feat: pause mechanism and operator-triggered claimRedeem (#252)

* feat: add pause mechanism and operator-triggered claimRedeem

- Add `paused` state with `pause()` (operator or owner) and `unpause()` (owner)
- Gate `deposit()` and `requestRedeem()` with `whenNotPaused`
- Let the operator call `claimRedeem()` on behalf of a user; funds and
  the `RedeemClaimed` event still go to the original withdrawer
- Declare the previously missing `Paused`/`Unpaused` events
- Add unit tests for pause/unpause and operator-claim
- Update fork tests for the new "Not requester or operator" message
- Add script 028 upgrading LidoARM, EtherFiARM, EthenaARM and OETH ARM
  implementations (LidoARM and OETH ARM via governance proposal)

* refactor: remove OriginARM from upgrade script and update governance proposal description

* feat: update governance proposal to include EtherFiARM upgrade and refine comments

Author: clement-ux

script/deploy/mainnet/028_UpgradeARMsPauseScript.s.sol

@@ -0,0 +1,87 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.23;
+
+// Contracts
+import {Proxy} from "contracts/Proxy.sol";
+import {Mainnet} from "contracts/utils/Addresses.sol";
+import {LidoARM} from "contracts/LidoARM.sol";
+import {EthenaARM} from "contracts/EthenaARM.sol";
+import {EtherFiARM} from "contracts/EtherFiARM.sol";
+
+// Deployment
+import {AbstractDeployScript} from "script/deploy/helpers/AbstractDeployScript.s.sol";
+import {GovHelper, GovProposal} from "script/deploy/helpers/GovHelper.sol";
+
+/// @notice Upgrades LidoARM, EtherFiARM, EthenaARM and OETH (Origin) ARM
+/// to the new AbstractARM implementation that adds the pause mechanism
+/// (pause/unpause + whenNotPaused on deposit/requestRedeem) and lets
+/// the operator claim withdrawal requests on behalf of users.
+contract $028_UpgradeARMsPauseScript is AbstractDeployScript("028_UpgradeARMsPauseScript") {
+    using GovHelper for GovProposal;
+
+    LidoARM public lidoARMImpl;
+    EtherFiARM public etherFiARMImpl;
+    EthenaARM public ethenaARMImpl;
+
+    function _execute() internal override {
+        uint256 claimDelay = 10 minutes;
+
+        // 1. LidoARM
+        lidoARMImpl = new LidoARM(
+            Mainnet.STETH,
+            Mainnet.WETH,
+            Mainnet.LIDO_WITHDRAWAL,
+            claimDelay,
+            1e7, // minSharesToRedeem
+            1e18 // allocateThreshold
+        );
+        _recordDeployment("LIDO_ARM_IMPL", address(lidoARMImpl));
+
+        // 2. EtherFiARM
+        etherFiARMImpl = new EtherFiARM(
+            Mainnet.EETH,
+            Mainnet.WETH,
+            Mainnet.ETHERFI_WITHDRAWAL,
+            claimDelay,
+            1e7, // minSharesToRedeem
+            1e18, // allocateThreshold
+            Mainnet.ETHERFI_WITHDRAWAL_NFT
+        );
+        _recordDeployment("ETHERFI_ARM_IMPL", address(etherFiARMImpl));
+
+        // 3. EthenaARM
+        ethenaARMImpl = new EthenaARM(
+            Mainnet.USDE,
+            Mainnet.SUSDE,
+            claimDelay,
+            1e18, // minSharesToRedeem
+            100e18 // allocateThreshold
+        );
+        _recordDeployment("ETHENA_ARM_IMPL", address(ethenaARMImpl));
+    }
+
+    function _buildGovernanceProposal() internal override {
+        govProposal.setDescription("Upgrade LidoARM and EtherFiARM to add pause mechanism and operator-claim");
+
+        govProposal.action(
+            resolver.resolve("LIDO_ARM"), "upgradeTo(address)", abi.encode(resolver.resolve("LIDO_ARM_IMPL"))
+        );
+
+        govProposal.action(
+            resolver.resolve("ETHER_FI_ARM"), "upgradeTo(address)", abi.encode(resolver.resolve("ETHERFI_ARM_IMPL"))
+        );
+    }
+
+    /// @notice EthenaARM is owned by the multisig directly, so we upgrade it
+    /// via a prank in fork simulation. On real deployment, the multisig will execute the upgrade.
+    function _fork() internal override {
+        // EthenaARM
+        Proxy ethenaProxy = Proxy(payable(resolver.resolve("ETHENA_ARM")));
+        address ethenaImpl = resolver.resolve("ETHENA_ARM_IMPL");
+        if (ethenaProxy.implementation() != ethenaImpl) {
+            vm.startPrank(ethenaProxy.owner());
+            ethenaProxy.upgradeTo(ethenaImpl);
+            vm.stopPrank();
+        }
+    }
+}

