feat(run-protocol): interest charging O(1) for all vaults in a manager

[turadg]

closes: #4341
refs: #4345

Description

Vault need to be able to persist to disk (#4511). On the path to that is making them store as virtual objects in the new Collections API. While doing this refactor though we design for the durable case and take as a requirement that when interest is charged each day that it does not require disk IO for each vault (O(n)).

To make charging interest O(1) we virtualize the debt that a vault owes to be a function of stable vault attributes and values that change in the vault manager when it charges interest. Specifically,

• a compoundedInterest value on the manager that keeps track of interest accrual since its launch
• a debtSnapshot on the vault by which one can calculate the actual debt

To maintain that the keys of vaults to liquidate are stable requires that its keys are also time-independent so they're recorded as a "normalized collateralization ratio", with the actual collateral divided by the normalized debt.

Before merging I plan to,

• fix or remove each skipped test
• clean up the tracing (either remove or figure out a way to configure what gets output, e.g. like https://www.npmjs.com/package/debug )
• turn each new TODO line into a ticket or do it
• remove each ??? (hopefully by replacing with an answer)
• convert the forEach method with callback to a generator
• assess maximum key length limits with Collections API
• eliminate Eslint-disable lines by updating eslint config (style: loosen some eslint rules #4530)

Security Considerations

Now the actual debts of all vaults are manipulated by a single value in the vault manager, making it higher stakes. Of course if the vault manager is compromised there are bigger problems and, on the other hand, this moves that out of the vaults which are more distributed.

An implication of this change is that we'll have to #4540 for which there may be some misleading UI could deceive users. Let's consider that when we come to that design.

Documentation Considerations

Reviewers, how much of the design should I document in the README.md?

Anything to do in https://github.com/Agoric/documentation ?

Testing Considerations

There are new tests for the functionality. I think it maintained the APi that the UI was depending on. @samsiegart anything extra to do?

[Chris-Hibbert]

I'd like to see tests showing the interest rate and debt calculation when some of the vaults were opened significantly after the vaultManager.

I'm worried that the fact that the debt has to be represented as a back-dated value in order to agree with the compoundedInterest may impose a higher floor on the minimum debt. Currently you can take out a loan as long as the interest each period would be non-negligible. This may make that minimum larger in order to be able to back-date the debt.

[Chris-Hibbert]

why drop this? The Vault's owner has no other way to get the promise, which they can use to be notified when the vault is liquidated.

[turadg]

I should have explained: #4539

[Chris-Hibbert]

perhaps a hardened DebtSnapshot {debt: Amount, interest: Ratio}

That's what I'd do, together with a single method for updating the bundle, which you already have.

[Chris-Hibbert]

I'm in favor. I've treated this restriction as a matter of JavaScript style and followed the rule most of the time. I think I've only disabled the check when circular dependencies made it too painful to comply with.

I'll continue as long as it requires the explicit eslint-disable in each file. If we drop the rule, I'll happily go along.

[turadg]

Will come after a release of endojs/endo#1071

[Chris-Hibbert]

TIL about optional chaining. Why is this necessary here?

[turadg]

Not necessary just more clear intent.

[dckc]

Is optional chaining in standard JS yet? Is it in test262? (that would let me check whether it's supported by XS.)

A quick check suggests that it is not supported by XS:

packages/xsnap$ ./src/xsrepl
xs> {bob: {size: 2}}?.fred
(Error#1)
Error#1: Uncaught exception in <unnamed xsnap worker>: SyntaxError: invalid token ?.

false alarm: 76/76 optional-chaining says XS conformance

$ ./src/xsrepl
xs> ({a: 1}?.b) === undefined
true

[turadg]

I'd like to see tests showing the interest rate and debt calculation when some of the vaults were opened significantly after the vaultManager.

I added some in b85cc96 and 162fba6.

I'm worried that the fact that the debt has to be represented as a back-dated value in order to agree with the compoundedInterest may impose a higher floor on the minimum debt. Currently you can take out a loan as long as the interest each period would be non-negligible. This may make that minimum larger in order to be able to back-date the debt.

