Deep freeze (#5187)

[vvysokikh1]

High Level Overview of Change

This PR implements Deep Freeze feature described in this specification: XLS-77d

Context of Change

Added new flags and functionality allowing trust lines to be deep-frozen.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactor (non-breaking change that only restructures code)
• Performance (increase or change in throughput and/or latency)
• Tests (you added tests for code that already exists, or your new feature included in this PR)
• Documentation update
• Chore (no impact to binary, e.g. .gitignore, formatting, dropping support for older tooling)
• Release

API Impact

• Public API: New feature (new methods and/or new fields)
• Public API: Breaking change (in general, breaking changes should only impact the next api_version)
• libxrpl change (any change that may affect libxrpl or dependents of libxrpl)
• Peer protocol change (must be backward compatible or bump the peer protocol version)

[ximinez]

Partial review. I didn't go through all the tests.

[ximinez]

Partial review

[gregtatcam]

Don't need to repeat the code. Just add a conditional error:

auto const err = features[featureDeepFreeze] ? ter(tecPATH_DRY) : ter(tesSUCCESS)

And then use it in pay:

env(pay(alice, carol, USD(1)),
            path(~USD),
            sendmax(XRP(10)),
            txflags(tfNoRippleDirect | tfPartialPayment),
            err);

[gregtatcam]

Actually, you shouldn't test here and other updated unit-tests if the feature is disabled because trust is going to fail. You need a separate test for disabled feature in SetTrust and also add to SetTrust tests for invalid combination of the flags. Also need to add OfferCreate and offer crossing, if not added yet, to Offer.

[vvysokikh1]

Build fails in Freeze_test.cpp with a number of errors:
src/test/app/Freeze_test.cpp:1462:17: error: reference to ‘path’ is ambiguous 1462 | path(~USD),

Weird, builds and runs on my end. What's your environment?

MAC M1 Sequoia 15.1.1, Apple clang version 16.0.0 (clang-1600.0.26.4) Linux g++ (Ubuntu 13.1.0-8ubuntu1~22.04) 13.1.0

I'm on M3 Sequoia 15.2, same clang version

The issue is related to unity build, working on a fix

[codecov]

Codecov Report

Attention: Patch coverage is 57.20524% with 98 lines in your changes missing coverage. Please review.

Project coverage is 77.9%. Comparing base (ebd8e63) to head (c1778e5).
Report is 2 commits behind head on develop.

Files with missing lines	Patch %	Lines
src/xrpld/app/tx/detail/InvariantCheck.cpp	13.9%	93 Missing ⚠️
src/xrpld/app/tx/detail/NFTokenAcceptOffer.cpp	84.0%	4 Missing ⚠️
src/xrpld/app/tx/detail/CreateOffer.cpp	87.5%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##           develop   #5187     +/-   ##
=========================================
- Coverage     78.0%   77.9%   -0.1%     
=========================================
  Files          789     789             
  Lines        66955   67164    +209     
  Branches      8132    8166     +34     
=========================================
+ Hits         52223   52325    +102     
- Misses       14732   14839    +107     

Files with missing lines	Coverage Δ
include/xrpl/protocol/Feature.h	100.0% <ø> (ø)
src/xrpld/app/paths/TrustLine.h	100.0% <100.0%> (ø)
src/xrpld/app/paths/detail/StepChecks.h	100.0% <100.0%> (ø)
src/xrpld/app/tx/detail/CashCheck.cpp	87.9% <ø> (ø)
src/xrpld/app/tx/detail/InvariantCheck.h	100.0% <ø> (ø)
src/xrpld/app/tx/detail/NFTokenAcceptOffer.h	100.0% <ø> (ø)
src/xrpld/app/tx/detail/OfferStream.cpp	81.6% <100.0%> (+1.3%)	⬆️
src/xrpld/app/tx/detail/SetTrust.cpp	90.9% <100.0%> (+1.3%)	⬆️
src/xrpld/ledger/View.h	100.0% <ø> (ø)
src/xrpld/ledger/detail/View.cpp	91.3% <100.0%> (+0.2%)	⬆️
... and 4 more

... and 4 files with indirect coverage changes

[shawnxie999]

these tests only exercise when someone accepts a sell offer from the owner. have we considered adding tests where the NFT owner accepts a buy offer? (where the potential buyer is deep frozen)

[vvysokikh1]

if buyer is deep frozen, he's normally frozen. His accountHolds check will not let this transaction through. Such tests exist in nft tests.

