@etherisc/gif-next 0.0.2-e016345-525 → 0.0.2-e04dbfc-031

package/contracts/instance/InstanceAdmin.sol

@@ -1,155 +1,183 @@
 // SPDX-License-Identifier: UNLICENSED
 pragma solidity ^0.8.20;
 
-
-import {AccessAdmin} from "../authorization/AccessAdmin.sol";
-import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
+import {IAccess} from "../authorization/IAccess.sol";
 import {IAuthorization} from "../authorization/IAuthorization.sol";
 import {IInstanceLinkedComponent} from "../shared/IInstanceLinkedComponent.sol";
-import {IAuthorization} from "../authorization/IAuthorization.sol";
 import {IRegistry} from "../registry/IRegistry.sol";
 import {IInstance} from "./IInstance.sol";
-import {ObjectType} from "../type/ObjectType.sol";
+
+import {AccessAdmin} from "../authorization/AccessAdmin.sol";
+import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
+import {NftId} from "../type/NftId.sol";
+import {ObjectType, INSTANCE, ORACLE} from "../type/ObjectType.sol";
 import {RoleId, RoleIdLib} from "../type/RoleId.sol";
 import {Str, StrLib} from "../type/String.sol";
 import {TokenHandler} from "../shared/TokenHandler.sol";
-import {VersionPart} from "../type/Version.sol";
+import {VersionPart, VersionPartLib} from "../type/Version.sol";
 
 
 contract InstanceAdmin is
     AccessAdmin
 {
     string public constant INSTANCE_TARGET_NAME = "Instance";
-    string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
     string public constant INSTANCE_ADMIN_TARGET_NAME = "InstanceAdmin";
+    string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
     string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
-    string public constant RISK_SET_TAGET_NAME = "RiskSet";
+    string public constant RISK_SET_TARGET_NAME = "RiskSet";
 
     uint64 public constant CUSTOM_ROLE_ID_MIN = 10000; // MUST be even
 
-    error ErrorInstanceAdminNotRegistered(address target);
-    error ErrorInstanceAdminAlreadyAuthorized(address target);
+    error ErrorInstanceAdminNotInstanceService(address caller);
+
+    error ErrorInstanceAdminNotRegistered(address instance);
+    error ErrorInstanceAdminNotInstance(address instance);
+    error ErrorInstanceAdminAlreadyAuthorized(address instance);
+
+    error ErrorInstanceAdminNotComponentRole(RoleId roleId);
+    error ErrorInstanceAdminRoleAlreadyExists(RoleId roleId);
+    error ErrorInstanceAdminRoleTypeNotContract(RoleId roleId, IAccess.RoleType roleType);
+
     error ErrorInstanceAdminReleaseMismatch();
     error ErrorInstanceAdminExpectedTargetMissing(string targetName);
 
     IInstance internal _instance;
     IRegistry internal _registry;
-    uint64 internal _idNext;
+    VersionPart internal _release;
+    uint64 internal _customIdNext;
 
-    IAuthorization internal _instanceAuthorization;
+    mapping(address target => RoleId roleId) internal _targetRoleId;
+    uint64 internal _components;
+
+    modifier onlyInstanceService() {
+        if (msg.sender != _registry.getServiceAddress(INSTANCE(), getRelease())) {
+            revert ErrorInstanceAdminNotInstanceService(msg.sender);
+        }
+        _;
+    }
 
     /// @dev Only used for master instance admin.
-    /// Contracts created via constructor come with disabled initializers.
-    constructor(
-        address instanceAuthorization
-    )
-        AccessAdmin()
-    {
-        _instanceAuthorization = IAuthorization(instanceAuthorization);
+    constructor(address accessManager) {
+        initialize(
+            accessManager,
+            "MasterInstanceAdmin");
     }
 
