Governance

This document is better viewed at https://docs.openzeppelin.com/contracts/api/governance

This directory includes primitives for on-chain governance.

Governor

This modular system of Governor contracts allows the deployment on-chain voting protocols similar to Compound’s Governor Alpha & Bravo and beyond, through the ability to easily customize multiple aspects of the protocol.

For a guided experience, set up your Governor contract using Contracts Wizard.

For a written walkthrough, check out our guide on How to set up on-chain governance.

  • Governor: The core contract that contains all the logic and primitives. It is abstract and requires choosing one of each of the modules below, or custom ones.

Votes modules determine the source of voting power, and sometimes quorum number.

Counting modules determine valid voting options.

  • GovernorCountingSimple: Simple voting mechanism with 3 voting options: Against, For and Abstain.

  • GovernorCountingFractional: A more modular voting system that allows a user to vote with only part of its voting power, and to split that weight arbitrarily between the 3 different options (Against, For and Abstain).

Timelock extensions add a delay for governance decisions to be executed. The workflow is extended to require a queue step before execution. With these modules, proposals are executed by the external timelock contract, thus it is the timelock that has to hold the assets that are being governed.

Other extensions can customize the behavior or interface in multiple ways.

  • GovernorStorage: Stores the proposal details onchain and provides enumerability of the proposals. This can be useful for some L2 chains where storage is cheap compared to calldata.

  • GovernorSettings: Manages some of the settings (voting delay, voting period duration, and proposal threshold) in a way that can be updated through a governance proposal, without requiring an upgrade.

  • GovernorPreventLateQuorum: Ensures there is a minimum voting period after quorum is reached as a security protection against large voters.

In addition to modules and extensions, the core contract requires a few virtual functions to be implemented to your particular specifications:

  • votingDelay(): Delay (in ERC-6372 clock) since the proposal is submitted until voting power is fixed and voting starts. This can be used to enforce a delay after a proposal is published for users to buy tokens, or delegate their votes.

  • votingPeriod(): Delay (in ERC-6372 clock) since the proposal starts until voting ends.

  • quorum(uint256 timepoint): Quorum required for a proposal to be successful. This function includes a timepoint argument (see ERC-6372) so the quorum can adapt through time, for example, to follow a token’s totalSupply.

Functions of the Governor contract do not include access control. If you want to restrict access, you should add these checks by overloading the particular functions. Among these, Governor._cancel is internal by default, and you will have to expose it (with the right access control mechanism) yourself if this function is needed.

Core

IGovernor

import "@openzeppelin/contracts/governance/IGovernor.sol";

Interface of the Governor core.

Event parameters lack the indexed keyword for compatibility with GovernorBravo events. Making event parameters indexed affects how events are decoded, potentially breaking existing indexers.

name() → string external

Name of the governor instance (used in building the EIP-712 domain separator).

version() → string external

Version of the governor instance (used in building the EIP-712 domain separator). Default: "1"

COUNTING_MODE() → string external

A description of the possible support values for castVote and the way these votes are counted, meant to be consumed by UIs to show correct vote options and interpret the results. The string is a URL-encoded sequence of key-value pairs that each describe one aspect, for example support=bravo&quorum=for,abstain.

There are 2 standard keys: support and quorum.

  • support=bravo refers to the vote options 0 = Against, 1 = For, 2 = Abstain, as in GovernorBravo.

  • quorum=bravo means that only For votes are counted towards quorum.

  • quorum=for,abstain means that both For and Abstain votes are counted towards quorum.

If a counting module makes use of encoded params, it should include this under a params key with a unique name that describes the behavior. For example:

  • params=fractional might refer to a scheme where votes are divided fractionally between for/against/abstain.

  • params=erc721 might refer to a scheme where specific NFTs are delegated to vote.

The string can be decoded by the standard URLSearchParams JavaScript class.

hashProposal(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 external

Hashing function used to (re)build the proposal id from the proposal details..

state(uint256 proposalId) → enum IGovernor.ProposalState external

Current state of a proposal, following Compound’s convention

proposalThreshold() → uint256 external

The number of votes required in order for a voter to become a proposer.

proposalSnapshot(uint256 proposalId) → uint256 external

Timepoint used to retrieve user’s votes and quorum. If using block number (as per Compound’s Comp), the snapshot is performed at the end of this block. Hence, voting for this proposal starts at the beginning of the following block.

proposalDeadline(uint256 proposalId) → uint256 external

Timepoint at which votes close. If using block number, votes close at the end of this block, so it is possible to cast a vote during this block.

proposalProposer(uint256 proposalId) → address external

The account that created a proposal.

proposalEta(uint256 proposalId) → uint256 external

The time when a queued proposal becomes executable ("ETA"). Unlike proposalSnapshot and proposalDeadline, this doesn’t use the governor clock, and instead relies on the executor’s clock which may be different. In most cases this will be a timestamp.

proposalNeedsQueuing(uint256 proposalId) → bool external

Whether a proposal needs to be queued before execution.

votingDelay() → uint256 external

Delay, between the proposal is created and the vote starts. The unit this duration is expressed in depends on the clock (see ERC-6372) this contract uses.

This can be increased to leave time for users to buy voting power, or delegate it, before the voting of a proposal starts.

While this interface returns a uint256, timepoints are stored as uint48 following the ERC-6372 clock type. Consequently this value must fit in a uint48 (when added to the current clock). See IERC6372.clock.

votingPeriod() → uint256 external

Delay between the vote start and vote end. The unit this duration is expressed in depends on the clock (see ERC-6372) this contract uses.

The votingDelay can delay the start of the vote. This must be considered when setting the voting duration compared to the voting delay.
This value is stored when the proposal is submitted so that possible changes to the value do not affect proposals that have already been submitted. The type used to save it is a uint32. Consequently, while this interface returns a uint256, the value it returns should fit in a uint32.

quorum(uint256 timepoint) → uint256 external

Minimum number of cast voted required for a proposal to be successful.

The timepoint parameter corresponds to the snapshot used for counting vote. This allows to scale the quorum depending on values such as the totalSupply of a token at this timepoint (see ERC20Votes).

getVotes(address account, uint256 timepoint) → uint256 external

Voting power of an account at a specific timepoint.

Note: this can be implemented in a number of ways, for example by reading the delegated balance from one (or multiple), ERC20Votes tokens.

getVotesWithParams(address account, uint256 timepoint, bytes params) → uint256 external

Voting power of an account at a specific timepoint given additional encoded parameters.

hasVoted(uint256 proposalId, address account) → bool external

Returns whether account has cast a vote on proposalId.

propose(address[] targets, uint256[] values, bytes[] calldatas, string description) → uint256 proposalId external

Create a new proposal. Vote start after a delay specified by IGovernor.votingDelay and lasts for a duration specified by IGovernor.votingPeriod.

Emits a ProposalCreated event.

