327 Commits

Author SHA1 Message Date
Arnaud
e159ceee44
Rename Codex to Logos Storage (#262) 2025-12-16 17:19:52 +11:00
Eric
3661376327
fix(integration): fixes hardhat not recognising custom error (#243)
Co-authored-by: Dmitriy Ryajov <dryajov@gmail.com>
2025-06-05 12:42:01 -07:00
Arnaud
aee91f1ac4
chore: add a new canMarkProofAsMissing function (#229)
* Add a new canProofBeMarkedAsMissing function

* Rename modifier

* Rename canProofBeMarkedAsMissing to canMarkProofAsMissing
2025-06-03 09:06:57 +02:00
markspanbroek
470a4df415
fix(vault): do not allow reuse of fund ids (#238)
* fix(vault): do not allow reuse of fund ids

Fixes an attack where all tokens can be drained from
the Vault by allowing a token flow to persist after
a Fund is deleted.

* chore(vault): update state diagram
2025-05-19 10:23:01 +00:00
Eric
92537a5120
fix(slot reservations): clear AddressSet instead of delete (#235)
* fix(slot-reservations): Allows slot to be reserved when in repair

Previous to when SlotState.Repair was implemented, slots in repair would be considered free and the slots could be reserved in this state. Now that SlotState.Repair has been implemented, the `canReserveSlot` needs to check that the SlotState is in Repair or is Free before allowing reservation.

* fix(slot reservations): clear AddressSet instead of delete

Deleting an AddressSet causes corrupted memory. Each address must be removed individually, which is OK to do since there is a maxReservations parameter that keeps this number small.

https://docs.openzeppelin.com/contracts/5.x/api/utils#EnumerableSet

* Switch to EnumerableSet clear function provided by openzeppelin

---------

Co-authored-by: Arnaud <arnaud@status.im>
2025-05-15 11:40:14 +10:00
Eric
baded845f3
fix(slot-reservations): Allows slot to be reserved when in repair (#234)
Previous to when SlotState.Repair was implemented, slots in repair would be considered free and the slots could be reserved in this state. Now that SlotState.Repair has been implemented, the `canReserveSlot` needs to check that the SlotState is in Repair or is Free before allowing reservation.
2025-05-15 11:37:50 +10:00
markspanbroek
e49abc4104
Vault (#220)
* vault: deposit and withdraw

* vault: change data structure to be recipient oriented

* vault: burning funds

* vault: transfer tokens from one recipient to the other

* vault: designate tokens for a single recipient

* vault: lock up tokens until expiry time

* vault: lock is deleted upon withdrawal

* vault: simplify test setup

* vault: remove duplication in tests

* vault: further test for locks

* vault: allow recipient to withdraw

* vault: flow tokens from one recipient to the other

* vault: designate tokens that flow

* vault: move flow accumulation calculation into VaultBase

* vault: use custom operators to improve readability

* vault: stop flowing when lock expires

* vault: reject flow when insufficient tokens available

* vault: do not allow flow when lock already expired

* vault: allow automine to be disabled in time sensitive tests

* vault: improve naming of public functions

* vault: flow to multiple recipients

- changes balance from uint256 -> uint128
  so that entire Balance can be read or written
  with a single operation
- moves Lock to library
- simplifies lock checks

* vault: reject negative flows

* vault: make tests a bit more robust

* vault: change flows over time

* vault: check Lock invariant before writing

* vault: allow flows to be diverted to others

* vault: simplify example flow rates in test

* vault: disallow transfer of flowing tokens

* vault: cannot burn flowing tokens

* vault: delete flow when burning or withdrawing

* vault: fix flaky time sensitive tests

Ensures that setting of lock and starting of
flow happen in the same block.
Therefore hardhat cannot occasionally increase
the timestamp between the two operations.
This makes predicting the balances over time
much easier.

* vault: disallow designating of flowing tokens

* vault: document setAutomine()

* vault: delete lock when all tokens are withdrawn or burned

* vault: cleanup

* vault: reorder tests

* vault: only allow deposit, transfer, etc when locked

* vault: reorder functions

in roughly chronological order

* vault: rename context -> fund

* vault: rename balance -> account

* vault: combine account and flow mappings

* vault: _getAccount updates to the latest timestamp

* vault: simplify _getAccount()

* vault: reordering

* vault: formatting

* vault: do not delete lock when burning

* vault: combine Account and Flow structs

* vault: cleanup

* vault: split flow into incoming and outgoing

- no need to deal with signed integers anymore
- allows flow to self to designate tokens over time

* vault: fix transfer to self

* vault: remove _getAccount()

