Added expiry check

Author: Soupstraw

src/Ledger/Conway/Conformance/Equivalence.agda

@@ -396,8 +396,8 @@ opaque
           → (record Γ { certState = certState' } , n)
             ⊢ s ⇀⦇ txgov ,GOVn⦈ s'
   castGOV deps (BS-base Id-nop) = BS-base Id-nop
-  castGOV {Γ} deps (BS-ind (C.GOV-Vote {voter = voter} (a , b , c)) rs) =
-    BS-ind (C.GOV-Vote (a , b , cast-isRegistered Γ deps voter c))
+  castGOV {Γ} deps (BS-ind (C.GOV-Vote {voter = voter} (a , b , c , d)) rs) =
+    BS-ind (C.GOV-Vote (a , b , cast-isRegistered Γ deps voter c , d))
            (castGOV deps rs)
   castGOV deps (BS-ind (C.GOV-Propose h) rs) =
     BS-ind (C.GOV-Propose h)

src/Ledger/Conway/Conformance/Equivalence/Gov.agda

@@ -41,7 +41,7 @@ instance
             → L.Deposits × L.Deposits
               ⊢ (Γ , n) L.⊢ s ⇀⦇ votes ,GOV'⦈ s' ⭆ⁱ λ deposits _ →
                 (deposits ⊢conv Γ , n) C.⊢ s ⇀⦇ votes ,GOV'⦈ s'
-  GOV'ToConf .convⁱ deposits (L.GOV-Vote (a , b , c)) = C.GOV-Vote (a , b , deposits ⊢conv c)
+  GOV'ToConf .convⁱ deposits (L.GOV-Vote (a , b , c , d)) = C.GOV-Vote (a , b , deposits ⊢conv c , d)
   GOV'ToConf .convⁱ deposits (L.GOV-Propose h) = C.GOV-Propose h
 
   GOVToConf : ∀ {Γ s votes s' n}
@@ -53,7 +53,7 @@ instance
 
   GOV'FromConf : ∀ {Γ s votes s' n}
             → (Γ , n) C.⊢ s ⇀⦇ votes ,GOV'⦈ s' ⭆ (conv Γ , n) L.⊢ s ⇀⦇ votes ,GOV'⦈ s'
-  GOV'FromConf .convⁱ _ (C.GOV-Vote (a , b , c)) = L.GOV-Vote (a , b , conv c)
+  GOV'FromConf .convⁱ _ (C.GOV-Vote (a , b , c , d)) = L.GOV-Vote (a , b , conv c , d)
   GOV'FromConf .convⁱ _ (C.GOV-Propose h)        = L.GOV-Propose h
 
   GOVFromConf : ∀ {Γ s votes s' n}

src/Ledger/Conway/Conformance/Gov.agda

@@ -77,6 +77,7 @@ data _⊢_⇀⦇_,GOV'⦈_  : GovEnv × ℕ → GovState → GovVote ⊎ GovProp
     ∙ (aid , ast) ∈ fromList s
     ∙ canVote pparams (action ast) (proj₁ voter)
     ∙ isRegistered Γ voter
+    ∙ ¬ (expired epoch ast)
       ───────────────────────────────────────
       (Γ , k) ⊢ s ⇀⦇ inj₁ vote ,GOV'⦈ L.addVote s aid voter v
 
@@ -86,11 +87,13 @@ data _⊢_⇀⦇_,GOV'⦈_  : GovEnv × ℕ → GovState → GovVote ⊎ GovProp
                     ; policy = p ; deposit = d ; prevAction = prev }
       s' = L.addAction s (govActionLifetime +ᵉ epoch) (txid , k) addr a prev
     in
-    ∙ L.actionWellFormed rewardCreds p ppolicy epoch a
+    ∙ L.actionWellFormed a
+    ∙ L.actionValid rewardCreds p ppolicy epoch a
     ∙ d ≡ govActionDeposit
     ∙ L.validHFAction prop s enactState
     ∙ L.hasParent enactState s a prev
     ∙ addr .RwdAddr.net ≡ NetworkId
+    ∙ addr .RwdAddr.stake ∈ rewardCreds
       ───────────────────────────────────────
       (Γ , k) ⊢ s ⇀⦇ inj₂ prop ,GOV'⦈ s'
 

