fix(zoe): assert that amountKeywordRecord is a copyRecord

BREAKING CHANGE: must harden `amountKeywordRecord` before passing to ZCF objects
Agoric · Nov 15, 2021 · 8b9910e · 8b9910e
1 parent 5774824
commit 8b9910e
Show file tree

Hide file tree

Showing 47 changed files with 373 additions and 283 deletions.
diff --git a/packages/pegasus/src/pegasus.js b/packages/pegasus/src/pegasus.js
@@ -421,9 +421,10 @@ const makePegasus = (zcf, board, namesByAddress) => {
         board,
         namesByAddress,
         denomUri,
-        retain: (zcfSeat, amounts) => zcfMint.burnLosses(amounts, zcfSeat),
+        retain: (zcfSeat, amounts) =>
+          zcfMint.burnLosses(harden(amounts), zcfSeat),
         redeem: (zcfSeat, amounts) => {
-          zcfMint.mintGains(amounts, zcfSeat);
+          zcfMint.mintGains(harden(amounts), zcfSeat);
         },
       });
 
@@ -499,8 +500,8 @@ const makePegasus = (zcf, board, namesByAddress) => {
         winner,
       ) => {
         // Transfer the amount to our backing seat.
-        loser.decrementBy({ [loserKeyword]: amount });
-        winner.incrementBy({ [winnerKeyword]: amount });
+        loser.decrementBy(harden({ [loserKeyword]: amount }));
+        winner.incrementBy(harden({ [winnerKeyword]: amount }));
         zcf.reallocate(loser, winner);
       };
 

diff --git a/packages/treasury/src/burn.js b/packages/treasury/src/burn.js
@@ -10,7 +10,7 @@ import { E } from '@agoric/eventual-send';
  */
 export async function paymentFromZCFMint(zcf, zcfMint, amount) {
   const { zcfSeat, userSeat } = zcf.makeEmptySeatKit();
-  zcfMint.mintGains({ Temp: amount }, zcfSeat);
+  zcfMint.mintGains(harden({ Temp: amount }), zcfSeat);
   zcfSeat.exit();
   return E(userSeat).getPayout('Temp');
 }
diff --git a/packages/treasury/src/collectRewardFees.js b/packages/treasury/src/collectRewardFees.js
@@ -17,12 +17,16 @@ export const makeMakeCollectFeesInvitation = (
     await E.get(offerTo(zcf, invitation, {}, {}, transferSeat)).deposited;
 
     seat.incrementBy(
-      feeSeat.decrementBy({ RUN: feeSeat.getAmountAllocated('RUN', runBrand) }),
+      feeSeat.decrementBy(
+        harden({ RUN: feeSeat.getAmountAllocated('RUN', runBrand) }),
+      ),
     );
     seat.incrementBy(
-      transferSeat.decrementBy({
-        RUN: transferSeat.getAmountAllocated('RUN', runBrand),
-      }),
+      transferSeat.decrementBy(
+        harden({
+          RUN: transferSeat.getAmountAllocated('RUN', runBrand),
+        }),
+      ),
     );
     const totalTransferred = seat.getStagedAllocation().RUN;
 

diff --git a/packages/treasury/src/liquidation.js b/packages/treasury/src/liquidation.js
@@ -52,7 +52,7 @@ export async function liquidate(
 
   const isUnderwater = !AmountMath.isGTE(runProceedsAmount, runDebt);
   const runToBurn = isUnderwater ? runProceedsAmount : runDebt;
-  burnLosses({ RUN: runToBurn }, liquidationSeat);
+  burnLosses(harden({ RUN: runToBurn }), liquidationSeat);
   vaultKit.liquidated(AmountMath.subtract(runDebt, runToBurn));
 