The state of the Governor and targets may change between the proposal creation and its execution. This may be the result of third party actions on the targeted contracts, or other governor proposals. For example, the balance of this contract could be updated or its access control permissions may be modified, possibly compromising the proposal’s ability to execute successfully (e.g. the governor doesn’t have enough value to cover a proposal with multiple transfers).

queue(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 proposalId external

Queue a proposal. Some governors require this step to be performed before execution can happen. If queuing is not necessary, this function may revert. Queuing a proposal requires the quorum to be reached, the vote to be successful, and the deadline to be reached.

Emits a ProposalQueued event.

execute(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 proposalId external

Execute a successful proposal. This requires the quorum to be reached, the vote to be successful, and the deadline to be reached. Depending on the governor it might also be required that the proposal was queued and that some delay passed.

Emits a ProposalExecuted event.

Some modules can modify the requirements for execution, for example by adding an additional timelock.

cancel(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 proposalId external

Cancel a proposal. A proposal is cancellable by the proposer, but only while it is Pending state, i.e. before the vote starts.

Emits a ProposalCanceled event.

castVote(uint256 proposalId, uint8 support) → uint256 balance external

Cast a vote

Emits a VoteCast event.

castVoteWithReason(uint256 proposalId, uint8 support, string reason) → uint256 balance external

Cast a vote with a reason

Emits a VoteCast event.

castVoteWithReasonAndParams(uint256 proposalId, uint8 support, string reason, bytes params) → uint256 balance external

Cast a vote with a reason and additional encoded parameters

Emits a VoteCast or VoteCastWithParams event depending on the length of params.

castVoteBySig(uint256 proposalId, uint8 support, address voter, bytes signature) → uint256 balance external

Cast a vote using the voter’s signature, including ERC-1271 signature support.

Emits a VoteCast event.

castVoteWithReasonAndParamsBySig(uint256 proposalId, uint8 support, address voter, string reason, bytes params, bytes signature) → uint256 balance external

Cast a vote with a reason and additional encoded parameters using the voter’s signature, including ERC-1271 signature support.

Emits a VoteCast or VoteCastWithParams event depending on the length of params.

ProposalCreated(uint256 proposalId, address proposer, address[] targets, uint256[] values, string[] signatures, bytes[] calldatas, uint256 voteStart, uint256 voteEnd, string description) event

Emitted when a proposal is created.

ProposalQueued(uint256 proposalId, uint256 etaSeconds) event

Emitted when a proposal is queued.

ProposalExecuted(uint256 proposalId) event

Emitted when a proposal is executed.

ProposalCanceled(uint256 proposalId) event

Emitted when a proposal is canceled.

VoteCast(address indexed voter, uint256 proposalId, uint8 support, uint256 weight, string reason) event

Emitted when a vote is cast without params.

Note: support values should be seen as buckets. Their interpretation depends on the voting module used.

VoteCastWithParams(address indexed voter, uint256 proposalId, uint8 support, uint256 weight, string reason, bytes params) event

Emitted when a vote is cast with params.

Note: support values should be seen as buckets. Their interpretation depends on the voting module used. params are additional encoded parameters. Their interpretation also depends on the voting module used.

GovernorInvalidProposalLength(uint256 targets, uint256 calldatas, uint256 values) error

Empty proposal or a mismatch between the parameters length for a proposal call.

GovernorAlreadyCastVote(address voter) error

The vote was already cast.

GovernorDisabledDeposit() error

Token deposits are disabled in this contract.

GovernorOnlyProposer(address account) error

The account is not a proposer.

GovernorOnlyExecutor(address account) error

The account is not the governance executor.

GovernorNonexistentProposal(uint256 proposalId) error

The proposalId doesn’t exist.

GovernorUnexpectedProposalState(uint256 proposalId, enum IGovernor.ProposalState current, bytes32 expectedStates) error

The current state of a proposal is not the required for performing an operation. The expectedStates is a bitmap with the bits enabled for each ProposalState enum position counting from right to left.

If expectedState is bytes32(0), the proposal is expected to not be in any state (i.e. not exist). This is the case when a proposal that is expected to be unset is already initiated (the proposal is duplicated).

GovernorInvalidVotingPeriod(uint256 votingPeriod) error

The voting period set is not a valid period.

GovernorInsufficientProposerVotes(address proposer, uint256 votes, uint256 threshold) error

The proposer does not have the required votes to create a proposal.

GovernorRestrictedProposer(address proposer) error

The proposer is not allowed to create a proposal.

GovernorInvalidVoteType() error

The vote type used is not valid for the corresponding counting module.

GovernorInvalidVoteParams() error

The provided params buffer is not supported by the counting module.

GovernorQueueNotImplemented() error

Queue operation is not implemented for this governor. Execute should be called directly.

GovernorNotQueuedProposal(uint256 proposalId) error

The proposal hasn’t been queued yet.

GovernorAlreadyQueuedProposal(uint256 proposalId) error

The proposal has already been queued.

GovernorInvalidSignature(address voter) error

The provided signature is not valid for the expected voter. If the voter is a contract, the signature is not valid using IERC1271.isValidSignature.

Governor

import "@openzeppelin/contracts/governance/Governor.sol";

Core of the governance system, designed to be extended through various modules.

This contract is abstract and requires several functions to be implemented in various modules:

Modifiers
Functions

onlyGovernance() modifier

Restricts a function so it can only be executed through governance proposals. For example, governance parameter setters in GovernorSettings are protected using this modifier.

The governance executing address may be different from the Governor’s own address, for example it could be a timelock. This can be customized by modules by overriding _executor. The executor is only able to invoke these functions during the execution of the governor’s execute function, and not under any other circumstances. Thus, for example, additional timelock proposers are not able to change governance parameters without going through the governance protocol (since v4.6).

constructor(string name_) internal

Sets the value for name and version

receive() external

Function to receive ETH that will be handled by the governor (disabled if executor is a third party contract)

supportsInterface(bytes4 interfaceId) → bool public

name() → string public

version() → string public

hashProposal(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 public

The proposal id is produced by hashing the ABI encoded targets array, the values array, the calldatas array and the descriptionHash (bytes32 which itself is the keccak256 hash of the description string). This proposal id can be produced from the proposal data which is part of the ProposalCreated event. It can even be computed in advance, before the proposal is submitted.

Note that the chainId and the governor address are not part of the proposal id computation. Consequently, the same proposal (with same operation and same description) will have the same id if submitted on multiple governors across multiple networks. This also means that in order to execute the same operation twice (on the same governor) the proposer will have to change the description in order to avoid proposal id conflicts.

state(uint256 proposalId) → enum IGovernor.ProposalState public

proposalThreshold() → uint256 public

proposalSnapshot(uint256 proposalId) → uint256 public

proposalDeadline(uint256 proposalId) → uint256 public

proposalProposer(uint256 proposalId) → address public

proposalEta(uint256 proposalId) → uint256 public

proposalNeedsQueuing(uint256) → bool public

_checkGovernance() internal

Reverts if the msg.sender is not the executor. In case the executor is not this contract itself, the function reverts if msg.data is not whitelisted as a result of an execute operation. See onlyGovernance.

