TargetA shielding unshielding sidechain by event (integritee-network#…

…1502)

* enable target_a and _b syncing for sidechain mode and prepare new demo script. syncing target_a happening

* add shard vault proxy account on target A/B as well. derivation is deterministic, so the vault account is the same on all parentchains

* prepare event listener on target A and fix demoscript

* remove old enclave_bridge unshield call from trusted_call

* abstracting parentchain effect opaque_calls. stf can send to any parentchain. (only integritee implemented for now)

* sending stf extrinsics to all parentchains now

* WIP: triggering block import of target_a and b upon sidechain on_slot

* refactored aura to trigger target_a and target_b import

* shielding from target_a worked

* demo passes first and second rungit add -u!

* log cosmetics

* generic event display (fails). log cosmetics

* hack the fees. and more pimps

* recorded demo with this

* fixed cargo test

* clippy

* fixed enclave tests

* cleanup

* fix CI

* CI: introduce fee tolerance when assering balances

* fix evm tests

* fix

* clippy with test flag

* fix demo_sidechain with fee tolerance

* CI fixes

* review remarks fixed

Cargo.lock

@@ -2839,6 +2839,7 @@ dependencies = [
  "parse_duration",
  "primitive-types",
  "prometheus",
+ "regex 1.9.5",
  "scale-info",
  "serde 1.0.188",
  "serde_derive 1.0.188",
@@ -3892,6 +3893,7 @@ dependencies = [
  "itp-time-utils",
  "itp-top-pool-author",
  "itp-types",
+ "itp-utils",
  "its-block-composer",
  "its-block-verification",
  "its-consensus-common",

app-libs/parentchain-interface/src/integritee/event_handler.rs

@@ -69,8 +69,9 @@ where
 				.filter(|&event| event.to == *vault_account)
 				.try_for_each(|event| {
 					info!("found transfer_event to vault account: {}", event);
-					//call = IndirectCall::ShieldFunds(ShieldFundsArgs{ })
+					//debug!("shielding from Integritee suppressed");
 					Self::shield_funds(executor, &event.from, event.amount)
+					//Err(ParentchainError::FunctionalityDisabled)
 				})
 				.map_err(|_| ParentchainError::ShieldFundsFailure)?;
 		}

app-libs/parentchain-interface/src/lib.rs

@@ -22,6 +22,7 @@
 extern crate sgx_tstd as std;
 
 use codec::Decode;
+
 pub mod indirect_calls;
 pub mod integritee;
 pub mod target_a;

app-libs/parentchain-interface/src/target_a/event_handler.rs

@@ -15,27 +15,64 @@
 
 */
 
+use codec::Encode;
 pub use ita_sgx_runtime::{Balance, Index};
 
-use ita_stf::TrustedCallSigned;
+use ita_stf::{Getter, TrustedCall, TrustedCallSigned};
 use itc_parentchain_indirect_calls_executor::error::Error;
-use itp_stf_primitives::traits::IndirectExecutor;
-use itp_types::parentchain::{AccountId, FilterEvents, HandleParentchainEvents};
+use itp_stf_primitives::{traits::IndirectExecutor, types::TrustedOperation};
+use itp_types::parentchain::{AccountId, FilterEvents, HandleParentchainEvents, ParentchainError};
+use itp_utils::hex::hex_encode;
 use log::*;
 
