Squashed commit of the following:

commit 9686b07
Author: Amir Y <amirylm.dev@gmail.com>
Date:   Fri May 3 20:06:44 2024 +0300

    Make plugin robust against outcome manipulation (#799)

    ## Motivation

    The OCR plugin fails to deduplicate the values of slices in each
    oracle’s reported observation. This allows a single node to introduce
    duplicate values in its observation slices, causing the plugin to
    erroneously trust that certain values are the consensus among the DON.

    ## Solution

    Extending observation validation to include deduplication validation.

commit c8385ba
Author: Amir Y <amirylm.dev@gmail.com>
Date:   Fri May 3 18:48:11 2024 +0300

    Change code owners of liquidity manger (#805)

commit 9152f0b
Author: Ryan Hall <RyanRHall@users.noreply.github.com>
Date:   Fri May 3 11:29:26 2024 -0400

    Add withdrawNative function to Rebalancer contract (#776)

    ## Motivation
    We want the ability to withdraw native funds from the LM contract in
    case we want to migrate those funds to future LM versions

    ## Solution
    add a `withdrawNative()` function that only the owner can call

commit 91d1e90
Author: Rens Rooimans <github@rensrooimans.nl>
Date:   Fri May 3 17:09:29 2024 +0200

    share change in onramp to multi onramp (#804)

    Fix ci by applying a change in single-ramp to the multi-ramp

commit 7c08043
Author: Amir Y <amirylm.dev@gmail.com>
Date:   Fri May 3 17:47:12 2024 +0300

    Median liquidity per chain fault tolerance validation (#797)

    ## Motivation

    Currently, we don’t count values of the reported liquidity in each
    observation to ensure we have at least f+1 values for each chain, which
    means that we fail the case of empty values (e.g. an oracle that fails
    to get the values).

    ## Solution

    Count liquidities reported for each chain and ensure the count exceeds
    the minimum fault tolerance threshold (f+1).

commit 73c50c6
Author: Rens Rooimans <github@rensrooimans.nl>
Date:   Fri May 3 16:17:11 2024 +0200

    add isChainSupported to admin registry, reduce permissions of admin (#803)

commit 71ae754
Author: Ryan <80392855+RayXpub@users.noreply.github.com>
Date:   Fri May 3 14:57:00 2024 +0400

    Create multi chain copies for on/off ramps, ARL & commit store (#772)

    ## Motivation

    Create multi chain copies for the below contracts:
    - `EVM2EVMOffRamp` -> `EVM2EVMMultiOffRamp`
    - `EVM2EVMOnRamp` -> `EVM2EVMMultiOnRamp`
    - `AggregateRateLimiter` -> `MultiAggregateRateLimiter`
    - `CommitStore` -> `MultiCommitStore`

    ## Solution

    New contracts are exact copies of the single chain ones.

    Some minor changes for CI purposes:
    - Removed some unused imports
    - Increased solhint max warnings

    ---------

    Co-authored-by: Evaldas Latoskinas <evaldas.latoskinas@smartcontract.com>

commit 07337eb
Author: Anindita Ghosh <88458927+AnieeG@users.noreply.github.com>
Date:   Fri May 3 15:48:24 2024 +0530

    fix internal ips in crib (#800)

    ## Motivation

    ## Solution

.changeset/beige-tables-visit.md

@@ -0,0 +1,5 @@
+---
+"ccip": patch
+---
+
+Validate bft (f+1) for observed liquidity per chain

.changeset/ten-adults-try.md

@@ -0,0 +1,5 @@
+---
+"ccip": patch
+---
+
+Extending observation validation to include deduplication validation, in order to avoid from observation manipulation

.changeset/wild-falcons-speak.md

@@ -0,0 +1,5 @@
+---
+"ccip": patch
+---
+
+add isChainSupported to admin registry, reduce permissions of admin

.github/workflows/solidity-foundry.yml

@@ -161,7 +161,7 @@ jobs:
         with:
           update-comment: true
           coverage-files: lcov.info.pruned
-          minimum-coverage: 98.6
+          minimum-coverage: 98.5
           artifact-name: code-coverage-report
           working-directory: ./contracts
           github-token: ${{ secrets.GITHUB_TOKEN }}

CODEOWNERS

@@ -143,7 +143,7 @@ flake.lock @smartcontractkit/prodsec-public
 # CCIP override
 /core/ @smartcontractkit/ccip
 /contracts/ @rensr @matyang @makramkd
-/core/services/ocr2/plugins/liquiditymanager @rensr @dimkouv @makramkd
+/core/services/ocr2/plugins/liquiditymanager @amirylm @ryanrhall @infiloop2 @makramkd
 