_quorumReached(uint256 proposalId) → bool internal

Amount of votes already cast passes the threshold limit.

_voteSucceeded(uint256 proposalId) → bool internal

Is the proposal successful or not.

_getVotes(address account, uint256 timepoint, bytes params) → uint256 internal

Get the voting weight of account at a specific timepoint, for a vote as described by params.

_countVote(uint256 proposalId, address account, uint8 support, uint256 totalWeight, bytes params) → uint256 internal

Register a vote for proposalId by account with a given support, voting weight and voting params.

Note: Support is generic and can represent various things depending on the voting system used.

_defaultParams() → bytes internal

Default additional encoded parameters used by castVote methods that don’t include them

Note: Should be overridden by specific implementations to use an appropriate value, the meaning of the additional params, in the context of that implementation

propose(address[] targets, uint256[] values, bytes[] calldatas, string description) → uint256 public

See IGovernor.propose. This function has opt-in frontrunning protection, described in _isValidDescriptionForProposer.

_propose(address[] targets, uint256[] values, bytes[] calldatas, string description, address proposer) → uint256 proposalId internal

Internal propose mechanism. Can be overridden to add more logic on proposal creation.

Emits a IGovernor.ProposalCreated event.

queue(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 public

_queueOperations(uint256, address[], uint256[], bytes[], bytes32) → uint48 internal

Internal queuing mechanism. Can be overridden (without a super call) to modify the way queuing is performed (for example adding a vault/timelock).

This is empty by default, and must be overridden to implement queuing.

This function returns a timestamp that describes the expected ETA for execution. If the returned value is 0 (which is the default value), the core will consider queueing did not succeed, and the public queue function will revert.

Calling this function directly will NOT check the current state of the proposal, or emit the ProposalQueued event. Queuing a proposal should be done using queue.

execute(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 public

_executeOperations(uint256, address[] targets, uint256[] values, bytes[] calldatas, bytes32) internal

Internal execution mechanism. Can be overridden (without a super call) to modify the way execution is performed (for example adding a vault/timelock).

Calling this function directly will NOT check the current state of the proposal, set the executed flag to true or emit the ProposalExecuted event. Executing a proposal should be done using execute or {_execute}.

cancel(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 public

_cancel(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 internal

Internal cancel mechanism with minimal restrictions. A proposal can be cancelled in any state other than Canceled, Expired, or Executed. Once cancelled a proposal can’t be re-submitted.

getVotes(address account, uint256 timepoint) → uint256 public

getVotesWithParams(address account, uint256 timepoint, bytes params) → uint256 public

castVote(uint256 proposalId, uint8 support) → uint256 public

castVoteWithReason(uint256 proposalId, uint8 support, string reason) → uint256 public

castVoteWithReasonAndParams(uint256 proposalId, uint8 support, string reason, bytes params) → uint256 public

castVoteBySig(uint256 proposalId, uint8 support, address voter, bytes signature) → uint256 public

castVoteWithReasonAndParamsBySig(uint256 proposalId, uint8 support, address voter, string reason, bytes params, bytes signature) → uint256 public

_castVote(uint256 proposalId, address account, uint8 support, string reason) → uint256 internal

Internal vote casting mechanism: Check that the vote is pending, that it has not been cast yet, retrieve voting weight using IGovernor.getVotes and call the _countVote internal function. Uses the _defaultParams().

Emits a IGovernor.VoteCast event.

_castVote(uint256 proposalId, address account, uint8 support, string reason, bytes params) → uint256 internal

Internal vote casting mechanism: Check that the vote is pending, that it has not been cast yet, retrieve voting weight using IGovernor.getVotes and call the _countVote internal function.

Emits a IGovernor.VoteCast event.

relay(address target, uint256 value, bytes data) external

Relays a transaction or function call to an arbitrary target. In cases where the governance executor is some contract other than the governor itself, like when using a timelock, this function can be invoked in a governance proposal to recover tokens or Ether that was sent to the governor contract by mistake. Note that if the executor is simply the governor itself, use of relay is redundant.

_executor() → address internal

Address through which the governor executes action. Will be overloaded by module that execute actions through another contract such as a timelock.

onERC721Received(address, address, uint256, bytes) → bytes4 public

See IERC721Receiver.onERC721Received. Receiving tokens is disabled if the governance executor is other than the governor itself (eg. when using with a timelock).

onERC1155Received(address, address, uint256, uint256, bytes) → bytes4 public

See IERC1155Receiver.onERC1155Received. Receiving tokens is disabled if the governance executor is other than the governor itself (eg. when using with a timelock).

onERC1155BatchReceived(address, address, uint256[], uint256[], bytes) → bytes4 public

See IERC1155Receiver.onERC1155BatchReceived. Receiving tokens is disabled if the governance executor is other than the governor itself (eg. when using with a timelock).

_encodeStateBitmap(enum IGovernor.ProposalState proposalState) → bytes32 internal

Encodes a ProposalState into a bytes32 representation where each bit enabled corresponds to the underlying position in the ProposalState enum. For example:

0x000…​10000 ^^------ …​ ^----- Succeeded ^---- Defeated ^--- Canceled ^-- Active ^- Pending

_isValidDescriptionForProposer(address proposer, string description) → bool internal

clock() → uint48 public

Clock used for flagging checkpoints. Can be overridden to implement timestamp based checkpoints (and voting).

CLOCK_MODE() → string public

Description of the clock

votingDelay() → uint256 public

Delay, between the proposal is created and the vote starts. The unit this duration is expressed in depends on the clock (see ERC-6372) this contract uses.

This can be increased to leave time for users to buy voting power, or delegate it, before the voting of a proposal starts.

While this interface returns a uint256, timepoints are stored as uint48 following the ERC-6372 clock type. Consequently this value must fit in a uint48 (when added to the current clock). See IERC6372.clock.

votingPeriod() → uint256 public

Delay between the vote start and vote end. The unit this duration is expressed in depends on the clock (see ERC-6372) this contract uses.

The votingDelay can delay the start of the vote. This must be considered when setting the voting duration compared to the voting delay.
This value is stored when the proposal is submitted so that possible changes to the value do not affect proposals that have already been submitted. The type used to save it is a uint32. Consequently, while this interface returns a uint256, the value it returns should fit in a uint32.

quorum(uint256 timepoint) → uint256 public

Minimum number of cast voted required for a proposal to be successful.

The timepoint parameter corresponds to the snapshot used for counting vote. This allows to scale the quorum depending on values such as the totalSupply of a token at this timepoint (see ERC20Votes).

BALLOT_TYPEHASH() → bytes32 public

EXTENDED_BALLOT_TYPEHASH() → bytes32 public

Modules

GovernorCountingSimple

import "@openzeppelin/contracts/governance/extensions/GovernorCountingSimple.sol";

Extension of Governor for simple, 3 options, vote counting.