We discussed offline how the check is currently only against loan fees. We also uncovered that the "ceil" implies at least one of the RUN brand amount will be charged at each interest period. However it's denominated in µRUN, not an usurious full RUN. I've documented that in the README.

[Chris-Hibbert]

issuers are light weight enough that we usually just create a new issuer whenever we need a brand in a test. What's the advantage of a mock brand over that?

[turadg]

Discovery, I suppose. I know now can simply do const mockBrand = Far('brand') because it's any but I first looked for fakeBrand.

[Chris-Hibbert]

If they don't serve any useful purpose, please replace them with either actual issuers or Far('brand'). If the test doesn't rely on these methods, let's not clutter the test with them. Being consistent with other tests when there's no need to diverge makes reviewing them easier.

[Chris-Hibbert]

is orderedVaultStore going to support removing a range of keys as a bulk operation?

[turadg]

I think the underlying Collections API supports that but there's no need to use it yet since vaults are removed whenever their liquidation completes, not a single bulk operation.

[Chris-Hibbert]

orderedVaultStore has methods that aren't tested here: removeByKey, keys, getSize, values. I'd like to see a test of at least removeByKey.

I expected a bulk removal operation. If that's coming, I'd like a test of that as well.

OIC. Those are now in test-prioritizedVaults.js. That's fine.

[Chris-Hibbert]

I'm confused by this change. Is it now charging as much interest on 50n as it used to on 50_000n?

[turadg]

Sorry about that. I blew away that file and made it anew, so ignore the diff on it.

[Chris-Hibbert]

We never simplify ratios. This ratio is going to contain bigIntegers that grow by a few digits (!) every compounding period. I think we need to choose a resolution and reduce regularly.

[turadg]

Great catch! 🙏

7c3bff8 to address

[Chris-Hibbert]

switching back and forth between Amounts and bigInts seems wrong. Can everything here be done with Amounts? If we're already branching based on whether the result of a subtraction is positive or negative, we could branch on which operand is larger, and have nats on both branches, right?

[turadg]

switching back and forth between Amounts and bigInts seems wrong.

Good call. For anyone following along, we chatted and agreed to use bigint more consistently. I think I mostly had them around to be able to make Ratios, but I should be able to simplify those too.

The utility of Amount is as an abstraction when brand or amount type could be different. In the case of interest calculation the brand is always RUN and the amount type is always bigint.

[Chris-Hibbert]

Suggested change

	// divide compounded interest by the the snapshot
	// divide compounded interest by the snapshot

[michaelfig]

Suggested change

	* @yields {[string, VaultKit]>}
	* @yields {[string, VaultKit]}

[Chris-Hibbert]

The approach looks sound. There are a few things to clean up.

Isn't your expectation that all the '???' should be removed before merging?

[Chris-Hibbert]

Suggested change

	Anyone can open make a **Vault** by putting up collateral the appropriate VaultManager. Then they can request RUN that is backed by that collateral.
	When any vat the ratio of the debt to the collateral exceeds a governed threshold, it is deemed undercollateralized. If the result of a price check shows that a vault is undercollateralized. the VaultManager liquidates it.
	Anyone can make a **Vault** by putting up collateral with the appropriate VaultManager. Then
	they can request RUN that is backed by that collateral.
	In any vat, when the ratio of the debt to the collateral exceeds a governed threshold, it is
	deemed undercollateralized. If the result of a price check shows that a vault is
	undercollateralized, the VaultManager liquidates it.

[Chris-Hibbert]

This seems like it'll do the wrong thing. If as a result of multiplication, the new ratio is 25.929489523*COMPOUNDED_INTEREST_PRECISION / 20.239482873*COMPOUNDED_INTEREST_PRECISION, this will reduce it to 25/20. I think Dean's suggestion to reduce the numerator to numerator/denominator * COMPOUNDED_INTEREST_PRECISION, and the denominator to COMPOUNDED_INTEREST_PRECISION would be a better approach.

and 10**30 is more than we need/want. How about 10**21?

[turadg]

This seems like it'll do the wrong thing

Yep, this was a silly thing whipped up for the design discussion.

and 1030 is more than we need/want. How about 1021?
👍 5d43e74

I think we can cut it down more after #4573

[Chris-Hibbert]

trace() would probably be better.