 # CCIP ARM
 /contracts/src/v0.8/ccip/ARM.sol @gtklocker @kaleofduty

charts/ccip-scripts/templates/ccip-scripts-cm.yaml

@@ -14,7 +14,7 @@ data:
           "URL": "http://{{$.Release.Name}}-{{.name}}.{{$.Release.Namespace}}.svc.cluster.local:{{$.Values.chainlink.web_port}}",
           "Email": "notreal@fakeemail.ch",
           "Password": "fj293fbBnlQ!f9vNs",
-          "InternalIP": "{{$.Release.Name}}-{{.name}}",
+          "InternalIP": "{{$.Release.Name}}-{{.name}}.{{$.Release.Namespace}}.svc.cluster.local",
           {{- end}}
           "HTTPTimeout": null
         },
@@ -26,7 +26,7 @@ data:
       "URL": "http://{{$.Release.Name}}-{{$cfg.name}}.{{$.Release.Namespace}}.svc.cluster.local:{{$.Values.chainlink.web_port}}",
       "Email": "notreal@fakeemail.ch",
       "Password": "fj293fbBnlQ!f9vNs",
-      "InternalIP": "{{$.Release.Name}}-{{$cfg.name}}",
+      "InternalIP": "{{$.Release.Name}}-{{$cfg.name}}.{{$.Release.Namespace}}.svc.cluster.local",
       "HTTPTimeout": null
     }
             {{- end}}

contracts/.changeset/beige-birds-run.md

@@ -0,0 +1,5 @@
+---
+"@chainlink/contracts-ccip": patch
+---
+
+fix ci

contracts/.changeset/curly-cobras-grow.md

@@ -0,0 +1,5 @@
+---
+"@chainlink/contracts-ccip": patch
+---
+
+add withdraw function to LM

contracts/.changeset/seven-taxis-vanish.md

@@ -0,0 +1,5 @@
+---
+"@chainlink/contracts-ccip": patch
+---
+
+add isChainSupported to admin registry, reduce permissions of admin

contracts/.changeset/yellow-ears-cheer.md

@@ -0,0 +1,5 @@
+---
+"@chainlink/contracts-ccip": patch
+---
+
+add withdrawNative() function to rebalancer

