RFC: Ordered Spend Payouts

[muharem]

Problem:

The Treasury doesn't always have enough assets like USDt or USDc to pay for every approved spend. It usually gets more of these assets by periodically swapping its native currency for them.

Since anyone can trigger an approved expense payment as soon as it matures, regardless of the order in which expenses were approved, a problem can arise. If smaller, more recently approved spends are paid out first, they can drain the Treasury's funds. This can leave insufficient funds to pay out a larger expense that was approved earlier.

Details:

Let’s look at the example:

At block 50:
Treasury USDt balance: 150 USDt, acquiring 10 USDt daily.
Spend 1: 200 USDt, approved at block 10, matured for payout since block 15.
Spend 2: 180 USDt, approved at block 20, matured for payout since block 25.
Spend 3: 170 USDt, approved at block 30, matured for payout since block 35.

At block 52:
Treasury USDt balance: 170 USDt, acquiring 10 USDt daily.
Spend 1: not able to be paid out, as the Treasury balance is insufficient.
Spend 2: not able to be paid out, as the Treasury balance is insufficient.
Spend 3: paid out first, despite being approved last.

At block 70:
Treasury USDt balance: 180 USDt, acquiring 10 USDt daily.
Spend 1: not able to be paid out, as the Treasury balance is insufficient.
Spend 2: paid out, despite being approved later than Spend 1.
Spend 3: executed.
Spend 4: 100 USDt, will be able to be paid out earlier than Spend 1.

Proposed Solution:

Solution 1. with fixed expiration

We need to introduce two new storage items:

StorageValue of NextPayout ( SpendIndex, ExpireAt ) - the spend to be paid out next; where the first value is the spend identifier and the second value is when its order expires and can be moved to the end of the list of mature spends.

StorageValue of PayoutQueue ( Vec<SpendIndex> ) - the list of mature spends in the order they can be paid out. This requires MaxQueuedSpends to store a bounded Vec. We also need to keep the vector’s type relatively small to avoid increasing the PoV size.

Spends have a maturity block number that determines when they can be paid out, and this value is derived from the valid_from field. An undefined valid_from value means the spend is immediately payable after approval, whereas a defined value specifies a future date from which it can be paid.

Upon maturity, each spend can be added to the end of the PayoutQueue via the new call (call: 1.1). If the queue is empty, the spend becomes NextPayout. ExpireAt(n) is calculated as now + OrderExpirationPeriod, where OrderExpirationPeriod is a configurable time period.

Every next payout is only possible for the spend from NextPayout storage item. The payout call is permissionless and can be executed by any signed origin.

If the order for the next spend payout is expired (ExpireAt(0) < now), anyone can submit an extrinsic with a call to update the payout order (call: 1.2). The first (n = 0) in the list will be moved to the end. The second (n = 1) spend from the list will be set as NextPayout with the ExpireAt set as now + OrderExpirationPeriod.

The spend that has been successfully paid out is removed from the list and NextPayout with the check_status call.

The described approach uses a fixed order expiration and does not account for cases where the treasury may have insufficient balance for an extended period (> OrderExpirationPeriod).

Solution 1.1. with fixed extendable expiration (extension of Solution 1.)

Optionally, users can be allowed to extend a spend’s order expiration after a failed payout attempt, but this introduces additional complexity. Let’s look at it:

A spend whose payout order is approaching expiration can extend its expiration date if the treasury is still unable to fulfill the payout. The user submits an extrinsic to pay out a specific spend and later calls check_status to update its payment status to FailedOnExpiration, if the spend’s ExpireAt is about to elapse relative to now (within some fraction of OrderExpirationPeriod).

The new call (call: 1.3) to update the order expiration first checks that the payment status of the spend (n = 0) is FailedOnExpiration and then updates the expiration block to now + OrderExpirationPeriod. At the same time, the payment status is set to Pending to ensure the expiration is not updated again for the same payout attempt.

Conclusion:

Both options seem reasonable to me. However, I prefer Solution (1) because it is simpler. I also believe the treasury should learn to manage its funds more efficiently. A single large spend should not indefinitely block other payouts.

Instead, we can focus on choosing better parameters for OrderExpirationPeriod and PayoutPeriod (i.e., defining the spend validity window via ValidFrom). The PayoutPeriod can be significantly longer, as it mainly serves to prevent unclaimed spends from remaining pending indefinitely.

Open questions:

1. Solution (1) or Solution (1.2) ?
2. (call: 1.1) permissionless or permissioned to the owner of the spend?

[oshakarishvili]

I’m generally in favour of Solution (1) just to keep this simple. My only real concern is that the queue can get stuck in practice. If NextPayout can’t be executed and no one calls 1.2 after expiry, nothing moves even if there’s enough balance for smaller spends behind it. That means we’re implicitly relying on bots or clients to keep rotating the queue.

And on call 1.1: I’d keep it permissionless. If payouts themselves are permissionless, enqueueing mature spends should be too. Otherwise, we introduce a new liveness dependency on the beneficiary being active, which feels unnecessary. As long as maturity is objectively verifiable and the queue is bounded, I don’t see a strong reason to restrict it.

Also, given the recent treasury policy changes and the lower number of large spends getting approved, this isn’t as urgent as it was a few months ago. Still worth fixing, just not something we should overcomplicate.

[zhanglin2603]

Hi team, I read through #11100 and I can own this (listed bounty: $200).

• My read: this is primarily a UI/UX task tied to "RFC: Ordered Spend Payouts".
• I will focus on these issue-specific points first: rfc, ordered, spend.
• I will prioritize user flow clarity and edge-case interaction behavior, not only code-level correctness.
• I will keep user-facing impact and interaction logic clear while implementing the fix.
• I can take responsibility for delivery and reviewer follow-through.
• I will isolate the root cause before touching implementation details.
• The fix will stay minimal, explicit, and consistent with existing patterns. (high confidence).
• I will provide a short QA matrix so expected results are clear.
• I will share a working PR update fast (12-24h for first patch, 24-48h for final polish).
  If this approach looks good, I can begin now.

[zhanglin2603]

Quick follow-up on #11100: I am still available to work on this issue.
I can share a first concrete patch in 24 hours, then refine quickly based on review comments.
If the issue is already covered by someone else, I will step back immediately.

[Doordashcon]

seems like a duplicate of #10381? @muharem

[muharem]

@zhanglin2603 please wait until we reach some consensus here. @Doordashcon commented here #7961

[ggwpez]

No begging in this issue and no implementing until we settled on the design.

[chienvon]

Hi there! 👋

I'd love to help with this issue. Here's my approach:

Understanding: Based on the description, this involves rfc: ordered spend payouts.

Proposed Solution:

1. Analyze the root cause by reviewing the relevant codebase
2. Implement a clean, well-tested fix with minimal side effects
3. Add unit tests to prevent regression
4. Submit a PR with detailed documentation

Timeline: I can deliver a working solution within 24-48 hours.

About me: I'm a full-stack developer specializing in Python, automation, data processing, and bug fixes. I have experience with similar tasks and can start immediately.

Payment: ERC-20 (ETH/USDT/USDC) to 0x592ed145c859410de18d1b7a9d9a6d5b1a06552b

Looking forward to working on this! Let me know if you need any clarification.