evm: per chain transceivers

[bruce-riley]

This PR implements the NttManagerWithPerChainTransceivers contract which inherits from NttManagerNoRateLimiting and allows configuring different transceivers and thresholds for each chain. You can configure a different set of send and receive transceivers for each chain. If you don't specifically enable any transceivers for a chain, then all transceivers will be used.

This new contract has to inherit from the no-rate-limiting due to the contract size limit.

[bruce-riley]

Contract sizes before this feature:

| NttManager                            |   23,615 |        961 |
| NttManagerNoRateLimiting              |   18,169 |      6,407 |

Contract sizes with this feature:

| NttManager                                  |   23,651 |        925 |
| NttManagerNoRateLimiting                    |   18,205 |      6,371 |
| NttManagerWithPerChainTransceivers          |   22,804 |      1,772 |

[bruce-riley]

Would like to have a longer look at this next week, the bitmap and threshold stuff was a source of some pain in the original audit.

One general comment is I feel like it becomes a lot easier to misconfig with these changes. For example, in a 2 transceiver, threshold of 2 global setup, if only 1 transceiver is enabled for receiving from a given chain, but the deployer forgets to set the perChainThreshold for that chain, then messages won't get delivered. Maybe in enableRecvTransceiverForChain we need to check that perChainThreshold is <= set bits in the joint enabledTransceiverBitmap & enabledTransceiversForChain bitmap?

That would require them to set the per-chain threshold before enabling anything, right? Is that acceptable?

[djb15]

Would like to have a longer look at this next week, the bitmap and threshold stuff was a source of some pain in the original audit.
One general comment is I feel like it becomes a lot easier to misconfig with these changes. For example, in a 2 transceiver, threshold of 2 global setup, if only 1 transceiver is enabled for receiving from a given chain, but the deployer forgets to set the perChainThreshold for that chain, then messages won't get delivered. Maybe in enableRecvTransceiverForChain we need to check that perChainThreshold is <= set bits in the joint enabledTransceiverBitmap & enabledTransceiversForChain bitmap?

That would require them to set the per-chain threshold before enabling anything, right? Is that acceptable?

I was thinking we could write perChainThreshold to 1 when we add the first per chain transceiver? I think we do something similar in the existing transceiver registry

[banescusebi]

I will continue looking a bit into the test files, but wanted to submit the comments so far.

[bruce-riley]

We've decided to not support falling back to the global defaults, and also switch to functions to get / set the bitmaps per chain, rather than doing enable/disable.

I'm converting this back to draft while I do the rework.

[djb15]

• Should setThreshold be overridden and revert?
• More generally to the above bullet point, we should try to minimise unintended side effects of enabling/disabling transceivers globally/per-chain and also setting global/per-chain thresholds (global thresholds appear to be unused now, but worth being explicit)

[banescusebi]

Overall looks pretty solid this way. Just a few nits and questions from my side.

[banescusebi]

Genera question regarding this 64 transceiver limit: as more and more chains pop-up and are added to WH, will 64 bits be sufficient in the future?

[banescusebi]

Why this small change here?

[djb15]

This was me! != needs 2 opcodes vs > just needs 1, so we save (a small amount of) gas here. Plus it matches how we do it elsewhere in the codebase

[banescusebi]

The _checkTransceiversInvariants() ensures that you can't remove a transceiver globally, when it's enabled for a chain. Therefore enabledTransceiversForChain is a subset of enabledTransceiverBitmap.

[banescusebi]

This _checkTransceiversInvariants() seems quite heavy. Would it be worth doing an analysis at how many chains and how many transceivers per chain do the calling functions hit the block gas limit?

[banescusebi]

Love this test.

[banescusebi]

Something that might be worth adding to the README.md:

Even when only using per chain transceivers, one needs to register each transceiver using the setTransceiver() method inherited from ManagerBase. Note that this only allows registering up to 64 transceivers in total (to be used as send and/or receive transceivers).

[evan-gray]

Closing this PR given the following:

• the implementation has become increasingly complex to make safe for upgrading NttManagers while maintaining the config and method identifiers
• these changes push the contract over the size limit
• we expect to rework the transceiver configuration in a future, breaking version

Therefore, despite the much appreciated effort and reviews, I do not recommend proceeding.