Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reject unexpected transfers #1241

Closed
wants to merge 13 commits into from
Closed

Reject unexpected transfers #1241

wants to merge 13 commits into from

Conversation

alexytsu
Copy link
Contributor

@alexytsu alexytsu commented Mar 6, 2023
edited
Loading

Closes #836

Adds payable to the runtime which must be called when funds are sent to a method.

It aborts the method if funds are received and payable was never called.

alexytsu
alexytsu commented Mar 6, 2023
View reviewed changes
Copy link
Contributor Author

@alexytsu alexytsu left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An alternate approach to structure the MockRuntime could look something like this https://github.com/helix-onchain/builtin-actors/pull/3. It might reduce boilerplate but requires drilling the value sent to the invocation of the call method.

actors/init/tests/init_actor_test.rs Outdated
Comment on lines 125 to 126
rt.set_value(balance.clone());
rt.expect_value(balance.clone());
Copy link
Contributor Author

@alexytsu alexytsu Mar 6, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps to reduce boilerplate, set_value could internally call expect_value. I can't think of a case where the values ought to be different though doing it implicitly is slightly more magical

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the reverse of having expect_value always set the value should work. There appear to be some test cases that use set_value without expect_value, but they're rather suspect so maybe we can remove set_value altogether?

actors/multisig/src/lib.rs Show resolved Hide resolved
@alexytsu alexytsu marked this pull request as ready for review March 6, 2023 12:09
@alexytsu alexytsu requested a review from anorth March 6, 2023 12:09
Stebalien
Stebalien reviewed Mar 6, 2023
View reviewed changes
Copy link
Member

@Stebalien Stebalien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe we also need some storage provider methods to be payable:

  • Maybe SubmitWindowedPoSt? IIRC, storage providers may use this for top-up? But I'm not sure (cc @arajasek).
  • PreCommitSector/ProveCommitSector/ExtendSectorExpiration(2)/PreCommitSectorBatch(2)/ProveCommitAggregate/ProveREplicaUpdates(2) - To cover deposits.
  • DeclareFaults, DeclareFaultsRecovered, RepayDebt - to pay back fee debt.

actors/evm/src/lib.rs Outdated Show resolved Hide resolved
actors/multisig/src/lib.rs Show resolved Hide resolved
runtime/src/runtime/fvm.rs Show resolved Hide resolved
@alexytsu alexytsu mentioned this pull request Mar 7, 2023
Merged
@alexytsu
Copy link
Contributor Author

alexytsu commented Mar 7, 2023

I've marked the methods mentioned from the miner as payable but not sure if there are any others in this repo that need to be reviewed. Is payability documented somewhere? else, we should compile a list now and I'll update tests to enforce these expectations.

@Stebalien
Copy link
Member

I've marked the methods mentioned from the miner as payable but not sure if there are any others in this repo that need to be reviewed. Is payability documented somewhere? else, we should compile a list now and I'll update tests to enforce these expectations.

This never a concept before (by default, everything is "payable"), so no. The only reliable way to determine this would be to ask the sentinel team to tell us which methods tend to carry value.

Note: this will definitely require a FIP.

@codecov-commenter
Copy link

Codecov Report

Merging #1241 (095833c) into master (9cb8a6b) will decrease coverage by 0.11%.
The diff coverage is 89.83%.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1241      +/-   ##
==========================================
- Coverage   90.97%   90.87%   -0.11%     
==========================================
  Files         133      133              
  Lines       26633    26679      +46     
==========================================
+ Hits        24230    24245      +15     
- Misses       2403     2434      +31
Impacted Files Coverage Δ
runtime/src/runtime/mod.rs 89.28% <ø> (ø)
test_vm/src/lib.rs 83.08% <68.75%> (-0.16%) ⬇️
runtime/src/test_utils.rs 82.65% <93.33%> (+0.10%) ⬆️
actors/eam/src/lib.rs 93.30% <100.00%> (ø)
actors/evm/src/lib.rs 92.74% <100.00%> (+0.02%) ⬆️
actors/init/src/lib.rs 92.55% <100.00%> (+0.33%) ⬆️
actors/market/src/lib.rs 91.13% <100.00%> (ø)
actors/miner/src/lib.rs 83.31% <100.00%> (+0.07%) ⬆️
actors/multisig/src/lib.rs 94.80% <100.00%> (-0.04%) ⬇️
actors/power/src/lib.rs 83.36% <100.00%> (-1.30%) ⬇️
... and 7 more

@anorth
Copy link
Member

anorth commented Mar 7, 2023

Note: this will definitely require a FIP.

I'm not so sure about that (and sorry @alexytsu if it turns out it does, I shouldn't have lined it up for you yet). Perhaps we can open a FIP discussion to determine this though.

anorth
anorth reviewed Mar 7, 2023
View reviewed changes
Copy link
Member

@anorth anorth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the following should also be payable:

  • miner::terminate_sectors (top up after penalties)
  • miner::compact_partitions (no reason not to)
  • miner::compact_sector_numbers (ditto)
  • miner::apply_rewards (necessary, even though miner doesn't inspect the amount)

I could be argued into some more owner/worker-only ones too, though I think they would be quite rare.

actors/init/tests/init_actor_test.rs Outdated
Comment on lines 125 to 126
rt.set_value(balance.clone());
rt.expect_value(balance.clone());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the reverse of having expect_value always set the value should work. There appear to be some test cases that use set_value without expect_value, but they're rather suspect so maybe we can remove set_value altogether?

actors/miner/src/lib.rs Outdated Show resolved Hide resolved
actors/miner/tests/repay_debts.rs Outdated Show resolved Hide resolved
runtime/src/runtime/mod.rs Outdated Show resolved Hide resolved
runtime/src/test_utils.rs Outdated Show resolved Hide resolved
runtime/src/test_utils.rs Outdated Show resolved Hide resolved
runtime/src/test_utils.rs Outdated Show resolved Hide resolved
runtime/src/test_utils.rs Outdated Show resolved Hide resolved
test_vm/src/lib.rs Outdated Show resolved Hide resolved
@anorth anorth mentioned this pull request May 21, 2023
Open
@alexytsu alexytsu closed this Mar 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Stebalien Stebalien Stebalien left review comments

@anorth anorth anorth left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Reject unexpected transfers of value (was: Add an equivalent of "payable" to the runtime)
4 participants
@alexytsu @Stebalien @codecov-commenter @anorth