cosmos · Zygimantass · Mar 11, 2025
@@ -24,6 +24,7 @@
   },
   "light_clients": {
     "0": {
+      "clientId": "client-0",
       "implementation": "0x1328ec28990dF0de8993F474d5735918397AbD67",
       "verifier": "0xbACD04656Fd51BA2f97878d91695327B372E35Ad",
       "counterpartyClientId": "test1",
@@ -37,6 +38,22 @@
       "membershipVkey": "0x0026906fe0778c42e576c204c400e4550aeed50e29a131d05d0e152cc37b55a0",
       "ucAndMembershipVkey": "0x00d4f07bc9752fec5872a600ad049e7bbc3a49eeef435b0d62239750a2a5e519",
       "misbehaviourVkey": "0x00d9cb031eaf179a5f39864bb660aadf2cd71196e4431cf1e9eeed72aa30bf84"
+    },
+    "1": {
+      "clientId": "client-1",
+      "implementation": "0xF39bCCE0F1368B7Cb7d8014009a6B7BD19C0B85e",
+      "verifier": "0x32e8B9113B3AD0fc9EBD1f7B8134518a47f6729c",
+      "counterpartyClientId": "08-wasm-254",
+      "merklePrefix": [
+        "ibc",
+        ""
+      ],
+      "trustedClientState": "000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000001200000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a5fdfd000000000000000000000000000000000000000000000000000000000012750000000000000000000000000000000000000000000000000000000000001baf8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000870726f7669646572000000000000000000000000000000000000000000000000",
+      "trustedConsensusState": "0000000000000000000000000000000000000000000000000000000067d050fa60351a5614aa2e59661f63f11f636ee4e0da31d8130d525e2439f566243894438483c3c3bde23159b4605842d5ce73691f7755a19654bd12d2ce96b79dca1084",
+      "updateClientVkey": "0x0091b7766cc8267041695229bc125c29a96a8d2ec016a57c6a87a4f1c52c088f",
+      "membershipVkey": "0x00bb87e99e31bb4e1d37e5b7bc270a28fa0d51f38d5064e7c40e253503715bfd",
+      "ucAndMembershipVkey": "0x00987cfc3ada54abcd8d7a0ff5299ba7acfa1d4e7cf1bba8054edaa1e4b1ee5c",
+      "misbehaviourVkey": "0x006ebe640f81926f9c51ccf622717a2fd53a1c7ed034818b99b0bbaacb98fe61"
     }
   }
 }
@@ -0,0 +1,46 @@
+## RUNBOOK - upgrading light client
+
+### Roles
+
+| Role         | Person |
+|--------------|--------|
+| Facilitator  |        |
+| Communicator |        |
+| Notekeeper   |        |
+| Signers      |        |
+
+### Runbook
+
+1. Create an operations report (copy of this document) in docs/security/operations 
+2. Facilitator determines the correct paramaters for the new light client
+    - These can be fetched and independently verified using the `operator` CLI tool.
+3. Facilitator creates a pull request in `solidity-ibc-eureka` to add the new light client
+4. Signers verify the parameters for the new light client
+5. The pull request is merged and the new light client should automatically be deployed using the CI pipeline
+    - If the GitHub or the CI pipeline is unavailable, the facilitator should opt to deploy the light client using `forge script DeploySP1TendermintLightClient.sol` script.
+6. The signers should independently verify that the Light Client parameters are correct on-chain
+    - This can be done by running `DEPLOYMENT_ENV=mainnet-prod forge script scripts/deployments/DeploySP1TendermintLightClient.sol --rpc-url <RPC>`. If the script runs successfully and the parameters are in the `deployments/mainnet-prod/<chain_id>.json` file, this means that the parameters are correct.
+7. The facilitator submits a transaction proposal to the Gnosis Safe.
+    - The transaction proposal should contain a transaction to the `TimelockController` calling `schedule(ICS26RouterAddress, 0, migrateClient(oldClientId, newClientId), 0, 0, 259200)`
+    - The `ICS26Router` can be verified in the deployment JSON files, as it should be calling the canonical one.
+    - The calldata to the timelock (field in the schedule call) can be generated by running `cast calldata "migrateClient(string calldata,string calldata) oldClientId newClientId" `
+    - The calldata to the timelock (field in the schedule call) can be verified by running `cast decode-calldata "migrateClient(string calldata,string calldata)" <calldata>`
+8. The signers independently verify that the transaction contents contain the expected call
+9.  The facilitator collects signatures from the signers on Gnosis Safe
+    - ** (!!) The signers should verify the Tenderly simulation from the Gnosis Safe UI. They should make sure that the domainHash matches what they are seeing in the blind-signing window on their hardware wallet**
+    - For additional security, the signers should also independently verify the transaction contents by using the [safe-tx-hashes-util](https://github.com/pcaversaccio/safe-tx-hashes-util) tool.
+10. The facilitator executes the time-locked transaction on-chain
+11. The facilitator executes the transaction in the time-lock on-chain
+
+### Checklist
+
+- [ ] The facilitator has determined the correct parameters for the new light client
+- [ ] The facilitator has created a pull request to add the new light client
+- [ ] The signers have independently verified that the new light client parameters are correct
+- [ ] The facilitator has merged the pull request and the new light client has been deployed on-chain
+- [ ] The signers and facilitator have independently verified that the new light client parameters are correct on-chain
+- [ ] The facilitator has submitted a time-locked transaction proposal to the Gnosis Safe to migrate light clients
+- [ ] The signers have independently verified that the transaction proposal is correct
+- [ ] The signers have signed the transaction proposal for the time-lock
+- [ ] The facilitator has executed the transaction proposal for the time-lock
+- [ ] The facilitator has executed the transaction on-chain