feat(x/provider): consumer fee pool deposits with per-depositor shares#46
feat(x/provider): consumer fee pool deposits with per-depositor shares#46giunatale wants to merge 30 commits into
Conversation
…merFeePool with ValidateBasic
…r sentinels, withdraw_path
giunatale
requested review from
clockworkgr,
giuliostramondo,
julienrbrt and
tbruyelle
as code owners
|
Allowing the depositor to arbitrarily withdraw their funds could deceive others thinking they are enough funded for validation. The depositor could pull out the funds and basically censor the chain until someone else re-add funds. |
governance should not get involved here. |
giunatale
changed the title
|
My point was about the share tracking, which I don't think is necessary. Governance should not overfund a chain, that isn't capital efficient. Governance could be allowed to claw it back on shutdown. By censoring I mean, if a depositor deceived everyone to believe the chain was well funded and pull out liquidity for enabling the ante handler that blocks all txs, imho it is censoring the chain. I know we are talking about a super edge case requiring social engineering, but that was my first thought 😅 so I had to mention it. I do agree that is it quite far fetched. Generally I just find the system more complex while we could keep it KISS. If we do go with that, the code lgtm, we should make sure to have a minimum deposit to prevent state bloating because of dust |
|
I don't disagree that this system is not necessarily simple, and I appreciate the pushback. The approach taken here is the result of discussions started in #37 and then in a call with @tbruyelle. Regarding
governance moves slowly, so preemptive (larger) allocation isn't necessarily out of the question. Moreover, auto-sweep (claw back) on shutdown is not the use case I was thinking, but before a shutdown. and in any case, there needs to be some form of accounting because otherwise we are handing power either to the owner of the consumer or the provider governance over all funds, and to me neither is correct. Believe me I also am not happy with the implementation here, it's definitely not KISS. But as I wrote in #37 the more I thought about it the more I got convinced that "the simple solution is a bad solution". We should have an open-ended discussion with you and Thomas. I am not against scrapping all-or-part of this solution, but I want to be convinced a simpler alternative is better (not from an engineering standpoint). |
tbruyelle
left a comment
tbruyelle
left a comment
There was a problem hiding this comment.
This is a first round of review before the next changes related to our discussions
|
added locks for withdraw/sweep if chain is launched. In any other state funds can still be withdrawn (so a little different than just allowing when stopped, but imho logically more sound). Authority has a bypass and can still withdraw at launched state added minimum deposit check with a param multiplier used to compute the min deposit when multiplied by the fees_per_block. Preferably better to merge #47 first so this PR can be updated to match the changes in #47. Also addressed @tbruyelle feedback (lmk if looks good) and merged master |
3 participants
closes #37
supersedes #37 with a share-based per-depositor design: every deposit mints shares for the signer (or, for gov-authority deposits - meaning funding from community pool, for the distribution module account). Each depositor controls their own withdraw, the consumer owner can trigger a pro-rata sweep. Auto-sweep on consumer delete settles the pool.
A
bank.SendRestrictionrejects bank transfers to fee pools so the share accounting can never drift from the pool balance.See
docs/consumer-fee-pool.mdfor more details.