Custom Upgrade Policies
Protecting the ability to upgrade a package on chain using a single key can pose a security risk for several reasons:
- The entity owning that key might make changes that are in their own interests but not the interests of the broader community.
- Upgrades might happen without enough time for package users to consult on the change or stop using the package if they disagree.
- The key might get lost.
To address the security risk of single-key upgrade ownership poses while still providing the opportunity to upgrade live packages, Sui offers custom upgrade policies. These policies protect UpgradeCap
access and issue UpgradeTicket
objects that authorize upgrades on a case-by-case basis.
Compatibility
Sui comes with a set of built-in package compatibility policies, listed here from most to least strict:
Policy | Description |
---|---|
Immutable | No one can upgrade the package. |
Dependency-only | You can modify the dependencies of the package only. |
Additive | You can add new functionality to the package (e.g., new public functions or structs) but you can't change any of the existing functionality (e.g., the code in existing public functions cannot change). |
Compatible | The most relaxed policy. In addition to what the more restrictive policies allow, in an upgraded version of the package:
|
Each of these policies, in the order listed, is a superset of the previous one in the type of changes allowed in the upgraded package.
When you publish a package, by default it adopts the most relaxed, compatible policy. You can publish a package as part of a transaction that can change the policy before the transaction successfully completes, making the package available on chain for the first time at the desired policy level, rather than at the default one.
You can change the current policy by calling one of the functions in sui::package
(only_additive_upgrades
, only_dep_upgrades
, make_immutable
) on the package's UpgradeCap
and a policy can become only more restrictive. For example, after you call sui::package::only_dep_upgrades
to restrict the policy to become additive, calling sui::package::only_additive_upgrades
on the UpgradeCap
of the same package results in an error.
Upgrade overview
Package upgrades must occur end-to-end in a single transaction and are composed of three commands:
- Authorization: Get permission from the
UpgradeCap
to perform the upgrade, creating anUpgradeTicket
. - Execution: Consume the
UpgradeTicket
and verify the package bytecode and compatibility against the previous version, and create the on-chain object representing the upgraded package. Return anUpgradeReceipt
as a result on success. - Commit: Update the
UpgradeCap
with information about the newly created package.
While step 2 is a built-in command, steps 1 and 3 are implemented as Move functions. The Sui framework provides their most basic implementation:
public fun authorize_upgrade(cap: &mut UpgradeCap, policy: u8, digest: vector<u8>): UpgradeTicket {
let id_zero = @0x0.to_id();
assert!(cap.package != id_zero, EAlreadyAuthorized);
assert!(policy >= cap.policy, ETooPermissive);
let package = cap.package;
cap.package = id_zero;
UpgradeTicket {
cap: object::id(cap),
package,
policy,
digest,
}
}
public fun commit_upgrade(cap: &mut UpgradeCap, receipt: UpgradeReceipt) {
let UpgradeReceipt { cap: cap_id, package } = receipt;
assert!(object::id(cap) == cap_id, EWrongUpgradeCap);
assert!(cap.package.to_address() == @0x0, ENotAuthorized);
cap.package = package;
cap.version = cap.version + 1;
}
These are the functions that sui client upgrade
calls for authorization and commit. Custom upgrade policies work by guarding
access to a package UpgradeCap
(and therefore to calls of these functions) behind extra conditions that are specific to that policy
(such as voting, governance, permission lists, timelocks, and so on).
Any pair of functions that produces an UpgradeTicket
from an UpgradeCap
and consumes an UpgradeReceipt
to update an
UpgradeCap
constitutes a custom upgrade policy.
UpgradeCap
The UpgradeCap
is the central type responsible for coordinating package upgrades.
public struct UpgradeCap has key, store {
id: UID,
package: ID,
version: u64,
policy: u8,
}
Publishing a package creates the UpgradeCap
object and upgrading the package updates that object. The owner of this object has permission to:
- Change the compatibility requirements for future upgrades.
- Authorize future upgrades.
- Make the package immutable (not upgradeable).
