Enforce reserve when creating trust line or MPToken in VaultWithdraw

[Bronek]

High Level Overview of Change

Similarly to other transaction typed which can create a trust line or MPToken for the transaction submitter (e.g. CashCheck #5285 , EscrowFinish #5185 ), VaultWithdraw should enforce reserve before creating a new object.

Additionally, enforce lsfRequireDestTag account flag for the transaction submitter.

Context of Change

This fixes #5837 and improves consistency with other transaction types.

Type of Change

• Bug fix (non-breaking change which fixes an issue)

[codecov]

Codecov Report

❌ Patch coverage is 95.65217% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 79.5%. Comparing base (afb6e0e) to head (0763af9).
⚠️ Report is 4 commits behind head on develop.

Files with missing lines	Patch %	Lines
src/xrpld/app/tx/detail/VaultWithdraw.cpp	94.7%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##           develop   #5857     +/-   ##
=========================================
- Coverage     79.5%   79.5%   -0.0%     
=========================================
  Files          816     816             
  Lines        72185   72176      -9     
  Branches      8297    8273     -24     
=========================================
- Hits         57372   57362     -10     
- Misses       14813   14814      +1     

Files with missing lines	Coverage Δ
include/xrpl/protocol/detail/transactions.macro	100.0% <ø> (ø)
src/libxrpl/ledger/View.cpp	94.6% <100.0%> (+0.2%)	⬆️
src/xrpld/app/tx/detail/VaultDeposit.cpp	97.7% <100.0%> (+0.7%)	⬆️
src/xrpld/app/tx/detail/VaultWithdraw.cpp	97.9% <94.7%> (+1.2%)	⬆️

... and 5 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[dangell7]

It's hard to tell with your test case/suite structure but do you have tests where the issuer is the depositor? Also you test frozen but I don't see deep freeze or auth or no ripple?

[Bronek]

In this branch, there is withdrawal to 3rd party which happens to be issuer

rippled/src/test/app/Vault_test.cpp

Line 376 in fd178c5

testcase(prefix + " withdraw to issuer");

However this branch does not allow the issuer to be also depositor. This is fixed in #5518 and the test to match is

rippled/src/test/app/Vault_test.cpp

Line 399 in 42be446

testcase(prefix + " issuer deposits");

[ximinez]

I'm going to suggest a little reorganization here.

Suggested change

	auto const sleAcct = view().read(keylet::account(dstAcct));
	if (!sleAcct)
	return tecINTERNAL; // LCOV_EXCL_LINE
	if (auto const sleLine =
	view().read(keylet::line(dstAcct, vaultAsset.get<Issue>()));
	sleLine == nullptr)
	{
	// This should be enforced by `requireAuth` called in `preclaim`
	if (dstAcct != account_)
	return tecINTERNAL; // LCOV_EXCL_LINE
	// Can the account cover the trust line's reserve ?
	std::uint32_t const ownerCount = sleAcct->at(sfOwnerCount);
	if (mPriorBalance < view().fees().accountReserve(ownerCount + 1))
	return tecNO_LINE_INSUF_RESERVE;
	}
	if (auto const sleLine =
	view().read(keylet::line(dstAcct, vaultAsset.get<Issue>()));
	sleLine == nullptr)
	{
	// This should be enforced by `requireAuth` called in `preclaim`
	if (dstAcct != account_)
	return tecINTERNAL; // LCOV_EXCL_LINE
	auto const sleAcct = view().read(keylet::account(account_));
	if (!sleAcct)
	return tecINTERNAL; // LCOV_EXCL_LINE
	// Can account_ cover the trust line's reserve ?
	std::uint32_t const ownerCount = sleAcct->at(sfOwnerCount);
	if (mPriorBalance < view().fees().accountReserve(ownerCount + 1))
	return tecNO_LINE_INSUF_RESERVE;
	}

Basically, don't load the AccountRoot SLE until after you've verified that the line doesn't exist, and then when you do, specify it as account_, so it's clearer which account you're dealing with.

Even though computing the Keylet for the line is slightly more expensive than computing the Keylet for the account, if the line already exists, or if dstAcct != account_, you'll skip computing the account key entirely, and loading the object entirely.

[Bronek]

Thanks, this is good.

[Bronek]

While writing this I've realised that VaultWithdraw should also create MPToken when the submitter is also the destination account, and the MPToken for an MPT asset does not exist but otherwise would be authorized. I will add this change here.

This is similar to what the TokenEscrow amendment has done for MPT in EscrowFinish transaction.

[Bronek]

this change is for consistency with other transaction types

[ximinez]

this change is for consistency with other transaction types

This code is basically duplicated from the account != dstAccount block, other than the result for a missing account.

Would it make more sense to take this code out of the if statement, and check which account before deciding which TER to return?

