feat: idempotent accept/update with allocation rebinding

RembrandtK · RembrandtK · commit fcb563db7a9a · 2026-04-20T15:59:42.000+01:00
Align re-accept and re-update semantics across RecurringCollector and
SubgraphService so duplicate calls with the same signed terms are
no-ops rather than reverts, and allow an accepted agreement to be
moved to a different allocation.

RecurringCollector
- accept(): _registerNew short-circuits on matching activeTermsHash and
  _acceptRegistered short-circuits on Accepted state, so re-accepting
  the same signed RCA is a no-op. Cancelled agreements still revert —
  re-accept of a cancelled agreement is never valid.
- update(): entry-point short-circuit when activeTermsHash already
  equals the RCAU hash, skipping deadline and authorization checks on
  the idempotent path. _validateAndStoreUpdate retains the inner
  short-circuit for safety.

SubgraphService (IndexingAgreement library)
- update(): defers state authority to the collector — _isValid replaces
  _isActive, and an activeTermsHash match short-circuits the SS-side
  event and terms re-write.
- accept(): same-allocation re-accept is an idempotent no-op at the SS
  layer; different-allocation re-accept rebinds the agreement by
  clearing the old allocationToActiveAgreementId link and establishing
  the new one. Enables moving an active agreement to a new allocation
  when the original is closed.

Not strictly required by the audit, but triggered by and aligned with
the version-indexed view and state-authority semantics introduced in
the preceding L-11 refactor: once the collector owns version identity
via activeTermsHash, matching that hash on re-entry becomes the
natural idempotence signal, and the SS layer follows suit.
diff --git a/packages/horizon/contracts/payments/collectors/RecurringCollector.sol b/packages/horizon/contracts/payments/collectors/RecurringCollector.sol
@@ -308,6 +308,11 @@ contract RecurringCollector is
      */
     function _acceptRegistered(bytes16 agreementId) private {
         AgreementData storage agreement = _getAgreementStorage(agreementId);
+
+        // Idempotent: already accepted.
+        if (agreement.state == AgreementState.Accepted) return;
+
+        // Canceled state (or any non-NotAccepted state) blocks acceptance.
         require(
             agreement.state == AgreementState.NotAccepted,
             RecurringCollectorAgreementIncorrectState(agreementId, agreement.state)
@@ -364,15 +369,19 @@ contract RecurringCollector is
     function update(RecurringCollectionAgreementUpdate calldata rcau, bytes calldata signature) external whenNotPaused {
         AgreementData storage agreement = _requireValidUpdateTarget(rcau.agreementId);
 
+        bytes32 rcauHash = _hashRCAU(rcau);
+
+        // Idempotent: already at this version (state is Accepted per _requireValidUpdateTarget).
+        // Skip deadline + auth since no state change happens.
+        if (agreement.activeTermsHash == rcauHash) return;
+
         /* solhint-disable gas-strict-inequalities */
         require(
             rcau.deadline >= block.timestamp,
             RecurringCollectorAgreementDeadlineElapsed(block.timestamp, rcau.deadline)
         );
         /* solhint-enable gas-strict-inequalities */
 
-        bytes32 rcauHash = _hashRCAU(rcau);
-
         _requireAuthorization(agreement.payer, rcauHash, signature, rcau.agreementId, OFFER_TYPE_UPDATE);
 
         _validateAndStoreUpdate(agreement, rcau, rcauHash);
@@ -1105,9 +1114,9 @@ contract RecurringCollector is
         _rcau.maxOngoingTokensPerSecond * _rcau.maxSecondsPerCollection * 1024;
 