And its API guarantees the following properties:
- Only the latest version of a package can be upgraded (a linear history is guaranteed).
- Only one upgrade can be in-flight at any time (cannot authorize multiple concurrent upgrades).
- An upgrade can only be authorized for the extent of a single transaction; no one can
store
theUpgradeTicket
that proves authorization. - Compatibility requirements for a package can be made only more restrictive over time.
UpgradeTicket
public struct UpgradeTicket {
cap: ID,
package: ID,
policy: u8,
digest: vector<u8>,
}
An UpgradeTicket
is proof that an upgrade has been authorized. This authorization is specific to:
- A particular
package: ID
to upgrade from, which must be the latest package in the family identified by theUpgradeCap
atcap: ID
. - A particular
policy: u8
that attests to the kind of compatibility guarantees that the upgrade expects to adhere to. - A particular
digest: vector<u8>
that identifies the contents of the package after the upgrade.
When you attempt to run the upgrade, the validator checks that the upgrade it is about to perform matches the upgrade that was authorized along all those lines, and does not perform the upgrade if any of these criteria are not met.
After creating an UpgradeTicket
, you must use it within that transaction (you cannot store it for later, drop it, or burn it), or the transaction fails.
Package digest
The UpgradeTicket
digest
field comes from the digest
parameter to authorize_upgrade
, which the caller must supply. While
authorize_upgrade
does not process the digest
, custom policies can use it to authorize only upgrades that it has seen the
bytecode or source code for ahead of time. Sui calculates the digest as follows:
- Take the bytecode for each module, represented as an array of bytes.
- Append the list of the package's transitive dependencies, each represented as an array of bytes.
- Sort this list of byte-arrays lexicographically.
- Feed each element in the sorted list, in order, into a
Blake2B
hasher. - Compute the digest from this hash state.
Refer to the implementation for digest calculation for more information, but in most cases, you can rely on the Move toolchain to output the digest as part of the build, when passing the --dump-bytecode-as-base64
flag:
$ sui move build --dump-bytecode-as-base64
FETCHING GIT DEPENDENCY https://github.com/MystenLabs/sui.git
INCLUDING DEPENDENCY Sui
INCLUDING DEPENDENCY MoveStdlib
BUILDING test
{"modules":[<MODULE-BYTES-BASE64>],"dependencies":[<DEPENDENCY-IDS>],"digest":[59,43,173,195,216,88,176,182,18,8,24,200,200,192,196,197,248,35,118,184,207,205,33,59,228,109,184,230,50,31,235,201]}
UpgradeReceipt
public struct UpgradeReceipt {
cap: ID,
package: ID,
}
The UpgradeReceipt
is proof that the Upgrade
command ran successfully, and Sui added the new package to the set of created
objects for the transaction. It is used to update its UpgradeCap
(identified by cap: ID
) with the ID of the latest package in its
family (package: ID
).
After Sui creates an UpgradeReceipt
, you must use it to update its UpgradeCap
within the same transaction (you cannot store it for later, drop it, or burn it), or the transaction fails.
Isolating policies
When writing custom upgrade policies, prefer:
- separating them into their own package (not co-located with the code they govern the upgradeability of),
- making that package immutable (not upgradeable), and
- locking in the policy of the
UpgradeCap
, so that the policy cannot be made less restrictive later.
These best practices help uphold informed user consent and bounded risk by making it clear what a package's upgrade policy is at the moment a user locks value into it, and ensuring that the policy does not evolve to be more permissive with time, without the package user realizing and choosing to accept the new terms.
Example: "Day of the Week" upgrade policy
Time to put everything into practice by writing a toy upgrade policy that only authorizes upgrades on a particular day of the week (of the package creator's choosing).
Creating an upgrade policy
Start by creating a new Move package for the upgrade policy:
$ sui move new policy
The command creates a policy
directory with a sources
folder and Move.toml
manifest.
