client: bond reserves

[chappjc]

Requires #2036. In draft until that's settled.

This PR is the commits starting with client/{asset,core}: RefundBond broadcasts too.

Commit messages (but there are a ton of "fixup" commits already pushed that will be squashed before this is merged):

client/{asset,core}: RefundBond broadcasts too

The asset.Bonder.RefundBond method now broadcasts, as it was supposed
to from the beginning. Only MakeBondTx required broadcasting in the
consumer.

client/{asset,core,webserver}: BondLocked balance category

This adds the client.WalletBalance.BondLocked field, which parallels
the ContractLocked field. These are used for core to supplement the
wallet's reported balance with values that the wallet does not
include in the balance itself because they are not spendable by the
wallet alone (core authors the spending tx).

This also updates the web UI's TypeScript to include bondLocked
when appropriate.  This also fixes a bug where contractLocked was
not included on the wallets page's "Locked" balance category.

This also adds to DCR's implementation fields for reserves tracking.
The values are included in the reported asset.Balance. Subsequent
commits will add the ability modify the reserves, and for funding
methods to respect the reserves.

client/asset/dcr: respect reserves in funding

This updates the DCR wallet's transaction funding method and helpers to
respect the reserves added in the previous commit.

To do so without creating sizing transactions to actively isolate the
reserved value, we add new coin selection functions that we use exclude
UTXOs from transaction funding. The objective of these coin selection
functions is different from order funding coin selection.

The main helper, leastOverFund, attempts to pick a subset of the provided
UTXOs to reach the required amount with the objective of minimizing the
total amount of the selected UTXOs. This is different from the objective
used when funding orders, which is to minimize the number of UTXOs (to
minimize fees).

NOTE: The provided UTXO set MUST be sorted in ascending order (smallest
first, largest last)!

leastOverFund begins by partitioning the UTXO slice before the smallest
single UTXO that is large enough to fully fund the requested amount, if
it exists. If the smaller set is insufficient, the single largest UTXO
is returned. If instead the set of smaller UTXOs has enough total
value, it will search for a subset that reaches the amount with least
over-funding (see subsetSmallBias and subsetLargeBias). If that subset
has less combined value than the single sufficiently-large UTXO (if it
exists), the subset will be returned, otherwise the single UTXO will be
returned.

We also modify the "enough" functions and their constructors with
excess (change) reporting in a new return from the enough function.
The constructor also accepts a flag indicating if this returned value
should be set to zero. The tryFund helper now returns the final excess
value when it completes UTXO selection. This is used in the
(*ExchangeWallet).fund method, and in other callers, to discern if
there would be sufficient remaining in the wallet (including this
change) to satisfy a reserved amount. This amount is an input to fund
called "keep". If change should not be considered "kept" (e.g. no
preceding split txn, or mixing sends change to umixed account where it
is unusable for reserves), caller should return 0 extra from the enough
func (via the enough func's constructor flag).

client/{asset,core}: reserves track as bonds are spend/refunded

This updates DCR's backend to begin modifying the reserves fields
as bonds are created (locked UTXOs) and spend (unlock UTXOs into
balance). Subsequent commits add the new exported wallet
interface methods for a consumer (core) to prepare and adjust the
reserves for the client's needs.

This also modifies the wallet's MakeBondTx method signature with
an additional return, an "abandon" function" to be used if the
consumer decides not to broadcast the generated bond transaction.
This function both unlocks the bond's funding utxos, and reverts
the reserves updates that were made when the transaction was
created.

client/{asset,core}: ReserveBondFunds and dexAccount.tierChange

This adds the new Bonder methods, RegisterUnspent and ReserveBondFunds:

RegisterUnspent informs the wallet of a certain amount already locked in
unspent bonds that will eventually be refunded with RefundBond. This
should be used prior to ReserveBondFunds. This alone does not enable
reserves enforcement, and it should be called on bring-up when existing
bonds that may refund to this wallet are known. Once ReserveBondFunds is
called, even with 0 for future bonds, these live bond amounts will
become enforced reserves when they are refunded via RefundBond.

ReserveBondFunds (un)reserves funds for creation of future bonds.
MakeBondTx will create transactions that decrement these reserves, while
RefundBond will replenish the reserves. If the wallet's available
balance should be respected when adding reserves, the boolean argument
may be set to indicate this, in which case the return value indicates if
it was able to reserve the funds. In this manner, funds may be
pre-reserved so that when the wallet receives funds (from either
external deposits or refunding of live bonds), they will go directly
into locked balance. When the reserves are decremented to zero (by the
amount that they were incremented), all enforcement including any fee
buffering is disabled. Previously registered unspent/active bonds are
not forgotten however; they total amount of these are tracked in case
the wallet is used for reserves again in the future.