[turadg]

Agreed. I ended up removing it.

[Chris-Hibbert]

If they don't serve any useful purpose, please replace them with either actual issuers or Far('brand'). If the test doesn't rely on these methods, let's not clutter the test with them. Being consistent with other tests when there's no need to diverge makes reviewing them easier.

[Chris-Hibbert]

Suggested change

	* Each VaultManager manages a single collateralType.
	*
	* It owns an autoswap instance which trades this collateralType against RUN. It
	* also manages some number of outstanding loans, each called a Vault, for which
	* the collateral is provided in exchange for borrowed RUN.
	*
	* Each VaultManager manages a single collateral type.
	*
	* It manages some number of outstanding loans, each called a Vault, for which
	* the collateral is provided in exchange for borrowed RUN.
	*

[Chris-Hibbert]

Is the identity for interest 1n instead of 0n?

[turadg]

latestInterestUpdate is a timestamp, 0n here because there is no previous update. I'll add a comment.

[Chris-Hibbert]

shouldn't it start out as the current time? Won't it charge interest from the unix epoch to the current time the first time it reaches calculateReportingPeriod.
The tests all run with times around zero

[turadg]

Yes! d2560ba

[Chris-Hibbert]

If the style guide asks us to avoid ++, there isn't a good reason to violate that rule here. Doing what the style guide wants is at least as concise and understandable as the work to disable it.

Suggested change

	// eslint-disable-next-line no-plusplus
	const vaultId = String(vaultCounter++);
	vaultCounter += 1;
	const vaultId = String(vaultCounter);

[turadg]

Agree completely about not violating style rules. I had a PR to remove this as a rule but it's closed and this is the right way.

[Chris-Hibbert]

Isn't this a bug? Shouldn't something complain if the debt doesn't grow at all?

[turadg]

I lost the context for this but the underlying buggy draft code is gone anyway.

[Chris-Hibbert]

I'm not done with this pass, but these are what I've found so far. I'll be away for a bit, so I thought I should update with interim results.

[Chris-Hibbert]

Suggested change

	// A store for of vaultKits prioritized by their collaterization ratio.
	// A store for vaultKits prioritized by their collaterization ratio.

[Chris-Hibbert]

Should this be a TODO? I don't understand the point that it's making. Can you clarify?

[turadg]

I chose XXX to say "here's a known issue" but I don't think we necessarily have to schedule addressing it. I've updated the comment to clarify:

// XXX misleading mutability and confusing flow control; could be refactored with a listener

[Chris-Hibbert]

That's clearer, though I guess I'm not familiar with listeners. Could you say a bit more? [in this thread; I doubt it needs to be added to the comment.]

And I don't see the update here.

[turadg]

Yeah, didn't implement it yet. I've got some more refactoring tasks coming and it might fit into one of those.

Gist is that right now we're delaying construction of A until the callback B is available that need A in scope. What we can do instead is wire up the listening after they're both created.

const A = makeA();
const B = makeB();
A.onEventBCaresAbout(B);

[Chris-Hibbert]

I thought we were converting to ts-expect-error. Should this use that convention?

[turadg]

Yes, though unfortunately we can't until #4560

[Chris-Hibbert]

Isn't this addressed by declaring Ratio to use only Nat Amounts?

[turadg]

Yes, when the value is known to be Amount<NatValue>. However this function declaration is only, {Amount} which can be any kind of amount. Really this function should take only Amount<NatValue> but making that change reduces what this function takes and necessitates updates to every upstream declaration. Out of scope.

[Chris-Hibbert]

A few more things to clean up. Mostly comments and renamings.

[Chris-Hibbert]

Suggested change

	[250n, BASIS_POINTS, M, 100, 11813903n, 5], // 2.5% APR over 10 year yields 1181%
	[250n, BASIS_POINTS, M, 100, 11813903n, 5], // 2.5% APR over 100 year yields 1181%

[Chris-Hibbert]

obsolete comment

[Chris-Hibbert]

Suggested change

	* Snapshot of the debt and compouneded interest when the principal was last changed
	* Snapshot of the debt and compounded interest when the principal was last changed

[Chris-Hibbert]

whenever principal or debt changes? i.e. in adjustBalancesHook.

