slot staleness checks (#1705)

* slot staleness checks

* update aum ix to use constituent oracles

Author: NourAlharithi

programs/drift/src/error.rs

@@ -1,7 +1,4 @@
 use anchor_lang::prelude::*;
-
-use crate::state::lp_pool::Constituent;
-
 pub type DriftResult<T = ()> = std::result::Result<T, ErrorCode>;
 
 #[error_code]
@@ -659,6 +656,12 @@ pub enum ErrorCode {
     OracleTooStaleForLPAUMUpdate,
     #[msg("Insufficient constituent token balance")]
     InsufficientConstituentTokenBalance,
+    #[msg("Amm Cache data too stale")]
+    AMMCacheStale,
+    #[msg("LP Pool AUM not updated recently")]
+    LpPoolAumDelayed,
+    #[msg("Constituent oracle is stale")]
+    ConstituentOracleStale,
 }
 
 #[macro_export]

programs/drift/src/instructions/keeper.rs

@@ -50,6 +50,7 @@ use crate::state::insurance_fund_stake::InsuranceFundStake;
 use crate::state::lp_pool::Constituent;
 use crate::state::lp_pool::LPPool;
 use crate::state::lp_pool::CONSTITUENT_PDA_SEED;
+use crate::state::lp_pool::SETTLE_AMM_ORACLE_MAX_DELAY;
 use crate::state::oracle_map::OracleMap;
 use crate::state::order_params::{OrderParams, PlaceOrderOptions};
 use crate::state::paused_operations::{PerpOperation, SpotOperation};
@@ -2949,6 +2950,8 @@ pub fn handle_pause_spot_market_deposit_withdraw(
 pub fn handle_settle_perp_to_lp_pool<'c: 'info, 'info>(
     ctx: Context<'_, '_, 'c, 'info, SettleAmmPnlToLp<'info>>,
 ) -> Result<()> {
+    let slot = Clock::get()?.slot;
+
     let state = &ctx.accounts.state;
     let amm_cache_key = &ctx.accounts.amm_cache.key();
     let mut amm_cache: AccountZeroCopyMut<'_, CacheInfo, _> =
@@ -2978,19 +2981,27 @@ pub fn handle_settle_perp_to_lp_pool<'c: 'info, 'info>(
     let AccountMaps {
         perp_market_map,
         spot_market_map: _,
-        mut oracle_map,
+        oracle_map: _,
     } = load_maps(
         remaining_accounts_iter,
         &MarketSet::new(),
         &MarketSet::new(),
-        Clock::get()?.slot,
+        slot,
         None,
     )?;
 
     for (_, perp_market_loader) in perp_market_map.0.iter() {
         let mut perp_market = perp_market_loader.load_mut()?;
         let cached_info = amm_cache.get_mut(perp_market.market_index as u32);
-        let oracle_data = oracle_map.get_price_data(&perp_market.oracle_id())?;
+
+        if slot.saturating_sub(cached_info.oracle_slot) > SETTLE_AMM_ORACLE_MAX_DELAY {
+            // If the oracle slot is not up to date, skip this market
+            msg!(
+                "Skipping settling perp market {} to dlp because oracle slot is not up to date",
+                perp_market.market_index
+            );
+            continue;
+        }
 
         let fee_pool_token_amount = get_token_amount(
             perp_market.amm.fee_pool.scaled_balance,
@@ -3004,7 +3015,10 @@ pub fn handle_settle_perp_to_lp_pool<'c: 'info, 'info>(
             perp_market.pnl_pool.balance_type(),
         )?
         .cast::<i128>()?
-        .safe_sub(calculate_net_user_pnl(&perp_market.amm, oracle_data.price)?)?;
+        .safe_sub(calculate_net_user_pnl(
+            &perp_market.amm,
+            cached_info.oracle_price,
+        )?)?;
 
         let amm_amount_available =
             net_pnl_pool_token_amount.safe_add(fee_pool_token_amount.cast::<i128>()?)?;
@@ -3024,53 +3038,7 @@ pub fn handle_settle_perp_to_lp_pool<'c: 'info, 'info>(
         )?;
 
