[Capacity] MinimumStakingAmount is not enforced if a stake already exists for a different provider #2136
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…pl' into audit-2024
…pl' into audit-2024
mattheworris
changed the title
mattheworris
commented
Aug 21, 2024
| @@ -255,6 +255,41 @@ pub enum Error<T> { | |||
| } | |||
| ``` | |||
|
|
|||
| ### NEW: Events | |||
There was a problem hiding this comment.
In updating the capacity events, noticed these events were added and this seemed like the best place to reference them.
mattheworris
commented
Aug 21, 2024
| @@ -23,89 +23,105 @@ Frequency explains how Capacity can be acquired through staking, refills, and us | |||
| - [Block space allocation for Capacity transactions](#block-space) | |||
| - [Implementation of spending Capacity to perform transactions](#capacity-transactions) | |||
|
|
|||
| **Implementation of how to acquire through staking:** <a id='staking'></a> | |||
| ### **Implementation of how to acquire Capacity through staking:** <a id='staking'></a> | |||
There was a problem hiding this comment.
markdown lint complains if there is no heading, so I tried to make the headings make sense.
mattheworris
commented
Aug 21, 2024
|
|
||
| ```rust | ||
| #[pallet::config] |
There was a problem hiding this comment.
Updated to the latest source code.
mattheworris
commented
Aug 21, 2024
| #[pallet::constant] | ||
| type CapacityPerToken: Get<Perbill>; | ||
|
|
||
| // ... |
There was a problem hiding this comment.
Provider Boosting additions detailed in provider boosting docs, so left out here.
mattheworris
commented
Aug 21, 2024
|
|
||
| LockIdentifier is an eight-character long identifier used to distinguish between different locks. | ||
| FreezeReason is an enum that defines the reason for freezing funds in an account. |
There was a problem hiding this comment.
There are many updates from the Currency->fungible changes from locks to freezes
mattheworris
commented
Aug 21, 2024
|
|
||
| Unstaking tokens allow you to schedule a number of tokens to be unlocked from your balance. There is no limit on the amount that you can schedule to be unlocked (up to the amount staked), but there is a limit on how many scheduled requests you can make. After scheduling tokens to be unlocked using **`unstake`**, you can withdraw those tokens after a thaw period has elapsed by using the **`withdraw_unstaked`** extrinsic. If the call is successful, all thawed tokens become unlocked and increase the ability to make more scheduled requests. | ||
| Unstaking tokens allow you to schedule a number of tokens to be unfrozen from your balance. There is no limit on the amount that you can schedule to be unfrozen (up to the amount staked), but there is a limit on how many scheduled requests you can make. After scheduling tokens to be unfrozen using **`unstake`**, you can withdraw those tokens after a thaw period has elapsed by using the **`withdraw_unstaked`** extrinsic. If the call is successful, all thawed tokens become unfrozen and increase the ability to make more scheduled requests. |
There was a problem hiding this comment.
Note: I tried to be consistent and use the verb unfreeze when referring to unlock and keeping thaw to reference the period of time required before unfreezing.
thaw is also the verb used by fungible traits for unfreezing, previously unlocking.
There was a problem hiding this comment.
Good catch since this was written before the Fungible trait change.
…ce() -> reducible_balance() as per fungible
mattheworris
changed the title
mattheworris
commented
Aug 21, 2024
| @@ -831,7 +830,8 @@ impl<T: Config> Pallet<T> { | |||
| staker: &T::AccountId, | |||
| proposed_amount: BalanceOf<T>, | |||
| ) -> BalanceOf<T> { | |||
| let account_balance = T::Currency::balance(&staker); | |||
| let account_balance = | |||
| T::Currency::reducible_balance(&staker, Preservation::Preserve, Fortitude::Polite); | |||
There was a problem hiding this comment.
This should have been changed with fungible, polkadot-sdk comments indicate that balance() is really only useful for testing and reducible_balance() is recommended.
mattheworris
commented
Aug 21, 2024
| @@ -255,10 +255,10 @@ fn stake_when_staking_amount_is_greater_than_free_balance_it_stakes_maximum() { | |||
| assert_ok!(Capacity::stake(RuntimeOrigin::signed(account), target, amount)); | |||
|
|
|||
| // Check that StakingAccountLedger is updated. | |||
| assert_eq!(StakingAccountLedger::<Test>::get(account).unwrap().active, 190); | |||
| assert_eq!(StakingAccountLedger::<Test>::get(account).unwrap().active, 189); | |||
There was a problem hiding this comment.
reducible_balance requires +1 for Existential Deposit, so these values are updated in the tests.
