Payments contract first draft

[aarshkshah1992]

This is the first draft for the payments contract MVP. It has the following features:

• ERC-20 deposits
• ERC-20 withdrawals
• rail creation
• operator approvals
• operator termination
• rail payment modification
• rail lockup modification
• lazy rail settlement
• proxy pattern for contract upgrade
• arbitration
• rate change queuing
• avoiding debt creation during lockup or rate modification

All rail modifications and creation respect the operator approval.

The following features which will be added in a subsequent PR:

1. Escrow
2. Payment Fees

[Stebalien]

Take a look at the "Lockup can be settled..." part of: https://www.notion.so/filecoindev/Payments-Design-Iteration-17ddc41950c180468806c7e0097c2e14?pvs=4#185dc41950c1805da8d4ce567e343307

lockupStart is probably misnamed. Really, it means "the last time we settled lockup". I.e., it's when the lockup rate starts applying.

My point is, I don't think we need hasLockupStarted. We always adjust lockupStart.

[Stebalien]

Ah, I see you've implemented accumulateLockupRate. You don't need this code here, you just need to call accumulateLockupRate before changing the rate (e.g., at the very top of this function). The first time this is called, that will accumulate nothing because the rate will be 0, but it will initialize lockupStart.

[aarshkshah1992]

@Stebalien Yeah this makes sense. If totalLockupRate is 0, the lockupstart does not matter.

I'm fixing naming across this contract now for all state. I don't think these names accurately reflect what they're doing. lockupBase for eg dosen't reflect that it's doing three things:

1. Locking up a fixed security deposit
2. Locking up accrued payments for services already taken by the client but not yet settled by the provider
3. Locking up a portion of payments for future services that have yet to be provided to provide some sort of "guarantee" to the provider.

[Stebalien]

I've updated the design doc. I've named this "lockup current" because it covers funds that are actually locked, not the current target locked. I didn't use the word required because the actually locked funds may be less than the "target" (required).

[Stebalien]

We're going to need two features WRT account management:

1. A way to efficiently (ish) determine the status of an account. Total funds across all tokens, etc. so we can display it in some webui.
2. Ideally a way to efficiently change the owner address? That's complicated.

Even if we don't support (2), we'll need some top-level account abstraction to support (1).

[aarshkshah1992]

@Stebalien

Can't we implement those getters as view functions that can be invoked off-chain on RPC providers ? We can add some state to the contract that makes those view/getter functions slightly less compute intensive but IMO making it a view function that can be invoked off-chain means we can offload the worrying about efficiency to client <> RPC provider relationships without having to add too much state to the contract.

[Stebalien]

Ok, we can solve (1) by:

1. Adding a mapping(address => address[]) of account owners to tokens.
2. Optionally: changing token => owner => Account to owner => token => Account. This isn't strictly necessary, but it mirrors the mapping in (1).

As discussed, we can drop (2) and let the user handle indirection through smart contracts.

[Stebalien]

Actually, maybe we want a single owner => Account mapping where Account contains:

1. The client's operator approvals (map of operator => Approval).
2. An array of approved client operators.
3. An array of client rail IDs.
4. etc...

[Stebalien]

Resolution: we're still exploring the API, let's build that first then figure out what these data structures should look at.

[Stebalien]

Are you sure we want to approve a specific arbiter? I can see the appeal but, in that case... I think we can just let the client decide if they're ok with an arbiter on a per-rail basis.

[aarshkshah1992]

@Stebalien You mean the client creates the rail OR that a client has to approve a rail that has been created by an operator ? Both have different UX implications.

[aarshkshah1992]

See my comment at https://github.com/FilOzone/payments/pull/1/files#r1961082248.

[aarshkshah1992]

An operator can have many different arbitrers for different rails.

[aarshkshah1992]

So remove this.

[aarshkshah1992]

The answer here is to trust the operator.

[Stebalien]

They don't need funds, do they?

[aarshkshah1992]

@Stebalien I mean not strictly speaking. We can get rid of this yeah.

[Stebalien]

Technically, the sender doesn't need any funds either.

[aarshkshah1992]

@Stebalien Technically no but I'd like to keep this so that rails are only created with clients who have interacted with the contract before. Just think it's better that way.