 pub struct ParentchainEventHandler {}
 
+impl ParentchainEventHandler {
+	fn shield_funds<Executor: IndirectExecutor<TrustedCallSigned, Error>>(
+		executor: &Executor,
+		account: &AccountId,
+		amount: Balance,
+	) -> Result<(), Error> {
+		trace!("[TargetA] shielding for {:?} amount {}", account, amount,);
+		let shard = executor.get_default_shard();
+		let trusted_call =
+			TrustedCall::balance_shield(executor.get_enclave_account()?, account.clone(), amount);
+		let signed_trusted_call = executor.sign_call_with_self(&trusted_call, &shard)?;
+		let trusted_operation =
+			TrustedOperation::<TrustedCallSigned, Getter>::indirect_call(signed_trusted_call);
+
+		let encrypted_trusted_call = executor.encrypt(&trusted_operation.encode())?;
+		executor.submit_trusted_call(shard, encrypted_trusted_call);
+
+		Ok(())
+	}
+}
+
 impl<Executor> HandleParentchainEvents<Executor, TrustedCallSigned, Error>
 	for ParentchainEventHandler
 where
 	Executor: IndirectExecutor<TrustedCallSigned, Error>,
 {
 	fn handle_events(
-		_executor: &Executor,
-		_events: impl FilterEvents,
-		_vault_account: &AccountId,
+		executor: &Executor,
+		events: impl FilterEvents,
+		vault_account: &AccountId,
 	) -> Result<(), Error> {
-		debug!("not handling any events for target A");
+		let filter_events = events.get_transfer_events();
+		trace!(
+			"[TargetA] filtering transfer events to shard vault account: {}",
+			hex_encode(vault_account.encode().as_slice())
+		);
+		if let Ok(events) = filter_events {
+			events
+				.iter()
+				.filter(|&event| event.to == *vault_account)
+				.try_for_each(|event| {
+					std::println!("⣿TargetA⣿ 🛡 found transfer event to shard vault account: {} will shield to {}", event.amount, hex_encode(event.from.encode().as_ref()));
+					Self::shield_funds(executor, &event.from, event.amount)
+				})
+				.map_err(|_| ParentchainError::ShieldFundsFailure)?;
+		}
 		Ok(())
 	}
 }

app-libs/parentchain-interface/src/target_a/mod.rs

@@ -37,7 +37,7 @@ use itc_parentchain_indirect_calls_executor::{
 };
 use itp_node_api::metadata::pallet_balances::BalancesCallIndexes;
 use itp_stf_primitives::traits::IndirectExecutor;
-use log::trace;
+use log::{debug, trace};
 
 /// The default indirect call (extrinsic-triggered) of the Target-A-Parachain.
 #[derive(Debug, Clone, Encode, Decode, Eq, PartialEq)]
@@ -48,11 +48,16 @@ pub enum IndirectCall {
 impl<Executor: IndirectExecutor<TrustedCallSigned, Error>>
 	IndirectDispatch<Executor, TrustedCallSigned> for IndirectCall
 {
-	fn dispatch(&self, executor: &Executor) -> Result<()> {
+	fn dispatch(&self, _executor: &Executor) -> Result<()> {
+		debug!("shielding from TargetA extrinsic to Alice suppressed");
+		/*
 		trace!("dispatching indirect call {:?}", self);
 		match self {
 			IndirectCall::TransferToAliceShieldsFunds(args) => args.dispatch(executor),
 		}
+
+		 */
+		Ok(())
 	}
 }
 
@@ -89,19 +94,17 @@ where
 		};
 		let index = xt.call_index;
 		let call_args = &mut &xt.call_args[..];
-		log::trace!("[TransferToAliceShieldsFundsFilter] attempting to execute indirect call with index {:?}", index);
+		trace!("[TransferToAliceShieldsFundsFilter] attempting to execute indirect call with index {:?}", index);
 		if index == metadata.transfer_call_indexes().ok()?
 			|| index == metadata.transfer_keep_alive_call_indexes().ok()?
 			|| index == metadata.transfer_allow_death_call_indexes().ok()?
 		{
-			log::debug!(
-				"found `transfer` or `transfer_allow_death` or `transfer_keep_alive` call."
-			);
+			debug!("found `transfer` or `transfer_allow_death` or `transfer_keep_alive` call.");
 			let args = decode_and_log_error::<TransferToAliceShieldsFundsArgs>(call_args)?;
 			if args.destination == ALICE_ACCOUNT_ID.into() {
 				Some(IndirectCall::TransferToAliceShieldsFunds(args))
 			} else {
-				log::debug!("Parentchain transfer was not for Alice; ignoring...");
+				debug!("Parentchain transfer extrinsic was not for Alice; ignoring...");
 				// No need to put it into the top pool if it isn't executed in the first place.
 				None
 			}