src/Ledger/Conway/Conformance/Gov/Properties.agda

@@ -36,10 +36,6 @@ open GovActionState
 open Inverse
 
 private
-  lookupActionId : (pparams : PParams) (role : GovRole) (aid : GovActionID) (s : GovState) →
-                   Dec (Any (λ (aid' , ast) → aid ≡ aid' × canVote pparams (action ast) role) s)
-  lookupActionId pparams role aid = any? λ _ → ¿ _ ¿
-
   isUpdateCommittee : (a : GovAction) → Dec (∃[ new ] ∃[ rem ] ∃[ q ] a ≡ UpdateCommittee new rem q)
   isUpdateCommittee NoConfidence                = no λ()
   isUpdateCommittee (UpdateCommittee new rem q) = yes (new , rem , q , refl)
@@ -97,16 +93,16 @@ instance
       module GoVote sig where
         open GovVote sig
 
-        computeProof = case lookupActionId pparams (proj₁ voter) gid s ,′ isRegistered? (proj₁ Γ) voter of λ where
+        computeProof = case L.lookupActionId pparams (proj₁ voter) gid epoch s ,′ isRegistered? (proj₁ Γ) voter of λ where
             (yes p , yes p') → case Any↔ .from p of λ where
-              (_ , mem , refl , cV) → success (_ , GOV-Vote (∈-fromList .to mem , cV , p'))
+              (_ , mem , refl , cV , ¬exp) → success (_ , GOV-Vote (∈-fromList .to mem , cV , p' , ¬exp))
             (yes _ , no ¬p) → failure (genErrors ¬p)
             (no ¬p , _)     → failure (genErrors ¬p)
 
         completeness : ∀ s' → Γ ⊢ s ⇀⦇ inj₁ sig ,GOV'⦈ s' → map proj₁ computeProof ≡ success s'
-        completeness s' (GOV-Vote (mem , cV , reg))
-          with lookupActionId pparams (proj₁ voter) gid s | isRegistered? (proj₁ Γ) voter
-        ... | no ¬p | _ = ⊥-elim (¬p (Any↔ .to (_ , ∈-fromList .from mem , refl , cV)))
+        completeness s' (GOV-Vote (mem , cV , reg , ¬exp))
+          with L.lookupActionId pparams (proj₁ voter) gid epoch s | isRegistered? (proj₁ Γ) voter
+        ... | no ¬p | _ = ⊥-elim (¬p (Any↔ .to (_ , ∈-fromList .from mem , refl , cV , ¬exp)))
         ... | yes _ | no ¬p = ⊥-elim $ ¬p reg
         ... | yes p | yes p' with Any↔ .from p
         ... | (_ , mem , refl , cV) = refl
@@ -118,40 +114,55 @@ instance
 
         instance 
           Dec-actionWellFormed = L.actionWellFormed?
+          Dec-actionValid = L.actionValid?
         {-# INCOHERENT Dec-actionWellFormed #-}
+        {-# INCOHERENT Dec-actionValid #-}
 
-        H = ¿ L.actionWellFormed rewardCreds p ppolicy epoch a
+        H = ¿ L.actionWellFormed a
+            × L.actionValid rewardCreds p ppolicy epoch a
             × d ≡ govActionDeposit
             × L.validHFAction prop s enactState
             × L.hasParent' enactState s a prev
-            × addr .RwdAddr.net ≡ NetworkId ¿
+            × addr .RwdAddr.net ≡ NetworkId
+            × addr .RwdAddr.stake ∈ rewardCreds ¿
             ,′ isUpdateCommittee a
 