In core.Core, the new wallet reserves methods are used to maintain
adequate reserves based on the account's target tier and observed tier
change. The dexAccount type has new fields to support this:
- tierChange int64, is the total tier change that needs to be actuated
  with wallet reserves. Facilitates maintenance with changing tier.
- totalReserved int64, helps track and debug the total amount reserved
  with the wallet's ReserveBondFunds method *only* for this dexAccount.

Use of ReserveBondFunds and RegisterUnspent, facilitated by the new
dexAccount fields, happens in:
- connectWallets() via initialize(), after connectDEX(). Here it
  calls RegisterUnspent for all known bonds across all dexConnections.
- authDEX. On reconnect, any observed tier change is acctuated with
  wallet reserves. Initial auth on login is handled slightly
  differently, (re)reserving the full required amount given the known
  unspent bonds.
- handleTier change, which is called on penalization only, updates
  the tierChange field of the dexAccount.
- rotateBonds. Any tierChange value is actuated with reserves.
- PostBond. When making the initial bond for a new account, with
  maintenance enabled, ReserveBondFunds is used to pre-reseve. Here
  the boolean input is true, and the return is checked to ensure the
  wallet is sufficiently funded to increase reserves by the requested
  amount for the new bonds.
- UpdateBondOptions. When modifying target tier or changing the bond
  asset. The boolean input and output are also used here.

[martonp]

This should never happen if as in the comment, Each utxo in the input must be smaller than amt

[martonp]

You could call bondSpent after the SendRawTransaction, instead of re-locking in the error block.

[chappjc]

Just a rebase, minimal review revisions

[chappjc]

Squashed in fixups: https://github.com/decred/dcrdex/compare/0e01dc9460851fde6a51c8b93663cf9a5f1b040e..dd58c2eb3c9ab1ad147757d73f8134d2bd97de75

[martonp]

I think I found an issue while testing on simnet. I created a fresh account, posted 1 bonds worth, and at first the Locked amount showed 20+fees as I expected, but when I mined one extra block it jumped to 30 + fees.

[martonp]

Unrelated to review, but I think there should be a "force" flag for someone to call this when the account already exists.

[martonp]

registered*

[martonp]

Could return early if !tierChanged && !assetChanged

[chappjc]

It's permitted to change max bonded amt only.

[martonp]

Maybe only check this if future > dcr.bondReservesNominal? If someone's decreasing the reserves and their balance isn't high enough it would mean that something went wrong somewhere else, but I don't think it should fail here.

[chappjc]

I think future > 0 would be the condition to indicate if reserves are increasing.

[martonp]

This is also called in AccountImport.

[chappjc]

Ah right, that's an atrocity. Going to change that. I'm also going to remove connectAccount now.

[chappjc]

Oh heck, the dc.acct.authed() check in here makes this safe, so I'll remove the comment for now, but I figure we should factor out the loop contents for stuff like AccountImport.

[martonp]

Wouldn't insufficient balance due to penalties and pre-reserving more than available just make bondReservesEnforced be greater than the balance, not become negative?

[martonp]

Should the fee buffer be updated on reconfigure, if the feeRateLimit is changed?

[martonp]

Did you consider a dynamic programming technique to find the optimal solution?

[chappjc]

Was on my todo list. 😊 Just threw together a few heuristics, but you have a point that it can be solved optimally. Seems akin to the fractional knapsack problem (reversed). Will give it a shot.

[chappjc]

I think I found an issue while testing on simnet. I created a fresh account, posted 1 bonds worth, and at first the Locked amount showed 20+fees as I expected, but when I mined one extra block it jumped to 30 + fees.

OK, will have to go back to test fresh accounts. I did some revisions to the system that I validated with existing accounts, but must have regressed with account creation.

[chappjc]

I think I found an issue while testing on simnet. I created a fresh account, posted 1 bonds worth, and at first the Locked amount showed 20+fees as I expected, but when I mined one extra block it jumped to 30 + fees.

OK, will have to go back to test fresh accounts. I did some revisions to the system that I validated with existing accounts, but must have regressed with account creation.

Oopsie fixed in 638214d

[buck54321]

I need to review core parts still, but I gotta run for a few hours at least. I think I get it all now. Thanks for all of the descriptive docs.

[buck54321]

It's not clear to me exactly how this might work. avail-sum+extra will be all that remains after the tx is funded, including the change transaction. Is the hope that if we reserve the right utxos bond reserves, tryFund will somehow find a more favorable set of utxos?

