Mainnet deployment

.env.example

@@ -1,15 +1,59 @@
-HOLESKY_ETH_NODE_URL=
-HOLESKY_OWNER_PRIVATE_KEY=
-MAINNET_ETH_NODE_URL=
-MAINNET_OWNER_PRIVATE_KEY=
-GAS_PRICE=
-GAS=
+# ── RPC endpoints ──
+MAINNET_RPC_URL=
+HOODI_RPC_URL=
+
+# ── Signer private keys ──
+# Must match the on-chain owner for live upgrades.
+MAINNET_PRIVATE_KEY=
+HOODI_PRIVATE_KEY=
+
+# ── Optional SSV token address overrides for Hardhat network config ──
+MAINNET_SSVTOKEN_ADDRESS=
+HOODI_SSVTOKEN_ADDRESS=
+
+# ── Block explorer verification ──
 ETHERSCAN_KEY=
-NODE_PROVIDER_KEY=
-MINIMUM_BLOCKS_BEFORE_LIQUIDATION=100800
-MINIMUM_LIQUIDATION_COLLATERAL=200000000
-OPERATOR_MAX_FEE_INCREASE=3
-DECLARE_OPERATOR_FEE_PERIOD=259200 # 3 days
-EXECUTE_OPERATOR_FEE_PERIOD=345600 # 4 days
-VALIDATORS_PER_OPERATOR_LIMIT=500
-SSVTOKEN_ADDRESS=
+
+# ── Fork test configuration ──
+# These are ONLY used when running fork tests manually (npx hardhat test --network hardhat_forked).
+# When using `just test-fork <env>`, all values are loaded from deployments/<env>/config.json
+# and these .env values are ignored.
+
+# Fork infrastructure (addresses, block, network)
+FORK_BLOCK_NUMBER=
+FORK_TEST_NETWORK=hardhat_forked
+FORK_CONFIG_PATH=
+FORK_SSV_NETWORK_ADDRESS=
+FORK_SSV_NETWORK_VIEWS=
+FORK_SSV_TOKEN=
+FORK_CSSV_TOKEN=
+FORK_DAO_ADDRESS=
+
+# Fork test behavior flags
+FORK_USE_DEPLOYED_STATE=true
+FORK_STRICT_DEPLOYED_STATE=false
+FORK_ALLOW_DEPLOYED_FALLBACK=true
+
+# Fork protocol parameter overrides (manual runs only)
+# For deployments and upgrades, the source of truth is deployments/<env>/config.json.
+FORK_NETWORK_FEE_ETH=3550900000
+FORK_NETWORK_FEE_SSV=
+FORK_MIN_OPERATOR_ETH_FEE=1065200000
+FORK_MAX_OPERATOR_ETH_FEE=5326300000
+FORK_OPERATOR_MAX_FEE_INCREASE=1000
+FORK_DECLARE_OPERATOR_FEE_PERIOD=604800
+FORK_EXECUTE_OPERATOR_FEE_PERIOD=604800
+FORK_MIN_LIQ_COLLATERAL=940000000000000
+FORK_VALIDATORS_PER_OPERATOR_LIMIT=3000
+FORK_DEFAULT_ORACLE_IDS=1,2,3,4
+FORK_DEFAULT_UNSTAKE_COOLDOWN=604800
+
+# ── Test and gas-report toggles ──
+RUN_FORK=
+NO_GAS_ENFORCE=
+REPORT_GAS=
+GAS_REPORT_DIR=.
+BASELINE_TAG=v1.2.0
+CURRENT_LABEL=current
+GAS_COMPARE_OUTPUT=gas-compare.txt
+COVERAGE=

.github/renovate.json

@@ -0,0 +1,5 @@
+{
+  "extends": [
+    "github>ssvlabs/shared-configs//renovate/renovate.json"
+  ]
+}

.github/workflows/code-coverage.yaml

@@ -8,10 +8,13 @@ jobs:
     name: Solidity code coverage
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: '20.x'
+          node-version: '22.x'
       - run: npm ci
         env:
           GH_TOKEN: ${{ secrets.github_token }}
-      - run: SOLIDITY_COVERAGE=true NO_GAS_ENFORCE=1 npx hardhat coverage
+      - run: npx hardhat test --coverage
+        env:
+          NO_GAS_ENFORCE: '1'
+          COVERAGE: 'true'