contracts/gas-snapshots/liquiditymanager.gas-snapshot

@@ -1,3 +1,25 @@
+LiquidityManager__report:test_EmptyReportReverts() (gas: 11161)
+LiquidityManager_addLiquidity:test_addLiquiditySuccess() (gas: 284740)
+LiquidityManager_rebalanceLiquidity:test_InsufficientLiquidityReverts() (gas: 19585)
+LiquidityManager_rebalanceLiquidity:test_InvalidRemoteChainReverts() (gas: 197560)
+LiquidityManager_rebalanceLiquidity:test_rebalanceBetweenPoolsSuccess() (gas: 8766133)
+LiquidityManager_rebalanceLiquidity:test_rebalanceBetweenPoolsSuccess_AlreadyFinalized() (gas: 8575758)
+LiquidityManager_rebalanceLiquidity:test_rebalanceBetweenPools_MultiStageFinalization() (gas: 8570966)
+LiquidityManager_rebalanceLiquidity:test_rebalanceBetweenPools_NativeRewrap() (gas: 8488731)
+LiquidityManager_rebalanceLiquidity:test_rebalanceLiquiditySuccess() (gas: 384964)
+LiquidityManager_removeLiquidity:test_InsufficientLiquidityReverts() (gas: 191737)
+LiquidityManager_removeLiquidity:test_OnlyOwnerReverts() (gas: 10967)
+LiquidityManager_removeLiquidity:test_removeLiquiditySuccess() (gas: 243303)
+LiquidityManager_setCrossChainRebalancer:test_OnlyOwnerReverts() (gas: 17027)
+LiquidityManager_setCrossChainRebalancer:test_ZeroAddressReverts() (gas: 21630)
+LiquidityManager_setCrossChainRebalancer:test_ZeroChainSelectorReverts() (gas: 13105)
+LiquidityManager_setCrossChainRebalancer:test_setCrossChainRebalancerSuccess() (gas: 162333)
+LiquidityManager_setLocalLiquidityContainer:test_OnlyOwnerReverts() (gas: 11008)
+LiquidityManager_setLocalLiquidityContainer:test_setLocalLiquidityContainerSuccess() (gas: 3288832)
+LiquidityManager_setMinimumLiquidity:test_OnlyOwnerReverts() (gas: 10925)
+LiquidityManager_setMinimumLiquidity:test_setMinimumLiquiditySuccess() (gas: 36434)
+LiquidityManager_withdrawNative:test_OnlyOwnerReverts() (gas: 13115)
+LiquidityManager_withdrawNative:test_withdrawNative_success() (gas: 51041)
 OCR3Base_setOCR3Config:testFMustBePositiveReverts() (gas: 12245)
 OCR3Base_setOCR3Config:testFTooHighReverts() (gas: 12429)
 OCR3Base_setOCR3Config:testOracleOutOfRegisterReverts() (gas: 14847)
@@ -17,24 +39,4 @@ OCR3Base_transmit:testUnauthorizedSignerReverts() (gas: 44736)
 OCR3Base_transmit:testWrongNumberOfSignaturesReverts() (gas: 25655)
 OptimismL1BridgeAdapter_finalizeWithdrawERC20:testFinalizeWithdrawERC20Reverts() (gas: 12932)
 OptimismL1BridgeAdapter_finalizeWithdrawERC20:testfinalizeWithdrawERC20FinalizeSuccess() (gas: 16972)
-OptimismL1BridgeAdapter_finalizeWithdrawERC20:testfinalizeWithdrawERC20proveWithdrawalSuccess() (gas: 20758)
-Rebalancer__report:test_EmptyReportReverts() (gas: 11183)
-Rebalancer_addLiquidity:test_addLiquiditySuccess() (gas: 284740)
-Rebalancer_rebalanceLiquidity:test_InsufficientLiquidityReverts() (gas: 19585)
-Rebalancer_rebalanceLiquidity:test_InvalidRemoteChainReverts() (gas: 197560)
-Rebalancer_rebalanceLiquidity:test_rebalanceBetweenPoolsSuccess() (gas: 8631373)
-Rebalancer_rebalanceLiquidity:test_rebalanceBetweenPoolsSuccess_AlreadyFinalized() (gas: 8508327)
-Rebalancer_rebalanceLiquidity:test_rebalanceBetweenPools_MultiStageFinalization() (gas: 8503535)
-Rebalancer_rebalanceLiquidity:test_rebalanceBetweenPools_NativeRewrap() (gas: 8421300)
-Rebalancer_rebalanceLiquidity:test_rebalanceLiquiditySuccess() (gas: 384928)
-Rebalancer_removeLiquidity:test_InsufficientLiquidityReverts() (gas: 191702)
-Rebalancer_removeLiquidity:test_OnlyOwnerReverts() (gas: 10923)
-Rebalancer_removeLiquidity:test_removeLiquiditySuccess() (gas: 243268)
-Rebalancer_setCrossChainRebalancer:test_OnlyOwnerReverts() (gas: 16982)
-Rebalancer_setCrossChainRebalancer:test_ZeroAddressReverts() (gas: 21630)
-Rebalancer_setCrossChainRebalancer:test_ZeroChainSelectorReverts() (gas: 13105)
-Rebalancer_setCrossChainRebalancer:test_setCrossChainRebalancerSuccess() (gas: 162288)
-Rebalancer_setLocalLiquidityContainer:test_OnlyOwnerReverts() (gas: 11008)
-Rebalancer_setLocalLiquidityContainer:test_setLocalLiquidityContainerSuccess() (gas: 3288767)
-Rebalancer_setMinimumLiquidity:test_OnlyOwnerReverts() (gas: 10925)
-Rebalancer_setMinimumLiquidity:test_setMinimumLiquiditySuccess() (gas: 36389)
+OptimismL1BridgeAdapter_finalizeWithdrawERC20:testfinalizeWithdrawERC20proveWithdrawalSuccess() (gas: 20758)

contracts/src/v0.8/ccip/interfaces/IPool.sol

@@ -22,4 +22,9 @@ interface IPool is IERC165 {
   function releaseOrMint(Pool.ReleaseOrMintInV1 calldata releaseOrMintIn)
     external
     returns (Pool.ReleaseOrMintOutV1 memory);
+
+  /// @notice Checks whether a remote chain is supported in the token pool.
+  /// @param remoteChainSelector The selector of the remote chain.
+  /// @return true if the given chain is a permissioned remote chain.
+  function isSupportedChain(uint64 remoteChainSelector) external view returns (bool);
 }

contracts/src/v0.8/ccip/interfaces/ITokenAdminRegistry.sol

@@ -5,9 +5,6 @@ interface ITokenAdminRegistry {
   /// @notice Returns the pool for the given token.
   function getPool(address token) external view returns (address);
 
