[POC] SV weight management fully on-ledger#5567
Conversation
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Co-authored-by: Itai Segall <itai.segall@digitalasset.com> Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
|
@isegall-da |
|
Thanks @jose-velasco-ieu great work! |
…hts.daml Co-authored-by: Itai Segall <itai.segall@digitalasset.com> Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
…vRewardBeneficiaries with empty beneficiaries to the onboard flow of a hosted SV Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
…ry distribution Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
| with | ||
| newHostedSvParty : Party | ||
| newHostedSvName : Text | ||
| newHostedSv : Party |
There was a problem hiding this comment.
hmm, why did you remove the name? I believe we do want also a human-readable name in addition to the party.
There was a problem hiding this comment.
ok, I will add it
| pure DsoRules_UpdateHostedSvWeightResult with newDsoRules | ||
| hostedSv <- fetchAndArchive (ForDso with dso) hostedSvCid | ||
| newHostedSvCid <- create hostedSv with rewardWeight = newRewardWeight | ||
| pure DsoRules_UpdateHostedSvWeightResult with newHostedSvCid |
There was a problem hiding this comment.
Shouldn't we just have a consuming choice in HostedSv controlled by the dso, and call it from here?
There was a problem hiding this comment.
ok, I will add it
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
moritzkiefer-da
left a comment
moritzkiefer-da
left a comment
There was a problem hiding this comment.
Thanks, this looks directionally correct. But I think the vetting assumptions are not gonna work out.
We should aim to keep the property that non-SV node operators do not need to vet dso-governance and instead only need to vet amulet. Right now the way you have set observers this will not work in practice.
I'm also a bit unclear on the trust assumptions. It seems like we may be giving the SV operators a bit too much power here.
| -- ^ Voted action to instruct the update of the SV operator for a hosted SV. | ||
| | SRARC_AddSvNode DsoRules_AddSvNode | ||
| -- ^ Voted action to directly add an SV node. | ||
| | SRARC_OffboardSvNode DsoRules_OffboardSvNode |
There was a problem hiding this comment.
you added 3 new variants here but did not deprecate SRARC_AddSv, SRARC_offboard_SV and SRARC_ConfirmSvOnboarding. When will we use which of them?
There was a problem hiding this comment.
I've added some notes like this one:
-- Note: Deprecate in phase 2
choice DsoRules_AddSv : DsoRules_AddSvResult
Note that this is just a POC, not a final Daml PR
There was a problem hiding this comment.
Note that this is just a POC, not a final Daml PR
That's fine. What I would suggest is to add clear TODOs/FIXME comments for everything you're skipping over at this point.
| deriving (Eq, Show) | ||
|
|
||
|
|
||
| -- Note: Implement in phase 1 |
There was a problem hiding this comment.
Maybe add a TODO or FIXME here. I don't mind these phase comments for this PR but they should be gone in the final implementation.
| -- reward weight percentages. Each beneficiary party must be unique. | ||
| where | ||
| ensure | ||
| unique (map fst beneficiaries) |
There was a problem hiding this comment.
any reason not to make this a Map so you don't need the unique assertion?
Asked differently: Is the order significant?
There was a problem hiding this comment.
It makes sense
| && notElem hostedSv (map fst beneficiaries) | ||
|
|
||
| signatory dso | ||
| observer hostedSv |
There was a problem hiding this comment.
Let's please add comments in all the places where we add extra observers on why we need them. Generally we should aim to limit them as much as possible to avoid potential vetting issues.
There was a problem hiding this comment.
Given your comment
We should aim to keep the property that non-SV node operators do not need to vet dso-governance and instead only need to vet amulet. Right now the way you have set observers this will not work in practice.
I can remove hostedSv as an observer, since it is not necessary: the DSO controls all the flows.
There was a problem hiding this comment.
We need to keep it as the hostedSv needs to exercise HostedSv_UpdateBeneficiaries
| ensure rewardWeight > 0 | ||
|
|
||
| signatory dso | ||
| observer hostedSv |
There was a problem hiding this comment.
If you make the hostedSv an observer on this, each hostedSv needs to now have vetted the dso packages. Is that a valid assumption? It is definitely not given for how hosted SVs are used through beneficiaries today.
There was a problem hiding this comment.
I agree, I will remove it.
There was a problem hiding this comment.