- no longer calculate flow updates when not needed
- use account.update(timestamp) where needed
- use _getBalance() to view current balance

* vault: rename error

* vault: reduce size of timestamp further

* vault: prevent approval hijacking

- transfer ERC20 funds into the vault from the
  controller, not from the user
- prevents an attacker from hijacking a user's
  ERC20 approval to move tokens into a part of
  the vault that is controlled by the attacker

* vault: extract common tests for unlocked funds

* vault: burn entire fund

* vault: transfer tokens to 0xdead when fund is burned

* vault: do not expose Lock internals on public api

* vault: formatting

* vault: test lock state transitions

* vault: clean up errors

* vault: rename burn -> burnAccount, burnAll -> burnFund

* vault: burn part of designated tokens

* vault: burn designated/fund allowed when flowing

* vault: prefix errors with 'Vault'

* vault: cleanup

* vault: remove dead code

* vault: add documentation

* vault: fix accounting of locked value when burning designated tokens

* vault: update documentation

* update openzeppelin contracts to 5.2.0

* vault: format all solidity files

* vault: cleanup tests

* vault: pausing and unpausing

* vault: rename account->holder in tests

* vault: allow for multiple accounts for one account holder

* vault: only allow account holder to withdraw for itself

* vault: freezeFund() instead of burnFund()

* vault: rename Fund -> FundId

* vault: rename lock states

- NoLock -> Inactive
- Unlocked -> Withdrawing

* vault: rename Lock -> Fund

* vault: clarification

Co-Authored-by: Adam Uhlíř <adam@uhlir.dev>

* vault: rename update() -> accumulateFlows()

Reason: update() is too generic, and can easily be
interpreted as changing the on-chain state, whereas
it actually updates the in-memory struct.

Co-Authored-By: Eric <5089238+emizzle@users.noreply.github.com>
Co-Authored-By: Adam Uhlíř <adam@uhlir.dev>

* vault: rephrase

Co-Authored-By: Adam Uhlíř <adam@uhlir.dev>

---------

Co-authored-by: Adam Uhlíř <adam@uhlir.dev>
Co-authored-by: Eric <5089238+emizzle@users.noreply.github.com>
2025-04-16 11:57:07 +02:00
Adam Uhlíř
0bf138512b
fix: only slots host should be able to submit proof (#227)
* fix: only slots host should be able to submit proof

* chore: formatting
2025-03-26 11:05:21 +01:00
Mark Spanbroek
9826f31788 update solidity to version 0.8.28 2025-03-04 09:33:20 +01:00
Mark Spanbroek
e31e39f22c simplify time-based logic in tests, and fix requestEnd()
- use the `allowBlocksWithSameTimestamp` hardhat option
- remove block time gymnastics from marketplace tests
- fix erroneous implementation of requestEnd() which
  surfaced because of the improved tests
2025-03-04 08:58:10 +01:00
Adam Uhlíř
c00152e621
perf: optimizing parameters sizing (#207)
* perf: optimizing parameters sizing

* chore: feedback

Co-authored-by: markspanbroek <mark@spanbroek.net>

* style: formatting

* perf: more optimizations

* chore: fixes

* chore: fix certora spec

* chore: more fixes for certora spec

* chore: more and more fixes for certora spec

* fix: ends type

* test(certora): timestamp conversion

* test(certora): timestamp conversion again

* test(certora): timestamp conversion revert to assert_uint64

* test(certora): timestamp with mathint

* test(certora): timestamp back with uint64 with require

* Add missing configuration

* Fix previous merge

* Update StorageRequested to use int64 for expiry

* requestDurationLimit => uint64

---------

Co-authored-by: markspanbroek <mark@spanbroek.net>
Co-authored-by: Arnaud <arnaud@status.im>
Co-authored-by: Eric <5089238+emizzle@users.noreply.github.com>
2025-02-20 16:54:41 +11:00
Adam Uhlíř
ff82c26b36
feat: request duration limit (#206)
* feat: request duration limit

* Merge master and use custom error

* Remove slashCriterion

---------

Co-authored-by: Arnaud <arnaud@status.im>
2025-02-18 15:27:47 +01:00
Arnaud
0f2012b144
Change the cid from string to bytes (#214)
* Change the cid from string to bytes