Further, I think the existing tests cover the changes, as the code is now more strict, so there are no additional tests to add.
mattheworris
commented
Aug 21, 2024
| tokens::fungible::{Inspect as InspectFungible, InspectFreeze, Mutate, MutateFreeze}, | ||
| tokens::{ | ||
| fungible::{Inspect as InspectFungible, InspectFreeze, Mutate, MutateFreeze}, | ||
| Fortitude, Preservation, |
There was a problem hiding this comment.
Required for reducible_balance() changes
mattheworris
changed the base branch from
audit-2024
to
feat/capacity-staking-rewards-impl
mattheworris
requested review from
shannonwells,
enddynayn,
aramikm,
claireclark1 and
JoeCap08055
mattheworris
changed the title
designdocs/capacity.md
Outdated
|
|
||
| /// The available Capacity for an MSA account. | ||
| fn balance(msa_id: MessageSourceId) -> Result<Balance, DispatchError>; | ||
| /// The balance Capacity for an MSA. |
There was a problem hiding this comment.
Capacity balance? balance of Capacity?
There was a problem hiding this comment.
Comments were copied from the code. I've updated both comments to read as the original:
/// The available Capacity for an MSA.
shannonwells
requested changes
Aug 22, 2024
| @@ -532,15 +573,15 @@ pub type CurrentBlockUsedCapacity<T: Config> = StorageValue<_, BalanceOf<T>, Val | |||
|
|
|||
| ``` | |||
|
|
|||
| **Prioritization of Capacity transactions** <a id='priority'></a> | |||
| ### **Prioritization of Capacity transactions** <a id='priority'></a> | |||
There was a problem hiding this comment.
nit: Do we need both boldface and header markup?
| amount: BalanceOf<T>, | ||
| }, | ||
| /// Tokens have been staked on the network for Provider Boosting | ||
| ProviderBoosted { |
There was a problem hiding this comment.
The Provider Boost branch updates the Design Docs; let's keep those updates there instead of causing conflicts.
shannonwells
approved these changes
Aug 23, 2024
JoeCap08055
approved these changes
Aug 23, 2024
Co-authored-by: Shannon Wells <[email protected]>
mattheworris
deleted the
2135-capacity-minimumstakingamount-is-not-enforced-if-a-stake-already-exists-for-a-different-provider
branch
shannonwells
added a commit
that referenced
this pull request
Oct 9, 2024
…ists for a different provider (#2136) A user can stake to multiple providers, but the minimum staking amount is enforced only for the first staking action that the user submits. During the staking process, both for the `stake` and `provider_boost` extrinsics, a minimum staking amount should be enforced by the `Runtime::MinimumStakingAmount` parameter. The current implementation of [ensure_can_stake](https://github.com/frequency-chain/frequency/blob/9ef58185f2230aaf92dc166fb8eade56a78e4cf3/pallets/capacity/src/lib.rs#L638) verifies if the amount that the account is staking in total (the current active staking and the new staking amount) is greater than the `MinimumStakingAmount`: ```rust let new_active_staking_amount = staking_details .active .checked_add(&stakable_amount) .ok_or(ArithmeticError::Overflow)?; ensure!( new_active_staking_amount >= T::MinimumStakingAmount::get(), Error::<T>::StakingAmountBelowMinimum ); ``` This implies that the user has to stake the `MinimumStakingAmount` only when they first submit a stake for a provider, all the subsequent staking requests being accepted even with the amount of 1. The current implementation does not follow the intended use-case, as described in the design documentation. An attacker could stake the minimum required amount to a provider, and then stake 1 token to each of the other available providers, underpaying for the storage that they use. This can cause a storage bloating, slowing down the network in the long run. The `ensure_can_stake` function should verify that the `stakable_amount` is greater than `MinimumStakingAmount`, instead of verifying the `new_active_staking_amount`. Closes #2135 - `ensure_can_stake` updated to remove the addition of the existing stakes and check `stakable_amount` - `get_stakable_amount_for` updated to use `reducible_balance` as recommended by parity when using the `fungible` trait. `reducible_balance` requires an Existential Deposit, so the unit test values were updated. - `/designdocs/capacity.md` updated to the latest code, and reflects changes in language due to replacing `lock`s with `freeze`s. - CI Checks are not running on this branch, but the unit tests and e2e tests passed in local. - [ ] Updated Pallet Readme? - [ ] Updated js/api-augment for Custom RPC OR Runtime API? - [x] Design doc(s) updated? - [ ] Unit Tests added? - [ ] e2e Tests added? - [ ] Benchmarks added? - [x] Spec version incremented? --------- Co-authored-by: Wil Wade <[email protected]> Co-authored-by: Shannon Wells <[email protected]>
shannonwells
added a commit
that referenced
this pull request
Oct 10, 2024