Functions
Governor

COUNTING_MODE() → string public

hasVoted(uint256 proposalId, address account) → bool public

proposalVotes(uint256 proposalId) → uint256 againstVotes, uint256 forVotes, uint256 abstainVotes public

Accessor to the internal vote counts.

_quorumReached(uint256 proposalId) → bool internal

_voteSucceeded(uint256 proposalId) → bool internal

See Governor._voteSucceeded. In this module, the forVotes must be strictly over the againstVotes.

_countVote(uint256 proposalId, address account, uint8 support, uint256 totalWeight, bytes) → uint256 internal

See Governor._countVote. In this module, the support follows the VoteType enum (from Governor Bravo).

GovernorCountingFractional

import "@openzeppelin/contracts/governance/extensions/GovernorCountingFractional.sol";

Extension of Governor for fractional voting.

Similar to GovernorCountingSimple, this contract is a votes counting module for Governor that supports 3 options: Against, For, Abstain. Additionally, it includes a fourth option: Fractional, which allows voters to split their voting power amongst the other 3 options.

Votes cast with the Fractional support must be accompanied by a params argument that is three packed uint128 values representing the weight the delegate assigns to Against, For, and Abstain respectively. For those votes cast for the other 3 options, the params argument must be empty.

This is mostly useful when the delegate is a contract that implements its own rules for voting. These delegate-contracts can cast fractional votes according to the preferences of multiple entities delegating their voting power.

Some example use cases include:

  • Voting from tokens that are held by a DeFi pool

  • Voting from an L2 with tokens held by a bridge

  • Voting privately from a shielded pool using zero knowledge proofs.

Available since v5.1.

Functions
Governor

COUNTING_MODE() → string public

hasVoted(uint256 proposalId, address account) → bool public

usedVotes(uint256 proposalId, address account) → uint256 public

Get the number of votes already cast by account for a proposal with proposalId. Useful for integrations that allow delegates to cast rolling, partial votes.

proposalVotes(uint256 proposalId) → uint256 againstVotes, uint256 forVotes, uint256 abstainVotes public

Get current distribution of votes for a given proposal.

_quorumReached(uint256 proposalId) → bool internal

_voteSucceeded(uint256 proposalId) → bool internal

See Governor._voteSucceeded. In this module, forVotes must be > againstVotes.

_countVote(uint256 proposalId, address account, uint8 support, uint256 totalWeight, bytes params) → uint256 internal

See Governor._countVote. Function that records the delegate’s votes.

Executing this function consumes (part of) the delegate’s weight on the proposal. This weight can be distributed amongst the 3 options (Against, For, Abstain) by specifying a fractional support.

This counting module supports two vote casting modes: nominal and fractional.

  • Nominal: A nominal vote is cast by setting support to one of the 3 bravo options (Against, For, Abstain).

  • Fractional: A fractional vote is cast by setting support to type(uint8).max (255).

Casting a nominal vote requires params to be empty and consumes the delegate’s full remaining weight on the proposal for the specified support option. This is similar to the GovernorCountingSimple module and follows the VoteType enum from Governor Bravo. As a consequence, no vote weight remains unspent so no further voting is possible (for this proposalId and this account).

Casting a fractional vote consumes a fraction of the delegate’s remaining weight on the proposal according to the weights the delegate assigns to each support option (Against, For, Abstain respectively). The sum total of the three decoded vote weights must be less than or equal to the delegate’s remaining weight on the proposal (i.e. their checkpointed total weight minus votes already cast on the proposal). This format can be produced using:

abi.encodePacked(uint128(againstVotes), uint128(forVotes), uint128(abstainVotes))

Consider that fractional voting restricts the number of casted vote (in each category) to 128 bits. Depending on how many decimals the underlying token has, a single voter may require to split their vote into multiple vote operations. For precision higher than ~30 decimals, large token holders may require an potentially large number of calls to cast all their votes. The voter has the possibility to cast all the remaining votes in a single operation using the traditional "bravo" vote.

GovernorExceedRemainingWeight(address voter, uint256 usedVotes, uint256 remainingWeight) error

A fractional vote params uses more votes than are available for that user.

uint8 VOTE_TYPE_FRACTIONAL internal constant

GovernorVotes

import "@openzeppelin/contracts/governance/extensions/GovernorVotes.sol";

Extension of Governor for voting weight extraction from an ERC20Votes token, or since v4.5 an ERC721Votes token.

Functions
Governor

constructor(contract IVotes tokenAddress) internal

token() → contract IERC5805 public

The token that voting power is sourced from.

clock() → uint48 public

Clock (as specified in ERC-6372) is set to match the token’s clock. Fallback to block numbers if the token does not implement ERC-6372.

CLOCK_MODE() → string public

Machine-readable description of the clock as specified in ERC-6372.

_getVotes(address account, uint256 timepoint, bytes) → uint256 internal

GovernorVotesQuorumFraction

import "@openzeppelin/contracts/governance/extensions/GovernorVotesQuorumFraction.sol";

Extension of Governor for voting weight extraction from an ERC20Votes token and a quorum expressed as a fraction of the total supply.

Functions
Governor

constructor(uint256 quorumNumeratorValue) internal

Initialize quorum as a fraction of the token’s total supply.

The fraction is specified as numerator / denominator. By default the denominator is 100, so quorum is specified as a percent: a numerator of 10 corresponds to quorum being 10% of total supply. The denominator can be customized by overriding quorumDenominator.

quorumNumerator() → uint256 public

Returns the current quorum numerator. See quorumDenominator.

quorumNumerator(uint256 timepoint) → uint256 public

Returns the quorum numerator at a specific timepoint. See quorumDenominator.

quorumDenominator() → uint256 public

Returns the quorum denominator. Defaults to 100, but may be overridden.

quorum(uint256 timepoint) → uint256 public

Returns the quorum for a timepoint, in terms of number of votes: supply * numerator / denominator.

updateQuorumNumerator(uint256 newQuorumNumerator) external

Changes the quorum numerator.

Emits a QuorumNumeratorUpdated event.

Requirements:

  • Must be called through a governance proposal.

  • New numerator must be smaller or equal to the denominator.

_updateQuorumNumerator(uint256 newQuorumNumerator) internal

Changes the quorum numerator.

Emits a QuorumNumeratorUpdated event.

Requirements:

  • New numerator must be smaller or equal to the denominator.

QuorumNumeratorUpdated(uint256 oldQuorumNumerator, uint256 newQuorumNumerator) event

GovernorInvalidQuorumFraction(uint256 quorumNumerator, uint256 quorumDenominator) error

The quorum set is not a valid fraction.

Extensions

GovernorTimelockAccess

import "@openzeppelin/contracts/governance/extensions/GovernorTimelockAccess.sol";

This module connects a Governor instance to an accessManager instance, allowing the governor to make calls that are delay-restricted by the manager using the normal queue workflow. An optional base delay is applied to operations that are not delayed externally by the manager. Execution of a proposal will be delayed as much as necessary to meet the required delays of all of its operations.