app-libs/sgx-runtime/src/lib.rs

@@ -71,7 +71,7 @@ pub use frame_support::{
 	StorageValue,
 };
 pub use pallet_balances::Call as BalancesCall;
-pub use pallet_parentchain::Call as ParentchainCall;
+pub use pallet_parentchain::Call as ParentchainPalletCall;
 pub use pallet_timestamp::Call as TimestampCall;
 #[cfg(any(feature = "std", test))]
 pub use sp_runtime::BuildStorage;

app-libs/stf/src/getter.rs

@@ -171,7 +171,7 @@ impl ExecuteGetter for TrustedGetterSigned {
 				let info = System::account(&who);
 				debug!("TrustedGetter free_balance");
 				debug!("AccountInfo for {} is {:?}", account_id_to_string(&who), info);
-				debug!("Account free balance is {}", info.data.free);
+				std::println!("⣿STF⣿ 🔍 TrustedGetter query: free balance for ⣿⣿⣿ is ⣿⣿⣿",);
 				Some(info.data.free.encode())
 			},
 			TrustedGetter::reserved_balance(who) => {

app-libs/stf/src/lib.rs

@@ -44,3 +44,6 @@ pub mod test_genesis;
 pub mod trusted_call;
 
 pub(crate) const ENCLAVE_ACCOUNT_KEY: &str = "Enclave_Account_Key";
+
+// fixme: this if  a temporary hack only
+pub const STF_TX_FEE: Balance = 100000000;

app-libs/stf/src/stf_sgx.rs

@@ -31,10 +31,7 @@ use itp_stf_interface::{
 };
 use itp_stf_primitives::{error::StfError, traits::TrustedCallVerification};
 use itp_storage::storage_value_key;
-use itp_types::{
-	parentchain::{AccountId, ParentchainId},
-	OpaqueCall,
-};
+use itp_types::parentchain::{AccountId, ParentchainCall, ParentchainId};
 use itp_utils::stringify::account_id_to_string;
 use log::*;
 use sp_runtime::traits::StaticLookup;
@@ -147,7 +144,7 @@ where
 	fn execute_call(
 		state: &mut State,
 		call: TCS,
-		calls: &mut Vec<OpaqueCall>,
+		calls: &mut Vec<ParentchainCall>,
 		node_metadata_repo: Arc<NodeMetadataRepository>,
 	) -> Result<(), Self::Error> {
 		state.execute_with(|| call.execute(calls, node_metadata_repo))

app-libs/stf/src/test_genesis.rs

@@ -42,9 +42,9 @@ const ENDOWED_SEED: Seed = *b"12345678901234567890123456789012";
 const SECOND_ENDOWED_SEED: Seed = *b"22345678901234567890123456789012";
 const UNENDOWED_SEED: Seed = *b"92345678901234567890123456789012";
 
-const ALICE_FUNDS: Balance = 1000000000000000;
-pub const ENDOWED_ACC_FUNDS: Balance = 2000;
-pub const SECOND_ENDOWED_ACC_FUNDS: Balance = 1000;
+const ALICE_FUNDS: Balance = 10_000_000_000_000_000;
+pub const ENDOWED_ACC_FUNDS: Balance = 2_000_000_000_000;
+pub const SECOND_ENDOWED_ACC_FUNDS: Balance = 1_000_000_000_000;
 
 pub fn endowed_account() -> ed25519::Pair {
 	ed25519::Pair::from_seed(&ENDOWED_SEED)

