
ability to terminate an incarnation without terminating the contract #10684

Open
turadg opened this issue Dec 11, 2024 · 0 comments
Labels
enhancement New feature or request needs-design SwingSet package: SwingSet

Comments

turadg commented Dec 11, 2024

What is the Problem Being Solved?

Presently if a contract reaches an invalid state, it can invoke "death before confusion" with zcf.shutdownWithFailure.

The problem is that this kills the vat permanently.

There are cases in which the vat would want to stop until it can be upgraded with repair.

Description of the Design

Something like zcf.suspendWithFailure.

That will require lower level support in SwingSet (probably liveslots).

Security Considerations

Scaling Considerations

Test Plan

Upgrade Considerations

@turadg turadg added enhancement New feature or request needs-design labels Dec 11, 2024
@mhofman mhofman added the SwingSet package: SwingSet label Dec 12, 2024
0xpatrickdev added a commit that referenced this issue Dec 12, 2024
- wait until #10684, where we can terminate an incarnation without terminating the contract
- see #10659 (comment)
- note: try/catch/finally remains for `borrow()` and `deposit()` so we can exit seats
mergify bot added a commit that referenced this issue Jan 2, 2025
closes https://github.com/Agoric/agoric-private/issues/234

## Description

See issue for context. It also seems related to #10684 because the code path that was triggering the bad state was this:

https://github.com/Agoric/agoric-sdk/blob/ca25dd59f43f27451fad685207086a9be87860c7/packages/fast-usdc/src/exos/liquidity-pool.js#L272-L285

As you can see, we were updating the pool state, but then the `atomicRearrange` failed, so the pool state was left invalid. This PR makes it so that the bad proposal shape is caught by the type guard earlier, so this code path never happens.

The withdraw path was already being handled correctly because the typeguard was specific enough.

If the proposal shape is correct, but the amounts are incorrect, the contract already handles that fine by failing before the state update.

### Security Considerations
The bug would allow anyone to send an offer that breaks the liquidity pool.

### Scaling Considerations
None

### Documentation Considerations
None

### Testing Considerations
Added a bootstrap test that fails accordingly without the fix.

### Upgrade Considerations
None
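As an added illustration (not code from agoric-sdk or this PR), a toy pool that shows the ordering the PR describes: in the unchecked version the deposit is recorded before the transfer step, so a malformed proposal leaves the pool inconsistent, while in the checked version a shape guard rejects the offer before any mutation. `isDepositProposal`, `rearrange` and the pool's `state` fields are hypothetical stand-ins for the real type guard and `atomicRearrange`, and both proposals are constructed sample input.

```javascript
// Hypothetical stand-ins, not agoric-sdk code: the ordering bug the PR
// describes (pool state updated, then the transfer step throws) beside the
// fixed ordering (shape guard rejects the offer before any mutation).

const isAmount = (a) =>
  a !== null && typeof a === 'object' &&
  typeof a.brand === 'string' && typeof a.value === 'bigint';

// Shape guard: exactly one `give` keyword (USDC) and one `want` keyword
// (PoolShare), each a well-formed amount of the expected brand.
const isDepositProposal = (p) =>
  p !== null && typeof p === 'object' &&
  !!p.give && Object.keys(p.give).length === 1 &&
  isAmount(p.give.USDC) && p.give.USDC.brand === 'USDC' &&
  !!p.want && Object.keys(p.want).length === 1 &&
  isAmount(p.want.PoolShare) && p.want.PoolShare.brand === 'PoolShare';

// Stand-in for the transfer step; like a real rearrangement it rejects a
// malformed amount by throwing.
const rearrange = (p) => {
  if (!isAmount(p.give && p.give.USDC)) throw new Error('rearrange: malformed amount');
};

// Before: the deposit is counted first, so a throw from rearrange leaves the
// pool recording a deposit that never happened.
const makeUncheckedPool = () => {
  const state = { deposits: 0 };
  const deposit = (p) => {
    state.deposits += 1; // mutation precedes the fallible step
    rearrange(p);
  };
  return { state, deposit };
};

// After: guard first, then the fallible step, then the mutation.
const makeCheckedPool = () => {
  const state = { deposits: 0 };
  const deposit = (p) => {
    if (!isDepositProposal(p)) throw new Error('invalid proposal shape');
    rearrange(p);
    state.deposits += 1;
  };
  return { state, deposit };
};

// Runs one deposit and reports whether it threw and what the pool now records.
const runDeposit = (pool, p) => {
  let threw = false;
  try { pool.deposit(p); } catch (e) { threw = true; }
  return { threw, deposits: pool.state.deposits };
};

// Constructed sample input: a well-formed proposal and one with a wrong `give` keyword.
const goodProposal = { give: { USDC: { brand: 'USDC', value: 100n } }, want: { PoolShare: { brand: 'PoolShare', value: 1n } } };
const badProposal = { give: { USD: { brand: 'USDC', value: 100n } }, want: { PoolShare: { brand: 'PoolShare', value: 1n } } };
```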