…ists for a different provider (#2136) A user can stake to multiple providers, but the minimum staking amount is enforced only for the first staking action that the user submits. During the staking process, both for the `stake` and `provider_boost` extrinsics, a minimum staking amount should be enforced by the `Runtime::MinimumStakingAmount` parameter. The current implementation of [ensure_can_stake](https://github.com/frequency-chain/frequency/blob/9ef58185f2230aaf92dc166fb8eade56a78e4cf3/pallets/capacity/src/lib.rs#L638) verifies if the amount that the account is staking in total (the current active staking and the new staking amount) is greater than the `MinimumStakingAmount`: ```rust let new_active_staking_amount = staking_details .active .checked_add(&stakable_amount) .ok_or(ArithmeticError::Overflow)?; ensure!( new_active_staking_amount >= T::MinimumStakingAmount::get(), Error::<T>::StakingAmountBelowMinimum ); ``` This implies that the user has to stake the `MinimumStakingAmount` only when they first submit a stake for a provider, all the subsequent staking requests being accepted even with the amount of 1. The current implementation does not follow the intended use-case, as described in the design documentation. An attacker could stake the minimum required amount to a provider, and then stake 1 token to each of the other available providers, underpaying for the storage that they use. This can cause a storage bloating, slowing down the network in the long run. The `ensure_can_stake` function should verify that the `stakable_amount` is greater than `MinimumStakingAmount`, instead of verifying the `new_active_staking_amount`. Closes #2135 - `ensure_can_stake` updated to remove the addition of the existing stakes and check `stakable_amount` - `get_stakable_amount_for` updated to use `reducible_balance` as recommended by parity when using the `fungible` trait. `reducible_balance` requires an Existential Deposit, so the unit test values were updated. - `/designdocs/capacity.md` updated to the latest code, and reflects changes in language due to replacing `lock`s with `freeze`s. - CI Checks are not running on this branch, but the unit tests and e2e tests passed in local. - [ ] Updated Pallet Readme? - [ ] Updated js/api-augment for Custom RPC OR Runtime API? - [x] Design doc(s) updated? - [ ] Unit Tests added? - [ ] e2e Tests added? - [ ] Benchmarks added? - [x] Spec version incremented? --------- Co-authored-by: Wil Wade <[email protected]> Co-authored-by: Shannon Wells <[email protected]>
shannonwells
added a commit
that referenced
this pull request
Oct 18, 2024
…ists for a different provider (#2136) A user can stake to multiple providers, but the minimum staking amount is enforced only for the first staking action that the user submits. During the staking process, both for the `stake` and `provider_boost` extrinsics, a minimum staking amount should be enforced by the `Runtime::MinimumStakingAmount` parameter. The current implementation of [ensure_can_stake](https://github.com/frequency-chain/frequency/blob/9ef58185f2230aaf92dc166fb8eade56a78e4cf3/pallets/capacity/src/lib.rs#L638) verifies if the amount that the account is staking in total (the current active staking and the new staking amount) is greater than the `MinimumStakingAmount`: ```rust let new_active_staking_amount = staking_details .active .checked_add(&stakable_amount) .ok_or(ArithmeticError::Overflow)?; ensure!( new_active_staking_amount >= T::MinimumStakingAmount::get(), Error::<T>::StakingAmountBelowMinimum ); ``` This implies that the user has to stake the `MinimumStakingAmount` only when they first submit a stake for a provider, all the subsequent staking requests being accepted even with the amount of 1. The current implementation does not follow the intended use-case, as described in the design documentation. An attacker could stake the minimum required amount to a provider, and then stake 1 token to each of the other available providers, underpaying for the storage that they use. This can cause a storage bloating, slowing down the network in the long run. The `ensure_can_stake` function should verify that the `stakable_amount` is greater than `MinimumStakingAmount`, instead of verifying the `new_active_staking_amount`. Closes #2135 - `ensure_can_stake` updated to remove the addition of the existing stakes and check `stakable_amount` - `get_stakable_amount_for` updated to use `reducible_balance` as recommended by parity when using the `fungible` trait. `reducible_balance` requires an Existential Deposit, so the unit test values were updated. - `/designdocs/capacity.md` updated to the latest code, and reflects changes in language due to replacing `lock`s with `freeze`s. - CI Checks are not running on this branch, but the unit tests and e2e tests passed in local. - [ ] Updated Pallet Readme? - [ ] Updated js/api-augment for Custom RPC OR Runtime API? - [x] Design doc(s) updated? - [ ] Unit Tests added? - [ ] e2e Tests added? - [ ] Benchmarks added? - [x] Spec version incremented? --------- Co-authored-by: Wil Wade <[email protected]> Co-authored-by: Shannon Wells <[email protected]>