[chappjc]

If we get here, it is because the enough func is very likely not granting any spendable change i.e. no split tx. Note the if extra != 0 { check above. The logic in this commit is to try again but fist pick out utxos in the amount of at least keep before even calling tryFund -- that guarantees keep will be met but it can then fail if the pruned utxo set is insufficient for the order's enough func.

However (and I apologize for the moving target), after we chatted on matrix this morning, I switched the order of these attempts so that it first sets aside utxos (using just the pruned set with tryFund), and if that fails to leave enough funding, it will then try with the full set and check if extra allowed it to satisfy keep: 9f6ad97

[buck54321]

Hmm. if i == len(utxos)-1 you wouldn't return the last one though.

[chappjc]

It's commented out here of course, but I'm not sure why I had written this as utxos[i:], because that's the same as utxos[i] when i == len(utxos)-1 (the last one). As @martonp pointed out, it's not going to happen that just the one UTXO is sufficient because: Each utxo in the input must be smaller than amt - use via leastOverFund only! so this is commented. Might as well remove.

[buck54321]

Does "smaller set" mean the set of lower valued utxos?

[buck54321]

20 seems like a lot. Won't matter much for low-fee assets, but might be prohibitive for btc and eth at times.

[chappjc]

Probably true in most cases, esp. with the high fee rate and the "tracks" multiplier below, but this helper is in client/asset/dcr so other assets would do differently. I expect eth would be quite a bit simpler in this regard (no UTXO business to worry about), although this could be a lot of value for btc.

[buck54321]

Output size could be more accurate. 1 p2sh, 1 OP_RETURN + push data length, and 1 p2pkh

const BondPushDataSize = 1 + 2 + 32 + 4 + 20
highBondFee := dexdcr.MsgTxOverhead + dexdcr.P2SHOutputSize + BondPushDataSize + dexdcr.P2PKHOutputSize + inputCount*dexdcr.P2PKHInputSize

[buck54321]

Variable name could indicate size.

[buck54321]

The max order is generally attainable when split is used, regardless of whether they choose it on the order form.

Really? I don't see it.

[chappjc]

Yeah, it's more nuanced than I let on, but this is referring to when there are reserves to respect, because the split maximizes the usable balance by allowing the split tx change to offset reserves.

However, the split actually eats a bit extra in fees because of the split tx baggage, but because dcr.estimateSwap falls back to skipping the split if needed, we can be sure that maxOrder calling estimateSwap with trySplitTx=true will give the highest estimate one way or another. The comments in the revised tests in 57db9ad demonstrate this I think.

[buck54321]

Making inputsSize an argument might be more descriptive.

[buck54321]

Ah. Nice. I had commented on this on a different commit but hadn't submitted yet.
It looks like we're still disabling the split in FundOrder for Immediate orders though.

[buck54321]

I think you're probably right that the fee buffer will cover it, but I don't see any harm in adding a dexdcr.P2PKHOutputSize to the splitTxBaggage above if extraOutput > 0.

[buck54321]

Just got through the core parts. A lot to digest, so I'm gonna swing back in a bit for a more thorough review. Just a couple of comments for now.

[buck54321]

known

[buck54321]

One thing I think is going to be needed is a way to check that reserves are sufficient without ordering or sending. We need to be able to provide warnings to users when there's insufficient funds, which could be caused by e.g. user doing dumb stuff with an RPC wallet, or a fee rate spike.

[chappjc]

Good point, this also happens if you sweep the max out of your wallet (leaving 0 "available" and just the reserves in "locked"), then on the next bond tx, it starts eating into the desired fee buffer. Of course, that's the fee buffer doing it's job and you can go on for quite a long time before it is unable to post/renew, but you can observe it running below target reserves.

e.g.
[WRN] CORE[dcr]: Available balance is below configured reserves: 0.013529 < 0.013628
and
[WRN] CORE[dcr]: Available balance is below configured reserves: 10.013479 < 10.013628

But like you said the user can meddle with their wallet to really eat into the reserves way past the fee buffer.

I think we can add a method to report reserves health.

[chappjc]

We have that unused asset.Balance.Other field.

I expect frontend can work with the following or similar?

@@ -1061,7 +1062,9 @@ func (dcr *ExchangeWallet) Balance() (*asset.Balance, error) {
        if reserves > bal.Available { // unmixed (immature) probably needs to trickle in
                dcr.log.Warnf("Available balance is below configured reserves: %f < %f",
                        toDCR(bal.Available), toDCR(reserves))
+               bal.Other["Reserves Deficit"] = reserves - bal.Available
                reserves = bal.Available
        }
+       bal.Other["Reserves"] = reserves
        bal.Available -= reserves
        bal.Locked += reserves

Or keys can be prefixed like bal.Other["warning:Reserves Deficit"] = reserves - bal.Available so it can be shown in red or something?

