feat(orchestration): deposit ERTP payment to ICA

[0xpatrickdev]

closes: #9193
closes: #9042

Description

• Adds .deposit() method to stakingAccountHolder to enable ERTP payment deposits to an Interchain Account. Flow:
  1. LocalChainAccount is created and Payment is deposited there
  2. LocalChainAccount sends ibc/MsgTransfer to ChainAccount
     • ChainTimerService is used to create a timeout timestamp. We take the current time and add five minutes to it
  3. If anything fails in the wallet offer flow:
     • Attempt is made to deposit live payment back to the user's seat
     • If payment is already in LCA, but failed to make it to the ICA, it is withdrawn back to the user's seat
• Adds .withdraw() method to LocalChainAccount
• Only accepts deposits of bondDenom until well known name handling for IBC denoms #9211, orchestration - chain - provide well-known chain #9063 (need to determine denom from Amount/Brand
• Hardcodes chain parameters in terms until orchestration - chain - provide well-known chain #9063, vat-orchestration expose client (chain) connection info #8879

Security Considerations

• Offer Safety: withdrawFromSeat is needed to retrieve a live payment from a seat. Offer safety is upheld because the user is not allowed to request a Want, but we need to proceed carefully. There is a chance the deposit fails along the way, and we need to ensure the payment can be recovered and deposited back to a users seat.

• chainTimerService is needed to create a timeout parameter for MsgTransfer

Scaling Considerations

• In order for a ChainAccount to have a deposit() functionality, a LocalChainAccount needs to be created. This could lead to a lot of LCA's

  • given the LCA is currently closed over in state, and might wind up with funds the holder needs to access, we might want to consider exposing interfaces for the LCA's (.withdraw, .executeTx, .query)

• TimerService is needed to create a MsgTransfer timeout parameter. See Orchestration: optimize timeoutHeight parameter for transactions, queries, and transfers #9324 for more details

Documentation Considerations

Testing Considerations

• I wanted to add more explicit tests for the functionality added to LocalChainAccount, but struggled to find a place to add them (and get access to a mint in bootstrap tests). Both deposit() and withdraw() are tested indirectly by tests in boot/../test-orchestration.ts

• I would like feedback on the imperative .deposit() flow - what happens if this throws? Can we assume the callers supplied payment is still live if it wasn't deposited to the LCA?

Upgrade Considerations

[cloudflare-pages]

Deploying agoric-sdk with    Cloudflare Pages

Latest commit:	37083e6
Status:	✅  Deploy successful!
Preview URL:	https://37ad759a.agoric-sdk.pages.dev
Branch Preview URL:	https://9193-deposit-to-ica.agoric-sdk.pages.dev

View logs

[0xpatrickdev]

My current (unsuccessful) attempt at this:

packages/cosmic-proto/src/helpers.ts

git diff packages/cosmic-proto/src/helpers.ts
diff --git a/packages/cosmic-proto/src/helpers.ts b/packages/cosmic-proto/src/helpers.ts
index ca192be60..00ebfea30 100644
--- a/packages/cosmic-proto/src/helpers.ts
+++ b/packages/cosmic-proto/src/helpers.ts
@@ -1,6 +1,15 @@
-import type { QueryAllBalancesRequest } from './codegen/cosmos/bank/v1beta1/query.js';
-import type { MsgSend } from './codegen/cosmos/bank/v1beta1/tx.js';
-import type { MsgDelegate } from './codegen/cosmos/staking/v1beta1/tx.js';
+import type {
+  QueryAllBalancesRequest,
+  QueryAllBalancesResponse,
+} from './codegen/cosmos/bank/v1beta1/query.js';
+import type {
+  MsgSend,
+  MsgSendResponse,
+} from './codegen/cosmos/bank/v1beta1/tx.js';
+import type {
+  MsgDelegate,
+  MsgDelegateResponse,
+} from './codegen/cosmos/staking/v1beta1/tx.js';
 import { RequestQuery } from './codegen/tendermint/abci/types.js';
 import type { Any } from './codegen/google/protobuf/any.js';
 import {
@@ -13,17 +22,32 @@ import {
  * `unknown` but it's actually this. The `value` string is a base64 encoding of
  * the bytes array.
  */
-export type AnyJson = { typeUrl: string; value: string };
-
-// TODO codegen this by modifying Telescope
+export type AnyJson = {
+  typeUrl: string;
+  value: string;
+};
 export type Proto3Shape = {
   '/cosmos.bank.v1beta1.MsgSend': MsgSend;
+  '/cosmos.bank.v1beta1.MsgSendResponse': MsgSendResponse;
   '/cosmos.bank.v1beta1.QueryAllBalancesRequest': QueryAllBalancesRequest;
+  '/cosmos.bank.v1beta1.QueryAllBalancesResponse': QueryAllBalancesResponse;
   '/cosmos.staking.v1beta1.MsgDelegate': MsgDelegate;
+  '/cosmos.staking.v1beta1.MsgDelegateResponse': MsgDelegateResponse;
   '/ibc.applications.transfer.v1.MsgTransfer': MsgTransfer;
   '/ibc.applications.transfer.v1.MsgTransferResponse': MsgTransferResponse;
 };