   // any remaining RUN plus anything else leftover from the sale are refunded

diff --git a/packages/treasury/src/stablecoinMachine.js b/packages/treasury/src/stablecoinMachine.js
@@ -121,9 +121,11 @@ export async function start(zcf, privateArgs) {
    */
   function reallocateReward(amount, fromSeat, otherSeat = undefined) {
     rewardPoolSeat.incrementBy(
-      fromSeat.decrementBy({
-        RUN: amount,
-      }),
+      fromSeat.decrementBy(
+        harden({
+          RUN: amount,
+        }),
+      ),
     );
     if (otherSeat !== undefined) {
       zcf.reallocate(rewardPoolSeat, fromSeat, otherSeat);
@@ -205,13 +207,13 @@ export async function start(zcf, privateArgs) {
       // tokens as Liquidity. These governance tokens are held by govSeat
       const { zcfSeat: govSeat } = zcf.makeEmptySeatKit();
       // TODO this should create the seat for us
-      govMint.mintGains({ Governance: govAmount }, govSeat);
+      govMint.mintGains(harden({ Governance: govAmount }), govSeat);
 
       // trade the governance tokens for collateral, putting the
       // collateral on Secondary to be positioned for Autoswap
-      seat.incrementBy(govSeat.decrementBy({ Governance: govAmount }));
-      seat.decrementBy({ Collateral: collateralIn });
-      govSeat.incrementBy({ Secondary: collateralIn });
+      seat.incrementBy(govSeat.decrementBy(harden({ Governance: govAmount })));
+      seat.decrementBy(harden({ Collateral: collateralIn }));
+      govSeat.incrementBy(harden({ Secondary: collateralIn }));
 
       zcf.reallocate(govSeat, seat);
       // the collateral is now on the temporary seat
@@ -221,7 +223,7 @@ export async function start(zcf, privateArgs) {
 
       // mint the new RUN to the Central position on the govSeat
       // so we can setup the autoswap pool
-      runMint.mintGains({ Central: runAmount }, govSeat);
+      runMint.mintGains(harden({ Central: runAmount }), govSeat);
 
       // TODO: check for existing pool, use its price instead of the
       // user-provided 'rate'. Or throw an error if it already exists.
@@ -356,9 +358,9 @@ export async function start(zcf, privateArgs) {
     } = zcf.makeEmptySeatKit();
     const bootstrapAmount = AmountMath.make(runBrand, bootstrapPaymentValue);
     runMint.mintGains(
-      {
+      harden({
         Bootstrap: bootstrapAmount,
-      },
+      }),
       bootstrapZCFSeat,
     );
     bootstrapZCFSeat.exit();

diff --git a/packages/treasury/src/vault.js b/packages/treasury/src/vault.js
@@ -201,12 +201,14 @@ export function makeVaultKit(
     // Return any overpayment
 
     const { zcfSeat: burnSeat } = zcf.makeEmptySeatKit();
-    burnSeat.incrementBy(seat.decrementBy({ RUN: runDebt }));
+    burnSeat.incrementBy(seat.decrementBy(harden({ RUN: runDebt })));
     seat.incrementBy(
-      vaultSeat.decrementBy({ Collateral: getCollateralAllocated(vaultSeat) }),
+      vaultSeat.decrementBy(
+        harden({ Collateral: getCollateralAllocated(vaultSeat) }),
+      ),
     );
     zcf.reallocate(seat, vaultSeat, burnSeat);
-    runMint.burnLosses({ RUN: runDebt }, burnSeat);
+    runMint.burnLosses(harden({ RUN: runDebt }), burnSeat);
     seat.exit();
     burnSeat.exit();
     vaultState = VaultState.CLOSED;
@@ -276,11 +278,11 @@ export function makeVaultKit(
     const proposal = seat.getProposal();
     if (proposal.want.Collateral) {
       seat.incrementBy(
-        vaultSeat.decrementBy({ Collateral: proposal.want.Collateral }),
+        vaultSeat.decrementBy(harden({ Collateral: proposal.want.Collateral })),
       );
     } else if (proposal.give.Collateral) {
       vaultSeat.incrementBy(
-        seat.decrementBy({ Collateral: proposal.give.Collateral }),
+        seat.decrementBy(harden({ Collateral: proposal.give.Collateral })),
       );
     }
   }
@@ -321,14 +323,16 @@ export function makeVaultKit(
   function transferRun(seat) {
     const proposal = seat.getProposal();
     if (proposal.want.RUN) {
-      seat.incrementBy(vaultSeat.decrementBy({ RUN: proposal.want.RUN }));
+      seat.incrementBy(
+        vaultSeat.decrementBy(harden({ RUN: proposal.want.RUN })),
+      );
     } else if (proposal.give.RUN) {
       // We don't allow runDebt to be negative, so we'll refund overpayments
       const acceptedRun = AmountMath.isGTE(proposal.give.RUN, runDebt)
         ? runDebt
         : proposal.give.RUN;
 