         // Actually transfer the pnl to the lp usdc constituent account
-        let oracle_price = oracle_map.get_price_data(&perp_market.oracle_id())?.price;
-        validate_market_within_price_band(&perp_market, state, oracle_price)?;
-
-        if perp_market.amm.curve_update_intensity > 0 {
-            let healthy_oracle = perp_market.amm.is_recent_oracle_valid(oracle_map.slot)?;
-
-            if !healthy_oracle {
-                let (_, oracle_validity) = oracle_map.get_price_data_and_validity(
-                    MarketType::Perp,
-                    perp_market.market_index,
-                    &perp_market.oracle_id(),
-                    perp_market
-                        .amm
-                        .historical_oracle_data
-                        .last_oracle_price_twap,
-                    perp_market.get_max_confidence_interval_multiplier()?,
-                    0,
-                )?;
-
-                if !is_oracle_valid_for_action(oracle_validity, Some(DriftAction::SettlePnl))?
-                    || !perp_market.is_price_divergence_ok_for_settle_pnl(oracle_price)?
-                {
-                    if !perp_market.amm.last_oracle_valid {
-                        let msg = format!(
-                            "Oracle Price detected as invalid ({}) on last perp market update for Market = {}",
-                            oracle_validity,
-                            perp_market.market_index
-                        );
-                        msg!(&msg);
-
-                        return Err(oracle_validity.get_error_code().into());
-                    }
-
-                    if oracle_map.slot != perp_market.amm.last_update_slot {
-                        let msg = format!(
-                            "Market={} AMM must be updated in a prior instruction within same slot (current={} != amm={}, last_oracle_valid={})",
-                            perp_market.market_index,
-                            oracle_map.slot,
-                            perp_market.amm.last_update_slot,
-                            perp_market.amm.last_oracle_valid
-                        );
-                        msg!(&msg);
-                        return Err(ErrorCode::AMMNotUpdatedInSameSlot.into());
-                    }
-                }
-            }
-        }
+        validate_market_within_price_band(&perp_market, state, cached_info.oracle_price)?;
 
         if perp_market.is_operation_paused(PerpOperation::SettlePnl) {
             msg!(

programs/drift/src/instructions/lp_pool.rs

@@ -30,6 +30,8 @@ use crate::{
             calculate_target_weight, AmmConstituentDatum, AmmConstituentMappingFixed, Constituent,
             ConstituentCorrelationsFixed, ConstituentTargetBaseFixed, LPPool, TargetsDatum,
             WeightValidationFlags, CONSTITUENT_CORRELATIONS_PDA_SEED,
+            LP_POOL_SWAP_AUM_UPDATE_DELAY, MAX_AMM_CACHE_STALENESS_FOR_TARGET_CALC,
+            MAX_CONSTITUENT_ORACLE_SLOT_STALENESS_FOR_AUM,
         },
         oracle::OraclePriceData,
         oracle_map::OracleMap,
@@ -58,13 +60,18 @@ use crate::state::lp_pool::{
 pub fn handle_update_constituent_target_base<'c: 'info, 'info>(
     ctx: Context<'_, '_, 'c, 'info, UpdateConstituentTargetBase<'info>>,
 ) -> Result<()> {
+    let slot = Clock::get()?.slot;
+
     let lp_pool = &ctx.accounts.lp_pool.load()?;
     let lp_pool_key: &Pubkey = &ctx.accounts.lp_pool.key();
     let amm_cache_key: &Pubkey = &ctx.accounts.amm_cache.key();
 
     let amm_cache: AccountZeroCopy<'_, CacheInfo, AmmCacheFixed> =
         ctx.accounts.amm_cache.load_zc()?;
 