-        genErrorsWellFormed : ∀ {a} → ¬ (L.actionWellFormed rewardCreds p ppolicy epoch a) → String
-        genErrorsWellFormed {NoConfidence} ¬p          = genErrors ¬p
-        genErrorsWellFormed {UpdateCommittee _ _ _} ¬p = genErrors ¬p
-        genErrorsWellFormed {NewConstitution _ _} ¬p   = genErrors ¬p
-        genErrorsWellFormed {TriggerHF _} ¬p           = genErrors ¬p
-        genErrorsWellFormed {ChangePParams _} ¬p       = genErrors ¬p
-        genErrorsWellFormed {TreasuryWdrl _} ¬p        = genErrors ¬p
-        genErrorsWellFormed {Info} ¬p                  = genErrors ¬p
+        genErrorsActionWellFormed : ∀ {a} → ¬ (L.actionWellFormed a) → String
+        genErrorsActionWellFormed {NoConfidence} ¬p          = genErrors ¬p
+        genErrorsActionWellFormed {UpdateCommittee _ _ _} ¬p = genErrors ¬p
+        genErrorsActionWellFormed {NewConstitution _ _} ¬p   = genErrors ¬p
+        genErrorsActionWellFormed {TriggerHF _} ¬p           = genErrors ¬p
+        genErrorsActionWellFormed {ChangePParams _} ¬p       = genErrors ¬p
+        genErrorsActionWellFormed {TreasuryWdrl _} ¬p        = genErrors ¬p
+        genErrorsActionWellFormed {Info} ¬p                  = genErrors ¬p
+
+        genErrorsActionValid : ∀ {a} → ¬ (L.actionValid rewardCreds p ppolicy epoch a) → String
+        genErrorsActionValid {NoConfidence} ¬p          = genErrors ¬p
+        genErrorsActionValid {UpdateCommittee _ _ _} ¬p = genErrors ¬p
+        genErrorsActionValid {NewConstitution _ _} ¬p   = genErrors ¬p
+        genErrorsActionValid {TriggerHF _} ¬p           = genErrors ¬p
+        genErrorsActionValid {ChangePParams _} ¬p       = genErrors ¬p
+        genErrorsActionValid {TreasuryWdrl _} ¬p        = genErrors ¬p
+        genErrorsActionValid {Info} ¬p                  = genErrors ¬p
 
         computeProof = case H of λ where
-          (yes (wf , dep , vHFA , L.HasParent' en , goodAddr) , yes (new , rem , q , refl)) →
+          (yes (wf , av , dep , vHFA , L.HasParent' en , goodAddr , regReward) , yes (new , rem , q , refl)) →
             case ¿ ∀[ e ∈ range new ] epoch < e × dom new ∩ rem ≡ᵉ ∅ ¿ of λ where
-              (yes newOk) → success (_ , GOV-Propose (wf , dep , vHFA , en , goodAddr))
+              (yes newOk) → success (_ , GOV-Propose (wf , av , dep , vHFA , en , goodAddr , regReward))
               (no ¬p)     → failure (genErrors ¬p)
-          (yes (wf , dep , vHFA , L.HasParent' en , goodAddr) , no notNewComm) → success
-            (-, GOV-Propose (wf , dep , vHFA , en , goodAddr))
+          (yes (wf , av , dep , vHFA , L.HasParent' en , goodAddr) , no notNewComm) → success
+            (-, GOV-Propose (wf , av , dep , vHFA , en , goodAddr))
           (no ¬p , _) → case dec-de-morgan ¬p of λ where
-            (inj₁ q) → failure (genErrorsWellFormed q)
-            (inj₂ q) → failure (genErrors q)
+            (inj₁ q) → failure (genErrorsActionWellFormed q)
+            (inj₂ q) → case dec-de-morgan q of λ where
+              (inj₁ r) → failure (genErrorsActionValid r)
+              (inj₂ r) → failure (genErrors r)
 
         completeness : ∀ s' → Γ ⊢ s ⇀⦇ inj₂ prop ,GOV'⦈ s' → map proj₁ computeProof ≡ success s'
-        completeness s' (GOV-Propose (wf , dep , vHFA , en , goodAddr)) with H
-        ... | (no ¬p , _) = ⊥-elim (¬p (wf , dep , vHFA , L.HasParent' en , goodAddr))
-        ... | (yes (_ , _ , _ , L.HasParent' _ , _) , no notNewComm) = refl
-        ... | (yes ((_ , allOk) , _ , _ , L.HasParent' _ , _) , yes (new , rem , q , refl))
+        completeness s' (GOV-Propose (wf , av , dep , vHFA , en , goodAddr)) with H
+        ... | (no ¬p , _) = ⊥-elim (¬p (wf , av , dep , vHFA , L.HasParent' en , goodAddr))
+        ... | (yes (_ , _ , _ , _ , L.HasParent' _ , _) , no notNewComm) = refl
+        ... | (yes (_ , (_ , allOk) , _ , _ , L.HasParent' _ , _) , yes (new , rem , q , refl))
           rewrite dec-yes ¿ ∀[ e ∈ range new ] epoch < e × dom new ∩ rem ≡ᵉ ∅ ¿ allOk .proj₂ = refl
 
       computeProof : (sig : GovVote ⊎ GovProposal) → _

src/Ledger/Gov.lagda

@@ -320,29 +320,39 @@ action is \NoConfidence and the other is an \UpdateCommittee action.
 