         // Store the RCAU offer if it isn't already stored (signed update path with no prior offer).
-        if ($.offers[_rcauHash].data.length == 0)
+        if ($.offers[_rcauHash].data.length == 0) {
             $.offers[_rcauHash] = StoredOffer({ offerType: OFFER_TYPE_UPDATE, data: abi.encode(_rcau) });
-
+        }
         // Clean up the replaced active offer — oldHash is always non-zero for accepted agreements.
         delete $.offers[_agreement.activeTermsHash];
         // If an another pending update existed, drop it too — the nonce has been consumed.
diff --git a/packages/horizon/test/unit/payments/recurring-collector/accept.t.sol b/packages/horizon/test/unit/payments/recurring-collector/accept.t.sol
@@ -25,6 +25,8 @@ contract RecurringCollectorAcceptTest is RecurringCollectorSharedTest {
     ) public {
         // Ensure non-empty signature so the signed path is taken (which checks deadline first)
         vm.assume(fuzzySignature.length > 0);
+        // Pranking as the proxy admin hits ProxyDeniedAdminAccess before the deadline check.
+        vm.assume(fuzzyRCA.dataService != _proxyAdmin);
         // Generate deterministic agreement ID for validation
         bytes16 agreementId = _recurringCollector.generateAgreementId(
             fuzzyRCA.payer,
@@ -47,22 +49,20 @@ contract RecurringCollectorAcceptTest is RecurringCollectorSharedTest {
         _recurringCollector.accept(fuzzyRCA, fuzzySignature);
     }
 
-    function test_Accept_Revert_WhenAlreadyAccepted(FuzzyTestAccept calldata fuzzyTestAccept) public {
+    function test_Accept_Idempotent_WhenAlreadyAccepted(FuzzyTestAccept calldata fuzzyTestAccept) public {
         (
             IRecurringCollector.RecurringCollectionAgreement memory acceptedRca,
             bytes memory signature,
             ,
             bytes16 agreementId
         ) = _sensibleAuthorizeAndAccept(fuzzyTestAccept);
 
-        bytes memory expectedErr = abi.encodeWithSelector(
-            IRecurringCollector.RecurringCollectorAgreementIncorrectState.selector,
-            agreementId,
-            IRecurringCollector.AgreementState.Accepted
-        );
-        vm.expectRevert(expectedErr);
+        // Re-accepting the same RCA is a no-op — succeeds without reverting or re-emitting.
+        vm.recordLogs();
         vm.prank(acceptedRca.dataService);
-        _recurringCollector.accept(acceptedRca, signature);
+        bytes16 returnedId = _recurringCollector.accept(acceptedRca, signature);
+        assertEq(returnedId, agreementId);
+        assertEq(vm.getRecordedLogs().length, 0, "no event emitted on idempotent re-accept");
     }
 
     /* solhint-enable graph/func-name-mixedcase */
diff --git a/packages/horizon/test/unit/payments/recurring-collector/acceptUnsigned.t.sol b/packages/horizon/test/unit/payments/recurring-collector/acceptUnsigned.t.sol
@@ -128,7 +128,7 @@ contract RecurringCollectorAcceptUnsignedTest is RecurringCollectorSharedTest {
         _recurringCollector.accept(rca, "");
     }
 
-    function test_AcceptUnsigned_Revert_WhenAlreadyAccepted(FuzzyTestAccept calldata fuzzyTestAccept) public {
+    function test_AcceptUnsigned_Idempotent_WhenAlreadyAccepted(FuzzyTestAccept calldata fuzzyTestAccept) public {
         MockAgreementOwner approver = _newApprover();
         IRecurringCollector.RecurringCollectionAgreement memory rca = _recurringCollectorHelper.sensibleRCA(
             fuzzyTestAccept.rca
@@ -143,16 +143,10 @@ contract RecurringCollectorAcceptUnsignedTest is RecurringCollectorSharedTest {
         vm.prank(rca.dataService);
         bytes16 agreementId = _recurringCollector.accept(rca, "");
 
