cardano-ledger
Do not allow collateral fields when there is no redeemer
Network: Vasil Dev
Block: 1787ae01340333569855947f84d095b84db408edda2da80a157bf2ab6d961ef3
Absolute Slot: 607569
Transaction at index 0
Block CBOR:
In this block, at tx index 0, the tx has no input collateral but has an output collateral of 1000000 lovelace. Also notice that the collateral output is ONLY 1 lovelace. This tx is marked successful hence the collateral fields are probably not verified, but this does not seem to be right to be present in ledger.
Most collateral checks (at least those relating to conservation of value across the collateral inputs/outputs and the correctness of the total collateral field) are done only if the transaction contains redeemers, because collateral is only taken when the transaction fails phase-2 validation which is only possible if the transaction contains redeemers.
This transaction does not use any phase-2 scripts (right?), so there is no risk of the collateral being taken and thus the checks on the collateral are not run. It's safe, but perhaps it's a bit weird to allow arbitrary amounts in the collateral return output and total collateral when no phase-2 scripts are being executed.
@jmhrpr yep understandable, also prolly the checks might not be needed on collateral when the tx is marked as true as the tx above is. As you state it is indeed weird to allow arbitrary values in collateral.
It seems we're already checking for the existence of redeemers. Couldn't this check simply fail the transaction if it has collateral fields and there are no redeemers?
as always, thank you @ashisherc for finding and bringing up interesting details!
I do not know for certain if this was intentional, but as a general rule of thumb we "do not add extra validation for things that are weird but not harmful". When we were first designing Shelley, an incredible number of topics came up about "should we forbid this?", and we adopted this mantra in order to keep the rules as simple as possible. I doubt we are completely consistent about this, but it does come up a lot, and we invoke this mantra often.
That said, with hindsight, I think it is worth adding in extra validation for things that make for a bad user experience/interface, such as the issue in this ticket. @lehins has been championing this point, I think it's totally valid.
We will not be able to change this for the Babbage era. But perhaps we can save this issue as a nice-to-have for a future era. @ashisherc do you mind editing the issue to say something like what @AndrewWestberg posted above, "Consider not allowing collateral outputs if a transaction has no redeemers", and perhaps collateral inputs as well.
also odd that we don't check the collateral balancing (ins, outs, and total) when there are no redeemers.
@ashisherc do you have the CBOR transaction so I can debug a bit more?
@JaredCorduan here you go, this tx was present on Vasil Dev network
a90081825820c1d64a32f0e15222d7e2f00fd81deb34e9b5224021070467eadcfab690a51b87010d80128182582047d4b94ad0d78a2b4e1d445a6ba296d44e7e8d5c7627487ded5cf7f7e89c7611010182a200581d60710ea774cf50871f989838c19afe7b92f6bbba795040d64832a0fe52011a002b2fefa200581d60710ea774cf50871f989838c19afe7b92f6bbba795040d64832a0fe52011a001e848010a200581d6076aaef06f38cc98ed08ceb168ddb55bab2ea5df43a6847a99f086fc4011a000f42401101021a000296d1081a0004e5210e80
thank you! I wonder if the minUTxO value was set to 1 or 0 on the Vasil Dev... :thinking:
> I wonder if the minUTxO value was set to 1 or 0 on the Vasil Dev

Quite likely, don't think vasil dev had proto params changed - and its shelley genesis did have 0.
great, thank you @rdlrt, that explains how the collateral output could have been so small. (I still agree that allowing it to begin with is odd.)
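
As an added illustration (not code from this thread or from cardano-ledger), the minimal CBOR reader below decodes the transaction body hex posted above and extracts the collateral-related fields. Assumptions: key numbers 11, 13, 16 and 17 follow the Babbage transaction body layout, `decode` and `collateral_report` are hypothetical helper names, and the absence of key 11 (script data hash) stands in for "no redeemers" because the witness set is not shown on the page.

```python
# Transaction body hex from the thread, split along its top-level map entries.
TX_BODY_HEX = (
    "a9"  # map with 9 entries
    "0081825820c1d64a32f0e15222d7e2f00fd81deb34e9b5224021070467eadcfab690a51b8701"
    "0d80"  # key 13, collateral inputs: empty array
    "128182582047d4b94ad0d78a2b4e1d445a6ba296d44e7e8d5c7627487ded5cf7f7e89c761101"
    "0182a200581d60710ea774cf50871f989838c19afe7b92f6bbba795040d64832a0fe52011a002b2fef"
    "a200581d60710ea774cf50871f989838c19afe7b92f6bbba795040d64832a0fe52011a001e8480"
    "10a200581d6076aaef06f38cc98ed08ceb168ddb55bab2ea5df43a6847a99f086fc4011a000f4240"
    "1101021a000296d1081a0004e5210e80"  # key 17 (total collateral), then 2, 8, 14
)

def decode(buf, pos=0):
    """Decode one definite-length CBOR item (uint, bytes, array, map only)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:
        size = 1 << (info - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("indefinite/reserved encoding not supported")
    if major == 0:
        return arg, pos
    if major == 2:
        return buf[pos:pos + arg], pos + arg
    if major not in (4, 5):
        raise ValueError(f"unsupported major type {major}")
    items = []
    for _ in range(arg * (2 if major == 5 else 1)):
        item, pos = decode(buf, pos)
        items.append(item)
    if major == 4:
        return items, pos
    return dict(zip(items[0::2], items[1::2])), pos

def collateral_report(body_hex):
    raw = bytes.fromhex(body_hex)
    body, end = decode(raw)
    if end != len(raw):
        raise ValueError("trailing bytes after transaction body")
    ret = body.get(16)  # key 16: collateral return output {0: address, 1: value}
    return {
        "collateral_inputs": len(body.get(13, [])),
        "collateral_return": ret[1] if ret else None,
        "total_collateral": body.get(17),
        "has_script_data_hash": 11 in body,  # proxy for "has redeemers"
    }
```

Calling `collateral_report(TX_BODY_HEX)` shows what the body encodes: an empty collateral input list, a collateral return output of 1000000 lovelace, a total collateral field of 1, and no script data hash.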