[shawnxie999]

i thought of another scenario:

1. alice mints NFT
2. alice creates a sell offer using USD
3. bob creates a buy offer using USD
4. carol (broker) accepts the two offers and earns some USD (if buy offer amount is higher than sell offer, broker has the oppportunity to earn buy offer amt - sell offer amt) You can find unit tests by searching for brokerOffers.

we would need to make sure that at step 4, carol cannot broker the offers if she is deep frozen

[ximinez]

This comment is incorrect. A2 has indicated that they want to receive the currency by creating the offer. Any affirmative action by the account receiving funds can override the "limit" set on the trust line, or create a trust line if one doesn't exist. The same is true of offers on the DEX.

[vvysokikh1]

We had this case discussed during last call. It's a part of 'missing checks if account is allowed to receive currency'. I'm not convinced this is correct behavior, normal offers behave differently. Also I see the use-case where currency holder would want to freeze the trustline to stop inflow of certain currency instead of cancelling all existing nft offers.

[vvysokikh1]

The only exception here would actually be acceptance of check, which is really an indication of acceptance. But even this is not currently possible.

[gregtatcam]

I'm curious, why not keep the original code and just add || isDeepFrozen?

else if (
    (zeroIfFrozen == fhZERO_IF_FROZEN) &&
    (isFrozen(view, account, currency, issuer) ||
     isDeepFrozen(view, account, currency, issuer)))

Unless there is a good reason to change, IMO fewer changes is less risk and easier to review.

[vvysokikh1]

I just couldn't help myself to change the previous version.

[gregtatcam]

I don't see much benefit in this change. It's one line change vs. a bunch of changes. But it's just my opinion.

[vvysokikh1]

I find it a bit easier to understand and read, that's the only reason for this change. I can roll back if you insist. I has good test coverage though, so I don't find it risky

[gregtatcam]

Why returning tesSUCCESS? Shouldn't this be similar to a few lines above:

if (!trustLine)
{
    return (flags & tapRETRY) ? TER{terNO_LINE} : TER{tecNO_LINE};
}

If returning an error then the code also has to be amendment gated.

[vvysokikh1]

Here it's simply checking if trust line exists. If it doesn't exist, there's no freeze/deep freeze flags there so we just exit

[gregtatcam]

Why?

[vvysokikh1]

When holder freezes trust line, his intention is to avoid receiving this token. So it might be incorrect behavior because in this case he actually receives those.

[gregtatcam]

Why?

[gregtatcam]

Why "LongerPaths"? It's the same number of steps, just a payment is used instead of an offer.

[vvysokikh1]

Why is it the same number? These tests have book step and xrp step at the very least?

[gregtatcam]

With the offer crossing tests you are exchanging XRP for USD or USD for XRP. Payment does the same thing. The payment engine steps are slightly different. In case of the offer crossing the steps are:

XRPEndpointOfferCrossingStep
BookOfferCrossingStep
DirectIOfferCrossingStep

and in case of the payment the steps are:

XRPEndpointPaymentStep
BookPaymentStep
DirectIPaymentStep

A longer path is something like this: exchange XRP for USD and then exchange USD for GBP as part of the same payment. Or as a unit test something like this:

env(pay(carol, bob, USD(1)),
        test::jtx::path(~USD, ~GBP),
        sendmax(XRP(1)), txflags(tfNoRippleDirect));

[ckeshava]

What is the difference between this test and the one above? (Both of them are prefaced by the same comment // Set flags on gw2 trust lines so we can look for them.)
Are any of the pre-conditions different in these tests?

[vvysokikh1]

different RPC formats seem to be the difference

[ckeshava]

A normal frozen trust line could increase its balance (another counter-party could send IOUs to increase the frozen account's balance). Is this a different case?

[ckeshava]

Are there unit tests which exercise this invariant?

[vvysokikh1]

working on them at the moment.

[ckeshava]

Does the ledger_entry RPC command return deep_freeze flags (provided, it is set appropriately on the trust line) ? Can you add unit tests for the same?

