MIN-1115 and MIN-1116 | VULNERABILITY | Fix Update LBE issues

src/build-tx.ts

@@ -8,8 +8,8 @@ import {
   FactoryValidateFactory,
   FactoryValidateFactoryMinting,
   FeedTypeAmmPool,
-  FeedTypeOrder,
   ManagerValidateManagerSpending,
+  OrderValidateOrder,
   SellerValidateSellerSpending,
   TreasuryValidateTreasurySpending,
 } from "../plutus";
@@ -62,6 +62,7 @@ import type {
   UnixTime,
 } from "./types";
 import {
+  address2PlutusAddress,
   calculateInitialLiquidity,
   computeLPAssetName,
   plutusAddress2Address,
@@ -130,6 +131,22 @@ export type BuildCollectOrdersOptions = {
   validTo: UnixTime;
 };
 
+export type BuildUpdateLBEOptions = {
+  treasuryInput: UTxO;
+  validFrom: UnixTime;
+  validTo: UnixTime;
+  // updatable fields
+  startTime?: bigint;
+  endTime?: bigint;
+  owner?: Address;
+  minimumOrderRaise?: bigint;
+  minimumRaise?: bigint;
+  maximumRaise?: bigint;
+  reserveBase?: bigint;
+  isCancelable?: boolean;
+  penaltyConfig?: { penaltyStartTime: bigint; percent: bigint };
+};
+
 export type BuildCancelLBEOptions = {
   treasuryInput: UTxO;
   ammFactoryRefInput?: UTxO;
@@ -446,7 +463,7 @@ export class WarehouseBuilder {
     let outputPenaltyAmount = 0n;
     for (const o of orderInputs) {
       invariant(o.datum);
-      const datum = T.Data.from(o.datum, FeedTypeOrder._datum);
+      const datum = this.fromDatumOrder(o.datum);
       inputAmount += datum.amount;
       inputPenaltyAmount += datum.penaltyAmount;
     }
@@ -501,6 +518,56 @@ export class WarehouseBuilder {
     return this;
   }
 
+  public buildUpdateLBE(options: BuildUpdateLBEOptions): WarehouseBuilder {
+    const {
+      treasuryInput,
+      validFrom,
+      validTo,
+      startTime,
+      endTime,
+      owner,
+      minimumOrderRaise,
+      minimumRaise,
+      maximumRaise,
+      reserveBase,
+      isCancelable,
+      penaltyConfig,
+    } = options;
+    invariant(treasuryInput.datum);
+    const inDatum = this.fromDatumTreasury(treasuryInput.datum);
+    const treasuryOutDatum: TreasuryDatum = {
+      ...inDatum,
+      startTime: startTime ?? inDatum.startTime,
+      endTime: endTime ?? inDatum.endTime,
+      owner: owner ? address2PlutusAddress(owner) : inDatum.owner,
+      minimumOrderRaise: minimumOrderRaise ?? inDatum.minimumOrderRaise,
+      minimumRaise: minimumRaise ?? inDatum.minimumRaise,
+      maximumRaise: maximumRaise ?? inDatum.maximumRaise,
+      reserveBase: reserveBase ?? inDatum.reserveBase,
+      isCancelable: isCancelable ?? inDatum.isCancelable,
+      penaltyConfig: penaltyConfig ?? inDatum.penaltyConfig,
+    };
+    this.tasks.push(
+      () => {
+        this.treasuryInputs = [treasuryInput];
+        this.treasuryRedeemer = "UpdateLBE";
+      },
+      () => {
+        this.spendingTreasuryInput();
+      },
+      () => {
+        this.tx.addSigner(plutusAddress2Address(this.t.network, inDatum.owner));
+      },
+      () => {
+        this.payingTreasuryOutput({ treasuryOutDatum });
+      },
+      () => {
+        this.tx.validFrom(validFrom).validTo(validTo);
+      },
+    );
+    return this;
+  }
+
   public buildCancelLBE(options: BuildCancelLBEOptions): WarehouseBuilder {
     const { treasuryInput, validFrom, validTo, ammFactoryRefInput, reason } =
       options;
@@ -894,11 +961,11 @@ export class WarehouseBuilder {
   }
 
   fromDatumOrder(rawDatum: string): OrderDatum {
-    return T.Data.from(rawDatum, FeedTypeOrder._datum);
+    return T.Data.from(rawDatum, OrderValidateOrder.datum);
   }
 
   toDatumOrder(datum: OrderDatum): string {
-    return T.Data.to(datum, FeedTypeOrder._datum);
+    return T.Data.to(datum, OrderValidateOrder.datum);
   }
 
   fromDatumManager(rawDatum: string): ManagerDatum {
@@ -909,6 +976,18 @@ export class WarehouseBuilder {
     return T.Data.to(datum, ManagerValidateManagerSpending.managerInDatum);
   }
 