-      vaultSeat.incrementBy(seat.decrementBy({ RUN: acceptedRun }));
+      vaultSeat.incrementBy(seat.decrementBy(harden({ RUN: acceptedRun })));
     }
   }
 
@@ -402,13 +406,13 @@ export function makeVaultKit(
 
     // mint to vaultSeat, then reallocate to reward and client, then burn from
     // vaultSeat. Would using a separate seat clarify the accounting?
-    runMint.mintGains({ RUN: toMint }, vaultSeat);
+    runMint.mintGains(harden({ RUN: toMint }), vaultSeat);
     transferCollateral(clientSeat);
     transferRun(clientSeat);
     manager.reallocateReward(fee, vaultSeat, clientSeat);
 
     runDebt = newDebt;
-    runMint.burnLosses({ RUN: runAfter.vault }, vaultSeat);
+    runMint.burnLosses(harden({ RUN: runAfter.vault }), vaultSeat);
 
     assertVaultHoldsNoRun();
 
@@ -445,10 +449,12 @@ export function makeVaultKit(
     runDebt = AmountMath.add(wantedRun, fee);
     await assertSufficientCollateral(collateralAmount, runDebt);
 
-    runMint.mintGains({ RUN: runDebt }, vaultSeat);
+    runMint.mintGains(harden({ RUN: runDebt }), vaultSeat);
 
-    seat.incrementBy(vaultSeat.decrementBy({ RUN: wantedRun }));
-    vaultSeat.incrementBy(seat.decrementBy({ Collateral: collateralAmount }));
+    seat.incrementBy(vaultSeat.decrementBy(harden({ RUN: wantedRun })));
+    vaultSeat.incrementBy(
+      seat.decrementBy(harden({ Collateral: collateralAmount })),
+    );
     manager.reallocateReward(fee, vaultSeat, seat);
 
     updateUiState();

diff --git a/packages/treasury/src/vaultManager.js b/packages/treasury/src/vaultManager.js
@@ -205,7 +205,7 @@ export function makeVaultManager(
     );
     sortedVaultKits.updateAllDebts();
     reschedulePriceCheck();
-    runMint.mintGains({ RUN: poolIncrement }, poolIncrementSeat);
+    runMint.mintGains(harden({ RUN: poolIncrement }), poolIncrementSeat);
     reallocateReward(poolIncrement, poolIncrementSeat);
   }
 

diff --git a/packages/treasury/test/vault-contract-wrapper.js b/packages/treasury/test/vault-contract-wrapper.js
@@ -41,9 +41,11 @@ export async function start(zcf, privateArgs) {
 
   function reallocateReward(amount, fromSeat, otherSeat) {
     stableCoinSeat.incrementBy(
-      fromSeat.decrementBy({
-        RUN: amount,
-      }),
+      fromSeat.decrementBy(
+        harden({
+          RUN: amount,
+        }),
+      ),
     );
     if (otherSeat !== undefined) {
       zcf.reallocate(stableCoinSeat, fromSeat, otherSeat);

diff --git a/packages/zoe/src/cleanProposal.js b/packages/zoe/src/cleanProposal.js
@@ -4,6 +4,7 @@ import { assert, details as X, q } from '@agoric/assert';
 import { mustBeComparable } from '@agoric/same-structure';
 import { isNat } from '@agoric/nat';
 import { AmountMath, getAssetKind } from '@agoric/ertp';
+import { assertRecord } from '@agoric/marshal';
 import {
   isOnDemandExitRule,
   isWaivedExitRule,
@@ -61,10 +62,11 @@ const cleanKeys = (allowedKeys, record) => {
 export const getKeywords = keywordRecord =>
   harden(Object.getOwnPropertyNames(keywordRecord));
 