shannonwells
added a commit
that referenced
this pull request
Oct 25, 2024
…ists for a different provider (#2136) A user can stake to multiple providers, but the minimum staking amount is enforced only for the first staking action that the user submits. During the staking process, both for the `stake` and `provider_boost` extrinsics, a minimum staking amount should be enforced by the `Runtime::MinimumStakingAmount` parameter. The current implementation of [ensure_can_stake](https://github.com/frequency-chain/frequency/blob/9ef58185f2230aaf92dc166fb8eade56a78e4cf3/pallets/capacity/src/lib.rs#L638) verifies if the amount that the account is staking in total (the current active staking and the new staking amount) is greater than the `MinimumStakingAmount`: ```rust let new_active_staking_amount = staking_details .active .checked_add(&stakable_amount) .ok_or(ArithmeticError::Overflow)?; ensure!( new_active_staking_amount >= T::MinimumStakingAmount::get(), Error::<T>::StakingAmountBelowMinimum ); ``` This implies that the user has to stake the `MinimumStakingAmount` only when they first submit a stake for a provider, all the subsequent staking requests being accepted even with the amount of 1. The current implementation does not follow the intended use-case, as described in the design documentation. An attacker could stake the minimum required amount to a provider, and then stake 1 token to each of the other available providers, underpaying for the storage that they use. This can cause a storage bloating, slowing down the network in the long run. The `ensure_can_stake` function should verify that the `stakable_amount` is greater than `MinimumStakingAmount`, instead of verifying the `new_active_staking_amount`. Closes #2135 - `ensure_can_stake` updated to remove the addition of the existing stakes and check `stakable_amount` - `get_stakable_amount_for` updated to use `reducible_balance` as recommended by parity when using the `fungible` trait. `reducible_balance` requires an Existential Deposit, so the unit test values were updated. - `/designdocs/capacity.md` updated to the latest code, and reflects changes in language due to replacing `lock`s with `freeze`s. - CI Checks are not running on this branch, but the unit tests and e2e tests passed in local. - [ ] Updated Pallet Readme? - [ ] Updated js/api-augment for Custom RPC OR Runtime API? - [x] Design doc(s) updated? - [ ] Unit Tests added? - [ ] e2e Tests added? - [ ] Benchmarks added? - [x] Spec version incremented? --------- Co-authored-by: Wil Wade <[email protected]> Co-authored-by: Shannon Wells <[email protected]>
shannonwells
added a commit
that referenced
this pull request
Oct 29, 2024
…ists for a different provider (#2136) A user can stake to multiple providers, but the minimum staking amount is enforced only for the first staking action that the user submits. During the staking process, both for the `stake` and `provider_boost` extrinsics, a minimum staking amount should be enforced by the `Runtime::MinimumStakingAmount` parameter. The current implementation of [ensure_can_stake](https://github.com/frequency-chain/frequency/blob/9ef58185f2230aaf92dc166fb8eade56a78e4cf3/pallets/capacity/src/lib.rs#L638) verifies if the amount that the account is staking in total (the current active staking and the new staking amount) is greater than the `MinimumStakingAmount`: ```rust let new_active_staking_amount = staking_details .active .checked_add(&stakable_amount) .ok_or(ArithmeticError::Overflow)?; ensure!( new_active_staking_amount >= T::MinimumStakingAmount::get(), Error::<T>::StakingAmountBelowMinimum ); ``` This implies that the user has to stake the `MinimumStakingAmount` only when they first submit a stake for a provider, all the subsequent staking requests being accepted even with the amount of 1. The current implementation does not follow the intended use-case, as described in the design documentation. An attacker could stake the minimum required amount to a provider, and then stake 1 token to each of the other available providers, underpaying for the storage that they use. This can cause a storage bloating, slowing down the network in the long run. The `ensure_can_stake` function should verify that the `stakable_amount` is greater than `MinimumStakingAmount`, instead of verifying the `new_active_staking_amount`. Closes #2135 - `ensure_can_stake` updated to remove the addition of the existing stakes and check `stakable_amount` - `get_stakable_amount_for` updated to use `reducible_balance` as recommended by parity when using the `fungible` trait. `reducible_balance` requires an Existential Deposit, so the unit test values were updated. - `/designdocs/capacity.md` updated to the latest code, and reflects changes in language due to replacing `lock`s with `freeze`s. - CI Checks are not running on this branch, but the unit tests and e2e tests passed in local. - [ ] Updated Pallet Readme? - [ ] Updated js/api-augment for Custom RPC OR Runtime API? - [x] Design doc(s) updated? - [ ] Unit Tests added? - [ ] e2e Tests added? - [ ] Benchmarks added? - [x] Spec version incremented? --------- Co-authored-by: Wil Wade <[email protected]> Co-authored-by: Shannon Wells <[email protected]>