[Chris-Hibbert]

"though" isn't right. Should it be "to" or "through"?

[turadg]

yeah typo for "through". corrected.

[Chris-Hibbert]

I'm surprised eslint allows this. All if bodies should have braces.

All Errors should have a message.

Is this necessary? I expected Zoe to ensure the want amount in a proposal should be value for the issuer.

[turadg]

Not necessary. Maybe leftover from a type safety excursion. Removed now.

[Chris-Hibbert]

runDebt was the old name for the amount that's now in debtSnapshot. Here it should be newDebt or stagedDebt to reflect that it won't be updated in debtSnapshot until we perform a couple of checks.

[Chris-Hibbert]

That's clearer, though I guess I'm not familiar with listeners. Could you say a bit more? [in this thread; I doubt it needs to be added to the comment.]

And I don't see the update here.

[Chris-Hibbert]

Is this something other than what we call a facet?

Suggested change

	const managerFacade = harden({
	const managerFacet = harden({

[dtribble]

"in any vault"

[dtribble]

This could be expensive if we delete individual entries in order. It would be too much to make it computed lazily I expect until we see the actual perf though. So just a note for the future

[dtribble]

could use a comment about the method :)

[dtribble]

the old name seems better since it aligns with the offer "give/want" terminology.

[turadg]

I agree give/want are terms to use reliably, which is why I think the use of "want" here is an error. "Want" is for a particular transaction and this proposedRunDebt is cumulative. I.e. the total debt if wanted RUN were to be provided.

[dtribble]

this should define a local constant for the runDebt. It's both less churn and properly makes it clear that the value is expected to be the same.

[dtribble]

Why isn't totalDebt an Amount? There's no reason not to have it be a checked value where our units math is doing the right thing.

[dtribble]

(I don't think that's blocking but something we should discuss)

[turadg]

Let's do discuss. This is where @Chris-Hibbert and I arrived. My position for why to have it a bigint here is this makes the arithmetic easier to follow and the Amount wrapper didn't provide any extra assurances within this module because debt brand is invariant.

Totally open to changing back, just want to save it for the virtual objects refactor.

[turadg]

The bug fixed in in d2560ba I think wouldn't have happened if not for wrapping amount values for totalDebt. So I'm convinced you're right that it's better to keep it as an amount: e71db04

[dtribble]

why the funky absolute value?

const newTotal = totalDebt += delta;
assert(newTotal > 0n), 'Negative delta greater than total debt');
// TODO here we will call the factory machine to apply the delta to it
totalDebt = newTotal;

[dtribble]

Should be fixed?

[turadg]

I agree with the simplification. I don't recall why it's like this and have simplified to,

   totalDebt += delta;
    assert(totalDebt >= 0n, 'Negative delta greater than total debt');

I think the "call the factory machine" element is out of scope.

[dtribble]

I was trying to be clear that it's closely held (inner), but YMMV

[turadg]

Punting on this topic as it's going to get refactored more by the vault transfer and virtual objects work.

[dtribble]

It's perfectly reasonable for this to remain getDebtAmount. The caller doesn't care that it's calculated. the only reason to rename is if it was doing side-effects, which it's not.

[turadg]

Agree that caller doesn't (and shouldn't) care. But I do think that since there is getNormalizedDebt exists it would help the caller to distinguish this as actual debt.

[dtribble]

LGTM except the one change

[dtribble]

This assert needs to be before the totalDebt gets updated, I think. Hence compute a temporary, assert, then assign.

[turadg]

Agree the lines commented have the bug that if the assert fails totalDebt will have been updated. I thought the thrown error would break more things but that's not a valid assumption; something could catch it and believe the totalDebt that was left.

However, the lines highlighted were removed in e71db04 . That amountMath call will throw if the negative delta was greater than total debt (because the result wouldn't be a natural number, which is really what this is enforcing). totalDebt won't update.

[Chris-Hibbert]

makeEmpty is preferred, even when we know it's a Nat.

[turadg]

I'll get that into #4581 when I rebase it onto master.