Chore: Make a state entry to find total amount of native assets IBC'd out

[stackman27]

Description

Currently every channel has its own escrow bank account, which is a great design! So its very easy to see the amount of native assets IBC'd in or out on any IBC channel.

However, there are use cases that would like us to be able to reason about the total amount of a native asset that has been IBC'd out.

So if there are say three channels from Osmosis to Juno:

channel-1: 10 Osmo -> Juno
channel-2: 20 Osmo -> Juno
channel-3: 30 Osmo -> Juno

I would like to be find that its been 60 osmo IBC'd out, with no iteration.

closes: #2664
closes: #3187

Commit Message / Changelog Entry

Chore: Make a state entry to find total amount of native assets IBC'd out

see the guidelines for commit messages. (view raw markdown for examples)

---

Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.

• Targeted PR against correct branch (see CONTRIBUTING.md).
• Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• Code follows the module structure standards.
• Wrote unit and integration tests.
• Updated relevant documentation (docs/) or specification (x/<module>/spec/).
• Added relevant godoc comments.
• Provide a commit message to be used for the changelog entry in the PR description for review.
• Re-reviewed Files changed in the Github PR explorer.
• Review Codecov Report in the comment section below once CI passes.

[damiannolan]

Awesome! Thanks for the PR @stackman27, will try to review this soon!

[nicolaslara]

Added some comments about name changes for clarity.

Other than that and getting CI to pass, this looks good to me

[crodriguezvega]

Thanks for this contribution, @stackman27! I have a few of questions/remarks:

• It would be great to have some tests for this!
• The escrowed amount for a particular denom would be set on the first transfer of that denom. So until a transfer is done, the query would return 0, right? Would you consider adding a migration that calculates the amount in escrow and sets it beforehand?
• When native tokens return back to the source chain, the total amount in escrow would not be updated until there's a transfer. Should you maybe update the total amount in escrow in the OnRecvPacket callback as well? Similar comment in case the transfer times out or the acknowledgement received is an error, then the tokens are refunded, so maybe it's good to update the value as well in refundTokens. In general, I would try to think in what places this value needs to be updated so it doesn't get out of sync with the actual amount in escrow.
• Reading the original issue, I think the implementation is missing one requirement: Add a safety check if this value is ever attempted to be serialized to a negative value.
• Following on @nicolaslara comment about naming, I think it would be nice to keep it consistent and use TotalEscrow instead of IBCOut everywhere.

Another thing that maybe deserves some thinking: in case there are other applications or middleware (e.g. rate limiting) relying on this value, we should be careful that the value cannot be tampered with to fool those applications. For example: one possible situation that comes to mind is that a malicious actor could transfer native tokens directly to one of the escrow accounts for the denom, then the value that you calculate based on the balance doesn't exactly reflect the true amount of native tokens that have been transferred out of the chain.

[crodriguezvega]

Maybe I'm missing something, but I think that this is setting the total amount escrowed for token.Denom on a particular channel, not across all channels, right? In the example you mention in the description of the PR, I think this code would set the total amount in escrow in channel-1, channel-2 or channel-3 depending on what channel the transfer is going out at any given time. For example, if I do a transfer on channel-1 it sets the total amount in escrow for channel-1, but if afterwards I do a transfer on channel-2 then the previous vale would get overwritten with the total amount in escrow for channel-2...

[stackman27]

aah i see, i went with the assumption that all channels share same escrowAccount. So here, i'll probably have to get all the channel's escrow account balance sum it up and then store in every transfer right?

[crodriguezvega]

Yes, exactly. Tokens can be transferred out of a chain to the same destination chain through different channels, so you'll have add up the the balances of potentially multiple escrow accounts.

[stackman27]

sounds great. I have addressed most of it as per this comment

[crodriguezvega]

Maybe for naming consistency and in case in the future we want to have other queries related to denoms?

Suggested change

	option (google.api.http).get = "/ibc/apps/transfer/v1/total_native_ibc_out/{denom}";
	option (google.api.http).get = "/ibc/apps/transfer/v1/denoms/{denom}/total_escrow";

And would this work fine if the denom contains slashes?

[crodriguezvega]

Wondering also if the port_id should be part of the URI...

[nicolaslara]

Since the tracking is only happening for the transfer port, I think it makes sense to keep the port out of the uri or hard-code it to "transfer". Otherwise it seems like we could get this data for other channels, for which it just won't be available

[stackman27]

Thanks you for your feedback @crodriguezvega. I have few questions/comments

• It would be great to have some tests for this!

Finalizing some tests. Want to make sure I have approach ACK

• The escrowed amount for a particular denom would be set on the first transfer of that denom. So until a transfer is done, the query would return 0, right? Would you consider adding a migration that calculates the amount in escrow and sets it beforehand?