[Stebalien]

Well, this goes back to who can create a rail. IMO, the answer is: the client.

It would be nice if a client can go through the entire signup flow without having to deposit any funds until they actually start using the service.

[aarshkshah1992]

We agree that neither from or to needs funds.

[Stebalien]

TBD: need to discuss approved operators and who, precisely, is allowed to call createRail.

[Stebalien]

OT: Ethereum's "everything exists, it just defaults to zero" gets me every time. It's kind of cool but also really disconcerting.

[aarshkshah1992]

@Stebalien What's "OT" ?

[Stebalien]

"Off topic". I.e., "nothing to do with my review, ignore this, I just wanted to say it."

[Stebalien]

Why not just ignore all of /broadcast?

[Stebalien]

We should consider adding an arbitrary "note" field. Could be useful to explain why the full amount isn't approved.

[aarshkshah1992]

Added this and also now returning this to the caller of settleRail

[Stebalien]

Do we need approved? IMO, we should just revert if we're not approving anything, but I'm not really a solidity expert.

[aarshkshah1992]

@Stebalien This is for the Arbitrer contract to gracefully let us know that it is/is not rejecting the payment.

The Payment contract does revert the settlement if it sees a disapproval from the Arbitrer but doing it this way lets us decide what we wanna do when we see a rejection from the Arbitrer.

We can change this so that the Arbitrer reverts rather than returning this approved flag and then handle the revert in the Payment contract as follows:

// Low-level call with error handling
(bool success, bytes memory returnData) = IArbitrer(Y).call(....);
if (!success) {
    // Handle the error
}

but we need to write some additional encoding/decoding code here for serialisation.

No opinion either way. Wdyt ?

[aarshkshah1992]

The other option is to not gracefully handle any reverts from the Arbitrer contract at all and simply revert right away (in Solidity, when contract X calls contract Y and contract Y reverts -> the call to X reverts right away unless you handle it as above).

The way we've implemented it here -> any revert from Arbitrer will bubble up right away and the settlement will revert but atleast for payment refusals -> we get to handle it gracefully and do more stuff if we want to before we revert.

[aarshkshah1992]

The Arbitrer MUST revert if it wants to reject payment.

[aarshkshah1992]

if arbitrer wants to reject and NOT revert, you can just set settleUpto to the start epoch.

[Stebalien]

Hm. Now that I see this, I wonder if we should call this "settledUpTo" instead of "lastSettledAt".

[aarshkshah1992]

Also renamed the corresponding ArbitrationResult field to settledUpTo

[Stebalien]

Do we need this field?

[aarshkshah1992]

@Stebalien Yeah it's the easiest way to track the fact that an operator has been disapproved. Solidity HashMap/Array deletes aren't clean/gas cheap to do.

[Stebalien]

Also, if operators create rails, it makes sense to:

1. Approve the operator with no allowance.
2. Let the operator create rails.
3. Then give them allowance.

(IMO)

[Stebalien]

Do we need this field either? Isn't it implicit?

[aarshkshah1992]

@Stebalien My idea was to have the client have a say in who gets to be an arbitrer.

[Stebalien]

Make this a free function?

[Stebalien]

Suggested change

	}
	function _settleWithRateChanges(
	}
	function _settleWithRateChanges(

[Stebalien]

Suggested change

	// assert that operator allownace is respected
	// assert that operator allowance is respected

[Stebalien]

We need to validate that:

1. arbResult.settledUntil <= settledUntil.
2. arbResult.modifiedAmount <= rate * (arbResult.settledUntil - segmentStart).

[aarshkshah1992]

For 1, it should be arbResult.settledUntil <=segmentEnd, right ? Yeah making this change.

[aarshkshah1992]

Done.

[Stebalien]

Need to check that untilEpoch is at or before the current epoch.

[aarshkshah1992]

Done.

[Stebalien]

I've spent a lot of time staring at this code and I'm still not sure if it's right. Let's talk through it tomorrow.

[aarshkshah1992]

I agree. It is involved.

[aarshkshah1992]

Let me try to simplify it more today before we sync up.

[aarshkshah1992]

Can leave a note if successful too. For better UX, it's a catch all field for arbitrer to send us info.

[aarshkshah1992]

Do we really need this ?

[aarshkshah1992]

we don't need this as the msg.sender will/should ALWAYS be the operator.

[aarshkshah1992]

who calls this ?

answer: always the client.

[aarshkshah1992]

@Stebalien Please can you review this function ?

[aarshkshah1992]

Write down all the getter APIs. That will determine state design.

[aarshkshah1992]

Try to make it as easy as possible to access basic state without an Indexer.

[aarshkshah1992]

Strike a balance between on-chain state and off-chain compute than an RPC provider needs to do to serve Getter requests.

[aarshkshah1992]

Storing the keys of a Hasmap in an a set if you need iteration. Do it only when needed.

[aarshkshah1992]

An operator can always do this by setting everything to 0.

[aarshkshah1992]

If a client wants to terminate a rail -> they go the operator and get them to modify the rates and lockups for the rail to 0.

[aarshkshah1992]

We need this to track rail termination !

[aarshkshah1992]

Does the solidity compiler optimise this so we only lookup the map once ?

[aarshkshah1992]

can read payer.lockupLastSettledAt from return value.

[aarshkshah1992]

We can put the railRateChangeQueues in the Rail itself.

[Stebalien]

Need to support settling nothing to handle partial settlements. E.g., we're going through the queue settling segment by segment and then we hit a segment where we can settle nothing. We need to accept that and settle everything so far without reverting.

[aarshkshah1992]

this is the current rail rate. fix naming.

[aarshkshah1992]

currentEpoch < targetEpoch is what we need here. if it is equal, we are done and we should exit the loop.

[Stebalien]

This second condition won't be true if I'm trying to settle up to some historical epoch in the past.

[aarshkshah1992]

We need to remove this assert.

[Stebalien]

It would be kind of nice to somehow join these notes together when non-empty, but that isn't critical. We mostly care about the last note anyways.

[Stebalien]

How would this not be the case?

[aarshkshah1992]

if the queue is non-empty AND next element has expired -> until epoch is in the past or < targetEpoch -> pop.

[aarshkshah1992]

actually -> we can JUST dequeue if we reach here.

[aarshkshah1992]

min(next, target)

[aarshkshah1992]

nextBoundary = min(nextBoundary, target)

[Stebalien]

pass min(nextBoundary, targetEpoch)

[Stebalien]

fix comparison.

[aarshkshah1992]

mark the function as nonReEntrant.

[aarshkshah1992]

Infact all functions that modify rail state should have a per-rail lock.

[aarshkshah1992]

Audit and REALLY think through it.

[aarshkshah1992]

rentrancy

[aarshkshah1992]

per-rail settlement lock

[aarshkshah1992]

move this to the Rail struct.

[Stebalien]

The re-entency issue:

We discussed a few approaches:

1. Lock everything preventing both read and write access to the entire contract while settling a rail. This would restrict access to important information, e.g., information about the rail.
2. Lock the rail only. Unfortunately, if we lock read access, we'd still be restricting information about the rail. Furthermore, if we don't adjust payee/payer funds while settling and still allow, e.g., the arbiter to see those fields, the arbiter won't see the "full" effects of the last section of payment it arbitrated.

We settled on:

1. Locking modifications (preventing settling, changing lockup, etc.) to the rail while settling.
2. Updating the rail, the payee, and the payer after each call to the arbiter such that the arbiter always sees the payment contract in the correct state. Effectively, we move most of the rail settlement logic into the "settle segment" function.

Thinking on this more, there are a few more solutions (which I don't like but I figured I'd mention for completeness).

1. We could not lock anything, record important state before calling the arbiter, call the arbiter, then revert if "something has changed". This "works" but is strictly more brittle and doesn't provide any benefit.
2. We could allow payment/lockup changes as long as we're really careful as those changes can only affect future time periods. But I don't think it's worth it and re-entrant modifications are likely always bugs.

[Stebalien]

We also discussed how this relates to withdrawal. IMO, the difference between this and withdrawal is that all the "withdraw" call can do is revert. It can't cause us to change our minds and withdraw less than we initially intended so there are no funky intermediate states.