-  /// @notice Returns every token that has been configured through a permissoned method.
-  function getPermissionedTokens() external view returns (address[] memory);
-
   /// @notice Registers an administrator for the given token.
   /// @param localToken The token to register the administrator for.
   /// @param administrator The administrator to register.

contracts/src/v0.8/ccip/offRamp/EVM2EVMMultiOffRamp.sol

@@ -28,7 +28,7 @@ import {ERC165Checker} from "../../vendor/openzeppelin-solidity/v4.8.3/contracts
 /// @dev OCR2BaseNoChecks is used to save gas, signatures are not required as the offramp can only execute
 /// messages which are committed in the commitStore. We still make use of OCR2 as an executor whitelist
 /// and turn-taking mechanism.
-contract EVM2EVMOffRamp is IAny2EVMOffRamp, AggregateRateLimiter, ITypeAndVersion, OCR2BaseNoChecks {
+contract EVM2EVMMultiOffRamp is IAny2EVMOffRamp, AggregateRateLimiter, ITypeAndVersion, OCR2BaseNoChecks {
   using ERC165Checker for address;
   using EnumerableMapAddresses for EnumerableMapAddresses.AddressToAddressMap;
 
@@ -97,7 +97,7 @@ contract EVM2EVMOffRamp is IAny2EVMOffRamp, AggregateRateLimiter, ITypeAndVersio
   }
 
   // STATIC CONFIG
-  string public constant override typeAndVersion = "EVM2EVMOffRamp 1.5.0-dev";
+  string public constant override typeAndVersion = "EVM2EVMMultiOffRamp 1.6.0-dev";
 
   /// @dev Commit store address on the destination chain
   address internal immutable i_commitStore;

contracts/src/v0.8/ccip/onRamp/EVM2EVMMultiOnRamp.sol

@@ -25,7 +25,7 @@ import {EnumerableMap} from "../../vendor/openzeppelin-solidity/v4.8.3/contracts
 /// bridgeable token support.
 /// @dev The EVM2EVMOnRamp, CommitStore and EVM2EVMOffRamp form an xchain upgradeable unit. Any change to one of them
 /// results an onchain upgrade of all 3.
-contract EVM2EVMOnRamp is IEVM2AnyOnRamp, ILinkAvailable, AggregateRateLimiter, ITypeAndVersion {
+contract EVM2EVMMultiOnRamp is IEVM2AnyOnRamp, ILinkAvailable, AggregateRateLimiter, ITypeAndVersion {
   using SafeERC20 for IERC20;
   using EnumerableMap for EnumerableMap.AddressToUintMap;
   using USDPriceWith18Decimals for uint224;
@@ -54,7 +54,7 @@ contract EVM2EVMOnRamp is IEVM2AnyOnRamp, ILinkAvailable, AggregateRateLimiter,
   error CannotSendZeroTokens();
   error SourceTokenDataTooLarge(address token);
   error InvalidChainSelector(uint64 chainSelector);
-  error GetSupportedTokensFunctionalityRemoved();
+  error GetSupportedTokensFunctionalityRemovedCheckAdminRegistry();
 
   event ConfigSet(StaticConfig staticConfig, DynamicConfig dynamicConfig);
   event NopPaid(address indexed nop, uint256 amount);
@@ -145,7 +145,7 @@ contract EVM2EVMOnRamp is IEVM2AnyOnRamp, ILinkAvailable, AggregateRateLimiter,
   }
 
   // STATIC CONFIG
-  string public constant override typeAndVersion = "EVM2EVMOnRamp 1.5.0-dev";
+  string public constant override typeAndVersion = "EVM2EVMMultiOnRamp 1.6.0-dev";
   /// @dev metadataHash is a lane-specific prefix for a message hash preimage which ensures global uniqueness
   /// Ensures that 2 identical messages sent to 2 different lanes will have a distinct hash.
   /// Must match the metadataHash used in computing leaf hashes offchain for the root committed in
@@ -457,7 +457,7 @@ contract EVM2EVMOnRamp is IEVM2AnyOnRamp, ILinkAvailable, AggregateRateLimiter,
 