-    /// @dev Initializes this instance admin with the provided instances authorization specification.
-    /// Internally the function creates an instance specific OpenZeppelin AccessManager that is used as the authority
-    /// for the inststance authorizatios.
-    /// Important: Initialization of this instance admin is only complete after calling function initializeInstance. 
-    function initialize(
-        AccessManagerCloneable accessManager,
-        address instanceAuthorization
+
+    /// @dev Completes the initialization of this instance admin using the provided instance, registry and version.
+    /// Important: Initialization of instance admin is only complete after calling this function. 
+    /// Important: The instance MUST be registered and all instance supporting contracts must be wired to this instance.
+    function completeSetup(
+        address registry,
+        address instance,
+        address authorization,
+        VersionPart release
     )
         external
-        initializer() 
+        reinitializer(uint64(release.toInt()))
+        onlyDeployer()
     {
-        // create new access manager for this instance admin
-        _initializeAuthority(address(accessManager));
+        // checks
+        _checkRegistry(registry);
+        _checkIsRegistered(registry, instance, INSTANCE());
 
-        // create basic instance independent setup
-        _createAdminAndPublicRoles();
+        AccessManagerCloneable(
+            authority()).completeSetup(
+                registry, 
+                release); 
 
-        // store instance authorization specification
-        _instanceAuthorization = IAuthorization(instanceAuthorization);
-    }
+        _checkAuthorization(authorization, INSTANCE(), release, true);
 
-    function _checkTargetIsReadyForAuthorization(address target)
-        internal
-        view
-    {
-        if (address(_registry) != address(0) && !_registry.isRegistered(target)) {
-            revert ErrorInstanceAdminNotRegistered(target);
-        }
+        // effects
+        _registry = IRegistry(registry);
+        _release = release;
 
-        if (targetExists(target)) {
-            revert ErrorInstanceAdminAlreadyAuthorized(target);
-        }
-    }
+        _instance = IInstance(instance);
+        _authorization = IAuthorization(authorization);
+        _components = 0;
+        _customIdNext = CUSTOM_ROLE_ID_MIN;
 
-    /// @dev Completes the initialization of this instance admin using the provided instance.
-    /// Important: The instance MUST be registered and all instance supporting contracts must be wired to this instance.
-    function initializeInstanceAuthorization(address instanceAddress)
-        external
-    {
-        _checkTargetIsReadyForAuthorization(instanceAddress);
+        // link nft ownability to instance
+        _linkToNftOwnable(instance);
 
-        _idNext = CUSTOM_ROLE_ID_MIN;
-        _instance = IInstance(instanceAddress);
-        _registry = _instance.getRegistry();
-
-        // check matching releases
-        if (_instanceAuthorization.getRelease() != _instance.getRelease()) {
-            revert ErrorInstanceAdminReleaseMismatch();
-        }
+        // create instance role and target
+        _setupInstance(instance);
 
         // add instance authorization
-        _createRoles(_instanceAuthorization);
-        _createModuleTargetsWithRoles();
-        _createTargetAuthorizations(_instanceAuthorization);
+        _createRoles(_authorization);
+        // _createTargets(_authorization);
+        _setupInstanceHelperTargetsWithRoles();
+        _createTargetAuthorizations(_authorization);
+    }
+
+
+    function _createTargets(IAuthorization authorization)
+        internal
+    {
+        _createTargetWithRole(address(this), INSTANCE_ADMIN_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(INSTANCE_ADMIN_TARGET_NAME)));
+        _createTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(INSTANCE_STORE_TARGET_NAME)));
+        _createTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(BUNDLE_SET_TARGET_NAME)));
+        _createTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(RISK_SET_TARGET_NAME)));
     }
 
 
     /// @dev Initializes the authorization for the specified component.
     /// Important: The component MUST be registered.
     function initializeComponentAuthorization(
-        IInstanceLinkedComponent component
+        address componentAddress,
+        ObjectType expectedType
     )
         external
+        restricted()
     {
-        _checkTargetIsReadyForAuthorization(address(component));
+        // checks
+        _checkIsRegistered(address(getRegistry()), componentAddress, expectedType);
 
-        // get authorization specification
+        IInstanceLinkedComponent component = IInstanceLinkedComponent(componentAddress);
         IAuthorization authorization = component.getAuthorization();
+        _checkAuthorization(address(authorization), expectedType, getRelease(), false);
+
+        // effects
+        // setup target and role for component (including token handler if applicable)
+        _setupComponentAndTokenHandler(component, expectedType);
 
