feat(evm): OT-RFC-50 V8→V10 admin-push stake migration

[branarakic]

Implements the OT-RFC-50 V8→V10 "pool & allocate" stake migration, admin-push model. Spec: OriginTrail/dkgv10-spec PR #131 (rev 4).

Model

The protocol/admin drains every delegator's V8 stake into their in-protocol migration credit; users only allocate that credit into V10 conviction positions. There is no self-service drain — startMigration is removed.

Contracts (packages/evm-module)

• DKGStakingConvictionNFT: adminDrainBatch(address[] delegators, uint72[] identityIds) — primary bulk drain; flattened (delegator, node) pairs (even per-tx gas), skips zero-drain pairs (no revert → idempotent / re-run-safe). adminMigrateToCredit (single-delegator re-sweep). allocate(targetNode, amount, lockTier) (user spends credit). Both drains are onlyOwnerOrMultiSigOwner and require V8MigrationEligibility.frozen().
• StakingV10: drainV8ToCredit worker (zeroes the V8 slot, moves TRAC SS→CSS, credits the delegator, tags the eligible portion) + allocateFromCredit (mints the conviction position). Tier 0 is exempt from the active-tier gate so the recover-to-wallet path is owner-independent.
• ConvictionStakingStorage: Option-B credit ledger (migrationCredit / eligibleCredit, deploy-time convictionCreditSeconds).
• V8MigrationEligibility: frozen registry gating the tier-6/12 conviction lock-credit.

Safety

• Always recoverable: force-drained funds can be returned to the wallet in two txs — allocate(node, amount, 0) → withdraw — and tier 0 cannot be gated off by the owner.
• Collateralization: every drain moves TRAC SS→CSS exactly; allocate moves no TRAC; credit is never withdrawable as credit.
• Idempotent drains make the chunked off-chain sweep re-run-safe.

Tests & review

• 22 migration tests green (test/v10-pool-migration.test.ts): drain accounting + eligible tagging, adminDrainBatch (skip-zero / idempotent / length-mismatch / gating), allocate (credit gate, partial/clamp, reverts), collateralization, tier-0 recovery + recovery-after-tier-0-deactivation, setConvictionCreditSeconds.
• Adversarial multi-agent review: 2 LOW findings fixed (tier-0 gate, stale exported ABI); a HIGH stakeRewardIndexed finding was refuted (dead/legacy field; the release-gate aggregate _totalStake is independent of it).

Deploy / cutover

• Deploy onto each chain's V8-stake-holding Hub (Base freeze 0x99Aa… / Gnosis 0x882D…), not a fresh Hub.
• The off-chain sweep driver (enumerate DelegatorsInfo.getDelegators → chunked adminDrainBatch → until getTotalStake()==0 per chain) is a separate ops deliverable.
• Cutover gate: assert StakingStorage.getTotalStake() == 0 per chain before unregistering the V8 Staking contract.
• Includes testnet rehearsal tooling under packages/evm-module/scripts/ (mirror-mainnet-delegator, migrate-as-wallet, fork-rehearsal, create-profile + RFC50-TESTNET-REHEARSAL.md).

🤖 Generated with Claude Code

[github-actions]

🔴 Bug: This PR changes the public staking-migration ABI, but the snapshot ABIs under packages/chain/abi/ are still on the old selfMigrateV8 / adminMigrateV8 / ConvertedFromV8 surface. packages/chain/src/evm-adapter-abi.ts prefers those local snapshots, so downstream SDK callers and custom-error decoding will keep using stale interfaces until those copies are regenerated too.

[github-actions]

🟡 Issue: The new pool-migration suite no longer covers the D8 pending withdrawal branch that drainV8ToCredit() still migrates. The deleted regression used to prove stakeBase + pending was transferred SS→CSS; without a replacement test here, a regression would silently under-credit users or re-open the collateralization bug. Please add a case that seeds createDelegatorWithdrawalRequest(...) and asserts both credited amount and vault transfer include pending.

[branarakic]

Addressed the review findings in 46d57d7:

🔴 Stale chain ABI snapshots (codex) — fixed. Regenerated packages/chain/abi/{DKGStakingConvictionNFT,StakingV10,ConvictionStakingStorage}.json to the current migration surface. Since packages/chain/src/evm-adapter-abi.ts prefers these package-local snapshots over the evm-module export, downstream SDK callers were resolving the stale selfMigrateV8/startMigration interface; they now match (adminDrainBatch present, startMigration/selfMigrateV8 gone).

🟡 Missing D8 pending-withdrawal coverage (codex) — fixed. Added a regression in the collateralization block: seeds createDelegatorWithdrawalRequest(...), then asserts the admin drain credits stakeBase + pending and moves the full base + pending SS→CSS (and clears both V8 slots). Suite now 23 green.

