feat(solana): PR-484 review fixes + Treasury/Vault separation #490
Merged
…vation, admin cancels, shared validation
- consolidate tunables.rs into constants.rs (economic-levers section)
- open_or_request: gate on 1.10x required_collateral at pool entry so an under-collateralized miner can't strand a user at vote_initiate (#1)
- vote_deactivate: forbid deactivating a busy miner (busy => active invariant), so resolve_pool never arms a reservation on an inactive miner (#3)
- restore admin cancel_pool / cancel_reservation, clearing busy_until (#4)
- admin setters reject contradictory min/max bounds (#6)
- set_quote charges the churn fee on creation too, closing the remove_quote + set_quote dodge (#7)
- validate.rs: shared Config-field validators used by initialize + setters so the two write paths can't diverge (#8)
- DEFAULT_FULFILLMENT_TIMEOUT_SECS = 14400 (4h) canonical deploy default
- tests: 12 new (entry gate, busy deactivation, cancels, bounds, quote fee); LiteSVM 67/67, e2e.sh 24/24
…teral Vault
Collateral and subnet revenue no longer share an account. The Vault holds ONLY
miner collateral (trustless — leaves only via the owning miner's withdraw or a
slash to the wronged user); a new Treasury PDA holds ONLY subnet income.
- new Treasury { total, bump } PDA (seeds [b"treasury"]); Vault loses treasury_total
- confirm 1% fee, reservation fee, and quote churn fee all accrue to the Treasury
- timeout slash still pays the user from the Vault (never the treasury)
- withdraw_treasury drains the Treasury PDA (admin-only, caller-chosen recipient)
- split invariants: vault.lamports == rent + total_collateral;
treasury.lamports == rent + total
Anti-flash fee follows the #488 mechanism (creation free; charge on remove_quote):
- set_quote creation is free again; updates still pay the decaying churn fee
- remove_quote charges the same decaying fee -> Treasury, closing the
remove+recreate dodge without taxing first-time quotes
Tests updated for the split + new fee semantics. LiteSVM 67/67, e2e.sh 24/24.
# Conflicts:
#	smart-contracts/solana/programs/allways_swap_manager/src/tunables.rs
- cancel_reservation: require an active reservation (reserved_until != 0) so it can't clear busy_until on a miner whose pool is still open — that could let the miner be deactivated mid-contest and resolve_pool match a removed miner against a user (fund-safety regression caught in review)
- resolve_pool: restore the inactive-miner backstop (reset pool, never arm a reservation or busy lock for an inactive miner)
- vote_initiate: defensive active-miner check before initiating
- remove_quote: document the deliberate "removal can cost the churn fee" stance
- fix stale vault->treasury doc comments (confirm_swap, set_quote, lib, constants)
- tests: cancel_reservation open-pool rejection + treasury lamport conservation
LiteSVM 68/68, e2e.sh 24/24.
…lf-expiry
No permanent stuck state exists: resolve_pool is permissionless (always progresses an open pool) and a reservation's reserved_until is always now + reservation_ttl, so a miner abandoned in a reservation self-frees at the TTL. The admin cancel ops were only early-clear accelerators and were the sole paths that cleared busy_until manually — the exact footgun behind the fund-safety bug. Removing them restores a clean busy => active invariant without a resolve_pool backstop.
- remove cancel_pool / cancel_reservation instructions, their events + tests
- resolve_pool: no active check (documented invariant); vote_initiate keeps its defensive active check as the funds-commit backstop
LiteSVM 65/65, e2e.sh 24/24.
LandynDev (Collaborator) approved these changes on Jun 22, 2026 and left a comment:
Reviewed for correctness: Vault/Treasury split holds both invariants on every fund path; busy⟹active invariant sound; shared validate.rs wired into initialize + all setters. Approving. Follow-up: bump CONFIG_VERSION; fix stale vote_initiate comment.
Follow-up to #484 (merged): the review fixes that didn't make the squash, plus a Treasury/Vault separation and the consolidation of the closed #488. Branched off contract-v2 and ingests #489 (comment compression).

Correctness / fund-safety
- open_or_request): a miner must hold 1.10x the swap size up front. Collateral can't drop while busy, so vote_initiate can no longer strand a user whose source funds are already committed. (484 review: Synapse broadcasting to only interact with whitelisted validators #1)
- busy ⟹ active invariant: vote_deactivate now refuses a busy miner (mirrors self-deactivate), so a miner mid-pool/reservation/swap can't be deactivated. Nothing clears busy_until early, so the invariant holds cleanly.
- cancel_pool / cancel_reservation (deleted in feat(solana): busy-model cleanup + state-based busy lock (Group 4) #485) but dropped them: no permanent stuck state exists — resolve_pool is permissionless (an open pool always progresses) and a reservation self-expires at reservation_ttl. They were only early-clear accelerators and the sole paths that cleared busy_until manually (the footgun behind a fund-safety bug caught in review). resolve_pool needs no active check (documented invariant); vote_initiate keeps a defensive active check as the funds-commit backstop.
- set_min/max_swap_amount, collateral) via shared validate.rs, used by both initialize and the setters so the two write paths can't diverge. (Verify dest transaction sender matches miner's posted address #6, Strengthen halt lockdown to block collateral deposits and activations #8)

Treasury / Vault separation
- Vault holds only collateral (trustless — leaves only via the owning miner's withdraw or a slash to the wronged user); new Treasury PDA holds only revenue (1% confirm fee, reservation fee, quote churn fee). Timeout slash still pays the user from the Vault. Split invariants: vault.lamports == rent + total_collateral, treasury.lamports == rent + total.
- set_quote write-lock on the collateral vault (a parallelism win).

Anti-flash quote fee (supersedes #488)
- remove_quote charges the same decaying fee → Treasury, closing the remove+recreate dodge without taxing first-time quotes. (Adopted @LandynDev's remove-side mechanism from feat(solana): charge churn fee on remove_quote (close-recreate bypass) #488, routed to the new Treasury.) Removal can cost the fee by design — posting a quote affirms a commitment to honor it.

Other
- tunables.rs folded into constants.rs (one home for economic levers); DEFAULT_FULFILLMENT_TIMEOUT_SECS = 14400 (4h) canonical deploy default.

Tests
- e2e.sh 24/24 against a live validator (build + deploy + on-chain).
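As an added illustration (not the allways_swap_manager program's own code), the following Rust model captures the three fund-safety rules this PR describes: the two split invariants on Vault and Treasury, the 1.10x pool-entry gate, and the busy ⟹ active deactivation rule. The struct and field names, the "busy while busy_until > now" rule, and plain u64 lamport arithmetic are assumptions made for the example.

```rust
// Added example, not the allways_swap_manager program's own code: a minimal model of
// this PR's Vault/Treasury split. Each fund path touches exactly one account, so the
// two split invariants can be re-checked after every step. Field names, the "busy
// while busy_until > now" rule and plain u64 lamport arithmetic are assumptions.
#[derive(Debug, Default)]
pub struct Miner { pub active: bool, pub busy_until: i64, pub collateral: u64 }

#[derive(Debug, Default)]
pub struct Ledger {
    pub rent: u64,              // rent-exempt minimum, assumed equal for both PDAs
    pub vault_lamports: u64,    // invariant: rent + total_collateral
    pub total_collateral: u64,
    pub treasury_lamports: u64, // invariant: rent + treasury_total
    pub treasury_total: u64,
}

impl Ledger {
    /// vault.lamports == rent + total_collateral  &&  treasury.lamports == rent + total
    pub fn invariants_hold(&self) -> bool {
        self.vault_lamports == self.rent + self.total_collateral
            && self.treasury_lamports == self.rent + self.treasury_total
    }
    /// Collateral deposit: Vault only; revenue never mixes in.
    pub fn deposit_collateral(&mut self, m: &mut Miner, lamports: u64) {
        m.collateral += lamports; self.total_collateral += lamports; self.vault_lamports += lamports;
    }
    /// Confirm fee, reservation fee or quote churn fee: Treasury only.
    pub fn accrue_fee(&mut self, lamports: u64) {
        self.treasury_total += lamports; self.treasury_lamports += lamports;
    }
    /// Timeout slash pays the wronged user from the Vault, never the Treasury;
    /// returns what the user received, capped at the miner's posted collateral.
    pub fn slash(&mut self, m: &mut Miner, lamports: u64) -> u64 {
        let paid = lamports.min(m.collateral);
        m.collateral -= paid; self.total_collateral -= paid; self.vault_lamports -= paid;
        paid
    }
}

/// Pool-entry gate: collateral must cover 1.10x the swap size (integer math, no floats).
pub fn meets_entry_gate(collateral: u64, swap_size: u64) -> bool {
    collateral as u128 * 10 >= swap_size as u128 * 11
}

/// busy => active: deactivation is refused while the miner is busy.
pub fn vote_deactivate(m: &mut Miner, now: i64) -> Result<(), &'static str> {
    if m.busy_until > now { return Err("busy miner cannot be deactivated"); }
    m.active = false; Ok(())
}
```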