Idempotency of MS deposits - closes #76 #80
Conversation
| uint256 added_deposit; | ||
|
|
||
| // Calculate the actual amount of tokens that will be transferred | ||
| added_deposit = total_deposit - balances[beneficiary]; |
There was a problem hiding this comment.
This is not good. uint256 can only be positive integers, and if the new total_deposit is lower than the current balance you have a problem. You must add a check that doesn't allow for this to happen. Ideally you also add a small test to show that it works correctly.
.gitignore
Outdated
| @@ -12,6 +12,9 @@ venv/ | |||
| # ignore private keys | |||
| *.pem | |||
|
|
|||
| # virtualenv | |||
| .venv | |||
There was a problem hiding this comment.
We already have env/ for this purpose.
| require(amount > 0); | ||
| /// @param beneficiary The account benefiting from the deposit | ||
| /// @param total_deposit Idempotent function that sets the total_deposit of | ||
| //// tokens of the beneficiary |
| //// tokens of the beneficiary | ||
| function deposit(address beneficiary, uint256 total_deposit) public | ||
| { | ||
| require(total_deposit != 0); |
There was a problem hiding this comment.
Consider using total_deposit > 0 . One might say it's redundant, because we are talking about a uint, but more complete and we keep consistency with the rest of the contracts code.
There was a problem hiding this comment.
I changed it, as I found that the > 0 looks like a wrong int-underflow safeguard, as it actually does not check what it states, i.e. the require will not throw when .deposit(Uint(-1)) is called. Does that make sense?
There was a problem hiding this comment.
When .deposit(-1) is called, there should be a type error thrown before it even gets to the require. Just because we are using uint as the input type. The check's scope is actually >0 and not only !=0.
There was a problem hiding this comment.
Ah, ok. I understand what you mean. But I see it as: the scope is to make sure total_deposit > 0. Because Solidity is still a young language that can still behave in unwanted ways, I would not completely trust it especially if it doesn't really cost us much. Plus, this > 0 pattern was agreed upon in a previous smart contracts review session for uRaiden. I would rather keep it like this for now. You can open an issue to discuss adv/disadv if you want.
There was a problem hiding this comment.
Changed it back to the way it was. I was referring to UINT(-1) above, but doesn't make a difference I think.
| function deposit(address beneficiary, uint amount) public { | ||
| require(amount > 0); | ||
| /// @param beneficiary The account benefiting from the deposit | ||
| /// @param total_deposit Idempotent function that sets the total_deposit of |
There was a problem hiding this comment.
This should explain what the parameter is, not what the function does. The @notice is meant for explaining what the function does.
|
|
||
| emit NewDeposit(beneficiary, amount); | ||
| require(balances[beneficiary] >= added_deposit); |
There was a problem hiding this comment.
Couldn't we cover both require(total_deposit != 0); and require(balances[beneficiary] >= added_deposit); by doing total_deposit > balances[beneficary] instead?
There was a problem hiding this comment.
I used the pattern that was also used here in TokenNetwork.setDeposit because I was also trying to keep the checks grouped, as agreed. In this case, require(total_deposit > balances[beneficary]) can work.
There was a problem hiding this comment.
require(total_deposit > balances[beneficary]) Doesn't conflict with keeping the checks grouped, since there's only one check, but I get what you mean. I am fine with either. Just thought that Tobias might find it interesting to think about both options.
There was a problem hiding this comment.
I think require(total_deposit > balances[beneficiary]) solves under/overflow the shortest way, not sure though which conventions Loredana refers too.
There was a problem hiding this comment.
There was a problem hiding this comment.
As Loredana says, require(total_deposit > balances[beneficiary]) does the trick and we get the same checks guarantees from one line rather than two. So please use that instead.
|
|
||
| emit NewDeposit(beneficiary, amount); | ||
| require(balances[beneficiary] >= added_deposit); |
There was a problem hiding this comment.
As Loredana says, require(total_deposit > balances[beneficiary]) does the trick and we get the same checks guarantees from one line rather than two. So please use that instead.
err508
force-pushed
the
issue_#76
branch
3 times, most recently
from
b8f3225 to
0422674
Compare
No description provided.