Slither reentrancy-events / calls-in-loop (adminMigrateToCredit, adminDrainBatch) — reviewed, benign, no change:

• Both entrypoints are onlyOwnerOrMultiSigOwner; the only external call is to StakingV10.drainV8ToCredit, which is onlyConvictionNFT (callable solely by this wrapper) and touches only trusted protocol storage.
• The sole token movement is StakingStorage.transferStake of TRAC — a standard ERC20 with no transfer callback (no ERC777-style hook), so no re-entrancy vector.
• The drain is idempotent (a re-entered/re-run pair reads a zeroed slot and contributes 0), so even hypothetical re-entry cannot double-credit. The flagged class is reentrancy-events (informational), and the event must follow the call because it reports the drained amount.
• nonReentrant is not used on the analogous allocate/stake/withdraw paths in these contracts, so adding a guard here would be inconsistent. The loop in adminDrainBatch is the intended, documented, re-run-safe batch shape (the off-chain driver packs uniform chunks).

[github-actions]

🔴 Bug: draining V8 stake into credit never re-evaluates the source node's sharding-table membership or recomputes the Ask active set. Under OT-RFC-50 the source node can lose stake immediately while the user allocates later or to a different node, so a node that was above minimumStake only because of V8 stake can remain incorrectly active after the drain. After mutating SS/CSS here, remove the source node when its canonical post-drain stake is sub-threshold and trigger an active-set refresh (batched if you want to avoid per-pair recalcs).

[github-actions]

🟡 Issue: this helper claims to mirror a real delegator position, but it silently drops any pending V8 withdrawal requests. For delegators with pending > 0, the seeded state, admin-drain credit and collateralization rehearsal will all be wrong. Either seed the pending request + vault top-up here, or fail fast when any source position has a non-zero pending amount.

[github-actions]

🟡 Issue: this assertion assumes credited == stakeBase, but adminMigrateToCredit drains stakeBase + pendingWithdrawal. If DELEGATOR is overridden to one with a pending request, the rehearsal will report a failure even though the contract behaved correctly; the next totalBefore - totalAfter assertion has the same problem because totalStake excludes pending. Include pending in the baseline or assert up front that the chosen delegator has no pending withdrawal.

[github-actions]

🟡 Issue: receipt.logs[0].topics[1] assumes the first emitted log is always the profile-created event. That's brittle and can silently print the wrong identityId if createProfile starts emitting another event first. Parse the receipt by event signature/name (or read the created id from contract state) instead of indexing raw logs.

[branarakic]

Round 2 — addressed in 48a301e:

🔴 "drain leaves the source node incorrectly active" — false positive, no change. The premise (a node stays active off un-migrated V8 stake) doesn't hold in this codebase: the V10 active set and sharding table rank nodes by ConvictionStakingStorage.getNodeStakeV10 — Ask.recalculateActiveSet (Ask.sol:35) and ShardingTable (ShardingTable.sol:238), the latter's own comment noting the V8 getNodeStake "is not a faithful read" post-migration. drainV8ToCredit produces unallocated migration credit and never touches nodeStakeV10, so a node's V10 membership is unaffected by the drain — un-migrated V8 stake never made a node active in V10 to begin with. nodeStakeV10 (and therefore the active set) changes only in allocate, which already does insertNode + recalculateActiveSet. So no drain-side recalc is needed (and none is correct).

🟡 three tooling fixes (rehearsal scripts only):

• create-profile.ts — parse the ProfileCreated event by name rather than receipt.logs[0].topics[1] (the call also emits identity/wallet events).
• fork-rehearsal.ts — read the delegator's pending withdrawal; assert credited == base + pending and that totalStake drops by base only (pending is excluded from totalStake), so a DELEGATOR override with a pending request no longer reports a false failure.
• mirror-mainnet-delegator.ts — seed a real pending V8 withdrawal faithfully (fund the vault for base + pending + createDelegatorWithdrawalRequest) instead of silently dropping it.

CI Tornado: Solidity [1/4] / [4/4] — unrelated, not introduced here. Both fail on the CI's ContextGraphs typechain sanity check (createContextGraph binding), and they were already failing on this branch's first commit. This branch changes no ContextGraphs/typechain/config files, and typechain/contracts/ContextGraphs.ts (with createContextGraph) generates fine locally — so it's a pre-existing/base CI-environment issue, not a regression from this PR. The migration suite itself passes (23 green; the ABI freshness, Slither, Aderyn, CodeQL, and shards [2/4]/[3/4] checks are green).

[github-actions]

🔴 Bug: creditApplied can be true while convictionCreditSeconds() is still 0 if the owner freezes the eligibility registry before initializing the credit. Because setConvictionCreditSeconds is blocked after freeze, every eligible 6/12 allocation would then silently lose its promised lock shortening forever. Please fail loudly here (or gate freeze/drain) when eligible credit is being consumed but the credit duration was never configured.

[github-actions]

🔴 Bug: This replaces the public V8 migration surface instead of deprecating it. There are still in-repo callers/docs wired to selfMigrateV8 / adminMigrateV8* and ConvertedFromV8 (for example packages/evm-module/scripts/devnet-credit-smoke.ts and scripts/devnet-rc12-release-validation.sh), so publishing this ABI as-is will break those flows immediately. Either keep compatibility shims or update/remove every existing caller in the same PR.

