feat(RewardsStreamerMP): introduce emergency mode and ability to leave

[0x-r4bbit]

This adds a new emergency mode that can be enabled by the owner of the system.
When in emergency mode, stakers or StakeVaults can leave the system immediately.

This also applies when there was a malicious upgrade and a call to
emergencyModeEnabled() panics.

To have this in a fully secure manner, we still have to add the counter
part of "leaving" the system. This will allow users that don't agree
with a (malicious) upgrade to get their funds out of the vaults
regardless.

Closes #66

Checklist

Ensure you completed all of the steps below before submitting your pull request:

• Added natspec comments?
• Ran pnpm adorno?
• Ran pnpm verify?

[3esmit]

The ideal logic would be:

Stake Manager contains a flag which is read by Stake Vault. When this flag is true, Stake Vault just allows withdraw and Stake Manager wont accept any iteractions anymore.

[0x-r4bbit]

@3esmit So, the reason I've done it this way (StakeManager sets flag, and reverts accordingly in functions where necessary), is because the logic for preventing interaction with the manager should stay the same no matter what stakevault you interact with.

For example, if we upgrade StakeVault to a different version, we'd otherwise have to ensure that it reverts in functions where it should revert.

If we keep the revert logic in the StakeManager, that's one thing less to keep in mind.

--

Are there any other good reasons to have StakeVault explicitly check emergency mode first, before interacting?

Happy to make the necessary changes in that case, but right now I don't see how that would improve the state.

[0x-r4bbit]

I've updated this PR with a certora rule that ensures only view functions, ownable functions, trusted codehash functions and leave() are callable when in emergency mode

[3esmit]

emergency mode should not have any complex logic. what happens if there is a problem, such as underflow, inside of _updateGlobalState() or _updateAccountMP()?

Emergency exit suppousedly should not process any storage or anything, just allow withdraws.

[3esmit]

To properly test emergency mode, cause the code to make a division by zero in the logic, or whatever unexpected fail.

There would be no reason in having an emergency mode for expected cases, that wouldnt be called emergency mode.

[0x-r4bbit]

So this is now testing the "benign" exit mode case, where the owner enables it, allowing users to exit.

[3esmit]

In contrast with emergency exits on real world, they are usually used when there is a fire in the building. In that case, you don't go grab all your stuff before leave, you just run for your life directly to the exit.

[3esmit]

Why need to update global state if its not going being used anymore?

[0x-r4bbit]

@3esmit @gravityblast I've updated this PR according to the discussion with had with @3esmit

In summary:

1. Emergency exit != leaving
2. Emergency exit allows for leaving the system without any state changes, however vaults still have to check if emergency mode is enabled
3. If reading emergency mode panics due to malicious upgrade, users will be able to leave using leave() which I'll provide in a separate PR

Please give this another review

[0x-r4bbit]

I had to introduce vaultBalance here so we can differentiate between accountInfo.stakedBalance and balanceOf(vault)