This extension allows the governor to hold and use its own assets and permissions, unlike GovernorTimelockControl and GovernorTimelockCompound, where the timelock is a separate contract that must be the one to hold assets and permissions. Operations that are delay-restricted by the manager, however, will be executed through the AccessManager.execute function.

Security Considerations

Some operations may be cancelable in the AccessManager by the admin or a set of guardians, depending on the restricted function being invoked. Since proposals are atomic, the cancellation by a guardian of a single operation in a proposal will cause all of the proposal to become unable to execute. Consider proposing cancellable operations separately.

By default, function calls will be routed through the associated AccessManager whenever it claims the target function to be restricted by it. However, admins may configure the manager to make that claim for functions that a governor would want to call directly (e.g., token transfers) in an attempt to deny it access to those functions. To mitigate this attack vector, the governor is able to ignore the restrictions claimed by the AccessManager using setAccessManagerIgnored. While permanent denial of service is mitigated, temporary DoS may still be technically possible. All of the governor’s own functions (e.g., setBaseDelaySeconds) ignore the AccessManager by default.

AccessManager does not support scheduling more than one operation with the same target and calldata at the same time. See AccessManager.schedule for a workaround.
Functions

constructor(address manager, uint32 initialBaseDelay) internal

Initialize the governor with an accessManager and initial base delay.

accessManager() → contract IAccessManager public

Returns the accessManager instance associated to this governor.

baseDelaySeconds() → uint32 public

Base delay that will be applied to all function calls. Some may be further delayed by their associated AccessManager authority; in this case the final delay will be the maximum of the base delay and the one demanded by the authority.

Execution delays are processed by the AccessManager contracts, and according to that contract are expressed in seconds. Therefore, the base delay is also in seconds, regardless of the governor’s clock mode.

setBaseDelaySeconds(uint32 newBaseDelay) public

Change the value of baseDelaySeconds. This operation can only be invoked through a governance proposal.

_setBaseDelaySeconds(uint32 newBaseDelay) internal

Change the value of baseDelaySeconds. Internal function without access control.

isAccessManagerIgnored(address target, bytes4 selector) → bool public

Check if restrictions from the associated accessManager are ignored for a target function. Returns true when the target function will be invoked directly regardless of AccessManager settings for the function. See setAccessManagerIgnored and Security Considerations above.

setAccessManagerIgnored(address target, bytes4[] selectors, bool ignored) public

Configure whether restrictions from the associated accessManager are ignored for a target function. See Security Considerations above.

_setAccessManagerIgnored(address target, bytes4 selector, bool ignored) internal

Internal version of setAccessManagerIgnored without access restriction.

proposalExecutionPlan(uint256 proposalId) → uint32 delay, bool[] indirect, bool[] withDelay public

Public accessor to check the execution plan, including the number of seconds that the proposal will be delayed since queuing, an array indicating which of the proposal actions will be executed indirectly through the associated accessManager, and another indicating which will be scheduled in queue. Note that those that must be scheduled are cancellable by AccessManager guardians.

proposalNeedsQueuing(uint256 proposalId) → bool public

propose(address[] targets, uint256[] values, bytes[] calldatas, string description) → uint256 public

_queueOperations(uint256 proposalId, address[] targets, uint256[], bytes[] calldatas, bytes32) → uint48 internal

Mechanism to queue a proposal, potentially scheduling some of its operations in the AccessManager.

The execution delay is chosen based on the delay information retrieved in propose. This value may be off if the delay was updated since proposal creation. In this case, the proposal needs to be recreated.

_executeOperations(uint256 proposalId, address[] targets, uint256[] values, bytes[] calldatas, bytes32) internal

Mechanism to execute a proposal, potentially going through AccessManager.execute for delayed operations.

_cancel(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 internal

See {IGovernor-_cancel}

BaseDelaySet(uint32 oldBaseDelaySeconds, uint32 newBaseDelaySeconds) event

AccessManagerIgnoredSet(address target, bytes4 selector, bool ignored) event

GovernorUnmetDelay(uint256 proposalId, uint256 neededTimestamp) error

GovernorMismatchedNonce(uint256 proposalId, uint256 expectedNonce, uint256 actualNonce) error

GovernorLockedIgnore() error

GovernorTimelockControl

import "@openzeppelin/contracts/governance/extensions/GovernorTimelockControl.sol";

Extension of Governor that binds the execution process to an instance of TimelockController. This adds a delay, enforced by the TimelockController to all successful proposal (in addition to the voting duration). The Governor needs the proposer (and ideally the executor and canceller) roles for the Governor to work properly.

Using this model means the proposal will be operated by the TimelockController and not by the Governor. Thus, the assets and permissions must be attached to the TimelockController. Any asset sent to the Governor will be inaccessible from a proposal, unless executed via Governor.relay.

Setting up the TimelockController to have additional proposers or cancellers besides the governor is very risky, as it grants them the ability to: 1) execute operations as the timelock, and thus possibly performing operations or accessing funds that are expected to only be accessible through a vote, and 2) block governance proposals that have been approved by the voters, effectively executing a Denial of Service attack.
Functions

constructor(contract TimelockController timelockAddress) internal

Set the timelock.

state(uint256 proposalId) → enum IGovernor.ProposalState public

Overridden version of the Governor.state function that considers the status reported by the timelock.

timelock() → address public

Public accessor to check the address of the timelock

proposalNeedsQueuing(uint256) → bool public

_queueOperations(uint256 proposalId, address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint48 internal

Function to queue a proposal to the timelock.

_executeOperations(uint256 proposalId, address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) internal

Overridden version of the Governor._executeOperations function that runs the already queued proposal through the timelock.

_cancel(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 internal

Overridden version of the Governor._cancel function to cancel the timelocked proposal if it has already been queued.

_executor() → address internal

Address through which the governor executes action. In this case, the timelock.

updateTimelock(contract TimelockController newTimelock) external

Public endpoint to update the underlying timelock instance. Restricted to the timelock itself, so updates must be proposed, scheduled, and executed through governance proposals.

It is not recommended to change the timelock while there are other queued governance proposals.

TimelockChange(address oldTimelock, address newTimelock) event

Emitted when the timelock controller used for proposal execution is modified.

GovernorTimelockCompound

import "@openzeppelin/contracts/governance/extensions/GovernorTimelockCompound.sol";

Extension of Governor that binds the execution process to a Compound Timelock. This adds a delay, enforced by the external timelock to all successful proposal (in addition to the voting duration). The Governor needs to be the admin of the timelock for any operation to be performed. A public, unrestricted, GovernorTimelockCompound.acceptAdmin is available to accept ownership of the timelock.

Using this model means the proposal will be operated by the TimelockController and not by the Governor. Thus, the assets and permissions must be attached to the TimelockController. Any asset sent to the Governor will be inaccessible from a proposal, unless executed via Governor.relay.