 \begin{figure*}
 \begin{code}[hide]
-actionWellFormed : ℙ Credential → Maybe ScriptHash → Maybe ScriptHash → Epoch → GovAction → Type
-actionWellFormed _ p ppolicy _ (ChangePParams x)     = 
-  ∙ ppdWellFormed x
-  ∙ p ≡ ppolicy
-actionWellFormed rewardCreds p ppolicy _ (TreasuryWdrl x)      = 
-  ∙ ∀[ a ∈ dom x ] RwdAddr.net a ≡ NetworkId
-  ∙ ∃[ v ∈ range x ] ¬ (v ≡ 0)
-  ∙ p ≡ ppolicy
-  ∙ mapˢ RwdAddr.stake (dom x) ⊆ rewardCreds
-actionWellFormed _ p _ epoch (UpdateCommittee new rem q) =
-  ∙ p ≡ nothing
-  ∙ ∀[ e ∈ range new ]  epoch < e  ×  dom new ∩ rem ≡ᵉ ∅
-actionWellFormed _ p _ _ _                         =
-  ∙ p ≡ nothing
-
-actionWellFormed? : ∀ {Γ a p ppolicy epoch} → actionWellFormed Γ p ppolicy epoch a ⁇
-actionWellFormed? {_} {NoConfidence}          = it
-actionWellFormed? {_} {UpdateCommittee _ _ _} = it
-actionWellFormed? {_} {NewConstitution _ _}   = it
-actionWellFormed? {_} {TriggerHF _}           = it
-actionWellFormed? {_} {ChangePParams _}       = it
-actionWellFormed? {_} {TreasuryWdrl _}        = it
-actionWellFormed? {_} {Info}                  = it
+actionValid : ℙ Credential → Maybe ScriptHash → Maybe ScriptHash → Epoch → GovAction → Type
+actionValid rewardCreds p ppolicy epoch (ChangePParams x) =
+  p ≡ ppolicy
+actionValid rewardCreds p ppolicy epoch (TreasuryWdrl x) =
+  p ≡ ppolicy × mapˢ RwdAddr.stake (dom x) ⊆ rewardCreds
+actionValid rewardCreds p ppolicy epoch (UpdateCommittee new rem q) =
+  p ≡ nothing × (∀[ e ∈ range new ]  epoch < e) × (dom new ∩ rem ≡ᵉ ∅)
+actionValid rewardCreds p ppolicy epoch _ =
+  p ≡ nothing
+
+actionValid? : ∀ {rewardCreds p ppolicy epoch a} → actionValid rewardCreds p ppolicy epoch a ⁇
+actionValid? {a = NoConfidence}          = it
+actionValid? {a = UpdateCommittee _ _ _} = it
+actionValid? {a = NewConstitution _ _}   = it
+actionValid? {a = TriggerHF _}           = it
+actionValid? {a = ChangePParams _}       = it
+actionValid? {a = TreasuryWdrl _}        = it
+actionValid? {a = Info}                  = it
+
+actionWellFormed : GovAction → Type
+actionWellFormed (ChangePParams x) = ppdWellFormed x
+actionWellFormed (TreasuryWdrl x)  = 
+  (∀[ a ∈ dom x ] RwdAddr.net a ≡ NetworkId) × (∃[ v ∈ range x ] ¬ (v ≡ 0))
+actionWellFormed _                 = ⊤
+
+actionWellFormed? : ∀ {a} → actionWellFormed a ⁇
+actionWellFormed? {NoConfidence}          = it
+actionWellFormed? {UpdateCommittee _ _ _} = it
+actionWellFormed? {NewConstitution _ _}   = it
+actionWellFormed? {TriggerHF _}           = it
+actionWellFormed? {ChangePParams _}       = it
+actionWellFormed? {TreasuryWdrl _}        = it
+actionWellFormed? {Info}                  = it
 
 data _⊢_⇀⦇_,GOV'⦈_ where
 \end{code}
@@ -354,6 +364,7 @@ data _⊢_⇀⦇_,GOV'⦈_ where
     ∙ (aid , ast) ∈ fromList s
     ∙ canVote pparams (action ast) (proj₁ voter)
     ∙ isRegistered Γ voter
+    ∙ ¬ (expired epoch ast)
       ───────────────────────────────────────
       (Γ , k) ⊢ s ⇀⦇ inj₁ vote ,GOV'⦈ addVote s aid voter v
 