[chappjc]

I this could work out

I'd update that with Bonds (locked) too for completeness

[chappjc]

I kinda like this, in the last commit

later, while not swapping and with bond overlap:

[martonp]

Maybe Bonded and Bond Reserves. Someone might not know what the reserves are for.

[buck54321]

I guess there'd be no way to "merge" parallel tracks without going up or down in tier. That's unfortunate.

[chappjc]

I need to really research this, but I observed them naturally merging sometimes. Perhaps only likely with the high overlap ratio in simnet and testnet though.

[buck54321]

I'd mention that bondReservesEnforced includes projected fees.

[buck54321]

Who's pat?

[buck54321]

Is it possible for rotateBonds to run concurrently?

[chappjc]

Should only be run from the loop in watchBonds (sequentially). Will document that it's not to be run willy nilly.

[chappjc]

Just got through the core parts. A lot to digest, so I'm gonna swing back in a bit for a more thorough review. Just a couple of comments for now.

Much appreciated. It is a lot of work to digest.

[chappjc]

Rebased and squashed away fixup commits, not retested yet, but there might be breakage with view-only merged. Compared with original PR, there are three additional commits with qualitative changes beyond fixups to the other commits. Minimal testing of the forced split with the extra output.

[chappjc]

This commit also reverses the order of funding attempts vs the initial commit that updating fund/tryFund. It tries straight away to set aside UTXOs for the reserves, and falls back to the standard funding approach, hoping that the enough func grants usable change in the extra output.

[chappjc]

Tested forced split with extra output. Worked as intended.

[chappjc]

Just a rebase. Nothing else revised.

[martonp]

Working well while testing.

[martonp]

You could do reserves + (bumpedMaxRate * dexdcr.P2PKHInputSize) as the keep argument to fund so it will fail here.

[chappjc]

Suggestion applied and squashed in.

[martonp]

Why only if cfg.unmixedAccount == "" ? The splitting outputs go into the tradingAccount.

[chappjc]

Just the non-change outputs. The change output goes into the unmixed account, according to signTxAndAddChange+depositAccount.
Mixing epochs are unfortunately kinda long so I don't think we can consider such change as available

[martonp]

I see now.. but why does that change need to go into the unmixed account when we are doing a split? Couldn't it go right back into the trading account?

[chappjc]

It's debatable, but all the input have been linked with each other. They're also now linked with a dex order.

[martonp]

Wouldn't the second output created for the reserves have the same issue then?

[chappjc]

Yeah, and same as when an order that's funded by a split output is cancelled with no fill, that output stays in trading account.

But if we send nothing into unmixed, a wallet will quickly end up with nothing in the mixed account, I think. Meaning the entire previously mixed set gets linked. It would be down to deposits, redeems, and change on matched orders. And the last category would not exist with splits in use.

[chappjc]

Ugh, the browser goes back to /register after restarting even if you've been bonded. Something with view-only logic.

[chappjc]

Oh nevermind I just deleted my dexc.db while it was running! bad chappjc

[chappjc]

I'm done with reviews on this, I think.

Only thing I have to check is what Wisdom discovered with legacy accounts, which is by no means a showstopper, but should be fixed:

an account that paid legacy fee would have maxBondedAmt = 0
if the user enables bond maintenance without setting a maxBondedAmt, the max value remains 0
is this accounted for? so that the default max bonded amt is used?

[chappjc]

Only thing I have to check is what Wisdom discovered with legacy accounts, which is by no means a showstopper, but should be fixed:

an account that paid legacy fee would have maxBondedAmt = 0
if the user enables bond maintenance without setting a maxBondedAmt, the max value remains 0
is this accounted for? so that the default max bonded amt is used?

Seems the missing condition was this 479667e

Will test it out though.

[JoeGruffins]

Tested quite a bit on testnet and simnet. Looks fine. Only problem was it seems max send and max orders don't always work.

[JoeGruffins]

Is this a complete thought?

[JoeGruffins]

prints 2023-02-22 09:40:16.084 [DBG] CORE[dcr]: Funding succeeded with %!s(float64=42.00919958) DCR in spendable change.

[JoeGruffins]

dexdcr.P2PKHOutputSize * bumpedMaxRate?

[JoeGruffins]

Can you add to the comment the purpose of the second addr and val?

[JoeGruffins]

is %x better for []byte?

[JoeGruffins]

are -> have

[martonp]

Option description needs to be updated to not say it is only for standing-type orders.

[chappjc]

Thanks to everyone who reviewed this PR.