-        // create roles
+        // create other roles and function authorizations
         _createRoles(authorization);
+        _createTargetAuthorizations(authorization);
+    }
+
+    function getRelease()
+        public
+        view
+        override
+        returns (VersionPart release)
+    {
+        return _release;
+    }
+
+
+    // create instance role and target
+    function _setupInstance(address instance) internal {
+
+        // create instance role
+        RoleId instanceRoleId = _authorization.getTargetRole(
+            _authorization.getMainTarget());
 
-        // create component target
+        _createRole(
+            instanceRoleId,
+            _authorization.getRoleInfo(instanceRoleId));
+
+        // create instance target
         _createTarget(
-            address(component), 
-            authorization.getTargetName(), 
+            instance, 
+            _authorization.getMainTargetName(), 
             true, // checkAuthority
             false); // custom
 
-        _createTarget(
-            address(component.getTokenHandler()), 
-            string(abi.encodePacked(authorization.getTargetName(), "TH")), 
-            true, 
-            false);
-        
-        FunctionInfo[] memory functions = new FunctionInfo[](3);
-        functions[0] = toFunction(TokenHandler.collectTokens.selector, "collectTokens");
-        functions[1] = toFunction(TokenHandler.collectTokensToThreeRecipients.selector, "collectTokensToThreeRecipients");
-        functions[2] = toFunction(TokenHandler.distributeTokens.selector, "distributeTokens");
-
-        // FIXME: make this a bit nicer and work with IAuthorization. Use a specific role, not public - access to TokenHandler must be restricted
-        _authorizeTargetFunctions(
-            address(component.getTokenHandler()),
-            getPublicRole(),
-            functions);
-
+        // assign instance role to instance
         _grantRoleToAccount(
-            authorization.getTargetRole(
-                authorization.getMainTarget()), 
-            address(component));
-        
-        _createTargetAuthorizations(authorization);
+            instanceRoleId, 
+            instance);
     }
 
     /// @dev Creates a custom role
@@ -171,14 +199,41 @@ contract InstanceAdmin is
         _grantRoleToAccount(roleId, account);
     }
 
+
+    function setInstanceLocked(bool locked)
+        external
+        // not restricted(): need to operate on locked instances to unlock instance
+        onlyInstanceService()
+    {
+        AccessManagerCloneable accessManager = AccessManagerCloneable(authority());
+        accessManager.setLocked(locked);
+    }
+
+
     function setTargetLocked(address target, bool locked) 
         external 
-        restricted()
+        // not restricted(): might need to operate on targets while instance is locked
+        onlyInstanceService()
     {
-        _setTargetClosed(target, locked);
+        _setTargetLocked(target, locked);
     }
 
 
+    function setComponentLocked(address target, bool locked) 
+        external 
+        restricted()
+    {
+        _setTargetLocked(target, locked);
+    }
+
+    /// @dev Returns the number of components that have been registered with this instance.   
+    function components() 
+        external 
+        view 
+        returns (uint64)
+    {
+        return _components;
+    }
 
