feat: add pricing validation with upper bounds

- Replace string literal error with Errors.AtLeastOnePriceMustBeNonZero()
- Add 4x upper bounds on pricing updates (storage: 10 USDFC, cdn/cacheMiss: 2 USDFC)
- Add Errors.PriceExceedsMaximum() for bound violations
- Prices above bounds require contract upgrade via announcePlannedUpgrade()

Author: rjan90

CHANGELOG.md

@@ -12,9 +12,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - Added `updatePricing(uint256 newStoragePrice, uint256 newCacheMissPrice, uint256 newCdnPrice)` function to allow owner to update pricing rates without contract upgrades
   - Pass 0 for any parameter to keep that price unchanged (selective updates)
   - At least one parameter must be non-zero
+  - Prices cannot exceed 4x their initial values (max: storage 10 USDFC, cacheMiss/cdn 2 USDFC)
   - New rates apply to all active data sets on their next proving period update
 - Added `getCurrentPricingRates()` function to query current pricing values
 - Added `PricingUpdated` event to track pricing changes
+- Added `AtLeastOnePriceMustBeNonZero` and `PriceExceedsMaximum` errors for pricing validation
 
 ## [0.3.0] - 2025-10-08 - M3.1 Calibration Network Deployment
 

service_contracts/src/Errors.sol

@@ -286,4 +286,13 @@ library Errors {
     /// @param dataSetId The data set ID
     /// @param pdpEndEpoch The end epoch when the PDP payment rail will finalize
     error PaymentRailsNotFinalized(uint256 dataSetId, uint256 pdpEndEpoch);
+
+    /// @notice At least one pricing parameter must be non-zero when updating prices
+    error AtLeastOnePriceMustBeNonZero();
+
+    /// @notice Price exceeds the maximum allowed value (4x initial value)
+    /// @param priceType Description of which price exceeded the limit
+    /// @param maxAllowed The maximum allowed price value
+    /// @param actual The actual price value provided
+    error PriceExceedsMaximum(string priceType, uint256 maxAllowed, uint256 actual);
 }

service_contracts/src/FilecoinWarmStorageService.sol

@@ -198,6 +198,11 @@ contract FilecoinWarmStorageService is
     uint256 private immutable DEFAULT_CDN_LOCKUP_AMOUNT; // 0.7 USDFC
     uint256 private immutable DEFAULT_CACHE_MISS_LOCKUP_AMOUNT; // 0.3 USDFC
 
+    // Maximum pricing bounds (4x initial values)
+    uint256 private immutable MAX_STORAGE_PRICE_PER_TIB_PER_MONTH; // 10 USDFC (4x 2.5)
+    uint256 private immutable MAX_CACHE_MISS_PRICE_PER_TIB_PER_MONTH; // 2 USDFC (4x 0.5)
+    uint256 private immutable MAX_CDN_PRICE_PER_TIB_PER_MONTH; // 2 USDFC (4x 0.5)
+
     // Token decimals
     uint8 private immutable TOKEN_DECIMALS;
 
@@ -331,6 +336,11 @@ contract FilecoinWarmStorageService is
         // Initialize the lockup constants based on the actual token decimals
         DEFAULT_CDN_LOCKUP_AMOUNT = (7 * 10 ** TOKEN_DECIMALS) / 10; // 0.7 USDFC
         DEFAULT_CACHE_MISS_LOCKUP_AMOUNT = (3 * 10 ** TOKEN_DECIMALS) / 10; // 0.3 USDFC
+
+        // Initialize maximum pricing bounds (4x initial values)
+        MAX_STORAGE_PRICE_PER_TIB_PER_MONTH = (20 * 10 ** TOKEN_DECIMALS) / 2; // 10 USDFC (4x 2.5)
+        MAX_CACHE_MISS_PRICE_PER_TIB_PER_MONTH = (4 * 10 ** TOKEN_DECIMALS) / 2; // 2 USDFC (4x 0.5)
+        MAX_CDN_PRICE_PER_TIB_PER_MONTH = (4 * 10 ** TOKEN_DECIMALS) / 2; // 2 USDFC (4x 0.5)
     }
 
     /**
@@ -469,23 +479,35 @@ contract FilecoinWarmStorageService is
     /**
      * @notice Updates the pricing rates for storage and CDN services
      * @dev Only callable by the contract owner. Pass 0 to keep existing value unchanged.
-     * @param newStoragePrice New storage price per TiB per month (0 = no change)
-     * @param newCacheMissPrice New cache miss price per TiB per month (0 = no change)
-     * @param newCdnPrice New CDN price per TiB per month (0 = no change)
+     * Prices cannot exceed 4x their initial values without a contract upgrade.
+     * @param newStoragePrice New storage price per TiB per month (0 = no change, max 10 USDFC)
+     * @param newCacheMissPrice New cache miss price per TiB per month (0 = no change, max 2 USDFC)
+     * @param newCdnPrice New CDN price per TiB per month (0 = no change, max 2 USDFC)
      */
     function updatePricing(uint256 newStoragePrice, uint256 newCacheMissPrice, uint256 newCdnPrice)
         external
         onlyOwner
     {
-        require(newStoragePrice > 0 || newCacheMissPrice > 0 || newCdnPrice > 0, "At least one price must be non-zero");
+        if (newStoragePrice == 0 && newCacheMissPrice == 0 && newCdnPrice == 0) {
+            revert Errors.AtLeastOnePriceMustBeNonZero();
+        }
 
         if (newStoragePrice > 0) {
+            if (newStoragePrice > MAX_STORAGE_PRICE_PER_TIB_PER_MONTH) {
+                revert Errors.PriceExceedsMaximum("storage", MAX_STORAGE_PRICE_PER_TIB_PER_MONTH, newStoragePrice);
+            }
             storagePricePerTibPerMonth = newStoragePrice;
         }
         if (newCacheMissPrice > 0) {
+            if (newCacheMissPrice > MAX_CACHE_MISS_PRICE_PER_TIB_PER_MONTH) {
+                revert Errors.PriceExceedsMaximum("cacheMiss", MAX_CACHE_MISS_PRICE_PER_TIB_PER_MONTH, newCacheMissPrice);
+            }
             cacheMissPricePerTibPerMonth = newCacheMissPrice;
         }
         if (newCdnPrice > 0) {
+            if (newCdnPrice > MAX_CDN_PRICE_PER_TIB_PER_MONTH) {
+                revert Errors.PriceExceedsMaximum("cdn", MAX_CDN_PRICE_PER_TIB_PER_MONTH, newCdnPrice);
+            }
             cdnPricePerTibPerMonth = newCdnPrice;
         }