Addressed! here

• When native tokens return back to the source chain, the total amount in escrow would not be updated until there's a transfer. Should you maybe update the total amount in escrow in the OnRecvPacket callback as well? Similar comment in case the transfer times out or the acknowledgement received is an error, then the tokens are refunded, so maybe it's good to update the value as well in refundTokens. In general, I would try to think in what places this value needs to be updated so it doesn't get out of sync with the actual amount in escrow.

Addressed! transfer, onRecvPacket, refund I originally thought we were only tracking total channel's IBC out instead of tracking channel's total escrow amount so it got me a little confused

• Reading the original issue, I think the implementation is missing one requirement: Add a safety check if this value is ever attempted to be serialized to a negative value.

Addressed! here

• Following on @nicolaslara comment about naming, I think it would be nice to keep it consistent and use TotalEscrow instead of IBCOut everywhere.

Working on this, I still am unsure if native denoms contains slash("/") or not. I imagine it to be a standalone denomination like uosmo, uatom etc

Another thing that maybe deserves some thinking: in case there are other applications or middleware (e.g. rate limiting) relying on this value, we should be careful that the value cannot be tampered with to fool those applications. For example: one possible situation that comes to mind is that a malicious actor could transfer native tokens directly to one of the escrow accounts for the denom, then the value that you calculate based on the balance doesn't exactly reflect the true amount of native tokens that have been transferred out of the chain.

I didn't really think about this beforehand because i thought this security was already in place. If a random actor transfers $$ to channel-0 escrowAddress without proper transfer/refund, doesnot that violate current security gurantee as well

[crodriguezvega]

Thanks very much for addressing the comment so quickly, @stackman27! ❤️ I will give the PR another review in the next couple of days. To reply to your last comment:

I originally thought we were only tracking total channel's IBC out instead of tracking channel's total escrow amount so it got me a little confused

This is a good question. We both had different interpretations of the requirements :) I assumed that we wanted to track the total amount of native assets that are outside of the chain (and hence the total balance of the escrow accounts would give us), but your interpretation might as well be correct (track how many tokens have flowed out of the chain regardless of whether they came back). I think it would be good to hear @ValarDragon thoughts on what he originally wanted to track when he wrote the issue. I am also curious to hear @womensrights opinion on this.

Working on this, I still am unsure if native denoms contains slash("/") or not. I imagine it to be a standalone denomination like uosmo, uatom etc

Native denoms might contain slashes, so we should support this. We had an issue in the past that we didn't support denom with slashes correctly and it was not possible to transferred them.

If a random actor transfers $$ to channel-0 escrowAddress without proper transfer/refund, doesnot that violate current security gurantee as well

I think at the moment this doesn't pose any risk. The only thing is that the tokens will stay in the escrow account, probably locked forever (or until governance decides to take them out) since there will be no counterparty vouchers created for them in any other chain. So basically the user will waste their tokens without causing any risk to the application. But I think my point still stands: applications monitoring the total amount escrowed, might be fooled if this value is tampered with. I will discuss this with the rest of the team.

[stackman27]

This is a good question. We both had different interpretations of the requirements :) I assumed that we wanted to track the total amount of native assets that are outside of the chain (and hence the total balance of the escrow accounts would give us), but your interpretation might as well be correct (track how many tokens have flowed out of the chain regardless of whether they came back). I think it would be good to hear @ValarDragon thoughts on what he originally wanted to track when he wrote the issue. I am also curious to hear @womensrights opinion on this.

Hi @crodriguezvega had a chat with @nicolaslara about this and we are tracking "total amount of native assets that are outside of the chain (and hence the total balance of the escrow accounts would give us)". The new commit i pushed highlights those changes. Please lmk what you think about it

[crodriguezvega]

Thanks for continue working on this, @stackman27! I have left a few comments with for some things that I think still need some more work. Let me know what you think!

[stackman27]

@crodriguezvega @nicolaslara apologies for the delay, i was busy with some other work.

However, I've addressed all the comments and this PR is ready for re-review :))

[crodriguezvega]

@crodriguezvega @nicolaslara apologies for the delay, i was busy with some other work.

However, I've addressed all the comments and this PR is ready for re-review :))

Hi @stackman27, thanks for addressing the comments! I've started reviewing again and there's a few small changes that I would like to do, but if you don't mind, I think it would help to move this PR faster if I push the changes directly to your branch. Is that ok?

There's also a scenario that I think it's not covered yet. Imagine the following situation for tokens traveling from chain A (where the tokens are native) to chain C:

chains: chain A (channel-0) -> (channel-0) chain B (channel-1) -> (channel-1) chain C
denom:  stake                  transfer/channel-0/stake           transfer/channel-1/transfer/channel-0/stake

When the tokens are transferred from chain B to chain C, the SendChainIsSource check on sendTransfer will pass for tokens with denom transfer/channel-0/stake, because the source channel is channel-1 (since tokens are now being transferred to chain C). And because this check passes, then an escrow amount will be stored in state for denom transfer/channel-0/stake. But this would not be desired behavior, since we only want to track native denoms. I think similar behavior is happening also for the packet callbacks.