     /// @dev Returns the instance authorization specification used to set up this instance admin.
     function getInstanceAuthorization()
@@ -186,7 +241,102 @@ contract InstanceAdmin is
         view
         returns (IAuthorization instanceAuthorizaion)
     {
-        return _instanceAuthorization;
+        return _authorization;
+    }
+
+    // ------------------- Internal functions ------------------- //
+
+    function _setupComponentAndTokenHandler(
+        IInstanceLinkedComponent component,
+        ObjectType componentType
+    )
+        internal
+    {
+
+        IAuthorization authorization = component.getAuthorization();
+        string memory targetName = authorization.getMainTargetName();
+
+        // create component role and target
+        RoleId componentRoleId = _createComponentRoleId(component, authorization);
+
+        // create component's target
+        _createTarget(
+            address(component), 
+            targetName, 
+            true, // checkAuthority
+            false); // custom
+
+        // create component's token handler target if app
+        if (componentType != ORACLE()) {
+            NftId componentNftId = _registry.getNftIdForAddress(address(component));
+            address tokenHandler = address(
+                _instance.getInstanceReader().getComponentInfo(
+                    componentNftId).tokenHandler);
+
+            _createTarget(
+                tokenHandler, 
+                authorization.getTokenHandlerName(), 
+                true, 
+                false);
+
+            // token handler does not require its own role
+            // token handler is not calling other components
+        }
+
+        // assign component role to component
+        _grantRoleToAccount(
+            componentRoleId, 
+            address(component));
+    }
+
+
+    function _createComponentRoleId(
+        IInstanceLinkedComponent component,
+        IAuthorization authorization
+    )
+        internal 
+        returns (RoleId componentRoleId)
+    {
+        // checks
+        // check component is not yet authorized
+        if (_targetRoleId[address(component)].gtz()) {
+            revert ErrorInstanceAdminAlreadyAuthorized(address(component));
+        }
+
+        // check generic component role
+        RoleId genericComponentRoleId = authorization.getTargetRole(
+            authorization.getMainTarget());
+
+        if (!genericComponentRoleId.isComponentRole()) {
+            revert ErrorInstanceAdminNotComponentRole(genericComponentRoleId);
+        }
+
+        // check component role does not exist
+        componentRoleId = toComponentRole(
+            genericComponentRoleId, 
+            _components);
+
+        if (roleExists(componentRoleId)) {
+            revert ErrorInstanceAdminRoleAlreadyExists(componentRoleId);
+        }
+
+        // check role info
+        IAccess.RoleInfo memory roleInfo = authorization.getRoleInfo(
+            genericComponentRoleId);
+
+        if (roleInfo.roleType != IAccess.RoleType.Contract) {
+            revert ErrorInstanceAdminRoleTypeNotContract(
+                componentRoleId,
+                roleInfo.roleType);
+        }
+
+        // effects
+        _targetRoleId[address(component)] = componentRoleId;
+        _components++;
+
+        _createRole(
+            componentRoleId,
+            roleInfo);
     }
 
 
@@ -194,13 +344,18 @@ contract InstanceAdmin is
         internal
     {
         RoleId[] memory roles = authorization.getRoles();
+        RoleId mainTargetRoleId = authorization.getTargetRole(
+            authorization.getMainTarget());
+
         RoleId roleId;
         RoleInfo memory roleInfo;
 
         for(uint256 i = 0; i < roles.length; i++) {
+
             roleId = roles[i];
 
-            if (!roleExists(roleId)) {
+            // skip main target role, create role if not exists
+            if (roleId != mainTargetRoleId && !roleExists(roleId)) {
                 _createRole(
                     roleId,
                     authorization.getRoleInfo(roleId));
@@ -209,6 +364,16 @@ contract InstanceAdmin is
     }
 
 
+    function toComponentRole(RoleId roleId, uint64 componentIdx)
+        internal
+        pure
+        returns (RoleId)
+    {
+        return RoleIdLib.toRoleId(
+            RoleIdLib.toInt(roleId) + componentIdx);
+    }
+
+
     function _createTargetAuthorizations(IAuthorization authorization)
         internal
     {
@@ -241,7 +406,7 @@ contract InstanceAdmin is
     {
         // check that target name is defined in authorization specification
         Str name = StrLib.toStr(targetName);
-        if (!_instanceAuthorization.targetExists(name)) {
+        if (!_authorization.targetExists(name)) {
             revert ErrorInstanceAdminExpectedTargetMissing(targetName);
         }
 
@@ -253,25 +418,25 @@ contract InstanceAdmin is
             false);
 
         // assign target role if defined
-        RoleId targetRoleId = _instanceAuthorization.getTargetRole(name);
+        RoleId targetRoleId = _authorization.getTargetRole(name);
         if (targetRoleId != RoleIdLib.zero()) {
             _grantRoleToAccount(targetRoleId, target);
         }
     }
 
