new address#4
Merged
Merged
Conversation
LandynDev
approved these changes
Mar 26, 2026
3 tasks
LandynDev
pushed a commit
that referenced
this pull request
Jun 22, 2026
…olidation (on contract-v2) (#484) * feat(solana): over-collateralize failed swaps to 1.1x (v2 #4) Add a dedicated tunables.rs for economic knobs. COLLATERAL_REQUIREMENT_BPS (1.10x) is compile-time bounded to [1.0x, 2.0x] via a const assert plus a unit test; required_collateral(sol_amount) is the shared helper. - vote_initiate now gates on collateral >= required_collateral(sol_amount) (was 1:1), so a miner must hold 1.1x the swap size to take it. - timeout_swap slashes 1.1x and refunds the entire slash to the user (the 0.1x is a penalty paid to the victim; no treasury/burn split). Tests: 4 tunables unit tests, a vote_initiate boundary-rejection test (2.1 SOL < 2.2 needed), and the 1.1x slash assertion in test_swap. Also fixes test_initialize (version 4 -> 5) left stale by the halt commit. Full LiteSVM suite green (58 passed); e2e.sh 24/24. * feat(solana): decaying anti-flashing fee on quote updates set_quote now charges a treasury-bound fee when overwriting a standing quote (first creation stays free beyond rent). The fee decays stepwise the longer the prior quote stood: 0.01 SOL if updated within 5 min, 0.001 SOL within 10 min, 0 thereafter. Discourages rapid quote-flashing without deterring miners from joining. - New QUOTE_UPDATE_FEE_* tiers + quote_update_fee(elapsed) in tunables.rs, compile-time asserted to decay over increasing windows. - Fee moves miner -> vault treasury (system CPI), preserving the vault invariant. SetQuote gains a vault account; QuoteSet gains update_fee. - Tests: tunables tier unit test + a test_quote decay walk (create free -> tier-1 -> tier-2 -> free). Updated all SetQuote callers for the new vault account. Full LiteSVM suite green (60 passed); e2e.sh 24/24. * refactor(solana): consolidate all economic levers into tunables.rs Move FEE_DIVISOR, RESERVATION_FEE_LAMPORTS, POOL_WINDOW_SECS and WEIGHTS_UPDATE_MIN_INTERVAL_SECS out of constants.rs into tunables.rs, so every deploy-time economic/policy knob lives in one file alongside the collateral-requirement and quote-fee tunables. constants.rs keeps only structural values (PDA seeds, request-type bytes, max string lengths, and SLOT_MS as a chain fact). Pure code-organization move — identical values, no behavior change. Imports updated across instructions + tests. Full LiteSVM suite green (60 passed); e2e.sh 24/24. * feat(solana): 60s pool window + 0.02 SOL reservation fee defaults; tunables after v2 merge Merge origin/contract-v2 (#485 busy-model reservation rework, #486 runtime config setters) into the feature branch and reconcile with the economic-knob consolidation: - Keep all deploy-time economic levers in tunables.rs. The three values #486 promoted to runtime Config fields (reservation_fee_lamports, pool_window_secs, weights_update_min_interval_secs) live here as the initialize seed defaults; handlers read the live Config value. FEE_DIVISOR stays compile-time. - Set the deploy defaults: POOL_WINDOW_SECS 3 -> 60, RESERVATION_FEE_LAMPORTS 0.001 -> 0.02 SOL (both runtime-tunable via the #486 setters). - initialize.rs seeds from tunables; test_initialize version 5 -> 6. - integration_onchain: shrink the pool window to 3s in the shared setup via the new set_pool_window setter so the wall-clock on-chain tests don't each sleep a full minute (keeps the 60s deploy default; e2e ~2min not ~7min). Full LiteSVM suite green (60 passed); e2e.sh 24/24.