In the sources
folder, create a source file named day_of_week.move
. Copy and paste the following code into the file:
module policy::day_of_week {
use sui::object::{Self, UID};
use sui::package;
use sui::tx_context::TxContext;
struct UpgradeCap has key, store {
id: UID,
cap: package::UpgradeCap,
day: u8,
}
/// Day is not a week day (number in range 0 <= day < 7).
const ENotWeekDay: u64 = 1;
public fun new_policy(
cap: package::UpgradeCap,
day: u8,
ctx: &mut TxContext,
): UpgradeCap {
assert!(day < 7, ENotWeekDay);
UpgradeCap { id: object::new(ctx), cap, day }
}
}
This code includes a constructor and defines the object type for the custom upgrade policy.
You then need to add a function to authorize an upgrade, if on the correct day of the week. First, define a couple of constants, one for the error code that identifies an attempted upgrade on a day the policy doesn't allow, and another to define the number of milliseconds in a day (to be used shortly). Add these definitions directly under the current ENotWeekDay
one.
// Request to authorize upgrade on the wrong day of the week.
const ENotAllowedDay: u64 = 2;
const MS_IN_DAY: u64 = 24 * 60 * 60 * 1000;
After the new_policy
function, add a week_day
function to get the current weekday. As promised, the function uses the MS_IN_DAY
constant you defined earlier.
fun week_day(ctx: &TxContext): u8 {
let days_since_unix_epoch =
tx_context::epoch_timestamp_ms(ctx) / MS_IN_DAY;
// The unix epoch (1st Jan 1970) was a Thursday so shift days
// since the epoch by 3 so that 0 = Monday.
((days_since_unix_epoch + 3) % 7 as u8)
}
This function uses the epoch timestamp from TxContext
rather than Clock
because it needs only daily granularity, which means the upgrade transactions don't require consensus.
Next, add an authorize_upgrade
function that calls the previous function to get the current day of the week, then checks whether that value violates the policy, returning the ENotAllowedDay
error value if it does.
public fun authorize_upgrade(
cap: &mut UpgradeCap,
policy: u8,
digest: vector<u8>,
ctx: &TxContext,
): package::UpgradeTicket {
assert!(week_day(ctx) == cap.day, ENotAllowedDay);
package::authorize_upgrade(&mut cap.cap, policy, digest)
}
The signature of a custom authorize_upgrade
can be different from the signature of sui::package::authorize_upgrade
as long as it returns an UpgradeTicket
.
Finally, provide implementations of commit_upgrade
and make_immutable
that delegate to their respective functions in sui::package
:
public fun commit_upgrade(
cap: &mut UpgradeCap,
receipt: package::UpgradeReceipt,
) {
package::commit_upgrade(&mut cap.cap, receipt)
}
public fun make_immutable(cap: UpgradeCap) {
let UpgradeCap { id, cap, day: _ } = cap;
object::delete(id);
package::make_immutable(cap);
}
The final code in your day_of_week.move
file should resemble the following:
module policy::day_of_week {
use sui::object::{Self, UID};
use sui::package;
use sui::tx_context::TxContext;
struct UpgradeCap has key, store {
id: UID,
cap: package::UpgradeCap,
day: u8,
}
// Day is not a week day (number in range 0 <= day < 7).
const ENotWeekDay: u64 = 1;
const ENotAllowedDay: u64 = 2;
const MS_IN_DAY: u64 = 24 * 60 * 60 * 1000;
public fun new_policy(
cap: package::UpgradeCap,
day: u8,
ctx: &mut TxContext,
): UpgradeCap {
assert!(day < 7, ENotWeekDay);
UpgradeCap { id: object::new(ctx), cap, day }
}
fun week_day(ctx: &TxContext): u8 {
let days_since_unix_epoch =
sui::tx_context::epoch_timestamp_ms(ctx) / MS_IN_DAY;
// The unix epoch (1st Jan 1970) was a Thursday so shift days
// since the epoch by 3 so that 0 = Monday.