@@ -363,11 +374,13 @@ data _⊢_⇀⦇_,GOV'⦈_ where
                     ; policy = p ; deposit = d ; prevAction = prev }
       s' = addAction s (govActionLifetime +ᵉ epoch) (txid , k) addr a prev
     in
-    ∙ actionWellFormed rewardCreds p ppolicy epoch a
+    ∙ actionWellFormed a
+    ∙ actionValid rewardCreds p ppolicy epoch a
     ∙ d ≡ govActionDeposit
     ∙ validHFAction prop s enactState
     ∙ hasParent enactState s a prev
     ∙ addr .RwdAddr.net ≡ NetworkId
+    ∙ addr .RwdAddr.stake ∈ rewardCreds
       ───────────────────────────────────────
       (Γ , k) ⊢ s ⇀⦇ inj₂ prop ,GOV'⦈ s'
 

src/Ledger/Gov/Properties.agda

@@ -31,11 +31,13 @@ open Equivalence
 open GovActionState
 open Inverse
 
-private
-  lookupActionId : (pparams : PParams) (role : GovRole) (aid : GovActionID) (s : GovState) →
-                   Dec (Any (λ (aid' , ast) → aid ≡ aid' × canVote pparams (action ast) role) s)
-  lookupActionId pparams role aid = any? λ _ → ¿ _ ¿
+lookupActionId : (pparams : PParams) (role : GovRole) (aid : GovActionID) (epoch : Epoch) (s : GovState) →
+                 Dec (Any (λ (aid' , ast) → aid ≡ aid' × canVote pparams (action ast) role × ¬ (expired epoch ast)) s)
+lookupActionId pparams role aid epoch = 
+  let instance _ = λ {e ga} → ⁇ (expired? e ga) 
+   in any? λ _ → ¿ _ ¿
 
+private
   isUpdateCommittee : (a : GovAction) → Dec (∃[ new ] ∃[ rem ] ∃[ q ] a ≡ UpdateCommittee new rem q)
   isUpdateCommittee NoConfidence                = no λ()
   isUpdateCommittee (UpdateCommittee new rem q) = yes (new , rem , q , refl)
@@ -111,19 +113,19 @@ instance
       module GoVote sig where
         open GovVote sig
 
-        computeProof = case lookupActionId pparams (proj₁ voter) gid s ,′ isRegistered? (proj₁ Γ) voter of λ where
+        computeProof = case lookupActionId pparams (proj₁ voter) gid epoch s ,′ isRegistered? (proj₁ Γ) voter of λ where
             (yes p , yes p') → case Any↔ .from p of λ where
-              (_ , mem , refl , cV) → success (_ , GOV-Vote (∈-fromList .to mem , cV , p'))
+              (_ , mem , refl , cV , ¬exp) → success (_ , GOV-Vote (∈-fromList .to mem , cV , p' , ¬exp))
             (yes _ , no ¬p) → failure (genErrors ¬p)
-            (no ¬p , _)     → failure (genErrors ¬p)
+            (no ¬p , _    ) → failure (genErrors ¬p)
 
