make Chainlink the canonical priceAggregator

[turadg]

closes: #6628
part of #6571

Description

Make priceAggregatorChainlink the price aggregator contract. Updates CLI command and smoketest script to use the new result struct.

Updates the contract itself for code quality and compatibility with the Smart Wallet (using continuing invitation pattern and keying oracles by wallet address).

Security Considerations

Increases security by implementing round constraints on oracle price pushes. No new privileges.

Documentation Considerations

This changes the priceAggregator to be Chainlink style, which is different than https://github.com/Agoric/dapp-oracle/ expects. OTOH it's already broken and serves mostly an illustration instead of a functioning dapp.

Testing Considerations

Tested manually with https://github.com/Agoric/agoric-sdk/blob/6ff21e34936bdaad17ecd3d0e40dc7493a75cac3/packages/agoric-cli/test/agops-oracle-smoketest.sh

[dckc]

To what extent does closing #6628 mean claiming we're done with this contract?

Comparing the scope of this to the 5 tasks listed in #6571, it seems to claim to address:

• make it support continuing invitation
• FIXMEs (e.g. We throw away the updater but shouldn’t)
• wire it into integration tests and fix whatever else comes up

but not these:

• make durable
• replace makeLegacyMap usage

I'm also curious whether...

• limits work by message size?

... is in scope.

Is there more vstorage work to do after this? (#5854)

I suppose #5060 is likely to impact only the vaultFactory contract and not this one.

[dckc]

This makes me wonder whether the oracle operators aware of quoting prices in integers without decimals. I'm looking around.

[dckc]

The vstorage path segment is still ATOM-USD_price_feed. Is the number of decimals available at a nearby vstorage key?

[turadg]

Not presently. I expect the proposal config to suffice:

agoric-sdk/packages/inter-protocol/src/proposals/price-feed-proposal.js

Lines 292 to 296 in a3962a7

	priceFeedOptions: {
	IN_BRAND_NAME: inBrandName,
	IN_BRAND_DECIMALS: '6',
	OUT_BRAND_NAME: outBrandName,
	OUT_BRAND_DECIMALS: '6',

[dckc]

What's this limitation of 100k - 1? I aim to look around a bit more...

[turadg]

Nothing purposeful. It's much bigger in

agoric-sdk/packages/inter-protocol/scripts/price-feed-core.js

Line 11 in a3962a7

maxSubmissionValue: 2n ** 256n,

Any suggestions?

[dckc]

I don't understand the purpose of the limitation. What is it limiting? What bad thing might happen if there's no limit? Why is 100k a plausible number?

[turadg]

What is it limiting?

It's limiting the maximum value in a submission.

I don't understand the purpose of the limitation.

One is that it came in the port of https://github.com/smartcontractkit/chainlink/blob/b045416ebca769aa69bde2da23b5109abe07a8b5/contracts/src/v0.6/FluxAggregator.sol#L155-L156

What bad thing might happen if there's no limit?

If enough oracles were compromised they could push the median up to a ludicrous price. Or if there is a software bug affecting all of them it wouldn't even require malice. TMK it's a hedge against run-away values.

Why is 100k a plausible number?

I don't know that it is. This code isn't of the economics or risk, just the functionality. Isn't that sufficient?

[dckc]

Is there anything to this change besides line order? I can't tell. Is there some motivation for changing the order?

[turadg]

There was some import to remove and I used Organize imports in VS Code (from TypeScript LSP)

[dckc]

convention calls for capitalizing makePushPriceInvitation

and I don't believe oracleAddr is actually always a string. The tests seem to use an instance.

I haven't tried reproducing the integration testing results; that's next...

[dckc]

Should defaultConfig be exposed more widely? Is it something operators should know about? Or is it just arbitrary test constants?

[turadg]

arbitrary test constants. "default" merely for this module's tests. I think the "in this test module" is implied but let me know if you think it needs a comment or something

[dckc]

That's fine.

I was just asking about the possibility that the numbers are not arbitrary and in fact have some relevance to production operation.

[dckc]

100, 200, and 300 seem pretty far apart; does the aggregator consume them no matter how far apart they are? Or is there a point where it says "sources don't agree; nothing available at this time"?

[turadg]

Right, it lets the prices push as long as they're within the minSubmissionValue and maxSubmissionValue. Extremity of gap doesn't matter because the feed only exposes the median.

[dckc]

I'm missing something about how scale works in this contract. DAI has 18 decimals. the .value of an ERTP amount of 1 DAI is bigger than 100K. How could this possibly work?

[dckc]

I wonder what an oracleAddr is... I think it's: an address to which an invitation to this contract was sent. Why would this contract know the addresses? hm.

[turadg]

I wonder what an oracleAddr is... I think it's: an address to which an invitation to this contract was sent.

Correct. I'll make clearer by documentation.

Why would this contract know the addresses?

It needs to know the oracles and it's keyed on their public address. What's the concern?

[dckc]

The fact that the .instance test works suggests that the keys don't need to be addresses of the validators; the validators could be identified as 'A', 'B', and 'C' and the contract would work fine, yes? The convention of using addresses seems to be external to the contract.

[turadg]

Oh yes, good point. I'll change it to be oracleKey.

[dckc]

how refreshing! docs!

[dckc]

Suggested change

	* @returns {Promise<{admin: OracleAdmin<PriceRound>, invitationMakers: {makePushPriceInvitation: (result: PriceRound) => Promise<Invitation<void>>} }>}
	* @returns {Promise<{admin: OracleAdmin<PriceRound>, invitationMakers: {MakePushPriceInvitation: (result: PriceRound) => Promise<Invitation<void>>} }>}

The sparsely-documented continuing invitation pattern seems to including capitalizing the fields of invitation makers. For example:

    invitationMakers: Far('invitation makers', {
      AdjustBalances: vault.makeAdjustBalancesInvitation,
      CloseVault: vault.makeCloseInvitation,
      TransferVault: vault.makeTransferInvitation,
    }),

I think that's to avoid colliding with existing property names, as noted for assertKeywordName in Zoe.

I can imagine this argument is not very strong, but if we're not going to follow the pattern in this respect, I would want to discuss it more widely.

[dckc]

I guess the AdjustBalances example suggests just PushPrice.

[dckc]

Ah... and I think the method name is supposed to match the invitation description, which is also PushPrice.

[turadg]

Good call. invitationMakers.makePushPriceInvitation is redundant. Changed to invitationMakers.PushPrice.

[dckc]

Is this really a string? The tests suggest otherwise:

  const pricePushAdminA = await E(aggregator.creatorFacet).initOracle(
    priceOracleA.instance,
  );

[turadg]

Thanks for raising. That test was written for the agsolo era. We only support smart wallet oracles now so I've amended to make that clear. This is also necessary for durability.

[dckc]

let's go.

I'm fuzzy on some of the details. And I didn't reproduce the scripted integration test. But... onward.