Scilla Tips and Tricks¶
Performance¶
Field map size¶
If your contract needs to know the size of a field map, i.e. a field
variable that is a map then the obvious implementation that reads a
field map into a variable and applies the size
builtin (as in the
following code snippet) can be very inefficient as it requires making
a copy of the map in question.
field accounts : Map ByStr20 Uint128 = Emp ByStr20 Uint128
transition Foo()
...
accounts_copy <- accounts;
accounts_size = builtin size accounts_copy;
...
end
In order to solve the issue one tracks the size information in a
corresponding field variable as in the following code snippet. Notice
that now instead of copying a map one just reads from
accounts_size
field variable.
let uint32_one = Uint32 1
field accounts : Map ByStr20 Uint128 = Emp ByStr20 Uint128
field accounts_size : Uint32 = 0
transition Foo()
...
num_of_accounts <- accounts_size;
...
end
Now, to make sure that the map and its size stay in sync, one needs to
update the size of the map when using the builtin in-place statements
like m[k] := v
or delete m[k]
or better yet define and use
systematically procedures that do exactly that.
Here is the definition of a procedure that updates a key/value pair in
the accounts
map and changes its size accordingly.
procedure insert_to_accounts (key : ByStr20, value : Uint128)
already_exists <- exists accounts[key];
match already_exists with
| True =>
(* do nothing as the size does not change *)
| False =>
size <- accounts_size;
new_size = builtin add size uint32_one;
accounts_size := new_size
end;
accounts[key] := value
end
And this is the definition of a procedure that removes a key/value pair from
the accounts
map and changes its size accordingly.
procedure delete_from_accounts (key : ByStr20)
already_exists <- exists accounts[key];
match already_exists with
| False =>
(* do nothing as the map and its size do not change *)
| True =>
size <- accounts_size;
new_size = builtin sub size uint32_one;
accounts_size := new_size
end;
delete accounts[key]
end
Money Idioms¶
Partially accepting funds¶
Let’s say you are working on a contract which lets people tips each other.
Naturally, you’d like to avoid a situation when a person tips too much because
of a typo. It would be nice to ask Scilla to accept incoming funds partially,
but there is no accept <cap>
builtin. You can either not accept at all or
accept the funds fully. We can work around this restriction by fully accepting
the incoming funds and then immediately refunding the tipper if the tip exceeds
some cap.
It turns out we can encapsulate this kind of behavior as a reusable procedure.
procedure accept_with_cap (cap : Uint128)
sent_more_than_necessary = builtin lt cap _amount;
match sent_more_than_necessary with
| True =>
amount_to_refund = builtin sub _amount cap;
accept;
msg = { _tag : ""; _recipient: _sender; _amount: amount_to_refund };
msgs = one_msg msg;
send msgs
| False =>
accept
end
end
Now, the accept_with_cap
procedure can be used as follows.
<contract library and procedures here>
contract Tips (tip_cap : Uint128)
transition Tip (message_from_tipper : String)
accept_with_cap tip_cap;
e = { _eventname: "ThanksForTheTip" };
event e
end
Safety¶
Transfer Contract Ownership¶
If your contract has an owner (usually it means someone with admin powers like
adding/removing user accounts or pausing/unpausing the contract) which can be
changed at runtime then at first sight this can be formalized in the code as a
field owner
and a transition like ChangeOwner
:
contract Foo (initial_owner : ByStr20)
field owner : ByStr20 = initial_owner
transition ChangeOwner(new_owner : ByStr20)
(* continue executing the transition if _sender is the owner,
throw exception and abort otherwise *)
isOwner;
owner := new_owner
end
However, this might lead to a situation when the current owner gets locked out
of the control over the contract. For instance, the current owner can
potentially transfer contract ownership to a non-existing address due to a typo
in the address parameter when calling the ChangeOwner
transition. Here we
provide a design pattern to circumvent this issue.
One way to ensure the new owner is active is to do ownership transfer in two phases:
- the current owner offers to transfer ownership to a new owner, note that at this point the current owner is still the contract owner;
- the future new owner accepts the pending ownership transfer and becomes the current owner;
- at any moment before the future new owner accepts the transfer the current owner can abort the ownership transfer.
Here is a possible implementation of the pattern outlined above (the code for
the isOwner
procedure is not shown):
contract OwnershipTransfer (initial_owner : ByStr20)
field owner : ByStr20 = initial_owner
field pending_owner : Option ByStr20 = None {ByStr20}
transition RequestOwnershipTransfer (new_owner : ByStr20)
isOwner;
po = Some {ByStr20} new_owner;
pending_owner := po
end
transition ConfirmOwnershipTransfer ()
optional_po <- pending_owner;
match optional_po with
| Some pend_owner =>
caller_is_new_owner = builtin eq _sender pend_owner;
match caller_is_new_owner with
| True =>
(* transfer ownership *)
owner := pend_owner;
none = None {ByStr20};
pending_owner := none
| False => (* the caller is not the new owner, do nothing *)
end
| None => (* ownership transfer is not in-progress, do nothing *)
end
end
Ownership transfer for contracts with the above transition is supposed to happen as follows:
- the current owner calls
RequestOwnershipTransfer
transition with the new owner address as its only explicit parameter;- the new owner calls
ConfirmOwnershipTransfer
.
Until the ownership transition is finalized, the current owner can abort it by
calling RequestOwnershipTransfer
with their own address. A (redundant)
dedicated transition can be added to make it even more evident to the contract
owners and users.