* Fix content definition

* Fix cid invalid test
2025-02-13 13:03:45 +00:00
Mark Spanbroek
875e4d53ec change constructor param to config
Changes the Marketplace constructor parameter `configuration` to `config` to prevent overshadowing the `configuration()` method.
2025-02-13 10:44:14 +01:00
Arnaud
51bae145fc
Reward validator when marking missing proof (#209) 2025-01-27 11:33:23 +01:00
Arnaud
6753d20b17
Remove missing proof leniency (#210) 2025-01-27 10:14:53 +00:00
Arnaud
78c15710f3
Remove the mapping _probabilities (#215)
* Remove the mapping _probabilities
* Fix the slot probability calculation test by filling slot only instead of requiring proofs
* Remove custom error Proofs_InvalidProbability not used anymore
2025-01-27 10:02:27 +00:00
Marcin Czenko
e74d3397a1
Feat: price per byte (#208)
* changes reward => pricePerByte

* collateral => collateralPerByte

* updates tests

* introduces AskHelpers to compute price and collateral per slot

* adds public view function returning currentCollateral for the slot

* updates names for price and collateral

* uses pricePerSlotPerSecond in maxPriceHelper

* adds collateralPerSlot helper

* makes sure that the intended use of the <<currentCollateral>> view function is demonstrated in tests

* formatting

* fix comment

* mints more tokens so that it can be used with contracts tests in nim-codex

* Renaming <<collateral>> and <<reward>> to <<collateralPerByte>> and <<pricePerBytePerSecond>> respectively (merged in the meantime to the master)
2025-01-24 15:28:29 +01:00
Arnaud
d04acafde2
Add request validations (#213)
* Add request validations
* Apply custom errors
2025-01-24 12:49:06 +01:00
Arnaud
500498f8bc
Replace assert by revert (#216)
* Replace assert with revert
2025-01-24 11:07:55 +01:00
Arnaud
604d4c87eb
Reject when probability is 0 (#212)
* Reject when probability is 0
* Apply custom error
2025-01-24 10:13:45 +01:00
Arnaud
bfa5a78b4f
Verify that secondsPerPeriod cannot be zero (#211)
* Assert that secondsPerPeriod cannot be zero
* Apply custom error
2025-01-24 09:22:21 +01:00
r4bbit
02e3b8d22b
refactor(Marketplace): Use custom errors instead of string messages (#141)
Co-authored-by: Adam Uhlíř <adam@uhlir.dev>
2025-01-15 14:11:40 +01:00
Adam Uhlíř
dfab6102e7
feat: repair reward (#193) 2024-12-12 18:39:42 +01:00
Eric
1ce3d10fa2
fix(slot-reservations): ensure slot is free (#196)
Ensure that the slot state is free before allowing reservations
2024-10-30 15:48:37 +11:00
Eric
7645df19ab
renames config to configuration (#198)
This is not the right reason to be making this kind of change, but a very hard to debug symbol clash in codex for `config`. Changing this to `configuration` is the easiest way to fix the issue.
2024-10-29 19:02:42 +11:00
Adam Uhlíř
7e6187d4b1
feat: hosts paid by actual time hosting a slot (#160)
Co-authored-by: Eric <5089238+emizzle@users.noreply.github.com>
Co-authored-by: r4bbit <445106+0x-r4bbit@users.noreply.github.com>
2024-10-08 09:38:19 +02:00
Eric
f5a54c7ed4
feat(slot-reservations): require slots to be reserved before filling slot (#185)
* Require slots to be reserved before filling slot

* Add test that checks filling slot fails without reservation
2024-10-08 15:55:17 +11:00
Eric
807fc973c8
feat(slot-reservations): Add SlotReservationsFull event (#183)
`SlotReservationsFull` event is emitted once a slot has reached its capacity for slot reservations (3 reservations at this time).

`SlotReservationsFull` event emits `requestId` and `slotIndex`.
2024-10-04 13:28:39 +10:00
Eric
33010bd20c
feat(slot-reservations): Allow slots to be reserved (#177)
* feat(slot-reservations): Allow slots to be reserved

Closes #175.

Allows reservation of slots, without an implementation of the expanding window.

- Add a function called `reserveSlot(address, SlotId)`, that allows three unique addresses per slot to be reserved, that returns bool if successful.
       - Use `mapping(SlotId => EnumerableSet.AddressSet)`
       - Return false if the address could not be added to the set (if `EnumerableSet.add` returns false)
- Add `canReserveSlot(address, SlotId)`
        - Return `true` if set of reservations is less than 3 and the set doesn't already contain the address
        - Return `true` otherwise (for now, later add in logic for checking the address is inside the expanding window)
        - Call `canReserveSlot` from `reserveSlot` as a `require` or invariant
- Add `SlotReservations` configuration struct to the network-level config, with `maxReservations`
2024-10-03 11:01:21 +10:00
r4bbit
cc0b2732ad fix(Marketplace): ensure requests include ask with sufficient slots
There is a missing check in `requestStorage()` on whether the `Request`
contains an `Ask` where its `slots` is `> 0`.

