Add fixAMMv1_3 amendment

[gregtatcam]

High Level Overview of Change

• Add AMM bid/create/deposit/swap/withdraw/vote invariants:
  • Deposit, Withdrawal invariants: sqrt(asset1Balance * asset2Balance) >= LPTokens.
  • Bid: sqrt(asset1Balance * asset2Balance) > LPTokens and the pool balances don't change.
  • Create: sqrt(asset1Balance * assetBalance2) == LPTokens.
  • Swap: asset1BalanceAfter * asset2BalanceAfter >= asset1BalanceBefore * asset2BalanceBefore
    and LPTokens don't change.
  • Vote: LPTokens and pool balances don't change.
  • All AMM and swap transactions: amounts and tokens are greater than zero, except on withdrawal if all tokens
    are withdrawn.
• Add AMM deposit and withdraw rounding to ensure AMM invariant:
  • On deposit, tokens out are rounded downward and deposit amount is rounded upward.
  • On withdrawal, tokens in are rounded upward and withdrawal amount is rounded downward.
• Add Order Book Offer invariant to verify consumed amounts. Consumed amounts are less than the offer.
• Fix Bid validation. AuthAccount can't have duplicate accounts or the submitter account.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactor (non-breaking change that only restructures code)
• Performance (increase or change in throughput and/or latency)
• Tests (you added tests for code that already exists, or your new feature included in this PR)
• Documentation update
• Chore (no impact to binary, e.g. .gitignore, formatting, dropping support for older tooling)
• Release

Test Plan

AMM, AMMExtended, AMMClawback, AMMInfo unit-tests are updated

[vvysokikh1]

@gregtatcam could you please merge latest develop so it would be easier to review? Also build seems to be broken

[vvysokikh1]

Initial review of the invariant implementation

[vvysokikh1]

I would actually split these if blocks into 4 separate functions, each checking their own condition. When named properly that would improve readability.

[gregtatcam]

IMO it's a lot of code repetition. I added comments and broke the if expression, which checks the invariant. It should be a lot better now.

[gregtatcam]

@gregtatcam could you please merge latest develop so it would be easier to review? Also build seems to be broken

done

[vvysokikh1]

Is this a separate invariant from usual ones? Why?

[vvysokikh1]

Maybe should add //clang-format off for this file and revert this change? I personally don't really see this as a problem though

[Bronek]

This file does not have an extension expected by clang-format, so it will not be automatically formatted by it. No need for //clang-format off here.

[vvysokikh1]

My VS code setup has application of clang-format on save. So when I add new feature to this file, it reformats it on save regardless of it's extension.

[vvysokikh1]

Maybe worth to put on the top of the file (same as other free functions)?

[vvysokikh1]

maybe worth using auto const& to avoid copying the rules?

[vvysokikh1]

nit: this comment doesn't bring any value

[vvysokikh1]

I appreciate deduplication, but I find this code too difficult to read. Lambda + callback is too much for my taste.

I'd suggest something like this:

void
ValidAMM::visitEntry(
    bool isDelete,
    std::shared_ptr<SLE const> const& before,
    std::shared_ptr<SLE const> const& after)
{
    if (isDelete)
        return;

    // Check if pool changed
    auto ammPoolChanged = [&](std::shared_ptr<SLE const> const& sle) {
        auto const type = sle->getType();
        return sle->isFieldPresent(sfBalance) &&
            ((type == ltRIPPLE_STATE && sle->getFlags() & lsfAMMNode) ||
             (type == ltACCOUNT_ROOT && sle->isFieldPresent(sfAMMID)));
    };

    // Check if entry is AMM
    auto isAMM = [](std::shared_ptr<SLE const> const& sle) {
        auto const type = after->getType();
        return type == ltAMM;
    };

    if (after)
    {
        if (isAMM(after))
        {
            ammAccount_ = after->getAccountID(sfAccount);
            lptAMMBalanceAfter_ = after->getFieldAmount(sfLPTokenBalance);
        }
        else if (ammPoolChanged(after))
        {
            ammPoolChanged_ = true;
        }
    }

    if (before)
    {
        if (isAMM(before))
        {
            lptAMMBalanceBefore_ = before->getFieldAmount(sfLPTokenBalance);
        }
        else if (ammPoolChanged(before))
        {
            ammPoolChanged_ = true;
        }
    }
}

I also wonder if ammPoolChanged should be checked for before. To me it seems like both lsfAMMNode and sfAMMID flags can be only set and not removed. And if this is a deletion, we shortcut early. Also I've not found a single occurence of isFieldPresent(sfBalance), whole codebase assumes it's always present.

So I assume it's sufficient to check these flags only for after and not check sfBalance flag existence (assuming it's always present for both trust line and amm node), thus we could simplify the code further

[vvysokikh1]

I'd suggest a shortcut here.
if (result != tesSUCCESS)
return true;

[vvysokikh1]

ammAccount_ is checked on every if/else statement, maybe take it out? Is that even possible to have a situation where ammAccount_ would not be present? Should it be an assert of some sort?

[vvysokikh1]

I'm not convinced that these callbacks are required here. Callback is not even a correct term here.

All those callbacks are either identical or calculable from one another:

auto amtNoRoundCb = [&] { return tokensAdj / ePrice; };
    auto amtProdCb = [&] { return tokensAdj / ePrice; };

or

auto tokNoRoundCb = [&] {
        return lptAMMBalance * **(lptAMMBalance + ae * (f - 2)) /
            (lptAMMBalance * f - ae);**
    };
    auto tokProdCb = [&] {
        return **(lptAMMBalance + ae * (f - 2)) / (lptAMMBalance * f - ae)**;
    };
where tokNoRoundCb() == tokProdCb() * lptAMMBalance;

So if we don't want to do calculation twice, we can do that without lambdas relatively easy.

Overall I would suggest revisiting all such callback taking functions. They're probably not needed and could be simplified/refactored into more easy readable code

[vvysokikh1]

I would like to see unit tests checking this invariant. I understand it's probably going to take a lot of effort thought.

While the current version of the code is definitely much more readable that previous, I would still suggest splitting finalize into a couple of different functions each covering certain scenario (or group of scenarios). That would make writing and reading tests much easier for this invariant

[Bronek]

@gregtatcam I want to bring this commit 1e565e8 in a different PR #5224 to your attention. You might (or might not - up to you) want to copy & alter it to check the fixAMMv1_3 feature.