diff --git a/pkg/api/dynamicaccess.go b/pkg/api/dynamicaccess.go
index e776857d190..aad9a69d56a 100644
--- a/pkg/api/dynamicaccess.go
+++ b/pkg/api/dynamicaccess.go
@@ -113,6 +113,8 @@ func (s *Service) actDecryptionHandler() func(h http.Handler) http.Handler {
 			ls := loadsave.NewReadonly(s.storer.Download(cache))
 			reference, err := s.dac.DownloadHandler(ctx, ls, paths.Address, headers.Publisher, *headers.HistoryAddress, timestamp)
 			if err != nil {
+				logger.Debug("act failed to decrypt reference", "error", err)
+				logger.Error(nil, "act failed to decrypt reference")
 				jsonhttp.InternalServerError(w, errActDownload)
 				return
 			}
@@ -132,7 +134,7 @@ func (s *Service) actEncryptionHandler(
 ) (swarm.Address, error) {
 	logger := s.logger.WithName("act_encryption_handler").Build()
 	publisherPublicKey := &s.publicKey
-	ls := loadsave.New(s.storer.ChunkStore(), s.storer.Cache(), requestPipelineFactory(ctx, putter, false, redundancy.NONE))
+	ls := loadsave.New(s.storer.Download(true), s.storer.Cache(), requestPipelineFactory(ctx, putter, false, redundancy.NONE))
 	storageReference, historyReference, encryptedReference, err := s.dac.UploadHandler(ctx, ls, reference, publisherPublicKey, historyRootHash)
 	if err != nil {
 		logger.Debug("act failed to encrypt reference", "error", err)
@@ -324,8 +326,8 @@ func (s *Service) actGrantRevokeHandler(w http.ResponseWriter, r *http.Request)
 
 	granteeref := paths.GranteesAddress
 	publisher := &s.publicKey
-	ls := loadsave.New(s.storer.ChunkStore(), s.storer.Cache(), requestPipelineFactory(ctx, putter, false, redundancy.NONE))
-	gls := loadsave.New(s.storer.ChunkStore(), s.storer.Cache(), requestPipelineFactory(ctx, putter, granteeListEncrypt, redundancy.NONE))
+	ls := loadsave.New(s.storer.Download(true), s.storer.Cache(), requestPipelineFactory(ctx, putter, false, redundancy.NONE))
+	gls := loadsave.New(s.storer.Download(true), s.storer.Cache(), requestPipelineFactory(ctx, putter, granteeListEncrypt, redundancy.NONE))
 	granteeref, encryptedglref, historyref, actref, err := s.dac.UpdateHandler(ctx, ls, gls, granteeref, historyAddress, publisher, grantees.Addlist, grantees.Revokelist)
 	if err != nil {
 		logger.Debug("failed to update grantee list", "error", err)
@@ -469,8 +471,8 @@ func (s *Service) actCreateGranteesHandler(w http.ResponseWriter, r *http.Reques
 	}
 
 	publisher := &s.publicKey
-	ls := loadsave.New(s.storer.ChunkStore(), s.storer.Cache(), requestPipelineFactory(ctx, putter, false, redundancy.NONE))
-	gls := loadsave.New(s.storer.ChunkStore(), s.storer.Cache(), requestPipelineFactory(ctx, putter, granteeListEncrypt, redundancy.NONE))
+	ls := loadsave.New(s.storer.Download(true), s.storer.Cache(), requestPipelineFactory(ctx, putter, false, redundancy.NONE))
+	gls := loadsave.New(s.storer.Download(true), s.storer.Cache(), requestPipelineFactory(ctx, putter, granteeListEncrypt, redundancy.NONE))
 	granteeref, encryptedglref, historyref, actref, err := s.dac.UpdateHandler(ctx, ls, gls, swarm.ZeroAddress, historyAddress, publisher, list, nil)
 	if err != nil {
 		logger.Debug("failed to update grantee list", "error", err)
diff --git a/pkg/dynamicaccess/controller.go b/pkg/dynamicaccess/controller.go
index 030e7c3316d..7ce650ef348 100644
--- a/pkg/dynamicaccess/controller.go
+++ b/pkg/dynamicaccess/controller.go
@@ -76,7 +76,6 @@ func (c *ControllerStruct) UploadHandler(
 		storage kvs.KeyValueStore
 		actRef  swarm.Address
 	)
-	now := time.Now().Unix()
 	if historyRef.IsZero() {
 		history, err := NewHistory(ls)
 		if err != nil {
@@ -94,7 +93,7 @@ func (c *ControllerStruct) UploadHandler(
 		if err != nil {
 			return swarm.ZeroAddress, swarm.ZeroAddress, swarm.ZeroAddress, err
 		}
-		err = history.Add(ctx, actRef, &now, nil)
+		err = history.Add(ctx, actRef, nil, nil)
 		if err != nil {
 			return swarm.ZeroAddress, swarm.ZeroAddress, swarm.ZeroAddress, err
 		}
@@ -107,12 +106,11 @@ func (c *ControllerStruct) UploadHandler(
 		if err != nil {
 			return swarm.ZeroAddress, swarm.ZeroAddress, swarm.ZeroAddress, err
 		}
-		entry, err := history.Lookup(ctx, now)
-		actRef = entry.Reference()
+		entry, err := history.Lookup(ctx, time.Now().Unix())
 		if err != nil {
 			return swarm.ZeroAddress, swarm.ZeroAddress, swarm.ZeroAddress, err
 		}
-		storage, err = kvs.NewReference(ls, actRef)
+		storage, err = kvs.NewReference(ls, entry.Reference())
 		if err != nil {
 			return swarm.ZeroAddress, swarm.ZeroAddress, swarm.ZeroAddress, err
 		}
@@ -197,15 +195,12 @@ func (c *ControllerStruct) UpdateHandler(
 			return swarm.ZeroAddress, swarm.ZeroAddress, swarm.ZeroAddress, swarm.ZeroAddress, err
 		}
 	}
+	granteesToAdd := addList
 	if len(removeList) != 0 {
 		err = gl.Remove(removeList)
 		if err != nil {
 			return swarm.ZeroAddress, swarm.ZeroAddress, swarm.ZeroAddress, swarm.ZeroAddress, err
 		}
-	}
-
-	var granteesToAdd []*ecdsa.PublicKey
-	if len(removeList) != 0 || encryptedglref.IsZero() {
 		// generate new access key and new act
 		act, err = kvs.New(ls)
 		if err != nil {
@@ -216,8 +211,6 @@ func (c *ControllerStruct) UpdateHandler(
 			return swarm.ZeroAddress, swarm.ZeroAddress, swarm.ZeroAddress, swarm.ZeroAddress, err
 		}
 		granteesToAdd = gl.Get()
-	} else {
-		granteesToAdd = addList
 	}
 
 	for _, grantee := range granteesToAdd {