-const coerceAmountKeywordRecord = (
+export const coerceAmountKeywordRecord = (
   allegedAmountKeywordRecord,
   getAssetKindByBrand,
 ) => {
+  assertRecord(allegedAmountKeywordRecord, 'amountKeywordRecord');
   const keywords = getKeywords(allegedAmountKeywordRecord);
   keywords.forEach(assertKeywordName);
 
@@ -84,7 +86,7 @@ const coerceAmountKeywordRecord = (
   });
 
   // Recreate the amountKeywordRecord with coercedAmounts.
-  return arrayToObj(coercedAmounts, keywords);
+  return harden(arrayToObj(coercedAmounts, keywords));
 };
 
 export const cleanKeywords = keywordRecord => {

diff --git a/packages/zoe/src/contractFacet/zcfSeat.js b/packages/zoe/src/contractFacet/zcfSeat.js
@@ -9,6 +9,7 @@ import { Far } from '@agoric/marshal';
 import { isOfferSafe } from './offerSafety.js';
 import { assertRightsConserved } from './rightsConservation.js';
 import { addToAllocation, subtractFromAllocation } from './allocationMath.js';
+import { coerceAmountKeywordRecord } from '../cleanProposal.js';
 
 /** @type {CreateSeatManager} */
 export const createSeatManager = (
@@ -303,6 +304,10 @@ export const createSeatManager = (
       },
       incrementBy: amountKeywordRecord => {
         assertActive(zcfSeat);
+        amountKeywordRecord = coerceAmountKeywordRecord(
+          amountKeywordRecord,
+          getAssetKindByBrand,
+        );
         setStagedAllocation(
           zcfSeat,
           addToAllocation(getStagedAllocation(zcfSeat), amountKeywordRecord),
@@ -311,6 +316,10 @@ export const createSeatManager = (
       },
       decrementBy: amountKeywordRecord => {
         assertActive(zcfSeat);
+        amountKeywordRecord = coerceAmountKeywordRecord(
+          amountKeywordRecord,
+          getAssetKindByBrand,
+        );
         setStagedAllocation(
           zcfSeat,
           subtractFromAllocation(

diff --git a/packages/zoe/src/contractFacet/zcfZygote.js b/packages/zoe/src/contractFacet/zcfZygote.js
@@ -7,7 +7,7 @@ import { AssetKind, AmountMath } from '@agoric/ertp';
 import { makeNotifierKit, observeNotifier } from '@agoric/notifier';
 import { makePromiseKit } from '@agoric/promise-kit';
 
-import { cleanProposal } from '../cleanProposal.js';
+import { cleanProposal, coerceAmountKeywordRecord } from '../cleanProposal.js';
 import { evalContractBundle } from './evalContractCode.js';
 import { makeExitObj } from './exit.js';
 import { makeHandle } from '../makeHandle.js';
@@ -113,15 +113,6 @@ export const makeZCFZygote = (
     return { zcfSeat, userSeat: userSeatPromiseKit.promise };
   };
 
-  const assertAmountKeywordRecord = (amountKeywordRecord, name) => {
-    assert.typeof(
-      amountKeywordRecord,
-      'object',
-      X`${name} ${amountKeywordRecord} must be an amountKeywordRecord`,
-    );
-    assert(amountKeywordRecord !== null, X`${name} cannot be null`);
-  };
-
   // A helper for the code shared between MakeZCFMint and RegisterZCFMint
   const doMakeZCFMint = async (keyword, zoeMintP) => {
     const {
@@ -148,7 +139,7 @@ export const makeZCFZygote = (
         return mintyIssuerRecord;
       },
       mintGains: (gains, zcfSeat = undefined) => {
-        assertAmountKeywordRecord(gains, 'gains');
+        gains = coerceAmountKeywordRecord(gains, getAssetKindByBrand);
         if (zcfSeat === undefined) {
           zcfSeat = makeEmptySeatKit().zcfSeat;
         }
@@ -186,7 +177,7 @@ export const makeZCFZygote = (
         return zcfSeat;
       },
       burnLosses: (losses, zcfSeat) => {
-        assertAmountKeywordRecord(losses, 'losses');
+        losses = coerceAmountKeywordRecord(losses, getAssetKindByBrand);
         const totalToBurn = Object.values(losses).reduce(add, empty);
         assert(
           !zcfSeat.hasExited(),