src/contracts/AbstractARM.sol

@@ -129,7 +129,16 @@ abstract contract AbstractARM is OwnableOperable, ERC20Upgradeable {
     /// @notice Percentage of available liquid assets to keep in the ARM. 100% = 1e18.
     uint256 public armBuffer;
 
-    uint256[38] private _gap;
+    /// @notice True when user-facing ARM actions are paused.
+    bool public paused;
+
+    uint256[37] private _gap;
+
+    ////////////////////////////////////////////////////
+    ///                 Errors
+    ////////////////////////////////////////////////////
+
+    error ContractPaused(); // 0xab35696f
 
     ////////////////////////////////////////////////////
     ///                 Events
@@ -151,6 +160,21 @@ abstract contract AbstractARM is OwnableOperable, ERC20Upgradeable {
     event MarketRemoved(address indexed market);
     event ARMBufferUpdated(uint256 armBuffer);
     event Allocated(address indexed market, int256 targetLiquidityDelta, int256 actualLiquidityDelta);
+    event Paused(address indexed account);
+    event Unpaused(address indexed account);
+
+    ////////////////////////////////////////////////////
+    ///                 Modifiers
+    ////////////////////////////////////////////////////
+
+    modifier whenNotPaused() {
+        if (paused) revert ContractPaused();
+        _;
+    }
+
+    ////////////////////////////////////////////////////
+    ///                 Constructor
+    ////////////////////////////////////////////////////
 
     constructor(
         address _token0,
@@ -535,7 +559,7 @@ abstract contract AbstractARM is OwnableOperable, ERC20Upgradeable {
     /// The caller needs to have approved the contract to transfer the assets.
     /// @param assets The amount of liquidity assets to deposit
     /// @return shares The amount of shares that were minted
-    function deposit(uint256 assets) external returns (uint256 shares) {
+    function deposit(uint256 assets) external whenNotPaused returns (uint256 shares) {
         shares = _deposit(assets, msg.sender);
     }
 
@@ -544,7 +568,7 @@ abstract contract AbstractARM is OwnableOperable, ERC20Upgradeable {
     /// @param assets The amount of liquidity assets to deposit
     /// @param receiver The address that will receive shares.
     /// @return shares The amount of shares that were minted
-    function deposit(uint256 assets, address receiver) external returns (uint256 shares) {
+    function deposit(uint256 assets, address receiver) external whenNotPaused returns (uint256 shares) {
         shares = _deposit(assets, receiver);
     }
 
@@ -587,7 +611,7 @@ abstract contract AbstractARM is OwnableOperable, ERC20Upgradeable {
     /// @return assets The max amount of liquidity assets that will be claimable by the redeemer.
     /// The amount can be less at claim time if ARM's assets per share has decreased. This can happen
     /// from a significant slashing event on the base asset, eg stETH.
-    function requestRedeem(uint256 shares) external returns (uint256 requestId, uint256 assets) {
+    function requestRedeem(uint256 shares) external whenNotPaused returns (uint256 requestId, uint256 assets) {
         // Calculate the amount of assets to transfer to the redeemer
         assets = convertToAssets(shares);
 
@@ -634,7 +658,7 @@ abstract contract AbstractARM is OwnableOperable, ERC20Upgradeable {
         require(request.claimTimestamp <= block.timestamp, "Claim delay not met");
         // Is there enough liquidity in the ARM and lending market to claim this request?
         require(request.queued <= claimable(), "Queue pending liquidity");
-        require(request.withdrawer == msg.sender, "Not requester");
+        require(request.withdrawer == msg.sender || msg.sender == operator, "Not requester or operator");
         require(request.claimed == false, "Already claimed");
 
