chore(fusdc): settle ForwardFailed, minted while Advancing, and minted early txs

[0xpatrickdev]

closes: #10625

Description

• fix: ensure "minted while Advancing" results in Disburse or Forward
• feat: handle "unknown mint" by forwarding if and when Evidence is reported
  • via Settler.forwardIfMinted() called by Advancer
• chore: capture ForwardFailed (terminal) state if Forward fails

Security Considerations

None new introduced, these behaviors are consistent with the product spec.

Scaling Considerations

The mintedEarly mapStore could grow large if an attacker spams the settlementAccount with uusdc

Documentation Considerations

None

Testing Considerations

Includes tests for all new behaviors.

Upgrade Considerations

Targeting FUSDC's first release

[cloudflare-workers-and-pages]

Deploying agoric-sdk with    Cloudflare Pages

Latest commit:	9c01dc4
Status:	✅  Deploy successful!
Preview URL:	https://a4046484.agoric-sdk.pages.dev
Branch Preview URL:	https://pc-10625-forward-failed.agoric-sdk.pages.dev

View logs

[dckc]

a couple notes before our chat

[dckc]

assuming all exceptions have this meaning seems inconsistent with https://github.com/Agoric/agoric-sdk/wiki/Errors-and-Control-Flow

[0xpatrickdev]

I realized while writing this PR desc:

The mintedEarly mapStore could grow large if an attacker spams the settlementAccount with uusdc

Worth adding a check here to see if the advance exceeds min fees? That should like help with 1uusdc spam.

[0xpatrickdev]

comment for reviewers, not something to check in

[turadg]

what's the alternative? pros/cons?

[0xpatrickdev]

It'd take some time to think of an attack vector - currently coming up short.

In general, they're pretty distinct behaviors / states so commingling didn't seem right.

Since we don't currently have sufficient motivation to separate, I'll leave as-is for now and remove the comment.

[0xpatrickdev]

This is maybe not entirely relevant. We could adjust the test to fail (AdvanceFailed), and we would not pay fees to the pool here. This is covered in settler.test.ts, though.

[0xpatrickdev]

considered parameterizing like: transmitTransferAck(-1) but came up short. I think it's only the sequence that difference, not the index of localBridgeMessage.

[dckc]

here are some comments based on one read / skim

[dckc]

#10510 is closed. should this TODO still be here?

[0xpatrickdev]

I think this was removed in a later commit but will check again

[dckc]

this tracer shouldn't call itself 'Advancer'.
out of scope of this PR, but since you're in the neighborhood...

[dckc]

we should use the log/tracer, shouldn't we?

[0xpatrickdev]

There's nothing currently logging anything in statusManager. vstorage seems to be the main way of communicating

[dckc]

the "undefined in case..." docstring looks outdated

[dckc]

I suppose the preconditions for forwarded(...) are in a state transition diagram somewhere, but it would be nice to have them here locally.

In particular, this would throw if you call it twice on the same txHash, right?

[dckc]

TODO when? in this PR?

[0xpatrickdev]

#10750 but maybe will collapse into this

[0xpatrickdev]

Closing 10750 and collapsing into this PR

[dckc]

nice.

[dckc]

what does "not necessarily an exact match" mean? isn't "same forwarding account and amount" the relevant definition of "matching"?

[0xpatrickdev]

The ordering could be different if Alice requests two advances for the same amount.

[turadg]

It is an exact match based on available data, which treats (EUD,Amount) interchangeably.

I think think what you're getting at is that a mint deposit may be for any of the matching transactions and we can't distinguish between them, so we go with the first.

[0xpatrickdev]

How's this:

/**
 * Remove and return the oldest pending settlement transaction that matches the given
 * forwarding account and amount. Since multiple pending transactions may exist with
 * identical (account, amount) pairs, we process them in FIFO order.
 */

[dckc]

creator facet?

[turadg]

sometime before this PR, but I'm surprised to see Facet in the name of the object. the consumer needn't be concerned with the structure in which the object resides.

I've added this to revisit in #10432

[turadg]

surprising to see the condition be the result of an action. please make more clear.

Suggested change

	if (
	notifyFacet.forwardIfMinted(
	destination,
	forwardingAddress,
	fullAmount,
	txHash,
	)
	) {
	const forwarded = notifyFacet.forwardIfMinted(
	destination,
	forwardingAddress,
	fullAmount,
	txHash,
	);
	if (forwarded)) {

[turadg]

This name was weird to me and as I get through more of the review, I understand better why. The notify facet shouldn't be telling the settler what to do.

What is it notifying it of? It's telling the settler about a transaction and it needs to know what decision the settler has to say about it. So I think this should be,

Suggested change

	if (
	notifyFacet.forwardIfMinted(
	destination,
	forwardingAddress,
	fullAmount,
	txHash,
	)
	) {
	const forwarded = notifyFacet.checkForwarded(
	destination,
	forwardingAddress,
	fullAmount,
	txHash,
	);
	if (forwarded) {
	return;
	}

I took out the logging too because the settler already does that. I'm not as confident in that change.

[0xpatrickdev]

This was tricky to name since "checkForwarded" does more than checking - it actually starts a Forward via MsgTransfer if conditions are met. That's why i wanted to include a verb.

I've heeded your suggestion, and renamed to checkIfMinted. (the forward hasn't occurred yet, and the early mint is the thing we're checking)

[turadg]

it actually starts a Forward via MsgTransfer if conditions are met. That's why i wanted to include a verb.

It happens to but needn't be a commitment to the caller. The caller is providing information and asking for a state.

[turadg]

It is an exact match based on available data, which treats (EUD,Amount) interchangeably.

I think think what you're getting at is that a mint deposit may be for any of the matching transactions and we can't distinguish between them, so we go with the first.

[turadg]

It's not "will Forward" because that has started at this point. I don't think this comment adds enough over the log message and the if (forwarded) branch

Suggested change

// settlement already received; tx will Forward.

[turadg]

what's the alternative? pros/cons?

[turadg]

Suggested change

	// TODO: does not write `ADVANCE_FAILED` to vstorage
	// FIXME: does not write `ADVANCE_FAILED` to vstorage

[0xpatrickdev]

TODO will appear in commit history, but not the final HEAD of this PR

[0xpatrickdev]

Not crazy about advanceOutcomeForSettled, but implemented the suggestion.

I liked notify since all we're doing here is a vstorage write. Technically, it's not settled yet (we could say minted).

Where does that leave us with notifyObserved?

[turadg]

I liked notify since all we're doing here is a vstorage write.

That shouldn't be a commitment to the caller. The caller tells the status manager about stuff and the status manager abstracts what it does with that information.

Technically, it's not settled yet (we could say minted).

Yeah that would be better.

Where does that leave us with notifyObserved?

To be renamed for the same reasons

[0xpatrickdev]

I landed on advanceOutcomeForMintedEarly and advanceOutcomeForUnknownMint. If we want something more concise, i think we can tackle that in #10432