program: move to lamport-based accounting

[2501babe]

in #580 we made the onramp mandatory in deposit and withdraw, after six months where it was added as an optional account. in #582 we changed from "1sol locked stake, hidden from calculations" to "1sol locked stake, used in calculations, alongside 1b fake tokens." in #586 we used stake history to fully ban deposits into any pool that is not fully active or newly activating, to eliminate thinking about weird edge cases

now this pr changes the fundamental unit of value for svsp from "active or activating stake in the main account" to "non-rent lamport in either the main or the onramp account." this clears the way to implement DepositSol as described in #46, since liquid sol deposits will immediately become accountable value

closes #581

[2501babe]

note the calculate_deposit_amount() and calculate_withdraw_amount() changes are just renaming variables

[2501babe]

these changes to replenish are mostly just style to align with the other functions, though moving get_minimum_delegation() after check_stake_program() is technically a correctness improvement

[2501babe]

this is like the third version of the user_excess_lamports calculation and while it feels strange to calculate from the user rather than from the pool i can find no reason this isnt correct

[joncinque]

It's a little strange, but we should be able to trust the stake program to do the right thing.

The only use-case that could be worrying is a multi-epoch activation, but those don't allow merges anyway.

[2501babe]

because of #586 we know via stake history the pool account is either 100% activating or 100% active, and the user account is 100% active (with pool active), or 100% activating or inactive (with pool activating), otherwise we abort before we call Merge. so this is perhaps less complicated than it feels and we dont rely on Merge to reject it

[2501babe]

the new deposit math feels straightforward to me but this is an important thing to scrutinize

we have already asserted the pool is fully active or newly activating. then we get NEV ie stakeable lamport sum of both pool accounts. we assert user stake is in a happy state and merge. we simply get pool stake delegation delta by subtracting pre from post. and then user excess lamports are pre-user lamports minus new stake. we then use new stake to calculate pool tokens

[2501babe]

this is quite touchy but i believe it to be correct. if there is any activating, deactivating, or effective stake then the delegation is meaningful, and its full value is always used, so we calculate off delegation. for a fully inactive stake we must calculate off lamports

the withdraw process gets pool NEV and uses that to calculate the amount to pass to the stake program, which does not depend on stake delegation. "withdrawable value" is just a guard for friendly error messages

[joncinque]

This looks correct to me -- there's weirdness in the activating case, since in some situations we do treat those as normal lamports, like merge, but split doesn't do that.

[2501babe]

@joncinque @grod220 id appreciate if you could both review since this pr is definitely the highest risk change of the various things ive done the past couple weeks to this program

[joncinque]

Looks great overall! Just a question on the accounting in the test

[joncinque]

It's a little strange, but we should be able to trust the stake program to do the right thing.

The only use-case that could be worrying is a multi-epoch activation, but those don't allow merges anyway.

[joncinque]

This looks correct to me -- there's weirdness in the activating case, since in some situations we do treat those as normal lamports, like merge, but split doesn't do that.

[joncinque]

Certainly can't hurt to check!

[joncinque]

I wonder if it's worth outputting some message in this case, so that people know that their funds aren't locked, and what they need to do.

That could also be addressed in the future whenever there's a WithdrawSol instruction

[joncinque]

Sorry, I'm having a hard time with these:

• why does prior_deposit reduce the expected deposit by 1 token? Is it due to truncation during calculation?
• the one token difference between the last two branches makes sense -- if it's active, then you don't get tokens for your refunded rent, which probably gives that 1 token difference. Why does !prior_deposit && pool_extra_lamports != 0 reduce the tokens received by 10 though? Does the truncation just get bigger because there are fewer tokens in the pool?

Do you think you could add some comments for these or (arguably) better, rewrite these situations in terms of a match statement?

[grod220]

how about we go for a ReplenishRequired error here?

[grod220]

I guess a large donation could also prevent a withdraw here and delay it to the next epoch?

[2501babe]

more importantly a large DepositSol when that is added in the next pr, its highly unlikely this would be hit any other way (youd need a huge transfer in or a pool with nearly no value, since mev rewards are such a small fraction of stake). i plan for sol deposit to require post hoc replenish

we discussed a bit here #46, i had the idea of capping sol deposits to a % of nev to prevent the most annoying case, a large deposit that is instantly withdrawn, delaying other withdrawals an epoch. but i think jon is right to just not overcomplicate things by introducing that

essentially the problem is unavoidable in some form or another since by introducing DepositSol the pool begins selling instant activation as a service. but i also noted this is probably not that big a deal since:

• after realizing this i decided to charge 10x more for DepositSol
• the service on offer is instant activation, not instant deactivation. you can imagine the market paying any price for the latter during a high volatility event, but its hard to imagine something that would make people say "shit!! xyz just happened!!! i need my sol to get more illiquid NOW!!!"

[grod220]

Can we get a test for this?

[grod220]

Can we get tests for these err exit paths?