app-libs/stf/src/trusted_call.rs

@@ -24,7 +24,7 @@ use std::vec::Vec;
 #[cfg(feature = "evm")]
 use crate::evm_helpers::{create_code_hash, evm_create2_address, evm_create_address};
 use crate::{
-	helpers::{ensure_enclave_signer_account, get_storage_by_key_hash},
+	helpers::{enclave_signer_account, ensure_enclave_signer_account, get_storage_by_key_hash},
 	Getter,
 };
 use codec::{Compact, Decode, Encode};
@@ -44,7 +44,10 @@ use itp_stf_primitives::{
 	traits::{TrustedCallSigning, TrustedCallVerification},
 	types::{AccountId, KeyPair, ShardIdentifier, Signature, TrustedOperation},
 };
-use itp_types::{parentchain::ProxyType, Address, OpaqueCall};
+use itp_types::{
+	parentchain::{ParentchainCall, ProxyType},
+	Address, OpaqueCall,
+};
 use itp_utils::stringify::account_id_to_string;
 use log::*;
 use sp_core::{
@@ -214,7 +217,7 @@ where
 
 	fn execute(
 		self,
-		calls: &mut Vec<OpaqueCall>,
+		calls: &mut Vec<ParentchainCall>,
 		node_metadata_repo: Arc<NodeMetadataRepository>,
 	) -> Result<(), Self::Error> {
 		let sender = self.call.sender_account().clone();
@@ -259,12 +262,26 @@ where
 			},
 			TrustedCall::balance_transfer(from, to, value) => {
 				let origin = ita_sgx_runtime::RuntimeOrigin::signed(from.clone());
-				debug!(
-					"balance_transfer({}, {}, {})",
+				std::println!("⣿STF⣿ 🔄 balance_transfer from ⣿⣿⣿ to ⣿⣿⣿ amount ⣿⣿⣿");
+				// endow fee to enclave (self)
+				let fee_recipient: AccountId = enclave_signer_account();
+				// fixme: apply fees through standard frame process and tune it
+				let fee = crate::STF_TX_FEE;
+				info!(
+					"from {}, to {}, amount {}, fee {}",
 					account_id_to_string(&from),
 					account_id_to_string(&to),
-					value
+					value,
+					fee
 				);
+				ita_sgx_runtime::BalancesCall::<Runtime>::transfer {
+					dest: MultiAddress::Id(fee_recipient),
+					value: fee,
+				}
+				.dispatch_bypass_filter(origin.clone())
+				.map_err(|e| {
+					Self::Error::Dispatch(format!("Balance Transfer error: {:?}", e.error))
+				})?;
 				ita_sgx_runtime::BalancesCall::<Runtime>::transfer {
 					dest: MultiAddress::Id(to),
 					value,
@@ -276,28 +293,36 @@ where
 				Ok(())
 			},
 			TrustedCall::balance_unshield(account_incognito, beneficiary, value, shard) => {
-				debug!(
-					"balance_unshield({}, {}, {}, {})",
+				std::println!(
+					"⣿STF⣿ 🛡👐 balance_unshield from ⣿⣿⣿ to {}, amount {}",
+					account_id_to_string(&beneficiary),
+					value
+				);
+				// endow fee to enclave (self)
+				let fee_recipient: AccountId = enclave_signer_account();
+				// fixme: apply fees through standard frame process and tune it. has to be at least two L1 transfer's fees
+				let fee = crate::STF_TX_FEE * 3;
+
+				info!(
+					"balance_unshield(from (L2): {}, to (L1): {}, amount {} (+fee: {}), shard {})",
 					account_id_to_string(&account_incognito),
 					account_id_to_string(&beneficiary),
 					value,
+					fee,
 					shard
 				);
-				unshield_funds(account_incognito, value)?;
 