-    function _createModuleTargetsWithRoles()
+    function _setupInstanceHelperTargetsWithRoles()
         internal
     {
+
         // create module targets
-        _checkAndCreateTargetWithRole(address(_instance), INSTANCE_TARGET_NAME);
         _checkAndCreateTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME);
         _checkAndCreateTargetWithRole(address(_instance.getInstanceAdmin()), INSTANCE_ADMIN_TARGET_NAME);
         _checkAndCreateTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME);
-        _checkAndCreateTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TAGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TARGET_NAME);
 
-        // create targets for services that need to access the module targets
-        ObjectType[] memory serviceDomains = _instanceAuthorization.getServiceDomains();
-        VersionPart release = _instanceAuthorization.getRelease();
+        // create targets for services that need to access the instance targets
+        ObjectType[] memory serviceDomains = _authorization.getServiceDomains();
+        VersionPart release = _authorization.getRelease();
         ObjectType serviceDomain;
 
         for (uint256 i = 0; i < serviceDomains.length; i++) {
@@ -279,7 +444,7 @@ contract InstanceAdmin is
 
             _checkAndCreateTargetWithRole(
                 _registry.getServiceAddress(serviceDomain, release),
-                _instanceAuthorization.getServiceTarget(serviceDomain).toString());
+                _authorization.getServiceTarget(serviceDomain).toString());
         }
     }
 }

package/contracts/instance/InstanceAuthorizationV3.sol

@@ -1,17 +1,16 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
 
-import {
-     ACCOUNTING, ORACLE, POOL, INSTANCE, COMPONENT, DISTRIBUTION, APPLICATION, POLICY, CLAIM, BUNDLE, RISK
-} from "../../contracts/type/ObjectType.sol";
+import {IAccess} from "../authorization/IAccess.sol";
 
+import {Authorization} from "../authorization/Authorization.sol";
+import {ACCOUNTING, ORACLE, POOL, INSTANCE, COMPONENT, DISTRIBUTION, APPLICATION, POLICY, CLAIM, BUNDLE, RISK} from "../../contracts/type/ObjectType.sol";
 import {BundleSet} from "../instance/BundleSet.sol";
-import {RiskSet} from "../instance/RiskSet.sol"; 
-import {IAccess} from "../authorization/IAccess.sol";
 import {Instance} from "../instance/Instance.sol";
 import {InstanceAdmin} from "../instance/InstanceAdmin.sol";
 import {InstanceStore} from "../instance/InstanceStore.sol";
-import {Authorization} from "../authorization/Authorization.sol";
+import {PUBLIC_ROLE} from "../type/RoleId.sol";
+import {RiskSet} from "../instance/RiskSet.sol"; 
 
 
 contract InstanceAuthorizationV3
@@ -26,33 +25,11 @@ contract InstanceAuthorizationV3
      string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
      string public constant RISK_SET_TARGET_NAME = "RiskSet";
 
-     constructor() Authorization(INSTANCE_TARGET_NAME) {}
-
-
-     function _setupRoles()
-          internal
-          override
-     {
-          // empty implementation
-     }
-
-
-     function _setupTargets()
-          internal
-          override
-     {
-          // instance target
-          _addTargetWithRole(
-               INSTANCE_TARGET_NAME, 
-               _toTargetRoleId(INSTANCE()),
-               INSTANCE_ROLE_NAME);
-
-          // instance supporting targets
-          _addTarget(INSTANCE_STORE_TARGET_NAME);
-          _addTarget(INSTANCE_ADMIN_TARGET_NAME);
-          _addTarget(BUNDLE_SET_TARGET_NAME);
-          _addTarget(RISK_SET_TARGET_NAME);
+     constructor()
+          Authorization(INSTANCE_TARGET_NAME, INSTANCE(), false, false)
+     { }
 
+     function _setupServiceTargets() internal virtual override {
           // service targets relevant to instance
           _addServiceTargetWithRole(INSTANCE());
           _addServiceTargetWithRole(ACCOUNTING());
@@ -67,6 +44,19 @@ contract InstanceAuthorizationV3
           _addServiceTargetWithRole(CLAIM());
      }
 