-        // Stored offer persists, so authorization passes but state check fails
-        vm.expectRevert(
-            abi.encodeWithSelector(
-                IRecurringCollector.RecurringCollectorAgreementIncorrectState.selector,
-                agreementId,
-                IRecurringCollector.AgreementState.Accepted
-            )
-        );
+        // Re-accepting the same RCA is a no-op — succeeds without reverting.
         vm.prank(rca.dataService);
-        _recurringCollector.accept(rca, "");
+        bytes16 returnedId = _recurringCollector.accept(rca, "");
+        assertEq(returnedId, agreementId);
     }
 
     function test_AcceptUnsigned_Revert_WhenDeadlineElapsed() public {
diff --git a/packages/horizon/test/unit/payments/recurring-collector/update.t.sol b/packages/horizon/test/unit/payments/recurring-collector/update.t.sol
@@ -313,5 +313,38 @@ contract RecurringCollectorUpdateTest is RecurringCollectorSharedTest {
         assertEq(updatedAgreement2.updateNonce, 2);
     }
 
+    function test_Update_Idempotent_WhenAlreadyAtActiveHash(FuzzyTestUpdate calldata fuzzyTestUpdate) public {
+        (
+            IRecurringCollector.RecurringCollectionAgreement memory acceptedRca,
+            ,
+            uint256 signerKey,
+            bytes16 agreementId
+        ) = _sensibleAuthorizeAndAccept(fuzzyTestUpdate.fuzzyTestAccept);
+
+        IRecurringCollector.RecurringCollectionAgreementUpdate memory rcau = _recurringCollectorHelper.sensibleRCAU(
+            fuzzyTestUpdate.rcau
+        );
+        rcau.agreementId = agreementId;
+        rcau.nonce = 1;
+        (, bytes memory signature) = _recurringCollectorHelper.generateSignedRCAU(rcau, signerKey);
+
+        // First update consumes nonce 1 and sets activeTermsHash = hash(rcau).
+        vm.prank(acceptedRca.dataService);
+        _recurringCollector.update(rcau, signature);
+
+        IRecurringCollector.AgreementData memory afterFirst = _recurringCollector.getAgreement(agreementId);
+        assertEq(afterFirst.updateNonce, 1, "nonce advanced to 1 after first update");
+
+        // Re-submitting the same RCAU is a no-op — nonce does NOT advance, no event, no revert.
+        vm.recordLogs();
+        vm.prank(acceptedRca.dataService);
+        _recurringCollector.update(rcau, signature);
+        assertEq(vm.getRecordedLogs().length, 0, "no event emitted on idempotent re-update");
+
+        IRecurringCollector.AgreementData memory afterSecond = _recurringCollector.getAgreement(agreementId);
+        assertEq(afterSecond.updateNonce, 1, "nonce unchanged on idempotent re-update");
+        assertEq(afterSecond.activeTermsHash, afterFirst.activeTermsHash, "activeTermsHash unchanged");
+    }
+
     /* solhint-enable graph/func-name-mixedcase */
 }
diff --git a/packages/subgraph-service/contracts/libraries/IndexingAgreement.sol b/packages/subgraph-service/contracts/libraries/IndexingAgreement.sol
@@ -218,12 +218,6 @@ library IndexingAgreement {
         bytes32 allocationDeploymentId
     );
 
-    /**
-     * @notice Thrown when the agreement is already accepted
-     * @param agreementId The agreement ID
-     */
-    error IndexingAgreementAlreadyAccepted(bytes16 agreementId);
-
     /**
      * @notice Thrown when an allocation already has an active agreement
      * @param allocationId The allocation ID
@@ -310,42 +304,48 @@ library IndexingAgreement {
 
         IIndexingAgreement.State storage agreement = self.agreements[agreementId];
 
