docs: document contract architecture and failure scenarios#430
Open
docs: document contract architecture and failure scenarios#430
Conversation
docs: document contract architecture and failure scenarios
fix: align edges of diagram correctly
chore: add links to USDFC token/contracts
BigLep
reviewed
Feb 26, 2026
Contributor
BigLep
left a comment
BigLep
left a comment
There was a problem hiding this comment.
Generally seems good to me. I'll give it a shipit once its clear that we're talking about "StateView" correctly.
SPEC.md
Outdated
|
|
||
| ### Upgrade Mechanism | ||
|
|
||
| FWSS, PDPVerifier, and ServiceProviderRegistry each implement the same **two-step announce-then-upgrade** pattern. The owner first calls `announcePlannedUpgrade(PlannedUpgrade)` with the address of the new implementation and a future block number. The upgrade cannot execute until that block number is reached. When `upgradeToAndCall` is later invoked, the internal `_authorizeUpgrade` guard verifies the implementation matches the announcement and the delay has elapsed: |
Contributor
There was a problem hiding this comment.
Suggested change
| FWSS, PDPVerifier, and ServiceProviderRegistry each implement the same **two-step announce-then-upgrade** pattern. The owner first calls `announcePlannedUpgrade(PlannedUpgrade)` with the address of the new implementation and a future block number. The upgrade cannot execute until that block number is reached. When `upgradeToAndCall` is later invoked, the internal `_authorizeUpgrade` guard verifies the implementation matches the announcement and the delay has elapsed: | |
| FWSS, PDPVerifier, and ServiceProviderRegistry each implement the same home-grown **two-step announce-then-upgrade** pattern. The owner first calls `announcePlannedUpgrade(PlannedUpgrade)` with the address of the new implementation (`PlannedUpgrade.nextImplementation`) and a future block number (`PlannedUpgrade.afterEpoch`). The upgrade cannot execute until that block number is reached. The minimum delay is at least 1 block. When [`upgradeToAndCall`](https://docs.openzeppelin.com/contracts/5.x/api/proxy#UUPSUpgradeable-upgradeToAndCall-address-bytes-) is later invoked, the internal `_authorizeUpgrade` guard verifies the implementation matches the announcement and the delay has elapsed: |
I used "home grown" to make it clear that we aren't following an EIP here (but it is good/prudent to do). Maybe @wjmelements can point to industry best practice that we're modeling after.
|
|
||
| See [`FilecoinWarmStorageService.sol:429-441`](https://github.com/FilOzone/filecoin-services/blob/main/service_contracts/src/FilecoinWarmStorageService.sol#L429-L441). The minimum code-length check (`code.length > 3000`) prevents accidental upgrades to empty or trivially small implementations. The `afterEpoch` delay gives users time to review the announced implementation before it takes effect. | ||
|
|
||
| ### Immutable Reference Coupling |
Contributor
There was a problem hiding this comment.
Should we also talk about FWSS' reference to StateView. I see it stores one per https://github.com/FilOzone/filecoin-services/blob/main/service_contracts/src/FilecoinWarmStorageService.sol#L459-L496
Co-authored-by: Steve Loeppky <biglep@filoz.org>
Co-authored-by: Steve Loeppky <biglep@filoz.org>
Co-authored-by: Steve Loeppky <biglep@filoz.org>
Co-authored-by: Steve Loeppky <biglep@filoz.org>
Co-authored-by: Steve Loeppky <biglep@filoz.org>
docs: document storage layout violations and backwards incompatibility
docs: move UUPS explenation into `Upgrade Mechanism` section
docs: change from ASCII to mermaid charts
rvagg
reviewed
Feb 26, 2026
SPEC.md
Outdated
| Caller->>FilecoinPayV1: settleRail(railId) | ||
| FilecoinPayV1->>FWSS: validatePayment(railId, fromEpoch, toEpoch) | ||
| Note over FWSS: find proven periods in range | ||
| FWSS-->>FilecoinPayV1: provenEpochCount, finalSettlementEpoch |
Collaborator
There was a problem hiding this comment.
Not quite, see ValidationResult in FP. It doesn't care about proven epoch, it cares about modifiedAmount (<= the max settlement amount) and settleUpto (which epoch did we settle up to—in FWSS's case this'll usually come up to the end of the last proving period if you're trying to settle up to the current period)
rvagg
reviewed
Feb 26, 2026
rvagg
reviewed
Feb 26, 2026
rvagg
reviewed
Feb 26, 2026
rvagg
reviewed
Feb 26, 2026
Co-authored-by: Rod Vagg <rod@vagg.org>
Document StateView's architecture, failure impact, and remediation in the contract architecture spec. Add FWSS's StateView storage variable reference to the Immutable Reference Coupling section. Fix settlement sequence diagram to return ValidationResult (modifiedAmount, settleUpto) instead of incorrect fields. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix data flow diagram callers and add schedule deletions
Add flow 6 (Next Proving Period) showing SP calling PDPVerifier.nextProvingPeriod, which triggers FWSS to process scheduled deletions and recalculate the payment rate. Clean up Schedule Deletions flow to only show the queuing step. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reframe FilecoinPayV1 failure response by severity
docs: clarify StateView mutability and additive deploy behavior
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Towards: #361
Addressing/trying to answer Done criterias 1 and 2: