Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feeDistributor vat is not ugpradable #8729

Closed
warner opened this issue Jan 9, 2024 · 8 comments
Closed

feeDistributor vat is not ugpradable #8729

warner opened this issue Jan 9, 2024 · 8 comments
Labels
bug Something isn't working contract-upgrade Inter-protocol Overarching Inter Protocol

Comments

@warner
Copy link
Member

warner commented Jan 9, 2024

While looking at #8499 (comment) . and thinking about how v28-feeDistributor would react under upgrade, we noticed that v28-feeDistributor is not ugpradable.

v23-feeDistributor has code which talks to the timer service and creates a notifier during startDistributing. However this function is called only from makeFeeDistributor, which creates ephemeral creatorFacet and publicFacet objects (using Far()). So this contract instance is not upgradable: if we were to deploy any new version of v23-feeDistributor, these facets would be abandoned, making them unavailable for clients.

Since we can't upgrade v23-feeDistributor, we'll need to replace it, somehow, by convincing any clients to use a different vat, and then terminate the old one.

I didn't find any other tickets describing our plan to replace this code, so I figured I should start a new one.

cc @Chris-Hibbert
@warner warner added bug Something isn't working Inter-protocol Overarching Inter Protocol contract-upgrade labels Jan 9, 2024
@warner warner mentioned this issue Jan 9, 2024
Merged
@dckc
Copy link
Member

dckc commented Jan 9, 2024

Um... did we miss this one in the bulldozer planning somehow? No... we decided it was OK:

"cron job" with no important state. can terminated and replaced at will.
-- #5795

agoric-sdk/packages/builders/scripts/vats/restart-vats.js

Lines 7 to 9 in d3ddae6

// can be replaced instead of upgraded
'auctioneer',
'feeDistributor',

I think there are no clients.

@Chris-Hibbert
Copy link
Contributor

The feeDistributor may only be used by PSM and vat-bank.

@dckc
Copy link
Member

dckc commented May 15, 2024

feeDistributor collects from vaultFactory and sends to reserve; so it's a client of those 2.

agoric-sdk/packages/inter-protocol/src/proposals/econ-behaviors.js

Lines 500 to 502 in 1749514

const collectorKit = {
vaultFactory: E.get(vaultFactoryKit).creatorFacet,
};

PSM could generate fees, but it doesn't, so we didn't write it up, AFAICT.

feeDistributor 's only client is the time service, I think.

@Chris-Hibbert
Copy link
Contributor

The feeDistributor does all the work, and knows both the payers and payees. Neither of those has any knowledge of the feeDistributor.

The bootstrapSpace has creatorFacets for the payers, which have a makeCollectFeesInvitation() method. It also knows how to make depositFacets for the recipients of the funds.

To replace (not upgrade) the feeDistributor, just create a new one, and register it as the feeDistributor

  feeDistributorKit.resolve(
    harden({ ...instanceKit, label: 'feeDistributor' }),
  );
  feeDistributorP.resolve(instanceKit.instance);

The only current provider of fees is vaultFactory, and the recipients are current configured as

      keywordShares: {
        RewardDistributor: 0n,
        Reserve: 1n,
      }

This was referenced Nov 1, 2024
Open
Closed
@anilhelvaci anilhelvaci mentioned this issue Nov 12, 2024
Merged
mergify bot added a commit that referenced this issue Nov 13, 2024
@mergify
chore(replace-fee-dist): create upgrade-19 dir, test new feeDistribut…
ff9b882 
…or, stage in upgrade.go (#10453)

closes: #10393 
refs: #8730

## Description

There is an on going work for making sure all vats must either be upgradable or replaceable safely. In this PR we are focusing on `feeDistributor` for that. As per #8730, we also want to have tests for `feeDistributor` that checks it works properly after a `vat-timer` is upgraded.

### Security Considerations

I can' think of any threats that can come out of `feeDistributor` to cause any system level harm. As it's only job is to collect fees from `vaultFactory` and send it to `reserve`. 

### Scaling Considerations

Making sure the old `feeDistributor` is not collecting fees from the `vaultFactory` is important but I believe to free resources we need to terminate the old instance.

### Documentation Considerations

None.

### Testing Considerations

Here's the testing scenario implemented;
* Write a proposal code where `collectionInterval` is parameterized
* Have two scripts originating from the proposal created above. One for testing and one for staging
    * Test script’s collectionInterval = 5 seconds
    * Staging script’s collectionInterval = 1 hour
* Staging script is placed in `upgrade.go`
* Testing script is built as a submission in `p:upgrade-19`
     * In `TEST` phase of `p:upgrade-19`, this script will override whatever already exists in the bootstrap environment.
When testing new `feeDistributer`
     * Open a few vaults
     * Use syncTools to wait until `reserve` balance increases

#### Note
In the original test plan, there was this sentence: "Get the new instance’s terms from zoe and make sure its `collectionInterval` is correct"

Which I ended up not implementing because it's not possible to get `zoe` in `a3p` and trying to test this using a core-eval seemed like an anti-pattern. 

cc @Chris-Hibbert 

### Upgrade Considerations

`feeDistributor` is not upgradable. There are plans to make it upgradable in the future. See #8729.
@LuqiPan
Copy link
Contributor

LuqiPan commented Nov 14, 2024

@Chris-Hibbert, this looks to me a duplicate of #10393 and as such, should it be closed?

@Chris-Hibbert
Copy link
Contributor

Chris-Hibbert commented Nov 14, 2024
edited by anilhelvaci
Loading

@LuqiPan It has details that weren't reproduced in #10393

@anilhelvaci, PTAL at this and verify that it doesn't raise any issues that we might have missed in #10453.

@LuqiPan
Copy link
Contributor

LuqiPan commented Dec 10, 2024

@anilhelvaci ping on above comment/question

@anilhelvaci
Copy link
Collaborator

My understanding is that this issue is concerned about any clients of feeDistributor will lose their reference to feeDistributor once it is replaced. And asks "Are we covering this issue?".

I agree with @dckc 's comment here. With one caveat:

feeDistributor 's only client is the time service, I think.

I believe this should be the opposite. feeDistributor is a client of timerService since feeDistributor is the one requesting a notifier from timerService:

agoric-sdk/packages/inter-protocol/src/feeDistributor.js

Lines 94 to 97 in 3b478fb

const collectionNotifier = E(timerService).makeNotifier(
0n,
collectionInterval,
);

This brings us to the conclusion that feeDistributor has NO clients and it functions with the powers it receives from the bootstrap space. Our current test results comply with this. Here's the scenario we implement to test this:

  • Start a new feeDistributor with a shorter collectionInterval (30 seconds) and override the old one from bootstrap space.
  • Repeat below steps for three times. This will ensure the fees are coming from the new feeDistributor and not the old one as the old one's collectionInterval is 1 hour.
    • Open a vault
    • Use syncTools to wait until reserve balance increases

replaceFeeDistributor.test.js produces expected results.

I believe it's safe to close this ticket. @LuqiPan @Chris-Hibbert

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working contract-upgrade Inter-protocol Overarching Inter Protocol
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@warner @dckc @LuqiPan @Chris-Hibbert @anilhelvaci