We need to keep it as the hostedSv needs to exercise HostedSv_UpdateBeneficiaries
choice HostedSv_UpdateBeneficiaries : HostedSv_UpdateBeneficiariesResult
with
newBeneficiaries : Map Party Decimal
controller hostedSv
Do you think we still need a comment about why we need hostedSv to be an observer?
|
|
||
| return DsoRules_OffboardSvResult with .. | ||
|
|
||
| -- Note: Implement in phase 2 |
There was a problem hiding this comment.
don't really understand the comment if you're already implementing it.
There was a problem hiding this comment.
Ok, I will remove all the comments regarding phases.
| svOperator : Party | ||
| controller dso | ||
| do | ||
| require "There is more than one sv node" (Map.size svs > 1) |
There was a problem hiding this comment.
related to my comment above on deprecating the other choices, it's not obvious to me how this is different from the other offboard choice
There was a problem hiding this comment.
It is just about naming.
@isegall-da requested this
There was a problem hiding this comment.
A whole new choice just for changing the name? @isegall-da that seems pretty questionable to me.
There was a problem hiding this comment.
Ha? I don't think I requested this.
I only requested that in new choices we are explicit and consistent in naming, and said "unfortunately we cannot fix this in existing choices". Did not mean to suggest that we should reimplement the existing ones for this.
There was a problem hiding this comment.
My bad, I misunderstood your suggestion.
| -- ^ The full beneficiary distribution to set. | ||
| svOperator : Party | ||
| -- ^ The SV node operator hosting the hosted SV whose beneficiary distribution is being managed. | ||
| controller svOperator |
There was a problem hiding this comment.
so a hosted SV gets unilateral control over the beneficiaries? So if I'm hosting 10 SVs I can just change all their beneficiaries to myself and get their rewards until someone notices? That seems kinda bad. You do have to trust an SV operator for availability so if it's down (malciously or not) you don't mint but giving them the power to just mint everything to themselves seems much worse.
There was a problem hiding this comment.
The SV node operator has control over their hosted SV beneficiaries. This was a requirement and trust assumption raised by @isegall-da and @waynecollier-da.
There was a problem hiding this comment.
@isegall-da @waynecollier-da can you expand why we want this? It makes sense that each hosted SV can configure their beneficiaries. But the fact that an SV operator can configure the beneficiaries of all SV hosted on them seems super dodgy. The whole point of the on-ledger weights is to have this properly governed and not just fully under the control of the operator. This essentially fully undoes that and the SV operator can again freely chose how it splits the minted rewards for SVs hosted on its node.
There was a problem hiding this comment.
AFAICT the requirement was that the hosted SV (not the operator) can change beneficiaries without a vote.
We accepted the trust assumption that "the hosted SV fully trusts the operator anyway, so might as well trust them to set the beneficiaries for them", but I wouldn't call that a requirement.
The problem is that currently we don't plan to have a UI for hosted SVs which is why I thought "just send an email to your operator to do it for you" is acceptable for now.
There was a problem hiding this comment.
More than happy for better ideas how not to require this strong of a trust.
There was a problem hiding this comment.
Can you please confirm this?
HostedSv template will live in splice-amulet, HostedSv_UpdateBeneficiaries is controlled by hostedSv, and HostedSv_UpdateBeneficiaries is exercised directly via the contract.
The rest will be managed via DsoRules.
template HostedSv
with
dso : Party
-- ^ The DSO party.
hostedSv : Party
-- ^ The hosted SV party whose reward coupons are created by the SV operator.
svOperator : Party
-- ^ The SV node operator party responsible for creating reward coupons for
-- 'hostedSv'.
rewardWeight : Int
-- ^ The hosted SV reward weight. Must be strictly greater than 0.
hostedSvName : Text
-- ^ Human-readable name of the hosted SV.
beneficiaries : [(Party, Decimal)]
-- ^ Beneficiary parties, excluding 'hostedSv', and their corresponding positive
-- reward weight percentages. Each beneficiary party must be unique.
where
ensure
rewardWeight > 0
&& unique (map fst beneficiaries)
&& all (> 0.0) (map snd beneficiaries)
&& sum (map snd beneficiaries) <= 1.0
&& notElem hostedSv (map fst beneficiaries)
signatory dso
observer hostedSv
choice HostedSv_UpdateRewardWeight : HostedSv_UpdateRewardWeightResult
with
newRewardWeight : Int
controller dso
do
hostedSvCid <- create this with rewardWeight = newRewardWeight
pure HostedSv_UpdateRewardWeightResult with hostedSvCid
choice HostedSv_UpdateBeneficiaries : HostedSv_UpdateBeneficiariesResult
with
newBeneficiaries : [(Party, Decimal)]
controller hostedSv
do
hostedSvCid <- create this with beneficiaries = newBeneficiaries
pure HostedSv_UpdateBeneficiariesResult with hostedSvCid
There was a problem hiding this comment.