-        require(agreement.allocationId == address(0), IndexingAgreementAlreadyAccepted(agreementId));
-
-        require(
-            allocation.subgraphDeploymentId == metadata.subgraphDeploymentId,
-            IndexingAgreementDeploymentIdMismatch(
-                metadata.subgraphDeploymentId,
+        // Accept is idempotent for the same allocation, and supports moving
+        // the agreement to a different allocation. The collector's accept handles state
+        // validity (reverts if the agreement is cancelled, no-ops if already accepted).
+        if (agreement.allocationId != allocationId) {
+            require(
+                allocation.subgraphDeploymentId == metadata.subgraphDeploymentId,
+                IndexingAgreementDeploymentIdMismatch(
+                    metadata.subgraphDeploymentId,
+                    allocationId,
+                    allocation.subgraphDeploymentId
+                )
+            );
+
+            // Ensure that an allocation can only have one active indexing agreement
+            require(
+                self.allocationToActiveAgreementId[allocationId] == bytes16(0),
+                AllocationAlreadyHasIndexingAgreement(allocationId)
+            );
+
+            if (agreement.allocationId != address(0)) delete self.allocationToActiveAgreementId[agreement.allocationId];
+            agreement.allocationId = allocationId;
+
+            self.allocationToActiveAgreementId[allocationId] = agreementId;
+
+            agreement.version = metadata.version;
+
+            require(
+                metadata.version == IIndexingAgreement.IndexingAgreementVersion.V1,
+                IndexingAgreementInvalidVersion(metadata.version)
+            );
+            _setTermsV1(self, agreementId, metadata.terms, rca.maxOngoingTokensPerSecond);
+
+            emit IndexingAgreementAccepted(
+                rca.serviceProvider,
+                rca.payer,
+                agreementId,
                 allocationId,
-                allocation.subgraphDeploymentId
-            )
-        );
-
-        // Ensure that an allocation can only have one active indexing agreement
-        require(
-            self.allocationToActiveAgreementId[allocationId] == bytes16(0),
-            AllocationAlreadyHasIndexingAgreement(allocationId)
-        );
-        self.allocationToActiveAgreementId[allocationId] = agreementId;
-
-        agreement.version = metadata.version;
-        agreement.allocationId = allocationId;
-
-        require(
-            metadata.version == IIndexingAgreement.IndexingAgreementVersion.V1,
-            IndexingAgreementInvalidVersion(metadata.version)
-        );
-        _setTermsV1(self, agreementId, metadata.terms, rca.maxOngoingTokensPerSecond);
-
-        emit IndexingAgreementAccepted(
-            rca.serviceProvider,
-            rca.payer,
-            agreementId,
-            allocationId,
-            metadata.subgraphDeploymentId,
-            metadata.version,
-            metadata.terms
-        );
+                metadata.subgraphDeploymentId,
+                metadata.version,
+                metadata.terms
+            );
+        }
 
         require(
             _directory().recurringCollector().accept(rca, authData) == agreementId,
@@ -380,12 +380,18 @@ library IndexingAgreement {
         bytes calldata authData
     ) external {
         IIndexingAgreement.AgreementWrapper memory wrapper = _get(self, rcau.agreementId);
-        require(_isActive(wrapper), IndexingAgreementNotActive(rcau.agreementId));
+        // SS gate: only checks that this is an SS-managed, tracked agreement. Collector is the
+        // state authority — it reverts if the agreement cannot actually accept an update.
+        require(_isValid(wrapper), IndexingAgreementNotActive(rcau.agreementId));
         require(
             wrapper.collectorAgreement.serviceProvider == indexer,
             IndexingAgreementNotAuthorized(rcau.agreementId, indexer)
         );
 
+        // Idempotent: this RCAU is already the active version — both SS terms and collector state
+        // are in sync because both are written together on the original update.
+        if (wrapper.collectorAgreement.activeTermsHash == _directory().recurringCollector().hashRCAU(rcau)) return;
+
         UpdateIndexingAgreementMetadata memory metadata = IndexingAgreementDecoder.decodeRCAUMetadata(rcau.metadata);
 
         require(
diff --git a/packages/subgraph-service/test/unit/subgraphService/indexing-agreement/accept.t.sol b/packages/subgraph-service/test/unit/subgraphService/indexing-agreement/accept.t.sol
diff --git a/packages/subgraph-service/test/unit/subgraphService/indexing-agreement/update.t.sol b/packages/subgraph-service/test/unit/subgraphService/indexing-agreement/update.t.sol