+  toRedeemerOrder(redeemer: OrderRedeemer): string {
+    return T.Data.to(redeemer, OrderValidateOrder.redeemer);
+  }
+
+  toRedeemerTreasury(redeemer: TreasuryRedeemer): string {
+    return T.Data.to(redeemer, TreasuryValidateTreasurySpending.redeemer);
+  }
+
+  toRedeemerManager(redeemer: ManagerRedeemer): string {
+    return T.Data.to(redeemer, ManagerValidateManagerSpending.redeemer);
+  }
+
   toRedeemerSellerSpend(redeemer: SellerRedeemer): string {
     return T.Data.to(redeemer, SellerValidateSellerSpending.redeemer);
   }
@@ -976,10 +1055,7 @@ export class WarehouseBuilder {
       .readFrom([this.deployedValidators["managerValidator"]])
       .collectFrom(
         this.managerInputs,
-        T.Data.to(
-          this.managerRedeemer,
-          ManagerValidateManagerSpending.redeemer,
-        ),
+        this.toRedeemerManager(this.managerRedeemer),
       );
   }
 
@@ -1016,22 +1092,9 @@ export class WarehouseBuilder {
       return;
     }
     invariant(this.orderRedeemer);
-    // const cases: Record<OrderRedeemer, () => void> = {
-    //   UpdateOrder: () => {
-    //     this.withdrawFromSeller();
-    //   },
-    //   CollectOrder: () => {
-    //     this.withdrawFromTreasury();
-    //   },
-    //   RedeemOrder: () => { },
-    // };
-    // cases[this.orderRedeemer]();
     this.tx
       .readFrom([this.deployedValidators["orderValidator"]])
-      .collectFrom(
-        this.orderInputs,
-        T.Data.to(this.orderRedeemer, FeedTypeOrder._redeemer),
-      );
+      .collectFrom(this.orderInputs, this.toRedeemerOrder(this.orderRedeemer));
   }
 
   spendingTreasuryInput() {
@@ -1043,10 +1106,7 @@ export class WarehouseBuilder {
       .readFrom([this.deployedValidators["treasuryValidator"]])
       .collectFrom(
         this.treasuryInputs,
-        T.Data.to(
-          this.treasuryRedeemer,
-          TreasuryValidateTreasurySpending.redeemer,
-        ),
+        this.toRedeemerTreasury(this.treasuryRedeemer),
       );
   }
 
@@ -1139,7 +1199,7 @@ export class WarehouseBuilder {
         throw Error("not implement!");
       },
       CancelLBE: defaultAssets,
-      UpdateLBE: defaultAssets,
+      UpdateLBE: createTreasury,
       CreateAmmPool: createPoolAssets,
       CollectOrders: collectOrders,
     };

src/tests/example.test.ts

@@ -4,7 +4,6 @@ import { beforeEach, expect, test } from "bun:test";
 import { FactoryValidatorValidateFactory as AmmValidateFactory } from "../../amm-plutus";
 import {
   FeedTypeAmmPool,
-  FeedTypeOrder,
   TreasuryValidateTreasurySpending,
 } from "../../plutus";
 import {
@@ -425,7 +424,7 @@ test("example flow", async () => {
     )
       .filter((u) => !u.scriptRef)
       .filter((u) => {
-        const datum = T.Data.from(u.datum!, FeedTypeOrder._datum);
+        const datum = builder.fromDatumOrder(u.datum!);
         return datum.isCollected == false;
       }) as UTxO[];
     maxCount = maxCount ?? orderUtxos.length;

