Summary
Once an upgrade is executed there is no on-chain mechanism to propose and vote on reverting to a previous WASM hash. If a bug is discovered post-upgrade, rollback requires manually re-proposing the old hash without any rollback semantics or guards.
Proposed Change
- Add
propose_rollback(signer, target_proposal_id) that creates a rollback proposal pre-populated with the WASM hash and metadata from a previously executed proposal
- Rollback proposals require the same signer threshold as standard upgrades
- Emit a
UpgradeRollbackProposed { rollback_proposal_id, original_proposal_id, wasm_hash } event
- Add
max_rollback_age_ledgers config — rollback to proposals older than this is blocked
Acceptance Criteria
Summary
Once an upgrade is executed there is no on-chain mechanism to propose and vote on reverting to a previous WASM hash. If a bug is discovered post-upgrade, rollback requires manually re-proposing the old hash without any rollback semantics or guards.
Proposed Change
propose_rollback(signer, target_proposal_id)that creates a rollback proposal pre-populated with the WASM hash and metadata from a previously executed proposalUpgradeRollbackProposed { rollback_proposal_id, original_proposal_id, wasm_hash }eventmax_rollback_age_ledgersconfig — rollback to proposals older than this is blockedAcceptance Criteria