Ah I missed the fact that we now also merged the templates. In that case, maybe let's actually keep it in dso-governance. Moving everything seems like a bit of a mess. Let's be clear in the design doc though that this will require changes to the validator app to support configuring it such that it vets dso governance packages.
There was a problem hiding this comment.
we now also merged the templates
Sorry, I suggested that yesterday, missed these potential implications.
changes to the validator app to support configuring it
Maybe add a button/checkbox in the same new wallet UI tab that we discussed above that triggers that vetting, something like "enable hosted SV functionality" or some better wording ?
There was a problem hiding this comment.
Maybe add a button/checkbox in the same new wallet UI tab that we discussed above that triggers that vetting, something like "enable hosted SV functionality" or some better wording ?
I would just make it a validator config setting. I don't think you want an end user to allow controlling this.
There was a problem hiding this comment.
done
I will add a note about that in the design doc.
| -- Note: Implement in phase 1 | ||
| -- Note: Deprecate in phase 2. | ||
| -- | ||
| -- Trust assumption: |
There was a problem hiding this comment.
why would we trust the SV operator to do that and not make it a vote?
There was a problem hiding this comment.
Yeah, we might have a temporary vote for the migration.
Please let me know if I should implement that.
cc: @isegall-da
There was a problem hiding this comment.
I honestly don't see a big problem trusting the operators to trigger this once, we can manage this through sv-ops procedures and make it mandatory to comply, this doesn't need to be simultaneous for everyone. But also wouldn't object to a vote if you want to go through the trouble of implementing one.
There was a problem hiding this comment.
Please let me know how you'd like me to proceed.
@isegall-da @moritzkiefer-da
There was a problem hiding this comment.
The part I somewhat dislike is that we're introducing governed on-ledger state but then the introduction of that state is not done through governance but unilaterally. That just feels a bit fishy to me compared to an explicit step where you vote on it. And given that it's a one-time action the overhead in terms of votes seems irrelevant and maybe even desired as everyone needs to review the state the SV set unilaterally anyway.
So I'd still lean towards the vote. @isegall-da what exactly do you mean by "the trouble of implementing one"? From a Daml perspective this adds very little extra. I guess the UI work does have a bit of overhead?
There was a problem hiding this comment.
Or maybe we should modify the existing DsoRules_MigrateHostedSvs choice so that it migrates all hosted SVs.
There was a problem hiding this comment.
It would be a one-time action for each SV node operator.
sure but that's 13. Not that crazy of a number.
I'd still lean towards a vote but happy to be overruled here.
There was a problem hiding this comment.
We'll need to support this vote type everywhere, external explorers will need to parse it, etc.
There was a problem hiding this comment.
I also don't feel super strongly against. @jose-velasco-ieu want to be the tie breaker? ;)
There was a problem hiding this comment.
In my opinion, as I mentioned in the “trust assumption” section, this just extends the hosted SVs’ trust slightly.
Notice that DsoRules_MigrateHostedSvs checks that the overall weight is not modified.
-- This is consistent with the current model, where the SV operator already configures
-- the reward weights and beneficiary distribution in its SV app. Therefore, the SVs
-- operated by this SV operator already rely on it to use the correct reward
-- distribution.
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
…es HostedSv_UpdateBeneficiaries directly) Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
…(the contract may change when the vote is effective) Signed-off-by: Jose Velasco <jose.velasco@intellecteu.com>
|
Let's review and discuss in the Monday governance call. @isegall-da can you put this on the agenda? |
@waynecollier-da Sorry, are you referring to something specific here, or are you proposing a walkthrough of the entire current state? |
|
The question of whether to require all hosted SVs to vet governance changes. My preference would be to avoid doing that, but I don't understand all the tradeoffs just by reading the discussion above. |
5 participants
Summary
This PR adds a Daml draft for the new on-ledger hosted SV weight model. The goal is to represent SV reward weights fully on-ledger, including SV beneficiary distributions. Additionally, a new SV node onboarding flow is implemented.
The actual implementation will consist of two phases:
Phase 1
TODO
Phase 2
TODO
Pull Request Checklist
Cluster Testing
/cluster_teston this PR to request it, and ping someone with access to the DA-internal system to approve it./hdm_teston this PR to request it, and ping someone with access to the DA-internal system to approve it./lsu_teston this PR to request it, and ping someone with access to the DA-internal system to approve it.PR Guidelines
Fixes #n, and mention issues worked on using#nMerge Guidelines