anderdc
added a commit
that referenced
this pull request
Jun 22, 2026
…vation, admin cancels, shared validation - consolidate tunables.rs into constants.rs (economic-levers section) - open_or_request: gate on 1.10x required_collateral at pool entry so an under-collateralized miner can't strand a user at vote_initiate (#1) - vote_deactivate: forbid deactivating a busy miner (busy => active invariant), so resolve_pool never arms a reservation on an inactive miner (#3) - restore admin cancel_pool / cancel_reservation, clearing busy_until (#4) - admin setters reject contradictory min/max bounds (#6) - set_quote charges the churn fee on creation too, closing the remove_quote + set_quote dodge (#7) - validate.rs: shared Config-field validators used by initialize + setters so the two write paths can't diverge (#8) - DEFAULT_FULFILLMENT_TIMEOUT_SECS = 14400 (4h) canonical deploy default - tests: 12 new (entry gate, busy deactivation, cancels, bounds, quote fee); LiteSVM 67/67, e2e.sh 24/24
LandynDev
pushed a commit
that referenced
this pull request
Jun 22, 2026
* fix(solana): PR review — entry over-collateral gate, busy-lock deactivation, admin cancels, shared validation - consolidate tunables.rs into constants.rs (economic-levers section) - open_or_request: gate on 1.10x required_collateral at pool entry so an under-collateralized miner can't strand a user at vote_initiate (#1) - vote_deactivate: forbid deactivating a busy miner (busy => active invariant), so resolve_pool never arms a reservation on an inactive miner (#3) - restore admin cancel_pool / cancel_reservation, clearing busy_until (#4) - admin setters reject contradictory min/max bounds (#6) - set_quote charges the churn fee on creation too, closing the remove_quote + set_quote dodge (#7) - validate.rs: shared Config-field validators used by initialize + setters so the two write paths can't diverge (#8) - DEFAULT_FULFILLMENT_TIMEOUT_SECS = 14400 (4h) canonical deploy default - tests: 12 new (entry gate, busy deactivation, cancels, bounds, quote fee); LiteSVM 67/67, e2e.sh 24/24 * refactor(solana): separate subnet-revenue Treasury PDA from the collateral Vault Collateral and subnet revenue no longer share an account. The Vault holds ONLY miner collateral (trustless — leaves only via the owning miner's withdraw or a slash to the wronged user); a new Treasury PDA holds ONLY subnet income. - new Treasury { total, bump } PDA (seeds [b"treasury"]); Vault loses treasury_total - confirm 1% fee, reservation fee, and quote churn fee all accrue to the Treasury - timeout slash still pays the user from the Vault (never the treasury) - withdraw_treasury drains the Treasury PDA (admin-only, caller-chosen recipient) - split invariants: vault.lamports == rent + total_collateral; treasury.lamports == rent + total Anti-flash fee follows the #488 mechanism (creation free; charge on remove_quote): - set_quote creation is free again; updates still pay the decaying churn fee - remove_quote charges the same decaying fee -> Treasury, closing the remove+recreate dodge without taxing first-time quotes Tests updated for the split + new fee semantics. LiteSVM 67/67, e2e.sh 24/24. * fix(solana): address pre-PR code-review findings - cancel_reservation: require an active reservation (reserved_until != 0) so it can't clear busy_until on a miner whose pool is still open — that could let the miner be deactivated mid-contest and resolve_pool match a removed miner against a user (fund-safety regression caught in review) - resolve_pool: restore the inactive-miner backstop (reset pool, never arm a reservation or busy lock for an inactive miner) - vote_initiate: defensive active-miner check before initiating - remove_quote: document the deliberate "removal can cost the churn fee" stance - fix stale vault->treasury doc comments (confirm_swap, set_quote, lib, constants) - tests: cancel_reservation open-pool rejection + treasury lamport conservation LiteSVM 68/68, e2e.sh 24/24. * refactor(solana): drop cancel_pool/cancel_reservation; rely on TTL self-expiry No permanent stuck state exists: resolve_pool is permissionless (always progresses an open pool) and a reservation's reserved_until is always now + reservation_ttl, so a miner abandoned in a reservation self-frees at the TTL. The admin cancel ops were only early-clear accelerators and were the sole paths that cleared busy_until manually — the exact footgun behind the fund-safety bug. Removing them restores a clean busy => active invariant without a resolve_pool backstop. - remove cancel_pool / cancel_reservation instructions, their events + tests - resolve_pool: no active check (documented invariant); vote_initiate keeps its defensive active check as the funds-commit backstop LiteSVM 65/65, e2e.sh 24/24.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.