Part of the sequenced cleanup tracked in
d-bis/proxmox#1.
Scaffolding only. No broadcast. No secret values committed.
The Chain 138 deployer EOA 0x4A666F96...01C8 is in proxmox master in
plaintext and must be rotated off as owner/admin on all contracts it
controls. Because the key is an EOA (not a multisig), rotation is
transfer-then-revoke (not revoke-first) per
docs/runbooks/MULTI_CHAIN_EXECUTION_KEY_ROTATION.md.
- script/rotation/RotateChain138Admin.s.sol
- RotateStage1 (signed by OLD): transferOwnership + grantRole
DEFAULT_ADMIN_ROLE on cUSDT, cUSDC, DODOPMMIntegration; additionally
POOL_MANAGER_ROLE + SWAP_OPERATOR_ROLE on DODOPMMIntegration.
Preflight asserts OLD still holds each role and NEW does not.
- RotateStage2 (signed by NEW): revokeRole on OLD for each of the
above. Preflight asserts Stage 1 landed (NEW holds roles, OLD still
holds roles).
- VerifyChain138RotationComplete: read-only end-state check; reverts
with a specific message if any contract still names OLD as owner or
admin.
- Default addresses are the canonical Chain 138 cUSDT / cUSDC /
DODOPMMIntegration from docs/11-references/ADDRESS_MATRIX_AND_STATUS.md
and .cursor/rules/chain138-tokens-and-pmm.mdc. Overridable via env.
- script/rotation/README.md: index + follow-up PR table for the other
chains (mainnet, Cronos, Polygon, Base, OP, BSC, AVAX, Arbitrum,
Wemix).
- scripts/rotation/chain138-rotation-runbook.md: authoritative operator
runbook with simulate/broadcast cast sequences, Stage-1/Stage-2
verification steps, rollback path (only possible between stages), and
a per-chain template for the follow-up PRs.
Forge build passes (one mixed-case-variable lint note on field names
matching the contract names; not an error).
This PR does not cover other chains or execute the rotation — those
are explicit operator steps gated on per-tx approval.
Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>