Functions

constructor(contract ICompoundTimelock timelockAddress) internal

Set the timelock.

state(uint256 proposalId) → enum IGovernor.ProposalState public

Overridden version of the Governor.state function with added support for the Expired state.

timelock() → address public

Public accessor to check the address of the timelock

proposalNeedsQueuing(uint256) → bool public

_queueOperations(uint256 proposalId, address[] targets, uint256[] values, bytes[] calldatas, bytes32) → uint48 internal

Function to queue a proposal to the timelock.

_executeOperations(uint256 proposalId, address[] targets, uint256[] values, bytes[] calldatas, bytes32) internal

Overridden version of the Governor._executeOperations function that run the already queued proposal through the timelock.

_cancel(address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash) → uint256 internal

Overridden version of the Governor._cancel function to cancel the timelocked proposal if it has already been queued.

_executor() → address internal

Address through which the governor executes action. In this case, the timelock.

__acceptAdmin() public

Accept admin right over the timelock.

updateTimelock(contract ICompoundTimelock newTimelock) external

Public endpoint to update the underlying timelock instance. Restricted to the timelock itself, so updates must be proposed, scheduled, and executed through governance proposals.

For security reasons, the timelock must be handed over to another admin before setting up a new one. The two operations (hand over the timelock) and do the update can be batched in a single proposal.

Note that if the timelock admin has been handed over in a previous operation, we refuse updates made through the timelock if admin of the timelock has already been accepted and the operation is executed outside the scope of governance.

It is not recommended to change the timelock while there are other queued governance proposals.

TimelockChange(address oldTimelock, address newTimelock) event

Emitted when the timelock controller used for proposal execution is modified.

GovernorSettings

import "@openzeppelin/contracts/governance/extensions/GovernorSettings.sol";

Extension of Governor for settings updatable through governance.

Functions
Governor

constructor(uint48 initialVotingDelay, uint32 initialVotingPeriod, uint256 initialProposalThreshold) internal

Initialize the governance parameters.

votingDelay() → uint256 public

votingPeriod() → uint256 public

proposalThreshold() → uint256 public

setVotingDelay(uint48 newVotingDelay) public

Update the voting delay. This operation can only be performed through a governance proposal.

Emits a VotingDelaySet event.

setVotingPeriod(uint32 newVotingPeriod) public

Update the voting period. This operation can only be performed through a governance proposal.

Emits a VotingPeriodSet event.

setProposalThreshold(uint256 newProposalThreshold) public

Update the proposal threshold. This operation can only be performed through a governance proposal.

Emits a ProposalThresholdSet event.

_setVotingDelay(uint48 newVotingDelay) internal

Internal setter for the voting delay.

Emits a VotingDelaySet event.

_setVotingPeriod(uint32 newVotingPeriod) internal

Internal setter for the voting period.

Emits a VotingPeriodSet event.

_setProposalThreshold(uint256 newProposalThreshold) internal

Internal setter for the proposal threshold.

Emits a ProposalThresholdSet event.

VotingDelaySet(uint256 oldVotingDelay, uint256 newVotingDelay) event

VotingPeriodSet(uint256 oldVotingPeriod, uint256 newVotingPeriod) event

ProposalThresholdSet(uint256 oldProposalThreshold, uint256 newProposalThreshold) event

GovernorPreventLateQuorum

import "@openzeppelin/contracts/governance/extensions/GovernorPreventLateQuorum.sol";

A module that ensures there is a minimum voting period after quorum is reached. This prevents a large voter from swaying a vote and triggering quorum at the last minute, by ensuring there is always time for other voters to react and try to oppose the decision.

If a vote causes quorum to be reached, the proposal’s voting period may be extended so that it does not end before at least a specified time has passed (the "vote extension" parameter). This parameter can be set through a governance proposal.

Functions
Governor

constructor(uint48 initialVoteExtension) internal

Initializes the vote extension parameter: the time in either number of blocks or seconds (depending on the governor clock mode) that is required to pass since the moment a proposal reaches quorum until its voting period ends. If necessary the voting period will be extended beyond the one set during proposal creation.

proposalDeadline(uint256 proposalId) → uint256 public

Returns the proposal deadline, which may have been extended beyond that set at proposal creation, if the proposal reached quorum late in the voting period. See Governor.proposalDeadline.

_castVote(uint256 proposalId, address account, uint8 support, string reason, bytes params) → uint256 internal

Casts a vote and detects if it caused quorum to be reached, potentially extending the voting period. See Governor._castVote.

May emit a ProposalExtended event.

lateQuorumVoteExtension() → uint48 public

Returns the current value of the vote extension parameter: the number of blocks that are required to pass from the time a proposal reaches quorum until its voting period ends.

setLateQuorumVoteExtension(uint48 newVoteExtension) public

Changes the lateQuorumVoteExtension. This operation can only be performed by the governance executor, generally through a governance proposal.

_setLateQuorumVoteExtension(uint48 newVoteExtension) internal

Changes the lateQuorumVoteExtension. This is an internal function that can be exposed in a public function like setLateQuorumVoteExtension if another access control mechanism is needed.

ProposalExtended(uint256 indexed proposalId, uint64 extendedDeadline) event

Emitted when a proposal deadline is pushed back due to reaching quorum late in its voting period.

LateQuorumVoteExtensionSet(uint64 oldVoteExtension, uint64 newVoteExtension) event

Emitted when the lateQuorumVoteExtension parameter is changed.

GovernorStorage

import "@openzeppelin/contracts/governance/extensions/GovernorStorage.sol";

Extension of Governor that implements storage of proposal details. This modules also provides primitives for the enumerability of proposals.

Use cases for this module include: - UIs that explore the proposal state without relying on event indexing. - Using only the proposalId as an argument in the Governor.queue and Governor.execute functions for L2 chains where storage is cheap compared to calldata.

Functions
Governor

_propose(address[] targets, uint256[] values, bytes[] calldatas, string description, address proposer) → uint256 internal

Hook into the proposing mechanism

queue(uint256 proposalId) public

Version of {IGovernorTimelock-queue} with only proposalId as an argument.

execute(uint256 proposalId) public

Version of IGovernor.execute with only proposalId as an argument.

cancel(uint256 proposalId) public

ProposalId version of IGovernor.cancel.

proposalCount() → uint256 public

Returns the number of stored proposals.

proposalDetails(uint256 proposalId) → address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash public

Returns the details of a proposalId. Reverts if proposalId is not a known proposal.

proposalDetailsAt(uint256 index) → uint256 proposalId, address[] targets, uint256[] values, bytes[] calldatas, bytes32 descriptionHash public

Returns the details (including the proposalId) of a proposal given its sequential index.

Utils

Votes

import "@openzeppelin/contracts/governance/utils/Votes.sol";

This is a base abstract contract that tracks voting units, which are a measure of voting power that can be transferred, and provides a system of vote delegation, where an account can delegate its voting units to a sort of "representative" that will pool delegated voting units from different accounts and can then use it to vote in decisions. In fact, voting units must be delegated in order to count as actual votes, and an account has to delegate those votes to itself if it wishes to participate in decisions and does not have a trusted representative.