.github/workflows/echidna.yaml

@@ -0,0 +1,80 @@
+name: Echidna Fuzzing
+
+on:
+  push:
+    paths:
+      - 'contracts/**'
+      - 'test/echidna/**'
+      - 'foundry.toml'
+      - '.github/workflows/echidna.yaml'
+  workflow_dispatch:
+
+jobs:
+  discover-contracts:
+    runs-on: ubuntu-latest
+    outputs:
+      contracts: ${{ steps.discover.outputs.contracts }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Discover Echidna harnesses
+        id: discover
+        run: |
+          python3 - <<'PY' >> "$GITHUB_OUTPUT"
+          import json
+          from pathlib import Path
+
+          contracts = sorted(path.stem for path in Path("test/echidna").glob("*Echidna.sol"))
+          if not contracts:
+              raise SystemExit("No Echidna harnesses found under test/echidna")
+
+          print(f"contracts={json.dumps(contracts)}")
+          PY
+
+  echidna:
+    needs: discover-contracts
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        contract: ${{ fromJSON(needs.discover-contracts.outputs.contracts) }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.x'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+        env:
+          GH_TOKEN: ${{ secrets.github_token }}
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+
+      - name: Run Echidna
+        uses: crytic/echidna-action@v2
+        with:
+          files: test/echidna/${{ matrix.contract }}.sol
+          contract: ${{ matrix.contract }}
+          config: test/echidna/echidna-ci.yaml
+          crytic-args: --compile-force-framework foundry
+          test-mode: property
+
+      - name: Upload corpus
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: echidna-corpus-${{ matrix.contract }}
+          path: crytic-export/
+          retention-days: 7

.github/workflows/linter.yaml

@@ -9,10 +9,10 @@ jobs:
     name: Solidity linter
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: '20.x'
+          node-version: '22.x'
       - run: npm ci
         env:
           GH_TOKEN: ${{ secrets.github_token }}
-      - run: npx hardhat check
+      - run: npx solhint 'contracts/**/*.sol' --ignore-path .solhintignore

.github/workflows/publish.yaml

@@ -10,9 +10,9 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22.x'
           registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies

.github/workflows/slither.yaml

@@ -7,10 +7,23 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.x'
+
+      - name: Install dependencies
+        run: npm ci
+        env:
+          GH_TOKEN: ${{ secrets.github_token }}
+
+      - name: Compile contracts (Hardhat)
+        run: npx hardhat compile --force
+
       - name: Run Slither
         uses: crytic/slither-action@v0.3.2
         id: slither
         with:
-          node-version: 20
           fail-on: high
-          slither-args: --exclude controlled-delegatecall,incorrect-return
+          target: .
+          slither-args: --hardhat-ignore-compile --exclude controlled-delegatecall,incorrect-return --filter-paths "contracts/test/" --exclude-informational --exclude-dependencies

.github/workflows/tests-forked.yaml

@@ -1,20 +1,39 @@
 name: Run tests
 
-on: [push]
+on: [push, pull_request]
 
 jobs:
   ci:
     runs-on: ubuntu-latest
-    name: Hardhat unit test (forked network)
-    env: # Set environment variables for all steps in this job
-      FORK_TESTING_ENABLED: true
+    name: Hardhat fork tests
+    env:
       GH_TOKEN: ${{ secrets.github_token }}
-      MAINNET_ETH_NODE_URL: ${{ secrets.mainnet_eth_node_url }}
-      NODE_PROVIDER_KEY: ${{ secrets.node_provider_key }}
+      FORK_BLOCK_NUMBER: ${{ secrets.fork_block_number }}
+      HOODI_RPC_URL: ${{ secrets.hoodi_rpc_url }}
+      MAINNET_RPC_URL: ${{ secrets.mainnet_rpc_url }}
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+
+      - uses: actions/setup-node@v4
         with:
-          node-version: '20.x'
+          node-version: '22.x'
+          cache: 'npm'
+
       - run: npm ci
-      - run: npx hardhat test test-forked/*.ts
+        env:
+          GH_TOKEN: ${{ secrets.github_token }}
+
+      - name: Compile contracts
+        run: npx hardhat compile
+        env:
+          FORK_BLOCK_NUMBER: ${{ secrets.fork_block_number }}
+          HOODI_RPC_URL: ${{ secrets.hoodi_rpc_url }}
+
+      - name: Run fork tests
+        run: npx hardhat test test/test-forked/v2.0.0/fullIntegrationForked.test.ts
+        env:
+          REPORT_GAS: 'true'
+          NO_GAS_ENFORCE: '1'
+          FORK_BLOCK_NUMBER: ${{ secrets.fork_block_number }}
+          HOODI_RPC_URL: ${{ secrets.hoodi_rpc_url }}
+          MAINNET_RPC_URL: ${{ secrets.mainnet_rpc_url }}