ST in output not checked

[v0d1ch]

fix #596

Why

We want to make sure that the ST token is present in the tx output of the head validator and that it has correct CurrencySymbol that uniquely identifies a Hydra Head instance. We can't tell if some arbitrary NFT with the valid TokenName is indeed our ST token we expect so to tackle this security hole we are enforcing the check for the actual CurrencySymbol we expect.

What

• Add CurrencySymbol to the datum and check the tx output for its existence in the head validators check for collectCom, close and contest.
• Add the same check into commit and initial validator scripts in the ViaAbort case
• Add Mutation tests for each of the affected validator checks

Note: This PR removes some of the tests that did exist previously. TxSpec ones are outdated, highy specialized and we have a coverage for the same properties already. It also removes the mutation tests tied to MutateHeadScriptInput since we are not using the head script output to check the datum contents.

To check before merging:

• CHANGELOG is up to date
• Up to date with master

[github-actions]

Transactions Costs

Sizes and execution budgets for Hydra protocol transactions. Note that unlisted parameters are currently using arbitrary values and results are not fully deterministic and comparable to previous runs.

Metadata
Generated at	2023-01-11 15:54:43.472582258 UTC
Max. memory units	14000000
Max. CPU units	10000000000
Max. tx size (kB)	16384

Cost of Init Transaction

Parties	Tx size	% max Mem	% max CPU	Min fee ₳
1	4986	10.07	3.98	0.48
2	5189	13.97	5.54	0.53
3	5394	13.20	5.17	0.53
5	5802	18.76	7.35	0.61
10	6828	28.89	11.26	0.77
46	14210	98.68	38.11	1.85

Cost of Commit Transaction

Currently only one UTxO per commit allowed (this is about to change soon)

UTxO	Tx size	% max Mem	% max CPU	Min fee ₳
1	629	20.50	8.27	0.40

Cost of CollectCom Transaction

Parties	Tx size	% max Mem	% max CPU	Min fee ₳
1	12785	23.44	9.22	0.97
2	13209	44.03	17.38	1.21
3	13347	63.00	24.95	1.43
4	13841	90.05	35.99	1.75

Cost of Close Transaction

Parties	Tx size	% max Mem	% max CPU	Min fee ₳
1	9355	7.88	3.27	0.65
2	9520	8.67	3.73	0.67
3	9719	9.83	4.33	0.69
5	10011	11.04	5.10	0.72
10	10943	16.12	7.84	0.82
30	14208	31.50	16.82	1.15
69	16138	40.94	15.70	1.30

Cost of Contest Transaction

Parties	Tx size	% max Mem	% max CPU	Min fee ₳
1	9352	7.69	3.19	0.65
2	9548	8.81	3.78	0.67
3	9683	9.27	4.10	0.68
5	10012	10.85	5.02	0.71
10	10868	15.18	7.46	0.80
30	14232	31.79	16.93	1.16
42	16221	41.37	22.47	1.36

Cost of Abort Transaction

Some variation because of random mixture of still initial and already committed outputs.

Parties	Tx size	% max Mem	% max CPU	Min fee ₳
1	13612	21.24	8.91	0.99
2	14039	36.96	15.96	1.18
3	14313	54.49	24.12	1.39
4	14423	71.66	31.57	1.59

Cost of FanOut Transaction

Involves spending head output and burning head tokens. Uses ada-only UTxO for better comparability.

UTxO	Tx size	% max Mem	% max CPU	Min fee ₳
1	13505	9.90	4.32	0.86
2	13607	12.10	5.47	0.89
3	13708	13.96	6.48	0.91
5	13844	17.13	8.28	0.96
10	13894	23.98	12.39	1.04
50	15458	85.96	48.02	1.87
59	15589	98.50	55.49	2.03

[github-actions]

Test Results

268 tests   - 2   262 ✔️  - 2   12m 21s ⏱️ - 3m 26s
  91 suites  - 1       6 💤 ±0 
    4 files   ±0       0 ❌ ±0 

Results for commit e780c01. ± Comparison against base commit 5ed00df.

This pull request removes 4 and adds 2 tests. Note that renamed tests count towards both.

Hydra.Chain.Direct.Tx/abortTx ‑ Ignore InitTx with wrong contestation period
Hydra.Chain.Direct.Tx/abortTx ‑ cover fee correctly handles redeemers
Hydra.Chain.Direct.Tx/abortTx ‑ validates
Hydra.Chain.Direct.Tx/collectComTx ‑ validates

Hydra.Chain.Direct.Tx/collectComTx ‑ Ignore InitTx with wrong contestation period
Hydra.Chain.Direct.Tx/collectComTx ‑ cover fee correctly handles redeemers

♻️ This comment has been updated with latest results.

[ch1bo]

I think we are missing the datum check in the commit validator. Other than that, some minor stuff in the mutations and I don't see where this is now enabling 8 parties to collect/abort a head?

[ch1bo]

We are still missing a lot of error traces in the scripts.

This is required before I can approve.

I already addressed some of the inconsistencies and oversights. In general, the PR really shows that it's open too long already. Messy.

[ch1bo]

👍

[ch1bo]

:(

[ch1bo]

:(

[ch1bo]

:(

[ch1bo]

Re-added some last traces in da1cdd9.. now it's good to go :)

[v0d1ch]

Re-added some last traces in da1cdd9.. now it's good to go :)

Nice but now our tx sizes grew bigger :) Shall I increase the limit or revert?

[v0d1ch]

We reduced the tx traces and hitting the button now!