   /// @inheritdoc IEVM2AnyOnRampClient
   function getSupportedTokens(uint64 /*destChainSelector*/ ) external view returns (address[] memory) {
-    return ITokenAdminRegistry(s_dynamicConfig.tokenAdminRegistry).getPermissionedTokens();
+    revert GetSupportedTokensFunctionalityRemovedCheckAdminRegistry();
   }
 
   // ================================================================

contracts/src/v0.8/ccip/onRamp/EVM2EVMOnRamp.sol

@@ -54,7 +54,7 @@ contract EVM2EVMOnRamp is IEVM2AnyOnRamp, ILinkAvailable, AggregateRateLimiter,
   error CannotSendZeroTokens();
   error SourceTokenDataTooLarge(address token);
   error InvalidChainSelector(uint64 chainSelector);
-  error GetSupportedTokensFunctionalityRemoved();
+  error GetSupportedTokensFunctionalityRemovedCheckAdminRegistry();
 
   event ConfigSet(StaticConfig staticConfig, DynamicConfig dynamicConfig);
   event NopPaid(address indexed nop, uint256 amount);
@@ -456,8 +456,8 @@ contract EVM2EVMOnRamp is IEVM2AnyOnRamp, ILinkAvailable, AggregateRateLimiter,
   }
 
   /// @inheritdoc IEVM2AnyOnRampClient
-  function getSupportedTokens(uint64 /*destChainSelector*/ ) external view returns (address[] memory) {
-    return ITokenAdminRegistry(s_dynamicConfig.tokenAdminRegistry).getPermissionedTokens();
+  function getSupportedTokens(uint64) external pure returns (address[] memory) {
+    revert GetSupportedTokensFunctionalityRemovedCheckAdminRegistry();
   }
 
   // ================================================================

contracts/src/v0.8/ccip/pools/TokenPool.sol

@@ -161,8 +161,7 @@ abstract contract TokenPool is IPool, OwnerIsCreator {
     emit RemotePoolSet(remoteChainSelector, prevAddress, remotePoolAddress);
   }
 
-  /// @notice Checks whether a chain selector is permissioned on this contract.
-  /// @return true if the given chain selector is a permissioned remote chain.
+  /// @inheritdoc IPool
   function isSupportedChain(uint64 remoteChainSelector) public view returns (bool) {
     return s_remoteChainSelectors.contains(remoteChainSelector);
   }

contracts/src/v0.8/ccip/test/onRamp/EVM2EVMOnRamp.t.sol

@@ -899,15 +899,9 @@ contract EVM2EVMOnRamp_getDataAvailabilityCost is EVM2EVMOnRamp_getFeeSetup {
 }
 
 contract EVM2EVMOnRamp_getSupportedTokens is EVM2EVMOnRampSetup {
-  function test_GetSupportedTokens_Success() public view {
-    address[] memory tokens = s_onRamp.getSupportedTokens(DEST_CHAIN_SELECTOR);
-
-    address[] memory expected = new address[](4);
-    expected[0] = s_sourceTokens[0];
-    expected[1] = s_sourceTokens[1];
-    expected[2] = s_destTokens[0];
-    expected[3] = s_destTokens[1];
-    assertEq(expected, tokens);
+  function test_GetSupportedTokens_Revert() public {
+    vm.expectRevert(EVM2EVMOnRamp.GetSupportedTokensFunctionalityRemovedCheckAdminRegistry.selector);
+    s_onRamp.getSupportedTokens(DEST_CHAIN_SELECTOR);
   }
 }
 

contracts/src/v0.8/ccip/test/router/Router.t.sol

@@ -684,15 +684,9 @@ contract Router_setWrappedNative is EVM2EVMOnRampSetup {
 
 /// @notice #getSupportedTokens
 contract Router_getSupportedTokens is EVM2EVMOnRampSetup {
-  function test_GetSupportedTokens_Success() public view {
-    address[] memory tokens = s_sourceRouter.getSupportedTokens(DEST_CHAIN_SELECTOR);
-
-    address[] memory expected = new address[](4);
-    expected[0] = s_sourceTokens[0];
-    expected[1] = s_sourceTokens[1];
-    expected[2] = s_destTokens[0];
-    expected[3] = s_destTokens[1];
-    assertEq(expected, tokens);
+  function test_GetSupportedTokens_Revert() public {
+    vm.expectRevert(EVM2EVMOnRamp.GetSupportedTokensFunctionalityRemovedCheckAdminRegistry.selector);
+    s_onRamp.getSupportedTokens(DEST_CHAIN_SELECTOR);
   }
 }