Something like

    auto const sleDst = ctx.view.read(keylet::account(dstAcct));
    if (sleDst == nullptr)
        return account == dstAcct : tecINTERNAL : tecNO_DST;

    if (sleDst->isFlag(lsfRequireDestTag) &&
        !ctx.tx.isFieldPresent(sfDestinationTag))
        return tecDST_TAG_NEEDED;  // Cannot send without a tag

    // If sending to Account (i.e. not a transfer), we will also create
    // (only if authorized) a trust line or MPToken as needed, in doApply().
    AuthType authType = AuthType::WeakAuth;
    if (account != dstAcct)
    {
        if (sleDst->isFlag(lsfDepositAuth))
        {
            if (!ctx.view.exists(keylet::depositPreauth(dstAcct, account)))
                return tecNO_PERMISSION;
        }
        // The destination account must have consented to receive the asset by
        // creating a RippleState or MPToken
        authType = AuthType::StrongAuth;
    }

[gregtatcam]

Shouldn't also check if dstAcct == account_? A trusdtline or MPToken only should be created if that condition is true.

[Bronek]

Good idea, I will do it.

[gregtatcam]

Don't need this. Can just let it fall through.

[gregtatcam]

Don't need this. Can just let it fall through.

[gregtatcam]

dstAcct may be different from account_. I think should only execute std::visit if dstAcct == account_.

[Bronek]

Agree, however this condition is not faulty - it just relies on check performed in preclaim. But I like your idea better.

[gregtatcam]

I think can simplify testSequence and testCases by defining the accounts once at the start of teseSequences:

void
testSequences()
{
    using namespace test::jtx;
     Account const issuer{"issuer"};
     Account const owner{"owner"};
     Account const depositor{"depositor"};
     Account const charlie{"charlie"};  // authorized 3rd party
     Account const dave{"dave"};

    auto const testSequence = [this](
                                  std::string const& prefix,
                                  Env& env,
                                  Vault& vault,
                                  PrettyAsset const& asset)

[gregtatcam]

This could be true for some other code when the passed accounts are always the same. For instance, issuer is always `Account{"issuer"}'.

[Bronek]

Good idea

[Bronek]

@gregtatcam your feedback is addressed in 7a55863 - thank you !

[gregtatcam]

This is more efficient:

 if (!view().exists(keylet::line(dstAcct, issue)))

[Bronek]

also more explicit - thanks !

[gregtatcam]

This is more efficient:

 if (!view().exists(keylet::mptoken(issue.getMptID(), account_)))

[gregtatcam]

👍 LGTM

[ximinez]

If this list of Account params ever gets too unwieldy, you can simply "recreate" them inside the function. The values are deterministic and cached, so you don't have to worry about wasting resources either.

[ximinez]

If this list of Account params ever gets too unwieldy, you can simply "recreate" them inside the function. The values are deterministic and cached, so you don't have to worry about wasting resources either.

I see you have already rewritten them to have the accounts be in an outer scope, which is even simpler.

[ximinez]

this change is for consistency with other transaction types

This code is basically duplicated from the account != dstAccount block, other than the result for a missing account.

Would it make more sense to take this code out of the if statement, and check which account before deciding which TER to return?

Something like

    auto const sleDst = ctx.view.read(keylet::account(dstAcct));
    if (sleDst == nullptr)
        return account == dstAcct : tecINTERNAL : tecNO_DST;

    if (sleDst->isFlag(lsfRequireDestTag) &&
        !ctx.tx.isFieldPresent(sfDestinationTag))
        return tecDST_TAG_NEEDED;  // Cannot send without a tag

    // If sending to Account (i.e. not a transfer), we will also create
    // (only if authorized) a trust line or MPToken as needed, in doApply().
    AuthType authType = AuthType::WeakAuth;
    if (account != dstAcct)
    {
        if (sleDst->isFlag(lsfDepositAuth))
        {
            if (!ctx.view.exists(keylet::depositPreauth(dstAcct, account)))
                return tecNO_PERMISSION;
        }
        // The destination account must have consented to receive the asset by
        // creating a RippleState or MPToken
        authType = AuthType::StrongAuth;
    }

[dangell7]

This could/should return tesSUCCESS if the line already exists imo.

Also you call isGlobalFrozen here but also call it in preclaim too right? canAddHolding does the same checks as this but I don't see canAddHolding called? Does that mean that this function can return internal?

[ximinez]

This could/should return tesSUCCESS if the line already exists imo.

There are callers where it would be a weird problem if the holding already exists. For example, the transactions that create new accounts.

[Bronek]

Normally I would suggest an additional flag as a function input parameter to choose the semantics of duplicates handling. In this case, if we want to go this way, #5270 would be a better fit to make a change (I would not want this small PR to be an obstacle for the larger PR to trip on).

[shawnxie999]

LGTM 👍

[ximinez]

Post merge approval 👍