+     function _setupTargets()
+          internal
+          override
+     {
+          // instance supporting targets
+          // _addGifContractTarget(INSTANCE_ADMIN_TARGET_NAME);
+          _addTarget(INSTANCE_ADMIN_TARGET_NAME);
+          _addTarget(INSTANCE_STORE_TARGET_NAME);
+          _addTarget(BUNDLE_SET_TARGET_NAME);
+          _addTarget(RISK_SET_TARGET_NAME);
+
+     }
+
 
      function _setupTargetAuthorizations()
           internal
@@ -120,6 +110,24 @@ contract InstanceAuthorizationV3
      {
           IAccess.FunctionInfo[] storage functions;
 
+          // authorize instance service role
+          functions = _authorizeForTarget(INSTANCE_TARGET_NAME, PUBLIC_ROLE());
+          _authorize(functions, Instance.registerProduct.selector, "registerProduct");
+          _authorize(functions, Instance.upgradeInstanceReader.selector, "upgradeInstanceReader");
+
+          // staking
+          _authorize(functions, Instance.setStakingLockingPeriod.selector, "setStakingLockingPeriod");
+          _authorize(functions, Instance.setStakingRewardRate.selector, "setStakingRewardRate");
+          _authorize(functions, Instance.refillStakingRewardReserves.selector, "refillStakingRewardReserves");
+          _authorize(functions, Instance.withdrawStakingRewardReserves.selector, "withdrawStakingRewardReserves");
+
+          // custom authz
+          _authorize(functions, Instance.createRole.selector, "createRole");
+          _authorize(functions, Instance.grantRole.selector, "grantRole");
+          _authorize(functions, Instance.revokeRole.selector, "revokeRole");
+          _authorize(functions, Instance.createTarget.selector, "createTarget");
+          _authorize(functions, Instance.setTargetFunctionRole.selector, "setTargetFunctionRole");
+
           // authorize instance service role
           functions = _authorizeForTarget(INSTANCE_TARGET_NAME, getServiceRole(INSTANCE()));
           _authorize(functions, Instance.setInstanceReader.selector, "setInstanceReader");
@@ -131,13 +139,15 @@ contract InstanceAuthorizationV3
      {
           IAccess.FunctionInfo[] storage functions;
 
-          // authorize instance role
-          functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, _toTargetRoleId(INSTANCE()));
-          _authorize(functions, InstanceAdmin.grantRole.selector, "grantRole");
+          // authorize component service role
+          functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(INSTANCE()));
+          _authorize(functions, InstanceAdmin.setInstanceLocked.selector, "setInstanceLocked");
+          _authorize(functions, InstanceAdmin.setTargetLocked.selector, "setTargetLocked");
 
           // authorize component service role
           functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(COMPONENT()));
-          _authorize(functions, InstanceAdmin.setTargetLocked.selector, "setTargetLocked");
+          _authorize(functions, InstanceAdmin.initializeComponentAuthorization.selector, "initializeComponentAuthoriz");
+          _authorize(functions, InstanceAdmin.setComponentLocked.selector, "setComponentLocked");
      }
 
 
@@ -160,6 +170,8 @@ contract InstanceAuthorizationV3
           _authorize(functions, InstanceStore.createPool.selector, "createPool");
           _authorize(functions, InstanceStore.createProduct.selector, "createProduct");
           _authorize(functions, InstanceStore.updateProduct.selector, "updateProduct");
+          _authorize(functions, InstanceStore.createFee.selector, "createFee");
+          _authorize(functions, InstanceStore.updateFee.selector, "updateFee");
           
           // authorize distribution service role
           functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(DISTRIBUTION()));
@@ -217,6 +229,7 @@ contract InstanceAuthorizationV3
           _authorize(functions, InstanceStore.updateClaim.selector, "updateClaim");
           _authorize(functions, InstanceStore.createPayout.selector, "createPayout");
           _authorize(functions, InstanceStore.updatePayout.selector, "updatePayout");
+          _authorize(functions, InstanceStore.updatePayoutState.selector, "updatePayoutState");
      }
 }