diff --git a/packages/zoe/src/contractSupport/zoeHelpers.js b/packages/zoe/src/contractSupport/zoeHelpers.js
@@ -54,11 +54,11 @@ export const satisfies = (zcf, seat, update) => {
 /** @type {Swap} */
 export const swap = (zcf, leftSeat, rightSeat) => {
   try {
-    rightSeat.decrementBy(leftSeat.getProposal().want);
-    leftSeat.incrementBy(leftSeat.getProposal().want);
+    rightSeat.decrementBy(harden(leftSeat.getProposal().want));
+    leftSeat.incrementBy(harden(leftSeat.getProposal().want));
 
-    leftSeat.decrementBy(rightSeat.getProposal().want);
-    rightSeat.incrementBy(rightSeat.getProposal().want);
+    leftSeat.decrementBy(harden(rightSeat.getProposal().want));
+    rightSeat.incrementBy(harden(rightSeat.getProposal().want));
 
     zcf.reallocate(leftSeat, rightSeat);
   } catch (err) {
@@ -75,11 +75,11 @@ export const swap = (zcf, leftSeat, rightSeat) => {
 /** @type {SwapExact} */
 export const swapExact = (zcf, leftSeat, rightSeat) => {
   try {
-    rightSeat.decrementBy(rightSeat.getProposal().give);
-    leftSeat.incrementBy(leftSeat.getProposal().want);
+    rightSeat.decrementBy(harden(rightSeat.getProposal().give));
+    leftSeat.incrementBy(harden(leftSeat.getProposal().want));
 
-    leftSeat.decrementBy(leftSeat.getProposal().give);
-    rightSeat.incrementBy(rightSeat.getProposal().want);
+    leftSeat.decrementBy(harden(leftSeat.getProposal().give));
+    rightSeat.incrementBy(harden(rightSeat.getProposal().want));
 
     zcf.reallocate(leftSeat, rightSeat);
   } catch (err) {
@@ -178,8 +178,8 @@ export async function depositToSeat(zcf, recipientSeat, amounts, payments) {
     // exit the temporary seat. Note that the offerResult is the return value of this
     // function, so this synchronous trade must happen before the
     // offerResult resolves.
-    tempSeat.decrementBy(amounts);
-    recipientSeat.incrementBy(amounts);
+    tempSeat.decrementBy(harden(amounts));
+    recipientSeat.incrementBy(harden(amounts));
     zcf.reallocate(tempSeat, recipientSeat);
     tempSeat.exit();
     return depositToSeatSuccessMsg;
@@ -213,8 +213,8 @@ export async function depositToSeat(zcf, recipientSeat, amounts, payments) {
 export async function withdrawFromSeat(zcf, seat, amounts) {
   assert(!seat.hasExited(), 'The seat cannot have exited.');
   const { zcfSeat: tempSeat, userSeat: tempUserSeatP } = zcf.makeEmptySeatKit();
-  seat.decrementBy(amounts);
-  tempSeat.incrementBy(amounts);
+  seat.decrementBy(harden(amounts));
+  tempSeat.incrementBy(harden(amounts));
   zcf.reallocate(tempSeat, seat);
   tempSeat.exit();
   return E(tempUserSeatP).getPayouts();

diff --git a/packages/zoe/src/contracts/attestation/expiring/extendExpiration.js b/packages/zoe/src/contracts/attestation/expiring/extendExpiration.js
@@ -72,8 +72,8 @@ const extendExpiration = (
 
   // commit point within updateLienedAmount
   valueToMint.forEach(updateLienedAmount);
-  zcfMint.burnLosses(seat.getCurrentAllocation(), seat);
-  zcfMint.mintGains({ Attestation: amountToMint }, seat);
+  zcfMint.burnLosses(harden(seat.getCurrentAllocation()), seat);
+  zcfMint.mintGains(harden({ Attestation: amountToMint }), seat);
   seat.exit();
 };
 harden(extendExpiration);