+export type ResponseType<T> =
+  T extends '/ibc.applications.transfer.v1.MsgTransfer'
+    ? '/ibc.applications.transfer.v1.MsgTransferResponse'
+    : T extends '/cosmos.bank.v1beta1.MsgSend'
+      ? '/cosmos.bank.v1beta1.MsgSendResponse'
+      : T extends '/cosmos.staking.v1beta1.MsgDelegate'
+        ? '/cosmos.staking.v1beta1.MsgDelegateResponse'
+        : T extends '/cosmos.bank.v1beta1.QueryAllBalancesRequest'
+          ? '/cosmos.bank.v1beta1.QueryAllBalancesResponse'
+          : never;
+
 /**
  * The encoding introduced in Protobuf 3 for Any that can be serialized to JSON.
  *

packages/vats/src/localchain.js

git diff packages/vats/src/localchain.js
diff --git a/packages/vats/src/localchain.js b/packages/vats/src/localchain.js
index 5a07e8ad3..6ab60c379 100644
--- a/packages/vats/src/localchain.js
+++ b/packages/vats/src/localchain.js
@@ -5,6 +5,8 @@ import { AmountShape } from '@agoric/ertp';

 const { Fail, bare } = assert;

+/** @import {TypedJson, ResponseType, Proto3Shape} from '@agoric/cosmic-proto'; */
+
 /**
  * @typedef {{
  *   system: import('./types.js').ScopedBridgeManager;
@@ -82,8 +84,9 @@ const prepareLocalChainAccount = zone =>
         return E(purse).withdraw(amount);
       },
       /**
-       * @param {import('@agoric/cosmic-proto').TypedJson<unknown>[]} messages
-       * @returns {Promise<import('@agoric/cosmic-proto').TypedJson[]>}
+       * @template {keyof Proto3Shape} T
+       * @param {TypedJson<T>[]} messages
+       * @returns {Promise<TypedJson<ResponseType<T>>[]>}
        */
       async executeTx(messages) {
         const { address, powers } = this.state;
@@ -178,8 +181,8 @@ const prepareLocalChain = (zone, makeAccount) =>
          * the query fails. Otherwise, return the response as a JSON-compatible
          * object.
          *
-         * @param {import('@agoric/cosmic-proto').TypedJson} request
-         * @returns {Promise<import('@agoric/cosmic-proto').TypedJson>}
+         * @param {TypedJson} request
+         * @returns {Promise<TypedJson>}
          */
         async query(request) {
           const requests = harden([request]);
@@ -197,11 +200,11 @@ const prepareLocalChain = (zone, makeAccount) =>
          * system error, will return all results to indicate their success or
          * failure.
          *
-         * @param {import('@agoric/cosmic-proto').TypedJson[]} requests
+         * @param {TypedJson[]} requests
          * @returns {Promise<
          *   {
          *     error?: string;
-         *     reply: import('@agoric/cosmic-proto').TypedJson;
+         *     reply: TypedJson;
          *   }[]
          * >}
          */

[turadg]

#9351

[0xpatrickdev]

Was expecting to see a bigint or string here. Surprised to see a number, but this is what I observed with local chains.

[dckc]

is that observed data captured in a unit test?

[0xpatrickdev]

It's currently captured in packages/boot/tools/supports.ts: https://github.com/Agoric/agoric-sdk/pull/9342/files#diff-5f4f231637e90b9cdfecc29b28c80beb222607ad154bbc266cbf52c6a7c246e9R438-R446

I considered adding a new type helper to @agoric/cosmic-proto that's like JsonSafe, but wanted to be sure of this behavior before proceeding. @michaelfig - do you have any insights here? Are bigints cast to numbers for the LocalChainAccount implementation?

[0xpatrickdev]

Given Scaling Considerations, we may want to reconsider including deposit() on ChainAccount.

[0xpatrickdev]

Suggested change

	/** @import {TypedJson, ResponseType, Proto3Shape} from '@agoric/cosmic-proto'; */
	/** @import {TypedJson, Proto3Shape} from '@agoric/cosmic-proto'; */

[turadg]

i wouldn't worry about extra types for now. especially because ambients can make it look like imports that aren't used that actually are during build time

[0xpatrickdev]

set true for tests, where query responses are mocked, but won't work on a local simulated chain

[0xpatrickdev]

Suggested change

	let icaExecuteTxSequence = 0;
	let lcaExecuteTxSequence = 0;

[0xpatrickdev]

Currently only simulating failed LCA -> ICA transfer. This captures the last nested block of the Deposit() try / catch, but we have nothing testing the first depositToSeat, which depends on await Object.values(payments)[0]. Suggestions on how to simulate this welcome.

