majority of organizations are operating with the latest, and of course greatest, smart contracts.