margin_pool: clamp decrease_supply_absolute to total_supply#978
Draft
tonylee08 wants to merge 1 commit into
Draft
margin_pool: clamp decrease_supply_absolute to total_supply#978tonylee08 wants to merge 1 commit into
tonylee08 wants to merge 1 commit into
Conversation
Prevents an arithmetic_error when a full-share liquidation records bad debt larger than the current total_supply. The write-off is now capped at total_supply; excess is uncollectible by design (never backed by vault cash). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
margin_state::decrease_supply_absoluteattotal_supply. Previously it could underflow (rawarithmetic_error) whenrepay_liquidationrecorded bad debt larger than the current supplier pool.decrease_supply_absolute_clamps_at_zero) asserting the clamp holds and repeated over-decrements stay at zero.Key decisions
decrease_supply_absoluteis apublic(package)primitive; per the leaf-guard convention in.claude/rules/move.md, it should be self-consistent regardless of which sibling module reaches it. The only caller (margin_pool::repay_liquidation) was relying on a cross-module invariant (bad_debt ≤ total_supply) that isn't guaranteed —total_supplydrifts belowtotal_borrowover time becauseupdate()skims protocol spread only from the supply side. Rather than add caller-side math, the leaf now enforces its own bound.total_supply, suppliers are already fully written down (worst case for them); the residual was never backed by vault cash so it's uncollectible by definition. The existingdefaultreturn fromrepay_liquidationstill reflects the economic shortfall, which remains accurate.total_borrowvs.total_supplydrift from protocol spread is intentional (it's how the fee model works). This PR only fixes the bad-debt path's handling of the resulting state, not the drift itself.Test plan
sui move test --gas-limit 100000000000inpackages/deepbook_margin— all 301 tests passdecrease_supply_absolute_clamps_at_zerotest exercises over-decrement + follow-up decrement from zerobunx prettier-move -con modified files — clean🤖 Generated with Claude Code