shannonwells
added a commit
that referenced
this pull request
Oct 30, 2024
…ists for a different provider (#2136) A user can stake to multiple providers, but the minimum staking amount is enforced only for the first staking action that the user submits. During the staking process, both for the `stake` and `provider_boost` extrinsics, a minimum staking amount should be enforced by the `Runtime::MinimumStakingAmount` parameter. The current implementation of [ensure_can_stake](https://github.com/frequency-chain/frequency/blob/9ef58185f2230aaf92dc166fb8eade56a78e4cf3/pallets/capacity/src/lib.rs#L638) verifies if the amount that the account is staking in total (the current active staking and the new staking amount) is greater than the `MinimumStakingAmount`: ```rust let new_active_staking_amount = staking_details .active .checked_add(&stakable_amount) .ok_or(ArithmeticError::Overflow)?; ensure!( new_active_staking_amount >= T::MinimumStakingAmount::get(), Error::<T>::StakingAmountBelowMinimum ); ``` This implies that the user has to stake the `MinimumStakingAmount` only when they first submit a stake for a provider, all the subsequent staking requests being accepted even with the amount of 1. The current implementation does not follow the intended use-case, as described in the design documentation. An attacker could stake the minimum required amount to a provider, and then stake 1 token to each of the other available providers, underpaying for the storage that they use. This can cause a storage bloating, slowing down the network in the long run. The `ensure_can_stake` function should verify that the `stakable_amount` is greater than `MinimumStakingAmount`, instead of verifying the `new_active_staking_amount`. Closes #2135 - `ensure_can_stake` updated to remove the addition of the existing stakes and check `stakable_amount` - `get_stakable_amount_for` updated to use `reducible_balance` as recommended by parity when using the `fungible` trait. `reducible_balance` requires an Existential Deposit, so the unit test values were updated. - `/designdocs/capacity.md` updated to the latest code, and reflects changes in language due to replacing `lock`s with `freeze`s. - CI Checks are not running on this branch, but the unit tests and e2e tests passed in local. - [ ] Updated Pallet Readme? - [ ] Updated js/api-augment for Custom RPC OR Runtime API? - [x] Design doc(s) updated? - [ ] Unit Tests added? - [ ] e2e Tests added? - [ ] Benchmarks added? - [x] Spec version incremented? --------- Co-authored-by: Wil Wade <[email protected]> Co-authored-by: Shannon Wells <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
A user can stake to multiple providers, but the minimum staking amount is enforced only for the first staking action that the user submits.
Issue details
During the staking process, both for the
stakeandprovider_boostextrinsics, a minimum staking amount should be enforced by theRuntime::MinimumStakingAmountparameter.The current implementation of ensure_can_stake verifies if the amount that the account is staking in total (the current active staking and the new staking amount) is greater than the
MinimumStakingAmount:This implies that the user has to stake the
MinimumStakingAmountonly when they first submit a stake for a provider, all the subsequent staking requests being accepted even with the amount of 1.Risk
The current implementation does not follow the intended use-case, as described in the design documentation.
An attacker could stake the minimum required amount to a provider, and then stake 1 token to each of the other available providers, underpaying for the storage that they use. This can cause a storage bloating, slowing down the network in the long run.
Mitigation
The
ensure_can_stakefunction should verify that thestakable_amountis greater thanMinimumStakingAmount, instead of verifying thenew_active_staking_amount.Closes #2135
Discussion
ensure_can_stakeupdated to remove the addition of the existing stakes and checkstakable_amountget_stakable_amount_forupdated to usereducible_balanceas recommended by parity when using thefungibletrait.reducible_balancerequires an Existential Deposit, so the unit test values were updated./designdocs/capacity.mdupdated to the latest code, and reflects changes in language due to replacinglocks withfreezes.Checklist