This contract is often combined with a token contract such that voting units correspond to token units. For an example, see ERC721Votes.

The full history of delegate votes is tracked on-chain so that governance protocols can consider votes as distributed at a particular block number to protect against flash loans and double voting. The opt-in delegate system makes the cost of this history tracking optional.

When using this module the derived contract must implement _getVotingUnits (for example, make it return ERC721.balanceOf), and can use _transferVotingUnits to track a change in the distribution of those units (in the previous example, it would be included in ERC721._update).

clock() → uint48 public

Clock used for flagging checkpoints. Can be overridden to implement timestamp based checkpoints (and voting), in which case CLOCK_MODE should be overridden as well to match.

CLOCK_MODE() → string public

Machine-readable description of the clock as specified in ERC-6372.

getVotes(address account) → uint256 public

Returns the current amount of votes that account has.

getPastVotes(address account, uint256 timepoint) → uint256 public

Returns the amount of votes that account had at a specific moment in the past. If the clock() is configured to use block numbers, this will return the value at the end of the corresponding block.

Requirements:

  • timepoint must be in the past. If operating using block numbers, the block must be already mined.

getPastTotalSupply(uint256 timepoint) → uint256 public

Returns the total supply of votes available at a specific moment in the past. If the clock() is configured to use block numbers, this will return the value at the end of the corresponding block.

This value is the sum of all available votes, which is not necessarily the sum of all delegated votes. Votes that have not been delegated are still part of total supply, even though they would not participate in a vote.

Requirements:

  • timepoint must be in the past. If operating using block numbers, the block must be already mined.

_getTotalSupply() → uint256 internal

Returns the current total supply of votes.

delegates(address account) → address public

Returns the delegate that account has chosen.

delegate(address delegatee) public

Delegates votes from the sender to delegatee.

delegateBySig(address delegatee, uint256 nonce, uint256 expiry, uint8 v, bytes32 r, bytes32 s) public

Delegates votes from signer to delegatee.

_delegate(address account, address delegatee) internal

Delegate all of account’s voting units to `delegatee.

_transferVotingUnits(address from, address to, uint256 amount) internal

Transfers, mints, or burns voting units. To register a mint, from should be zero. To register a burn, to should be zero. Total supply of voting units will be adjusted with mints and burns.

_moveDelegateVotes(address from, address to, uint256 amount) internal

Moves delegated votes from one delegate to another.

_numCheckpoints(address account) → uint32 internal

Get number of checkpoints for account.

_checkpoints(address account, uint32 pos) → struct Checkpoints.Checkpoint208 internal

Get the pos-th checkpoint for account.

_getVotingUnits(address) → uint256 internal

Must return the voting units held by an account.

ERC6372InconsistentClock() error

The clock was incorrectly modified.

ERC5805FutureLookup(uint256 timepoint, uint48 clock) error

Lookup to future votes is not available.

Timelock

In a governance system, the TimelockController contract is in charge of introducing a delay between a proposal and its execution. It can be used with or without a Governor.

TimelockController

import "@openzeppelin/contracts/governance/TimelockController.sol";

Contract module which acts as a timelocked controller. When set as the owner of an Ownable smart contract, it enforces a timelock on all onlyOwner maintenance operations. This gives time for users of the controlled contract to exit before a potentially dangerous maintenance operation is applied.

By default, this contract is self administered, meaning administration tasks have to go through the timelock process. The proposer (resp executor) role is in charge of proposing (resp executing) operations. A common use case is to position this TimelockController as the owner of a smart contract, with a multisig or a DAO as the sole proposer.

onlyRoleOrOpenRole(bytes32 role) modifier

Modifier to make a function callable only by a certain role. In addition to checking the sender’s role, address(0) 's role is also considered. Granting a role to address(0) is equivalent to enabling this role for everyone.

constructor(uint256 minDelay, address[] proposers, address[] executors, address admin) public

Initializes the contract with the following parameters:

  • minDelay: initial minimum delay in seconds for operations

  • proposers: accounts to be granted proposer and canceller roles

  • executors: accounts to be granted executor role

  • admin: optional account to be granted admin role; disable with zero address

The optional admin can aid with initial configuration of roles after deployment without being subject to delay, but this role should be subsequently renounced in favor of administration through timelocked proposals. Previous versions of this contract would assign this admin to the deployer automatically and should be renounced as well.

receive() external

Contract might receive/hold ETH as part of the maintenance process.

supportsInterface(bytes4 interfaceId) → bool public

isOperation(bytes32 id) → bool public

Returns whether an id corresponds to a registered operation. This includes both Waiting, Ready, and Done operations.

isOperationPending(bytes32 id) → bool public

Returns whether an operation is pending or not. Note that a "pending" operation may also be "ready".

isOperationReady(bytes32 id) → bool public

Returns whether an operation is ready for execution. Note that a "ready" operation is also "pending".

isOperationDone(bytes32 id) → bool public

Returns whether an operation is done or not.

getTimestamp(bytes32 id) → uint256 public

Returns the timestamp at which an operation becomes ready (0 for unset operations, 1 for done operations).

getOperationState(bytes32 id) → enum TimelockController.OperationState public

Returns operation state.

getMinDelay() → uint256 public

Returns the minimum delay in seconds for an operation to become valid.

This value can be changed by executing an operation that calls updateDelay.

hashOperation(address target, uint256 value, bytes data, bytes32 predecessor, bytes32 salt) → bytes32 public

Returns the identifier of an operation containing a single transaction.

hashOperationBatch(address[] targets, uint256[] values, bytes[] payloads, bytes32 predecessor, bytes32 salt) → bytes32 public

Returns the identifier of an operation containing a batch of transactions.

schedule(address target, uint256 value, bytes data, bytes32 predecessor, bytes32 salt, uint256 delay) public

Schedule an operation containing a single transaction.

Emits CallSalt if salt is nonzero, and CallScheduled.

Requirements:

  • the caller must have the 'proposer' role.

scheduleBatch(address[] targets, uint256[] values, bytes[] payloads, bytes32 predecessor, bytes32 salt, uint256 delay) public

Schedule an operation containing a batch of transactions.

Emits CallSalt if salt is nonzero, and one CallScheduled event per transaction in the batch.

Requirements:

  • the caller must have the 'proposer' role.

cancel(bytes32 id) public

Cancel an operation.

Requirements:

  • the caller must have the 'canceller' role.

execute(address target, uint256 value, bytes payload, bytes32 predecessor, bytes32 salt) public

Execute an (ready) operation containing a single transaction.

Emits a CallExecuted event.

Requirements:

  • the caller must have the 'executor' role.

executeBatch(address[] targets, uint256[] values, bytes[] payloads, bytes32 predecessor, bytes32 salt) public

Execute an (ready) operation containing a batch of transactions.