I am writing some tests to confirm this, and if my reasoning is not wrong, then I will implement the necessary changes in the code to handle this scenario and I will also push them to your branch. I hope this is also ok. I will comment on the PR, as soon as I push the changes, so that you can also review.

I think I will be able to push to your branch, in case I can, I will also comment here to ask you to give me permissions.

Thanks a lot for all this work so far!

[crodriguezvega]

@stackman27 I made some changes (most notably adding checks to e2e test, genesis migration) so this PR is ready for another review now. There are a few items pending that I will work on in a follow up PR.

[crodriguezvega]

This is zero because the tokens are back from chain B.

[colin-axner]

should this be added as an in code comment?

[crodriguezvega]

I refactored this to make it more table-test like.

[colin-axner]

Can we pull these changes out into a separate pr to main?

[crodriguezvega]

After discussing with @colin-axner, we can merge this API breaking change to main and in the backport revert it and add an extra constructor that takes the extra parameter.

[colin-axner]

Thanks for all the followup fixes! First pass, will continue reviewing next week

[colin-axner]

I think I'd prefer it to be one key, I don't find the pattern used for channel/port id path's to be equivalent. In referenced case, channelEnds is a key for the 04-channel keeper. Here the totalEscrow and denoms are referencing the same key, is there a scenario when we use totalEscrow as a prefix for a different key? Otherwise I'd prefer it to just be totalEscrow/{denom}

[colin-axner]

Can we pull these changes out into a separate pr to main?

[colin-axner]

Almost done! Thanks for all the work! I only have a few files left to review (migrations). I left many suggestions/comments. Let me know if you have any questions

[colin-axner]

Maybe we can update the comments to indicate why we are doing this as opposed to what the function means. Maybe something like:

Suggested change

	// get the existing total amount in escrow
	currentTotalEscrow := k.GetTotalEscrowForDenom(ctx, token.GetDenom())
	newTotalEscrow := currentTotalEscrow.Add(token.Amount)
	// store the new total amount in escrow
	k.SetTotalEscrowForDenom(ctx, token.GetDenom(), newTotalEscrow)
	// track the total amount in escrow keyed by denomination to allow for efficient iteration
	currentTotalEscrow := k.GetTotalEscrowForDenom(ctx, token.GetDenom())
	newTotalEscrow := currentTotalEscrow.Add(token.Amount)
	k.SetTotalEscrowForDenom(ctx, token.GetDenom(), newTotalEscrow)

I wonder if we should dump the attached issue into an ADR and then reference the ADR number. If there's an architectural change a few years from now that makes this extra storing unnecessary, it might help to have context of why we made this decision

[colin-axner]

What is this test doing that TestSendTransfer isn't? I think this could be a test case of TestSendTransfer which uses a helper function to generate an IBC token that is sent to the third chain (or different channel in this case)?

[crodriguezvega]

Yes, I could look into that, but to be honest in my opinion the TestSendTransfer is a bit overloaded already (I was actually thinking of opening a PR with a suggestion to split it, since every time I have to come back to it I have a hard time understanding the tests cases)...

[colin-axner]

Simplifying the tests makes sense to me, I agree these tests are hard to follow. My concern is just having 1 test per test case. Did you open an issue?

[colin-axner]

What's the reasoning for this test case?

[crodriguezvega]

If I send back the full amount I wouldn't be sure of whether the subtraction happened correctly when the tokens are sent back or something else is wrong in the code, since there could be a situation where we have a bug in setting the escrow amount both on send and recv and the result would be the same as if it worked (the total amount in escrow at the end is 0).

[colin-axner]

Ah, this is true because recvIsSource. Should we add a comment?

[colin-axner]

should this be added as an in code comment?

[damiannolan]

Just flagging import grouping nits as I expect you would like to merge and complete the remainder with follow ups.

Awesome work on this! Thanks @stackman27 @crodriguezvega

[crodriguezvega]

Thanks a lot for all your work, @stackman27. We will continue with #3368 to wrap up the feature.

[colin-axner]

Is there an issue for these? Why are they commented out?

[chatton]

There is a proto deserialisation issue. See: this thread

[colin-axner]

typo? pathAndEscrowAmount?

[colin-axner]

Is there a test for InitGenesis?

[colin-axner]

what is this test case checking? The total escrow is empty for this denom

[colin-axner]

ditto

[colin-axner]

Simplifying the tests makes sense to me, I agree these tests are hard to follow. My concern is just having 1 test per test case. Did you open an issue?

[colin-axner]

Oh this is only true because recvIsSource is set to true. Should we add a comment?

[colin-axner]

Ah, this is true because recvIsSource. Should we add a comment?

[colin-axner]

I don't think this needs separate declaration?

[colin-axner]

I find tests to be more maintainable when we use transfer logic to setup the state we want to test from. This code seems to be manually inserting ibc tokens rather then sending them between channels. If a feature is added, it'd need to modify this setup logic even if this test doesn't test the feature