Make Chain a variant of AccountOwner

[deuszx]

Motivation

We want to fix and expand our notion of Address (currently Owner, GenericApplicationId, etc.) to different type of addresses (32-byte Linera/Solana, 20-byte EVM). In order to do that we need to prepare the code for the introduction of new variants.

Proposal

Inline a Chain into AccountOwner enum to identify cases where transactions (mostly token transfers) are targeting or using chain's account balance. Previously that case was handled with the usage of Option<AccountOwner>. This made refactoring more difficult.

Test Plan

CI should catch regressions.

Release Plan

• Nothing to do / These changes follow the usual release cycle.

Links

• reviewer checklist

[bart-linera]

I'm not sure I agree with the premise. It seems like a chain as a transfer target doesn't really belong as a variant of AccountOwner. If we want to be more explicit, I'd just make a type like enum TransferTarget { AccountOwner(AccountOwner), Chain } and replace Option<AccountOwner> with it. Then AccountOwner would play the role of identifying someone owning tokens that can authenticate transfers, and TransferTarget would represent, well, a target of a transfer.

I'm just not sure if that helps with solving the problem this was intended to solve, but I guess new potential variants of "addresses" could then be new variants of TransferTarget?

[bart-linera]

Those unreachable!s suggest to me that we might be conflating two different things here: who can authenticate a transaction, and where tokens can be transferred to. Maybe those should be represented by separate types? (Not necessarily something for this PR.)

[ma2bd]

AccountOwner::Chain is both a destination (the chain balance) and an ownership model (any block producer + temporarily message fees).

[ma2bd]

Here the issue is that unreachable! is inaccurate and the error message is kinda misleading. It should be something like

panic!("Using chain balance is not authorized")

[deuszx]

Done in Replace unreachables with panics.

[deuszx]

I'm not sure I agree with the premise. It seems like a chain as a transfer target doesn't really belong as a variant of AccountOwner. If we want to be more explicit, I'd just make a type like enum TransferTarget { AccountOwner(AccountOwner), Chain } and replace Option<AccountOwner> with it. Then AccountOwner would play the role of identifying someone owning tokens that can authenticate transfers, and TransferTarget would represent, well, a target of a transfer.

I'm just not sure if that helps with solving the problem this was intended to solve, but I guess new potential variants of "addresses" could then be new variants of TransferTarget?

I think the ultimate solution would be to simply remove that variant entirely and either hardcode that every chain has an account with some hardcoded address ([0u8; 32]) where we store its balance or remove it - i.e. chains cannot have token balance at all.

[bart-linera]

After some discussion with Mateusz, it seems that a kind of separation between authenticating parties and owners already exists, and what drew my attention seems to have been implementation details of some example applications - so this change seems to be okay to me now 👍

[bart-linera]

This (and below) seems to be a part of a different change?

[bart-linera]

Maybe it would make sense to handle this case? If a chain owner can transfer from an AccountOwner::Chain, then maybe it makes sense to let them claim from an AccountOwner::Chain, too? (if that's even possible to be implemented)

[deuszx]

Sounds reasonable to mirror logic of transfer here. I didn't decide to do it b/c I would change the logic - i.e. the source here wasn't wrapped with Option.

[deuszx]

cc @afck

[afck]

Let's not do it in this PR, but I agree it sounds reasonable.

[ma2bd]

We should fix that (not here but soon)

[ma2bd]

I look forward to removing these tags

[deuszx]

The ::Chain variant might not be so easy to remove b/c there are flow paths where the Chain is still a valid identifier. Right now I can see two ways to get rid of it:

1. Do not let chain own a balance.
2. Turn ::Chain variant into a special case of address ([u8; 32]).

The first one isn't just a refactor (internal change) as it requires making some high-level design decisions around opening new chains etc.

I think the second option is the easier one and we should try to do it. We could hash a string like "Linera Chain Address" (note it cannot simply be [0u8; 32] b/c in Ed25519 a private key for all zeros public key is well-known).

[ma2bd]

note it cannot simply be [0u8; 32] b/c in Ed25519 a private key for all zeros public key is well-known)

Addresses are not public keys but hash values, so [0u8; 32] would work. I proposed 0x0 (Reserved(0)) in the internal doc.

[ma2bd]

Thanks for the PR. Very nice improvement. No major issue except that refund_grand_to should be an option.

[ma2bd]

We should instead modify SystemOperation to use SystemOperation::Transfer { owner: Owner .. } and resolve the default value way earlier.

[ma2bd]

unwrap_or(AccountOwner::Chain) is a little bit of a red flag. After this PR, I would imagine that only CLI options may default to a chain account.

[deuszx]

I agree it looks dangerous. So I tracked the places where I use AccountOwner::Chain as the default - there are two (actually three but there are two instances where I use ::Chain as source when constructing a SystemMessage::Credit so that's one for the purpose of this discussion):

1. In send_refund we previously were using None as source and now we use AccountOwner::Chain.
2. In system.rs#execute_operation we previously were using None as source for the transfer and now we default to ::Chain.

In both those cases None resolved to the "chain" already:

1. main vs this PR
2. main vs this PR.

There's no regression here.

Also, see #3573 where I replace Transfer::source: Option<Owner> with AccountOwner and get rid of some of these unwrap_or(AccountOwner::Chain).

[ma2bd]

Thanks for checking. Indeed the source of a refund's Credit message is currently a best effort. (It only matters if the refund message itself is rejected.)

[ma2bd]

No. We should not force refunds.

[deuszx]

Ah, you're right. We actually had two Options previously here - the outer one (return type) and inner one (Some(Account { owner: None })) and previously Some(None) would not refund at all.

[deuszx]

Do not force refunds to chain

[ma2bd]

Here or very soon we should remove SystemExecutionStateView::balance by the way

[deuszx]

I took a quick stab at removing the chains' balances entirely and it wasn't very difficult. I can propose something in a separate PR.

[ma2bd]

Thanks for checking. Indeed the source of a refund's Credit message is currently a best effort. (It only matters if the refund message itself is rejected.)