((days_since_unix_epoch + 3) % 7 as u8)
}
public fun authorize_upgrade(
cap: &mut UpgradeCap,
policy: u8,
digest: vector<u8>,
ctx: &TxContext,
): package::UpgradeTicket {
assert!(week_day(ctx) == cap.day, ENotAllowedDay);
package::authorize_upgrade(&mut cap.cap, policy, digest)
}
public fun commit_upgrade(
cap: &mut UpgradeCap,
receipt: package::UpgradeReceipt,
) {
package::commit_upgrade(&mut cap.cap, receipt)
}
public fun make_immutable(cap: UpgradeCap) {
let UpgradeCap { id, cap, day: _ } = cap;
object::delete(id);
package::make_immutable(cap);
}
}
Publishing an upgrade policy
Use the sui client publish
command to publish the policy.
Beginning with the Sui v1.24.1
release, the --gas-budget
flag is no longer required for CLI commands.
$ sui client publish
Console output
A successful publish returns the following:
UPDATING GIT DEPENDENCY https://github.com/MystenLabs/sui.git
INCLUDING DEPENDENCY Sui
INCLUDING DEPENDENCY MoveStdlib
BUILDING policy
Successfully verified dependencies on-chain against source.
Transaction Digest: 5BzYX5iV6GP2RaSkZ7JPBRmListD5cEVC7REoKsNoCYc
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Transaction Data │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Sender: 0x65437300e280695a40df8cf524c7bca6ad62574cac3a52d3b085ad628c797241 │
│ Gas Owner: 0x65437300e280695a40df8cf524c7bca6ad62574cac3a52d3b085ad628c797241 │
│ Gas Budget: 11773600 MIST │
│ Gas Price: 1000 MIST │
│ Gas Payment: │
│ ┌── │
│ │ ID: 0x057d71e1f7e8341c5f2b203ae5fcb33c024afcc7f1c8c264fe0fe74dddcd828c │
│ │ Version: 149516398 │
│ │ Digest: HRU5orvkMeouFUVf7MXUpJpXP6W7u8DBzhyMichbW8KP │
│ └── │
│ │
│ Transaction Kind: Programmable │
│ ╭──────────────────────────────────────────────────────────────────────────────────────────────────────────╮ │
│ │ Input Objects │ │
│ ├──────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │
│ │ 0 Pure Arg: Type: address, Value: "0x65437300e280695a40df8cf524c7bca6ad62574cac3a52d3b085ad628c797241" │ │
│ ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────╯ │
│ ╭─────────────────────────────────────────────────────────────────────────╮ │
│ │ Commands │ │
│ ├─────────────────────────────────────────────────────────────────────────┤ │
│ │ 0 Publish: │ │
│ │ ┌ │ │
│ │ │ Dependencies: │ │
│ │ │ 0x0000000000000000000000000000000000000000000000000000000000000001 │ │
│ │ │ 0x0000000000000000000000000000000000000000000000000000000000000002 │ │
│ │ └ │ │
│ │ │ │
│ │ 1 TransferObjects: │ │
│ │ ┌ │ │
│ │ │ Arguments: │ │
│ │ │ Result 0 │ │
│ │ │ Address: Input 0 │ │
│ │ └ │ │
│ ╰─────────────────────────────────────────────────────────────────────────╯ │
│ │
│ Signatures: │
│ ijPCo4IFqacqAN64UAaJR+J5YhE3+IiEhXA5eEJiI0LZo1y3+byq1WHb3lgU8HLLJTgp+Cuv5GYHsBN5tofYAA== │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭───────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Transaction Effects │
├───────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Digest: 5BzYX5iV6GP2RaSkZ7JPBRmListD5cEVC7REoKsNoCYc │
│ Status: Success │
│ Executed Epoch: 589 │
│ │
│ Created Objects: │
│ ┌── │
│ │ ID: 0x4de927a10f97520311239cadb7159d4b893275bc74ab4e0af1b16c41ba8275a0 │
│ │ Owner: Account Address ( 0x65437300e280695a40df8cf524c7bca6ad62574cac3a52d3b085ad628c797241 ) │
│ │ Version: 149516399 │
│ │ Digest: HLSLcEb3S8t3Zb4cjjSw8dsYhExLyLJ3ParJt2fnoZUu │
│ └── │
│ ┌── │