[ckeshava]

I am referring to retrieval of trust-line ledger objects using the ledger_entry RPC

[vvysokikh1]

ledger_entry doesn't return anything related to trustline flags, so in a nutshell, it doesn't return information about either normal freeze or deep freeze.

[ckeshava]

ledger_entry does return a Flags field in the response. But it does not explicitly specify a boolean value for the deep_freeze field (unlike the account_lines rpc)

Here is an example: https://xrpl.org/resources/dev-tools/websocket-api-tool?server=wss%3A%2F%2Fs1.ripple.com%2F&req=%7B%20%20%22id%22%3A%20%22example_get_ripplestate%22%2C%0A%20%20%22command%22%3A%20%22ledger_entry%22%2C%0A%20%20%22ripple_state%22%3A%20%7B%0A%20%20%20%20%22accounts%22%3A%20%5B%0A%20%20%20%20%20%20%22rf1BiGeXwwQoi8Z2ueFYTEXSwuJYfV2Jpn%22%2C%0A%20%20%20%20%20%20%22rsA2LpzuawewSBQXkiju3YQTMzW13pAAdW%22%0A%20%20%20%20%5D%2C%0A%20%20%20%20%22currency%22%3A%20%22USD%22%0A%20%20%7D%2C%0A%20%20%22ledger_index%22%3A%20%22validated%22%0A%7D

Perhaps, it does not warrant a unit test. I'll leave that up to your discretion.

[vvysokikh1]

Oh I see. I probably looked into wrong implementation.

But anyway, since raw flags are provided, there's no reason to add deep_freeze flag specific test in my opinion.

[ximinez]

The name is supposed to indicate what you're testing, not what failed.

Suggested change

	XRPL_ASSERT(
	after, "ripple::BalanceChangeNotFrozen::visitEntry : invalid after.");
	XRPL_ASSERT(
	after, "ripple::BalanceChangeNotFrozen::visitEntry : valid after.");

[ximinez]

Suggested change

	STAmount amt =
	line ? line->at(sfBalance) : line->at(sfBalance).zeroed();
	STAmount amt =
	line ? line->at(sfBalance) : other->at(sfBalance).zeroed();

[ximinez]

Suggested change

	XRPL_ASSERT(
	change.balanceChangeSign,
	"ripple::BalanceChangeNotFrozen::recordBalance : invalid trust "
	"line balance sign.");
	XRPL_ASSERT(
	change.balanceChangeSign,
	"ripple::BalanceChangeNotFrozen::recordBalance : valid trust "
	"line balance sign.");

[ximinez]

High and low sign handling is a consistent source of confusion. Some comments here would be helpful. Something like:

Suggested change

	recordBalance(
	after->at(sfHighLimit).getIssuer(),
	currency,
	{after, balanceChangeSign});
	recordBalance(
	after->at(sfLowLimit).getIssuer(),
	currency,
	{after, -balanceChangeSign});
	// Change from low account's perspective, which is trust line default
	recordBalance(
	after->at(sfHighLimit).getIssuer(),
	currency,
	{after, balanceChangeSign});
	// Change from high account's perspective, which reverses the sign.
	recordBalance(
	after->at(sfLowLimit).getIssuer(),
	currency,
	{after, -balanceChangeSign});

[ximinez]

Suggested change

	XRPL_ASSERT(
	enforce,
	"ripple::BalanceChangeNotFrozen::validateFrozenState : Attempting to "
	"move frozen funds.");
	XRPL_ASSERT(
	enforce,
	"ripple::BalanceChangeNotFrozen::validateFrozenState : enforce invariant.");

[ximinez]

Suggested change

	XRPL_ASSERT(
	enforce,
	"ripple::BalanceChangeNotFrozen::finalize : Issuer not found.");
	XRPL_ASSERT(
	enforce,
	"ripple::BalanceChangeNotFrozen::finalize : enforce invariant.");

[ximinez]

Suggested change

	XRPL_ASSERT(
	!isXRP(issue.currency),
	"NFTokenAcceptOffer::checkAcceptAsset : input is not XRP");
	XRPL_ASSERT(
	!isXRP(issue.currency) && view.rules().enabled(featureDeepFreeze) ,
	"NFTokenAcceptOffer::checkAcceptAsset : valid to check");