[SEV] Hotfix FWSS v1.2.0 compatibility with PDPVerifier v3.4.0

[rjan90]

Summary

PDPVerifier v3.4.0 remains active on Calibration and Mainnet. The incident was caused by deployed FWSS v1.2.0 still calling IPDPVerifier.USDFC_SYBIL_FEE() during new data-set creation and pre-flight lockup validation, while PDPVerifier v3.4.0 had removed that getter as part of the cleanup-deposit change.

The chosen mitigation was the lower-disruption FWSS hotfix path, not PDPVerifier rollback. FWSS v1.2.1 preserves the FWSS v1.2.0 USDFC sybil-fee burn rail, but replaces the PDPVerifier getter dependency with a local 0.1 USDFC FWSS constant. Curio/SP software still needs to send the 0.1 FIL cleanup deposit required by PDPVerifier v3.4.0 when creating new data sets.

Current Status

• PDPVerifier v3.4.0 remains active on Calibration and Mainnet.
• FWSS v1.2.1 hotfix was merged into releases/v1.2.x: fix(fwss): remove PDPVerifier sybil fee dependency filecoin-services#491
• FWSS hotfix commit: a6dec30d61213c2eb9af2b5bbabb4ab36ec531b1
• FWSS changelog/deployments PR merged: chore: record v1.2.1 rollout addresses filecoin-services#492
• FWSS v1.2.1 release published: https://github.com/FilOzone/filecoin-services/releases/tag/v1.2.1
• FWSS incident/hotfix tracking issue closed: [SEV] Hotfix FWSS v1.2.0 for PDPVerifier v3.4.0 compatibility filecoin-services#490
• Calibration FWSS smoke testing has confirmed the hotfix works.
• Mainnet FWSS has been upgraded and verified on-chain.

Impact

• New data-set creation through deployed FWSS v1.2.0 could fail against PDPVerifier v3.4.0 because FWSS called the removed USDFC_SYBIL_FEE() getter.
• Existing data sets appeared unaffected.
• PDPVerifier rollback was prepared as a fallback, but was not used.

Root Cause

FWSS v1.2.0 contained two IPDPVerifier(pdpVerifierAddress).USDFC_SYBIL_FEE() dependencies:

• data-set creation sybil-fee burn-rail path
• pre-flight minimum lockup calculation in validatePayerOperatorApprovalAndFunds()

Those calls were incompatible with PDPVerifier v3.4.0 because that release removed the old PDPVerifier USDFC sybil-fee getter and introduced the FIL cleanup deposit requirement for new data-set creation.

Active PDPVerifier State

Calibration

• Proxy: 0x85e366Cf9DD2c0aE37E963d9556F5f4718d6417C
• Active implementation: 0xd60b90f6D3C42B26a246E141ec701a20Dde2fA61
• Version verified: 3.4.0
• Upgrade tx: https://filecoin-testnet.blockscout.com/tx/0x0bb3597820f0c14a902f6c5672e5b3d1e2f9b7e60174773af07ef6f2762121ad

Mainnet

• Proxy: 0xBADd0B92C1c71d02E7d520f64c0876538fa2557F
• Active implementation: 0xb41A97FEDD2D9497C639A643ec75E56CbCeDe8BA
• Version verified: 3.4.0
• Upgrade tx: https://filecoin.blockscout.com/tx/0x07407b3becb1786e3b4217bfb5774d155d91d9688b0800fe5740689a72c4ed10

FWSS Hotfix State

Calibration

• Proxy: 0x02925630df557F957f70E112bA06e50965417CA0
• Active implementation: 0xC196EFddF64C4c2605284Ab66bdbc24fC795dE9E
• Version verified: 1.2.1
• nextUpgrade() verified cleared
• Announce tx: https://filecoin-testnet.blockscout.com/tx/0x59a6423086a0ee728b118441f074f677e35d25cd8bdd1029f934b5b6ed0a6cce
• Execute tx: https://filecoin-testnet.blockscout.com/tx/0xb1f6feeb4e7d360203810d7a95f24fbcd13c9e8b278c3756136b7409aa762c81
• Smoke test: confirmed working

