feat(node): support configurable staking collateral token

[cryptoAtwill]

This PR makes an effort to support configuration different token for collateral. Previously only native token is allowed, now ERC20 can be used, see #1024.

This PR introduces the following changes:

• Rename SupplySource to GenericToken, SupplySourceHelper to GenericTokenHelper.
• Introduced collateralSource parameter, this is where the token for collateral can be configured.
• Aligned preFund, preRelease and everything related to token to use GenericToken, removed all hardcoding of native tokens, including LibStaking and ReleaseQueue.

List of todos:

• Feature implementation
• Unit tests
• Integration tests
• Deployment script udpate
• ipc-cli update
• Calirabtion network tests

To test in calibration network, try the following ipc configuration:

gateway_addr = "0xA4dDECD395590765C8623F9B9c49160080046d3c"
registry_addr = "0x06c89f2Aa8b580a66F273053B23d0622e6f87a14"

Or you can deploy your own ipc-stack.

Deploy your own ERC20 token on calibration, obtain the address. Then build the ipc-cli, run:

# create the subnet with collateral source
./target/release/ipc-cli subnet create --parent /r314159 --min-validator-stake 0.01 --min-cross-msg-fee 0 --min-validators 0 --bottomup-check-period 50 --permission-mode collateral --supply-source-kind native --collateral-source-kind erc20 --collateral-source-address <YOUR ERC20 ADDRESS>

# approve ERC20 token to spend 1 fil by the SubnetActor

# perform collateral related operations
./target/release/ipc-cli subnet join --subnet /r314159/${SUBNET} --collateral 0.02
./target/release/ipc-cli subnet stake --subnet /r314159/${SUBNET} --collateral 0.02

[JulissaDantes]

if the supplySource is native user is still obligated to send the msg.value number in the amount? is there a piece of logic somewhere that auto populates this field is the supplysource is native?

[cryptoAtwill]

yep, have to do that. This just standardises the interface. So maybe one day nft can be used as well.

[JulissaDantes]

Could you clarify this sentence?

[cryptoAtwill]

nice catch

[JulissaDantes]

This else statement should also contain s.collateralSource.transferFunds(payable(msg.sender), amount); no? I ran a test that unstakes when the subnet is bootstrapped and the validator didnt get their erc20 back

[cryptoAtwill]

so after the subnet is bootstrapped, that means any validator stake withdraw should not have occurred immediately because of safety issues. It has to go through the checkpointing and confirmed by the current commitee.

[cryptoAtwill]

@JulissaDantes check this out:

ipc/contracts/contracts/lib/LibStaking.sol

Line 667 in 6d2cc3a

self.validators.confirmWithdraw(validator, amount);

It's buffered in a release queue.

See tests:

ipc/contracts/test/integration/SubnetActorDiamond.t.sol

Line 1902 in 6d2cc3a

saDiamond.rewarder().claim();

To withdraw stakes, a lot of checks have to go through.

[JulissaDantes]

oh, I think I'm little lost here,

• what is the current commitee.?
• does that mean there is somewhere else in the code where it gets check if any tokens are owed to a validator?
• or does that mean that at the checkpoint library this is handled where they check unstake request and perform the token transfers?

And Im not clear here, my understanding is that a bootstrapped subnet is an active subnet that has the minimum required collateral and validators amount to run. So I still think that there is a path for a validator to just want to unstake certain amount of their stake after a while, where there are several checkpoints being made, and they just wish to reduce their staked amount, although if this is handled elsewhere I understand why its not the case, depending on the answers to the previous questions I guess.

[cryptoAtwill]

Current committee refers to the current set of validators.

The main issue is not about token owed by the validator, this can be checked pretty easily. It's just that validator withdraw stake needs to be handled more carefully. I could be a malicious validator and I proposed a double spend or some malicious act. Then I immediately withdraw my collateral. If the withdraw go through immediately, then no punishment can be done. So this is just part of the protection mechanism. The current validators must "ack" this change through checkpointing. At the same time, the release queue holds the funds for a "challenge" period in case someone reports with misbehaviour. Keep things accountable.

[JulissaDantes]

AHH, thank you, Ive forgotten about the locking period, of course!

[karlem]

In general it looks good.

I just think that we do not have any tests with the collateral supply ERC20 source right?

[karlem]

I think I am missing the point of this function. Could you please explain?

[cryptoAtwill]

because different combination of collateral source and supply source will have different txn value, if that's the question?

[karlem]

Alright I get it now. It is a bit unclear at first sight. Maybe comment would do.

[cryptoAtwill]

comment added!

[cryptoAtwill]

@karlem what tests are you referring to? There are plenty of unit and integration tests for the contracts.

[karlem]

@karlem what tests are you referring to? There are plenty of unit and integration tests for the contracts.

@cryptoAtwill but they all use the native collateral source not the ERC20 right? Correct me if I'm wrong.

[cryptoAtwill]

@karlem not really, there are permutation and combination, say:

ipc/contracts/test/integration/SubnetActorDiamond.t.sol

Line 1942 in 012fa69

function testSubnetActorDiamond_CollateralERC20_SupplyERC20_SameToken_RegisteredInGateway() public {

[raulk]

Will submit a PR to:

1. Enclose the allowance-related complexity inside the AssetHelper.
2. Remove the unnecessary error types.
3. Use SafeERC20#safeIncreaseAllowance() instead of implementing this logic ourselves.

This approval is conditional to reviewing and merging the upcoming PR.

[raulk]

I would support dropping this feature entirely: #1142

[raulk]

This error type is not needed as it doesn't provide more information than a revert with a string message.

[raulk]

1. There is no "handling" here, just an extra assertion.
2. There is no "native token", but "native coins".
3. This can be an else if.
4. Why is this not an equals check?

[cryptoAtwill]

if msg.value == value, we should pass the check. If msg.value > value, someone wants to do charity, maybe can just take it... or maybe not, haha. I will change this to ==.

[raulk]

Best not to. It's stronger to have an invariant that gateway balance across all tokens and the native coin is zero for initialized subnets, than to have one where it can be non zero.

[cryptoAtwill]

Oh, I realized we have to use msg.value > value. The reason is caller might have msg.value more than just locked value, for other purposes as well. In that way, we can only enforce msg.value > value.

[raulk]

Just an unqualified revert with an error string is fine.

[raulk]

This is rather leaky. The AssetHelper is designed to hide the different asset kinds. I would refactor this as a new function AssetHelper#makeSpendable that makes an amount spendable by some party.

Note: even if you want to keep this conditional here, you don't need an isNative helper, you could just access the kind field of the Asset.

[raulk]

1. Just use SafeERC20#safeIncreaseAllowance()?
2. Singleton ifs like this are cleaner if written as a negative if with an early return.

[raulk]

Looks like we had a bug here, where we sent native coins representing the genesis circulating supply, even if the supply source was ERC20. Nice catch!

[raulk]

This is leaky as mentioned elsewhere. I'm going to take a stab to contain this complexity inside the AssetHelper.

[raulk]

Will submit a PR to:

1. Enclose the allowance-related complexity inside the AssetHelper.
2. Remove the unnecessary error types.
3. Use SafeERC20#safeIncreaseAllowance() instead of implementing this logic ourselves.

This approval is conditional to reviewing and merging the upcoming PR.

[raulk]

@cryptoAtwill all blocking review comments addressed in: #1147

Please review and merge if you agree, then feel free to merge this one.

@karlem when that's done, could you please make a release?