This allows for making storage request without slots. Not harmful but
not a valid state of the system either.

This commit adds that check and a test with batteries included.
2024-08-27 17:14:52 +02:00
r4bbit
3a6249e886 fix(certora): make rule for allowed request state changes work again 2024-08-23 14:01:43 +02:00
Eric
73a2ca0bd3
feat: adds an optional payoutAddress to allow payouts to be paid to separate address (#144)
* initial commit for splitting payouts

Collateral goes to slot's host address, while reward payouts go to the slot's host payoutAddress

* Add fillSlot overload to make payoutAddress "optional"

* add tests for payoutAddress

* add doc to patchFillSlotOverloads

* formatting

* remove optional payoutAddress parameter

* Move payoutAddress to freeSlot

- remove payoutAddress parameter from `fillSlot`
- remove `payoutAddress` from slot struct and storage
- add payoutAddress parameter to `freeSlot`, preventing the need for storage

* formatting

* update certora spec to match updated function signature

* Add withdrawAddress to withdrawFunds

- prevent erc20 msg.sender blacklisting

* Update tests for paying out to withdrawAddress

* formatting

* Add collateralRecipient

* refactor: change withdrawFunds and freeSlot overloads

- `withdrawFunds` now has an optional withdrawRecipient parameter
- `freeSlot` now has two optional parameters: rewardRecipient, and collateralRecipient. Both or none must be specified.

* update certora spec for new sigs
2024-08-19 17:09:48 +10:00
Andrea Franz
29f39d52c7
chore(certora): slot's missed periods count should be equal to the count of slot's missing periods set to true (#155) 2024-08-15 12:51:14 +02:00
Eric
ed428767b3
chore: add downtimeProduct configuration parameter (#138)
* add `downtimeProduct` configuration parameter

* formatting
2024-08-14 15:50:32 +10:00
r4bbit
2e3f775a0d chore: formally verify request state changes
This commit adds CVL rule that formally verifies the state changes of
any given request in relation to the functions of the contract that can
cause them.

Closes #128
2024-08-12 15:26:59 +02:00
Adam Uhlíř
fe8da1013d
docs: proofs comments (#118)
Co-authored-by: Eric <5089238+emizzle@users.noreply.github.com>
Co-authored-by: markspanbroek <mark@spanbroek.net>
2024-08-08 09:35:35 +00:00
r4bbit
e62ebf6b0e
fix: ensure requestStorage() reverts if maxSlotloss > slots (#140) 2024-08-05 10:58:51 +02:00
r4bbit
688a8ed929
Set up certora and implement first rules (#122)
Co-authored-by: 0xb337r007 <0xe4e5@proton.me>
Co-authored-by: Adam Uhlíř <adam@uhlir.dev>
2024-07-24 18:50:18 +02:00
Adam Uhlíř
57e8cd5013
feat: expiry specified as duration (#99) 2024-05-06 15:13:32 +02:00
Mark Spanbroek
53999c74d3 Provide all gas to precompiles
Rationale: subtracting 2000 from the provided gas seems
arbitrary, and doesn't provide any benefits. Whether
verify() fails with an out-of-gas error, or returns
'false', in both cases the proof is not verified.

Co-Authored-By: Balazs Komuves <bkomuves@gmail.com>
2024-03-13 15:25:59 +01:00
Mark Spanbroek
84eba26f76 Document that group elements are checked by precompiles
Co-Authored-By: Balazs Komuves <bkomuves@gmail.com>
2024-03-13 15:25:59 +01:00
Mark Spanbroek
c55b34fc76 uint -> uint256
Co-Authored-By: Balazs Komuves <bkomuves@gmail.com>
2024-03-13 15:25:59 +01:00
Mark Spanbroek
3b6f7b8ec7 Rename _Q -> _R
Using 'r' for the size of the scalar field is
standard practice.

Co-Authored-By: Balazs Komuves <bkomuves@gmail.com>
2024-03-13 15:25:59 +01:00
Mark Spanbroek
ab1b91fe49 Return false when incorrect amount of public inputs 2024-03-13 15:25:59 +01:00
Mark Spanbroek
bd489c7f9a Groth16Verifier implements its interface 2024-03-13 15:25:59 +01:00
Mark Spanbroek
f9637f192b Rename: vkX -> combination 2024-03-13 15:25:59 +01:00
Mark Spanbroek
a4ce10f4de One less addition 2024-03-13 15:25:59 +01:00
Mark Spanbroek
df58f2d3db Formatting 2024-03-13 15:25:59 +01:00
Mark Spanbroek
576254423e Return false when public inputs are invalid 2024-03-13 15:25:59 +01:00