Mainnet

• Proxy: 0x8408502033C418E1bbC97cE9ac48E5528F371A9f
• Active implementation: 0xEBc8CD859d0D389235bDe59B97485936daA1aED5
• Version verified: 1.2.1
• nextUpgrade() verified cleared
• Announce tx: https://filecoin.blockscout.com/tx/0xe61059f8d764a2b4d664769c7eee7973a078fbbc0f7c2fd144e86ebba54d483e
• Execute tx: https://filecoin.blockscout.com/tx/0x45c82cd462ae683e92636b158604bccec9c1dd65b95e45fb23ed7f53bf8a4a25
• Safe tx: https://safe.filecoin.io/transactions/tx?id=multisig_0x6386622B4915B027900d65560b0ab84F8a1ff2AA_0x6f23513bd866e2098c766d8e1a10e5fe81e813a93f075dd81bce9dd69a9a6632&safe=filecoin:0x6386622B4915B027900d65560b0ab84F8a1ff2AA

Completed Mitigation Checklist

Code / Release Prep

• Create minimal filecoin-services hotfix branch from the deployed FWSS v1.2.0 baseline
• Preserve the FWSS sybil-fee burn rail while removing the PDPVerifier getter dependency
• Use a local FWSS 0.1 USDFC sybil-fee constant
• Keep sybil-fee amount included in validatePayerOperatorApprovalAndFunds()
• Bump FWSS VERSION() to 1.2.1
• Run focused FWSS tests
• Run full Forge test suite
• Review and merge the hotfix PR into releases/v1.2.x

Calibration

• Deploy FWSS v1.2.1 implementation
• Announce planned FWSS upgrade
• Execute FWSS upgradeToAndCall
• Verify FWSS proxy implementation slot
• Verify FWSS VERSION() returns 1.2.1
• Verify FWSS nextUpgrade() is cleared
• Verify PDPVerifier remains on v3.4.0
• Run end-to-end Calibration smoke test

Mainnet

• Proceed only after Calibration smoke test passed
• Deploy FWSS v1.2.1 implementation
• Announce planned FWSS upgrade
• Execute FWSS upgradeToAndCall
• Verify FWSS proxy implementation slot
• Verify FWSS VERSION() returns 1.2.1
• Verify FWSS nextUpgrade() is cleared
• Verify PDPVerifier remains on v3.4.0

Closed-Out Status

• FWSS changelog/deployments PR merged: chore: record v1.2.1 rollout addresses filecoin-services#492
• FWSS v1.2.1 release published: https://github.com/FilOzone/filecoin-services/releases/tag/v1.2.1
• FWSS incident/hotfix issue closed: [SEV] Hotfix FWSS v1.2.0 for PDPVerifier v3.4.0 compatibility filecoin-services#490
• Curio/SP guidance remains clear: new data-set creation against PDPVerifier v3.4.0 requires the 0.1 FIL cleanup deposit.

Fallback

PDPVerifier rollback was the fallback path if the FWSS hotfix failed. It was not used because FWSS v1.2.1 was deployed and verified on both networks.

If PDPVerifier rollback ever becomes necessary later, use upgradeToAndCall(previousImplementation, 0x), not the existing PDP tools/upgrade.sh default migrate() calldata, because the proxy initializer counter is already 3 and v3.2.0 migrate() uses reinitializer(2).

[rjan90]

Update: evaluating an alternative mitigation before pursuing PDPVerifier rollback.

The likely lower-disruption path is a minimal FWSS hotfix implementation based on the deployed v1.2.0 code that removes the on-chain IPDPVerifier.USDFC_SYBIL_FEE() dependency, then upgrades FWSS while keeping PDPVerifier v3.4.0 active. Curio/SP software still needs to send the 0.1 FIL cleanup deposit to PDPVerifier v3.4.0 for new data-set creation.

Do not stage the rollback payloads above unless we explicitly choose the PDPVerifier rollback path.

[rjan90]

Corresponding FWSS hotfix issue opened: FilOzone/filecoin-services#490

Execution should be tracked there for the code/deploy path. PDP #278 remains the incident coordinator and fallback path tracker.

[rjan90]

FWSS hotfix path is now in PR: https://github.com/FilOzone/filecoin-services/pull/491\n\nThe PR targets releases/v1.2.x and removes the deployed FWSS v1.2.0 dependency on IPDPVerifier.USDFC_SYBIL_FEE(). This keeps PDPVerifier v3.4.0 active and avoids using the PDPVerifier rollback fallback unless the FWSS hotfix path becomes blocked.