[github-actions]

🔴 Bug: Predicting tokenId with allocate.staticCall(...) is race-prone on a shared testnet. Another allocation can consume the next id before this transaction is mined, so the later ownerOf(tokenId) can report the wrong NFT or revert. Parse the minted token id from the mined Allocated/Transfer event instead of relying on a preflight static call.

[github-actions]

🔴 Bug: The "immutable after freeze" guarantee is only enforced in the NFT wrapper. This CSS entrypoint is still directly callable by any Hub-registered contract or hub.owner() via onlyContracts, so convictionCreditSeconds can be changed after the eligibility registry is frozen by bypassing the wrapper. Move the freeze check into CSS as well, or narrow this setter to the exact caller path that enforces the freeze invariant.

[github-actions]

🔴 Bug: This replaces the public selfMigrateV8 / adminMigrateV8* flow with a different ABI (adminMigrateToCredit + allocate) and also drops the old ConvertedFromV8 event, but the wrapper still reports version 10.0.2. That is a breaking contract/API change that existing clients and indexers cannot detect from version(). Either keep compatibility shims for the old surface or bump the wrapper version and rollout artifacts in this PR.

[github-actions]

🔴 Bug: Repointing only the Hub entries here is not enough for a realistic fork rehearsal. Ask, ShardingTable, and RandomSampling cache ConvictionStakingStorage in their own initialize() calls, so after this swap they still read the old CSS address. That means allocate()'s active-set/sharding path is exercised against stale stake data, and the rehearsal can pass while production would still be wired incorrectly. Reinitialize or redeploy every contract that caches CSS before using the new stack.

[github-actions]

🟡 Issue: The registry already frozen branch silently skips eligibility setup and still proceeds to drain later. If this helper is rerun for a different TARGET_DELEGATOR or node set after freeze, the wallet will be mirrored and drained as non-eligible with no way to correct it. Fail fast here unless the target (identityId, delegator) pairs are already present in the frozen registry and convictionCreditSeconds matches the expected value.

[github-actions]

Codex review skipped: filtered diff is 5743 lines (cap: 5,000). Please consider splitting this into smaller PRs for reviewability.

[github-actions]

Codex review skipped: filtered diff is 5737 lines (cap: 5,000). Please consider splitting this into smaller PRs for reviewability.

[github-actions]

Codex review skipped: filtered diff is 7871 lines (cap: 5,000). Please consider splitting this into smaller PRs for reviewability.

[zsculac]

The sweep runbook and driver should use the same cutover ordering. The driver currently requires the legacy V8 Staking entrypoint to be unregistered/frozen before a sweep runs, but the runbook text implies the unregister step happens after the sweep. I think the runbook should be updated so the sequence is explicit: freeze/unregister the V8 staking entrypoint first, then run plan, then execute the sweep, then verify. That avoids building and executing a sweep against balances that can still change while the migration is in progress.

[zsculac]

I do not see a V8 operator-fee migration path in this PR. The current drain path (StakingV10.drainV8ToCredit) reads only the delegator V8 stakeBase plus delegator pending withdrawal amount, transfers that total SS→CSS, and credits migrationCredit[delegator]. It does not read or transfer StakingStorage.getOperatorFeeBalance(identityId) or open operator-fee withdrawal requests into ConvictionStakingStorage.

The sweep driver also treats operator fees as residual vault funds that are explicitly not drained. That means V8 operator-fee balances must either be withdrawn/restaked by operators before V8 Staking is unregistered, or this PR needs an explicit operator-fee migration/rescue flow. Otherwise, once V8 Staking is no longer Hub-registered, the normal operator-fee request/finalize/restake functions may no longer be able to mutate StakingStorage, leaving those balances stranded in the old vault.

This is not just theoretical: current active-node V8 mainnet reads show nonzero operator-fee balances on NeuroWeb, Gnosis, and Base. Please either add a V8 operator-fee migration path, or make the cutover runbook explicitly require clearing/finalizing/restaking operator fees before shutdown and verify zero residual operator-fee balances/requests per chain.

[zsculac]

The sweep driver should hard-fail before submitting transactions when the pre-sweep vault decomposition shows an unresolved accounting gap.

Today the plan prints red warnings for cases such as ACTIVE-STAKE GAP or UNATTRIBUTED VAULT TRAC, but MODE=execute continues into chunk submission and only fails after the final verification. I think these should be preflight blockers: if activeGap > 0, unattributed > DUST_TOLERANCE, or the pending-only event scan was degraded/skipped, execution should stop before sending any adminDrainBatch transaction unless an explicit override is provided.

The reason is operational safety rather than reentrancy/token leakage: an unattributed vault balance means the driver cannot currently classify all TRAC in StakingStorage as active delegator stake, pending delegator withdrawals, or operator fees. Executing anyway can produce a partially completed sweep that still requires manual reconciliation afterward. A hard preflight stop makes the migration process easier to reason about and prevents a red plan from becoming a sent transaction by accident.