         // In the scenario where the ARM has made a loss from after the redeem request, the asset value of
@@ -664,10 +688,10 @@ abstract contract AbstractARM is OwnableOperable, ERC20Upgradeable {
             }
         }
 
-        // transfer the liquidity asset to the withdrawer
-        IERC20(liquidityAsset).transfer(msg.sender, assets);
+        // transfer the liquidity asset to the original withdrawer
+        IERC20(liquidityAsset).transfer(request.withdrawer, assets);
 
-        emit RedeemClaimed(msg.sender, requestId, assets);
+        emit RedeemClaimed(request.withdrawer, requestId, assets);
     }
 
     /// @notice Used to work out if an ARM's withdrawal request can be claimed.
@@ -1051,4 +1075,16 @@ abstract contract AbstractARM is OwnableOperable, ERC20Upgradeable {
 
         emit ARMBufferUpdated(_armBuffer);
     }
+
+    /// @notice Pause user-facing ARM actions.
+    function pause() external onlyOperatorOrOwner {
+        paused = true;
+        emit Paused(msg.sender);
+    }
+
+    /// @notice Unpause user-facing ARM actions.
+    function unpause() external onlyOwner {
+        paused = false;
+        emit Unpaused(msg.sender);
+    }
 }

test/fork/LidoARM/ClaimRedeem.t.sol

@@ -89,7 +89,7 @@ contract Fork_Concrete_LidoARM_ClaimRedeem_Test_ is Fork_Shared_Test_ {
 
         // Expect revert
         vm.startPrank(vm.randomAddress());
-        vm.expectRevert("Not requester");
+        vm.expectRevert("Not requester or operator");
         lidoARM.claimRedeem(0);
     }
 

test/unit/OriginARM/ClaimRedeem.sol

@@ -33,16 +33,36 @@ contract Unit_Concrete_OriginARM_ClaimRedeem_Test_ is Unit_Shared_Test {
         originARM.claimRedeem(0);
     }
 
-    function test_RevertWhen_ClaimRedeem_Because_NotWithdrawer()
+    function test_RevertWhen_ClaimRedeem_Because_NotWithdrawerNorOperator()
         public
         requestRedeemAll(alice)
         timejump(CLAIM_DELAY)
-        asNot(alice)
     {
-        vm.expectRevert("Not requester");
+        // bob is neither the withdrawer (alice) nor the operator
+        vm.prank(bob);
+        vm.expectRevert("Not requester or operator");
         originARM.claimRedeem(0);
     }
 
+    function test_ClaimRedeem_AsOperator() public requestRedeemAll(alice) timejump(CLAIM_DELAY) {
+        uint256 aliceBalanceBefore = weth.balanceOf(alice);
+        uint256 operatorBalanceBefore = weth.balanceOf(operator);
+
+        // Operator (not the withdrawer) claims on Alice's behalf
+        vm.prank(operator);
+        vm.expectEmit(address(originARM));
+        // Event reports the actual withdrawer (alice), not the caller
+        emit AbstractARM.RedeemClaimed(alice, 0, DEFAULT_AMOUNT);
+        originARM.claimRedeem(0);
+
+        (, bool claimed,,,,) = originARM.withdrawalRequests(0);
+        assertEq(claimed, true, "Claimed should be true");
+        assertEq(originARM.withdrawsClaimed(), DEFAULT_AMOUNT, "Claimed amount should be DEFAULT_AMOUNT");
+        // Funds go to the original withdrawer (alice), even though the operator triggered the claim
+        assertEq(weth.balanceOf(alice), aliceBalanceBefore + DEFAULT_AMOUNT, "Alice should receive the WETH");
+        assertEq(weth.balanceOf(operator), operatorBalanceBefore, "Operator balance unchanged");
+    }
+
     function test_RevertWhen_ClaimRedeem_Because_AlreadyClaimed() public requestRedeemAll(alice) timejump(CLAIM_DELAY) {
         // Alice claims her redeem
         vm.prank(alice);