         completeness : ∀ s' → Γ ⊢ s ⇀⦇ inj₁ sig ,GOV'⦈ s' → map proj₁ computeProof ≡ success s'
-        completeness s' (GOV-Vote (mem , cV , reg))
-          with lookupActionId pparams (proj₁ voter) gid s | isRegistered? (proj₁ Γ) voter
-        ... | no ¬p | _ = ⊥-elim (¬p (Any↔ .to (_ , ∈-fromList .from mem , refl , cV)))
+        completeness s' (GOV-Vote {ast = ast} (mem , cV , reg , ¬expired))
+          with lookupActionId pparams (proj₁ voter) gid epoch s | isRegistered? (proj₁ Γ) voter
+        ... | no ¬p | _ = ⊥-elim (¬p (Any↔ .to (_ , ∈-fromList .from mem , refl , cV , ¬expired)))
         ... | yes _ | no ¬p = ⊥-elim $ ¬p reg
-        ... | yes p | yes p' with Any↔ .from p
-        ... | (_ , mem , refl , cV) = refl
+        ... | yes p | yes q with Any↔ .from p 
+        ... | ((_ , ast') , mem , refl , cV) = refl
 
       module GoProp prop where
         open GovProposal prop
@@ -132,30 +134,34 @@ instance
 
         instance 
           Dec-actionWellFormed = actionWellFormed?
+          Dec-actionValid = actionValid?
         {-# INCOHERENT Dec-actionWellFormed #-}
+        {-# INCOHERENT Dec-actionValid #-}
 
-        H = ¿ actionWellFormed rewardCreds p ppolicy epoch a
+        H = ¿ actionWellFormed a
+            × actionValid rewardCreds p ppolicy epoch a
             × d ≡ govActionDeposit
             × validHFAction prop s enactState
             × hasParent' enactState s a prev
-            × addr .RwdAddr.net ≡ NetworkId ¿
+            × addr .RwdAddr.net ≡ NetworkId
+            × addr .RwdAddr.stake ∈ rewardCreds ¿
             ,′ isUpdateCommittee a
 
         computeProof = case H of λ where
-          (yes (wf , dep , vHFA , HasParent' en , goodAddr) , yes (new , rem , q , refl)) →
+          (yes (wf , av , dep , vHFA , HasParent' en , goodAddr , regReturn) , yes (new , rem , q , refl)) →
             case ¿ ∀[ e ∈ range new ] epoch < e × dom new ∩ rem ≡ᵉ ∅ ¿ of λ where
-              (yes newOk) → success (_ , GOV-Propose (wf , dep , vHFA , en , goodAddr))
+              (yes newOk) → success (_ , GOV-Propose (wf , av , dep , vHFA , en , goodAddr , regReturn))
               (no ¬p)     → failure (genErrors ¬p)
-          (yes (wf , dep , vHFA , HasParent' en , goodAddr) , no notNewComm) → success
-            (-, GOV-Propose (wf , dep , vHFA , en , goodAddr))
+          (yes (wf , av , dep , vHFA , HasParent' en , goodAddr , returnReg) , no notNewComm) → success
+            (-, GOV-Propose (wf , av , dep , vHFA , en , goodAddr , returnReg))
           (no ¬p , _) → failure (genErrors ¬p)
 
         completeness : ∀ s' → Γ ⊢ s ⇀⦇ inj₂ prop ,GOV'⦈ s' → map proj₁ computeProof ≡ success s'
-        completeness s' (GOV-Propose (wf , dep , vHFA , en , goodAddr)) with H
-        ... | (no ¬p , _) = ⊥-elim (¬p (wf , dep , vHFA , HasParent' en , goodAddr))
-        ... | (yes (_ , _ , _ , HasParent' _ , _) , no notNewComm) = refl
-        ... | (yes ((_ , allOk) , _ , _ , HasParent' _ , _) , yes (new , rem , q , refl))
-          rewrite dec-yes ¿ ∀[ e ∈ range new ] epoch < e × dom new ∩ rem ≡ᵉ ∅ ¿ allOk .proj₂ = refl
+        completeness s' (GOV-Propose (wf , av , dep , vHFA , en , goodAddr)) with H
+        ... | (no ¬p , _) = ⊥-elim (¬p (wf , av , dep , vHFA , HasParent' en , goodAddr))
+        ... | (yes (_ , _ , _ , _ , HasParent' _ , _) , no notNewComm) = refl
+        ... | (yes (_ , (_ , av) , _ , _ , HasParent' _ , _) , yes (new , rem , q , refl))
+          rewrite dec-yes ¿ ∀[ e ∈ range new ] epoch < e × dom new ∩ rem ≡ᵉ ∅ ¿ av .proj₂ = refl
 
       computeProof : (sig : GovVote ⊎ GovProposal) → _
       computeProof (inj₁ s) = GoVote.computeProof s