-				calls.push(OpaqueCall::from_tuple(&(
-					node_metadata_repo
-						.get_from_metadata(|m| m.unshield_funds_call_indexes())
-						.map_err(|_| StfError::InvalidMetadata)?
-						.map_err(|_| StfError::InvalidMetadata)?,
-					shard,
-					beneficiary.clone(),
-					value,
-					call_hash,
-				)));
-				// todo: the following is a placeholder dummy which will replace the above with #1257.
-				// the extrinsic will be sent and potentially deplete the vault at the current state which
-				// is nothing to worry about before we solve mentioned issue.
+				let origin = ita_sgx_runtime::RuntimeOrigin::signed(account_incognito.clone());
+				ita_sgx_runtime::BalancesCall::<Runtime>::transfer {
+					dest: MultiAddress::Id(fee_recipient),
+					value: fee,
+				}
+				.dispatch_bypass_filter(origin)
+				.map_err(|e| {
+					Self::Error::Dispatch(format!("Balance Unshielding error: {:?}", e.error))
+				})?;
+				burn_funds(account_incognito, value)?;
+
 				let vault_pubkey: [u8; 32] = get_storage_by_key_hash(SHARD_VAULT_KEY.into())
 					.ok_or_else(|| {
 						StfError::Dispatch("shard vault key hasn't been set".to_string())
@@ -320,7 +345,7 @@ where
 					None::<ProxyType>,
 					vault_transfer_call,
 				));
-				calls.push(proxy_call);
+				calls.push(ParentchainCall::TargetA(proxy_call));
 				Ok(())
 			},
 			TrustedCall::balance_shield(enclave_account, who, value) => {
@@ -329,15 +354,15 @@ where
 				shield_funds(who, value)?;
 
 				// Send proof of execution on chain.
-				calls.push(OpaqueCall::from_tuple(&(
+				calls.push(ParentchainCall::Integritee(OpaqueCall::from_tuple(&(
 					node_metadata_repo
 						.get_from_metadata(|m| m.publish_hash_call_indexes())
 						.map_err(|_| StfError::InvalidMetadata)?
 						.map_err(|_| StfError::InvalidMetadata)?,
 					call_hash,
 					Vec::<itp_types::H256>::new(),
 					b"shielded some funds!".to_vec(),
-				)));
+				))));
 				Ok(())
 			},
 			#[cfg(feature = "evm")]
@@ -476,7 +501,7 @@ where
 	}
 }
 
-fn unshield_funds(account: AccountId, amount: u128) -> Result<(), StfError> {
+fn burn_funds(account: AccountId, amount: u128) -> Result<(), StfError> {
 	let account_info = System::account(&account);
 	if account_info.data.free < amount {
 		return Err(StfError::MissingFunds)
@@ -487,15 +512,30 @@ fn unshield_funds(account: AccountId, amount: u128) -> Result<(), StfError> {
 		new_free: account_info.data.free - amount,
 	}
 	.dispatch_bypass_filter(ita_sgx_runtime::RuntimeOrigin::root())
-	.map_err(|e| StfError::Dispatch(format!("Unshield funds error: {:?}", e.error)))?;
+	.map_err(|e| StfError::Dispatch(format!("Burn funds error: {:?}", e.error)))?;
 	Ok(())
 }
 
 fn shield_funds(account: AccountId, amount: u128) -> Result<(), StfError> {
+	//fixme: make fee configurable and send fee to vault account on L2
+	let fee = amount / 571; // approx 0.175%
+
+	// endow fee to enclave (self)
+	let fee_recipient: AccountId = enclave_signer_account();
+
+	let account_info = System::account(&fee_recipient);
+	ita_sgx_runtime::BalancesCall::<Runtime>::force_set_balance {
+		who: MultiAddress::Id(fee_recipient),
+		new_free: account_info.data.free + fee,
+	}
+	.dispatch_bypass_filter(ita_sgx_runtime::RuntimeOrigin::root())
+	.map_err(|e| StfError::Dispatch(format!("Shield funds error: {:?}", e.error)))?;
+
+	// endow shieding amount - fee to beneficiary
 	let account_info = System::account(&account);
 	ita_sgx_runtime::BalancesCall::<Runtime>::force_set_balance {
 		who: MultiAddress::Id(account),
-		new_free: account_info.data.free + amount,
+		new_free: account_info.data.free + amount - fee,
 	}
 	.dispatch_bypass_filter(ita_sgx_runtime::RuntimeOrigin::root())
 	.map_err(|e| StfError::Dispatch(format!("Shield funds error: {:?}", e.error)))?;