src/tests/update-event.test.ts

@@ -0,0 +1,113 @@
+import { WarehouseBuilder, type BuildUpdateLBEOptions } from "../build-tx";
+import { TREASURY_MIN_ADA } from "../constants";
+import type { TreasuryDatum, UTxO } from "../types";
+import { toUnit } from "../utils";
+import { assertValidator, assertValidatorFail, loadModule } from "./utils";
+import { genWarehouse } from "./warehouse";
+
+let W: GenTestWarehouse;
+type GenTestWarehouse = Awaited<ReturnType<typeof genTestWarehouse>>;
+
+async function genTestWarehouse() {
+  let warehouse = await genWarehouse();
+  let { minswapTokenRaw, defaultTreasuryDatum, warehouseOptions, t, emulator } =
+    warehouse;
+  let builder = new WarehouseBuilder(warehouseOptions);
+  const treasuryDatum: TreasuryDatum = {
+    ...defaultTreasuryDatum,
+  };
+  const treasuryInput: UTxO = {
+    txHash: "00".repeat(32),
+    outputIndex: 1,
+    assets: {
+      [builder.treasuryToken]: 1n,
+      [minswapTokenRaw]: treasuryDatum.reserveBase,
+      lovelace: TREASURY_MIN_ADA,
+    },
+    address: builder.treasuryAddress,
+    datum: builder.toDatumTreasury(treasuryDatum),
+  };
+  let options: BuildUpdateLBEOptions = {
+    treasuryInput,
+    validFrom: t.utils.slotToUnixTime(emulator.slot),
+    validTo: t.utils.slotToUnixTime(emulator.slot + 100),
+  };
+  return {
+    ...warehouse,
+    treasuryInput,
+    treasuryDatum,
+    options,
+    builder,
+  };
+}
+
+beforeAll(async () => {
+  await loadModule();
+});
+
+beforeEach(async () => {
+  W = await genTestWarehouse();
+});
+
+test("Update LBE | PASS | update startTime", async () => {
+  let { options, builder, treasuryDatum } = W;
+  options = {
+    ...options,
+    startTime: treasuryDatum.startTime + BigInt(24 * 60 * 60 * 1000),
+  };
+  builder.buildUpdateLBE(options);
+  assertValidator(builder, "");
+});
+
+test("Update LBE | FAIL | update when LBE is cancelled", async () => {
+  let { options, builder, treasuryDatum, treasuryInput } = W;
+  treasuryDatum = {
+    ...treasuryDatum,
+    isCancelled: true,
+  };
+  treasuryInput = {
+    ...treasuryInput,
+    datum: builder.toDatumTreasury(treasuryDatum),
+  };
+  options = {
+    ...options,
+    treasuryInput,
+    startTime: treasuryDatum.startTime + BigInt(24 * 60 * 60 * 1000),
+  };
+  builder.buildUpdateLBE(options);
+  assertValidatorFail(builder);
+});
+
+test("Update LBE | FAIL | update LBE ID", async () => {
+  let { options, builder, treasuryDatum } = W;
+  options = {
+    ...options,
+    startTime: treasuryDatum.startTime + BigInt(24 * 60 * 60 * 1000),
+  };
+  let address = await W.t.wallet.address();
+  builder.buildUpdateLBE(options);
+  builder.tasks[3] = () => {
+    let treasuryOutDatum: TreasuryDatum = {
+      ...treasuryDatum,
+      baseAsset: {
+        policyId: "e16c2dc8ae937e8d3790c7fd7168d7b994621ba14ca11415f39fed72",
+        assetName: "",
+      },
+    };
+    let dummyUTxO: UTxO = {
+      txHash: "00".repeat(32),
+      outputIndex: 123,
+      assets: {
+        lovelace: 1_000_000_000n,
+        [toUnit(
+          treasuryOutDatum.baseAsset.policyId,
+          treasuryOutDatum.baseAsset.assetName,
+        )]: treasuryOutDatum.reserveBase,
+      },
+      address,
+    };
+    builder.tx.collectFrom([dummyUTxO]);
+    builder.payingTreasuryOutput({ treasuryOutDatum });
+  };
+  assertValidatorFail(builder);
+});

src/types.ts

@@ -3,8 +3,8 @@ import type {
   FactoryValidateFactory,
   FactoryValidateFactoryMinting,
   FeedTypeAmmPool,
-  FeedTypeOrder,
   ManagerValidateManagerSpending,
+  OrderValidateOrder,
   SellerValidateSellerSpending,
   TreasuryValidateTreasurySpending,
 } from "../plutus";
@@ -32,13 +32,13 @@ export type UTxO = T.UTxO;
 export type AmmPoolDatum = FeedTypeAmmPool["_datum"];
 export type FactoryDatum = FactoryValidateFactory["datum"];
 export type ManagerDatum = ManagerValidateManagerSpending["managerInDatum"];
-export type OrderDatum = FeedTypeOrder["_datum"];
+export type OrderDatum = OrderValidateOrder["datum"];
 export type SellerDatum = SellerValidateSellerSpending["sellerInDatum"];
 export type TreasuryDatum = TreasuryValidateTreasurySpending["treasuryInDatum"];
 
 export type FactoryRedeemer = FactoryValidateFactory["redeemer"];
 export type ManagerRedeemer = ManagerValidateManagerSpending["redeemer"];
 export type MintRedeemer = FactoryValidateFactoryMinting["redeemer"];
-export type OrderRedeemer = FeedTypeOrder["_redeemer"];
+export type OrderRedeemer = OrderValidateOrder["redeemer"];
 export type SellerRedeemer = SellerValidateSellerSpending["redeemer"];
 export type TreasuryRedeemer = TreasuryValidateTreasurySpending["redeemer"];

validators/feed_type.ak

@@ -1,20 +1,9 @@
 use aiken/transaction.{ScriptContext}
-use lb_v2/types.{OrderDatum, OrderRedeemer, PoolDatum}
+use lb_v2/types.{PoolDatum}
 
 // this is unused, only used to access the type in blueprints
 validator {
   fn amm_pool(_datum: PoolDatum, _redeemer: Data, _ctx: ScriptContext) -> Bool {
     False
   }
 }
-
-// this is unused, only used to access the type in blueprints
-validator {
-  fn order(
-    _datum: OrderDatum,
-    _redeemer: OrderRedeemer,
-    _ctx: ScriptContext,
-  ) -> Bool {
-    False
-  }
-}

validators/treasury.ak

@@ -100,6 +100,7 @@ validator {
           owner,
           start_time,
           seller_hash,
+          is_cancelled,
           ..
         } = treasury_in_datum
         let Address { payment_credential: owner_payment_credential, .. } = owner
@@ -112,6 +113,8 @@ validator {
         and {
           // before discovery phase
           end_valid_time_range < start_time,
+          // prevent updating the LBE when it has been cancelled.
+          is_cancelled == False,
           // Authorize by owner
           validation.validate_authorize_by_owner(
             owner_payment_credential: owner_payment_credential,