Emits one CallExecuted event per transaction in the batch.

Requirements:

  • the caller must have the 'executor' role.

_execute(address target, uint256 value, bytes data) internal

Execute an operation’s call.

updateDelay(uint256 newDelay) external

Changes the minimum timelock duration for future operations.

Emits a MinDelayChange event.

Requirements:

  • the caller must be the timelock itself. This can only be achieved by scheduling and later executing an operation where the timelock is the target and the data is the ABI-encoded call to this function.

_encodeStateBitmap(enum TimelockController.OperationState operationState) → bytes32 internal

Encodes a OperationState into a bytes32 representation where each bit enabled corresponds to the underlying position in the OperationState enum. For example:

0x000…​1000 ^^----- …​ ^---- Done ^--- Ready ^-- Waiting ^- Unset

PROPOSER_ROLE() → bytes32 public

EXECUTOR_ROLE() → bytes32 public

CANCELLER_ROLE() → bytes32 public

CallScheduled(bytes32 indexed id, uint256 indexed index, address target, uint256 value, bytes data, bytes32 predecessor, uint256 delay) event

Emitted when a call is scheduled as part of operation id.

CallExecuted(bytes32 indexed id, uint256 indexed index, address target, uint256 value, bytes data) event

Emitted when a call is performed as part of operation id.

CallSalt(bytes32 indexed id, bytes32 salt) event

Emitted when new proposal is scheduled with non-zero salt.

Cancelled(bytes32 indexed id) event

Emitted when operation id is cancelled.

MinDelayChange(uint256 oldDuration, uint256 newDuration) event

Emitted when the minimum delay for future operations is modified.

TimelockInvalidOperationLength(uint256 targets, uint256 payloads, uint256 values) error

Mismatch between the parameters length for an operation call.

TimelockInsufficientDelay(uint256 delay, uint256 minDelay) error

The schedule operation doesn’t meet the minimum delay.

TimelockUnexpectedOperationState(bytes32 operationId, bytes32 expectedStates) error

The current state of an operation is not as required. The expectedStates is a bitmap with the bits enabled for each OperationState enum position counting from right to left.

TimelockUnexecutedPredecessor(bytes32 predecessorId) error

The predecessor to an operation not yet done.

TimelockUnauthorizedCaller(address caller) error

The caller account is not authorized.

uint256 _DONE_TIMESTAMP internal constant

Terminology

  • Operation: A transaction (or a set of transactions) that is the subject of the timelock. It has to be scheduled by a proposer and executed by an executor. The timelock enforces a minimum delay between the proposition and the execution (see operation lifecycle). If the operation contains multiple transactions (batch mode), they are executed atomically. Operations are identified by the hash of their content.

  • Operation status:

    • Unset: An operation that is not part of the timelock mechanism.

    • Waiting: An operation that has been scheduled, before the timer expires.

    • Ready: An operation that has been scheduled, after the timer expires.

    • Pending: An operation that is either waiting or ready.

    • Done: An operation that has been executed.

  • Predecessor: An (optional) dependency between operations. An operation can depend on another operation (its predecessor), forcing the execution order of these two operations.

  • Role:

    • Admin: An address (smart contract or EOA) that is in charge of granting the roles of Proposer and Executor.

    • Proposer: An address (smart contract or EOA) that is in charge of scheduling (and cancelling) operations.

    • Executor: An address (smart contract or EOA) that is in charge of executing operations once the timelock has expired. This role can be given to the zero address to allow anyone to execute operations.

Operation structure

Operation executed by the TimelockController can contain one or multiple subsequent calls. Depending on whether you need to multiple calls to be executed atomically, you can either use simple or batched operations.

Both operations contain:

  • Target, the address of the smart contract that the timelock should operate on.

  • Value, in wei, that should be sent with the transaction. Most of the time this will be 0. Ether can be deposited before-end or passed along when executing the transaction.

  • Data, containing the encoded function selector and parameters of the call. This can be produced using a number of tools. For example, a maintenance operation granting role ROLE to ACCOUNT can be encoded using web3js as follows:

const data = timelock.contract.methods.grantRole(ROLE, ACCOUNT).encodeABI()
  • Predecessor, that specifies a dependency between operations. This dependency is optional. Use bytes32(0) if the operation does not have any dependency.

  • Salt, used to disambiguate two otherwise identical operations. This can be any random value.

In the case of batched operations, target, value and data are specified as arrays, which must be of the same length.

Operation lifecycle

Timelocked operations are identified by a unique id (their hash) and follow a specific lifecycle:

UnsetPendingPending + ReadyDone

  • By calling schedule (or scheduleBatch), a proposer moves the operation from the Unset to the Pending state. This starts a timer that must be longer than the minimum delay. The timer expires at a timestamp accessible through the getTimestamp method.

  • Once the timer expires, the operation automatically gets the Ready state. At this point, it can be executed.

  • By calling execute (or executeBatch), an executor triggers the operation’s underlying transactions and moves it to the Done state. If the operation has a predecessor, it has to be in the Done state for this transition to succeed.

  • cancel allows proposers to cancel any Pending operation. This resets the operation to the Unset state. It is thus possible for a proposer to re-schedule an operation that has been cancelled. In this case, the timer restarts when the operation is rescheduled.

Operations status can be queried using the functions:

Roles

Admin

The admins are in charge of managing proposers and executors. For the timelock to be self-governed, this role should only be given to the timelock itself. Upon deployment, the admin role can be granted to any address (in addition to the timelock itself). After further configuration and testing, this optional admin should renounce its role such that all further maintenance operations have to go through the timelock process.

Proposer

The proposers are in charge of scheduling (and cancelling) operations. This is a critical role, that should be given to governing entities. This could be an EOA, a multisig, or a DAO.

Proposer fight: Having multiple proposers, while providing redundancy in case one becomes unavailable, can be dangerous. As proposer have their say on all operations, they could cancel operations they disagree with, including operations to remove them for the proposers.

This role is identified by the PROPOSER_ROLE value: 0xb09aa5aeb3702cfd50b6b62bc4532604938f21248a27a1d5ca736082b6819cc1

Executor

The executors are in charge of executing the operations scheduled by the proposers once the timelock expires. Logic dictates that multisig or DAO that are proposers should also be executors in order to guarantee operations that have been scheduled will eventually be executed. However, having additional executors can reduce the cost (the executing transaction does not require validation by the multisig or DAO that proposed it), while ensuring whoever is in charge of execution cannot trigger actions that have not been scheduled by the proposers. Alternatively, it is possible to allow any address to execute a proposal once the timelock has expired by granting the executor role to the zero address.

This role is identified by the EXECUTOR_ROLE value: 0xd8aa0f3194971a2a116679f7c2090f6939c8d4e01a2a8d7e41d55e5351469e63

A live contract without at least one proposer and one executor is locked. Make sure these roles are filled by reliable entities before the deployer renounces its administrative rights in favour of the timelock contract itself. See the AccessControl documentation to learn more about role management.