[dckc]

time for a meeting; better share my notes so far

[dckc]

there's a NatValueShape? even though it's the same as M.nat()? odd.

[dckc]

it's not obvious why camelcase should be disabled. is it easy to add a few words? no big deal for test code, I guess

[dckc]

consider turning such comments into t.log() calls.

odd... makeAcountInvitationMaker? with 1 c? oops!

[dckc]

I/we really should fix that. the getBoardId() kludge is a bad idea. the mapping from value to slot (board id) belongs in a table external to the object; we learned this in makeClientMarshaller but we haven't back-ported it all the way to here.

IOU an issue, I guess.

[dckc]

Hm. I'd like to see a check that the money got there. Can we capture calls across the bridge and check for a suitable one here?

[0xpatrickdev]

The best we can do in this environment is mock, which doesn't give the highest confidence or seem worth the cost. I am going to pursue better unit testing at the exo level per your suggestion to get more confidence around these failure cases

[dckc]

again, it would be good to have evidence that the right vbank messages went over the bridge

ah... but we do have payouts below

[dckc]

it would be nice to get this from hashing... or to test that this matches what we get from hashing

[0xpatrickdev]

Agree. Something i think we'll tackle as part of #9211

[dckc]

a durable store is over-kill for this. it costs a syscall for each access.

[dckc]

Maybe it's ok by the new await safety style, but I've picked up an aversion to code that sometimes represents a turn boundary and sometimes doesn't.

Suggested change

	const icqConnection = icqEnabled
	? await E(orchestration).provideICQConnection(controllerConnectionId)
	: undefined;
	const icqConnection = await (icqEnabled
	? E(orchestration).provideICQConnection(controllerConnectionId)
	: undefined);

[dckc]

I'm also reminded to check for a clear commit point, as in the prepare / commit pattern.

If makeAccount() succeeds but provideICQConnection() fails, should we release the account?

[turadg]

Suggested change

	export const NatAmountShape = harden({
	/** @see {makeNatAmountShape} to match a specific brand */
	export const NatAmountShape = harden({

[turadg]

Suggested change

	numerator: AmountShape,
	denominator: AmountShape,
	numerator: NatAmountShape,
	denominator: NatAmountShape,

[turadg]

success is independent of the offer identity

Suggested change

	id: 'request-deposit-success',
	id: 'request-deposit',

reading further I see you have other variants. Still I think success or failure are independent of identity. E.g.

request-deposit
request-deposit-bad-want
request-deposit-two-gives

[dckc]

I tripped over that name/id on 1st reading too.

[turadg]

good to have these validation tests, but they don't need to integrate with smart-wallet. Spinning up a contract in isolation is a bit of work, I don't know that they even need to integrate with stakeAtom. Could these just be tests of the StakingAccountKit exo? Those would run very fast

[0xpatrickdev]

Acknowledged and agree: #9342 (comment)

[turadg]

reminds me to revive #8653

[turadg]

this is a conditional await. I think it's safe because of the await above it, but please add a // @jessie-check at the top to be sure. all modules that run in a vat should pass jessie-check

[turadg]

#9351

[turadg]

why not pipeline?

Suggested change

	const chainTimerService = await chainTimerServiceP;
	const chainTimerBrand = await E(chainTimerService).getTimerBrand();
	const chainTimerBrand = await E(chainTimerServiceP).getTimerBrand();

[turadg]

@dtribble wants to review changes to this API

[turadg]

i wouldn't worry about extra types for now. especially because ambients can make it look like imports that aren't used that actually are during build time

[dckc]

I'm running out of steam for today.

But at least the bankManager change is critical.

[dckc]

Contracts can rely on Zoe to ensure that brands in proposals are registered.

[dckc]

Our style for errors and control flow is to not peek at errors.

Why do we care what sort of error it is?

[dckc]

Also, are we testing all these failure modes?

I wonder if it would help to hoist much of this logic to a function that we can unit test.

[dckc]

waived: null merits some explanation: once somebody makes such an offer, undoing it may be infeasible, so the client can't honor exit requests; clients must waive their right to exit.

docs should bear a WARNING notice about lack of offer safety

maybe the name should be scarier too... GiveAndHope :)

maybe these docs belong on the deposit() method and/or the Deposit invitationMaker.

[dckc]

This getBankForAddress() call should happen before this account object is created. No account should have access to everybody else's purses. critical

(Didn't I give this feedback a while ago? hm.)