+    amm_cache.check_oracle_staleness(slot, MAX_AMM_CACHE_STALENESS_FOR_TARGET_CALC)?;
+    amm_cache.check_perp_market_staleness(slot, MAX_AMM_CACHE_STALENESS_FOR_TARGET_CALC)?;
+
     let expected_cache_pda = &Pubkey::create_program_address(
         &[
             AMM_POSITIONS_CACHE.as_ref(),
@@ -223,7 +230,7 @@ pub fn handle_update_lp_pool_aum<'c: 'info, 'info>(
     let AccountMaps {
         perp_market_map: _,
         spot_market_map,
-        mut oracle_map,
+        oracle_map: _,
     } = load_maps(
         remaining_accounts,
         &MarketSet::new(),
@@ -284,7 +291,19 @@ pub fn handle_update_lp_pool_aum<'c: 'info, 'info>(
     let mut oldest_slot = u64::MAX;
     let mut derivative_groups: BTreeMap<u16, Vec<u16>> = BTreeMap::new();
     for i in 0..lp_pool.constituents as usize {
-        let mut constituent = constituent_map.get_ref_mut(&(i as u16))?;
+        let constituent = constituent_map.get_ref(&(i as u16))?;
+        if slot.saturating_sub(constituent.last_oracle_slot)
+            > MAX_CONSTITUENT_ORACLE_SLOT_STALENESS_FOR_AUM
+        {
+            msg!(
+                "Constituent {} oracle slot is too stale: {}, current slot: {}",
+                constituent.constituent_index,
+                constituent.last_oracle_slot,
+                slot
+            );
+            return Err(ErrorCode::ConstituentOracleStale.into());
+        }
+
         if constituent.constituent_derivative_index >= 0 && constituent.derivative_weight != 0 {
             if !derivative_groups.contains_key(&(constituent.constituent_derivative_index as u16)) {
                 derivative_groups.insert(
@@ -301,40 +320,7 @@ pub fn handle_update_lp_pool_aum<'c: 'info, 'info>(
 
         let spot_market = spot_market_map.get_ref(&constituent.spot_market_index)?;
 
-        let oracle_data = oracle_map.get_price_data_and_validity(
-            MarketType::Spot,
-            constituent.spot_market_index,
-            &spot_market.oracle_id(),
-            spot_market.historical_oracle_data.last_oracle_price_twap,
-            spot_market.get_max_confidence_interval_multiplier()?,
-            0,
-        )?;
-
-        let oracle_slot = slot - oracle_data.0.delay.max(0i64).cast::<u64>()?;
-        let oracle_price: Option<i64> = {
-            if !is_oracle_valid_for_action(oracle_data.1, Some(DriftAction::UpdateLpPoolAum))? {
-                msg!(
-                    "Oracle data for spot market {} is invalid. Skipping update",
-                    spot_market.market_index,
-                );
-                if slot.saturating_sub(constituent.last_oracle_slot)
-                    >= constituent.oracle_staleness_threshold
-                {
-                    None
-                } else {
-                    Some(constituent.last_oracle_price)
-                }
-            } else {
-                Some(oracle_data.0.price)
-            }
-        };
-
-        if oracle_price.is_none() {
-            return Err(ErrorCode::OracleTooStaleForLPAUMUpdate.into());
-        }
-
-        constituent.last_oracle_price = oracle_price.unwrap();
-        constituent.last_oracle_slot = oracle_slot;
+        let oracle_slot = constituent.last_oracle_slot;
 
         if oracle_slot < oldest_slot {
             oldest_slot = oracle_slot;
@@ -350,7 +336,7 @@ pub fn handle_update_lp_pool_aum<'c: 'info, 'info>(
             .get_full_balance(&spot_market)?
             .safe_mul(numerator_scale)?
             .safe_div(denominator_scale)?
-            .safe_mul(oracle_price.unwrap() as i128)?
+            .safe_mul(constituent.last_oracle_price as i128)?
             .safe_div(PRICE_PRECISION_I128)?
             .max(0);
         msg!(
@@ -366,15 +352,15 @@ pub fn handle_update_lp_pool_aum<'c: 'info, 'info>(
                 .get(constituent.constituent_index as u32)
                 .target_base
                 .safe_mul(constituent.last_oracle_price)?
-                .safe_div(10_i64.pow(spot_market.decimals as u32))?;
+                .safe_div(10_i64.pow(constituent.decimals as u32))?;
             crypto_delta = crypto_delta.safe_add(constituent_target_notional.cast()?)?;
         }
         aum = aum.safe_add(constituent_aum.cast()?)?;
     }
 
     for cache_datum in amm_cache.iter() {
         if cache_datum.quote_owed_from_lp > 0 {
-            aum = aum.safe_sub(cache_datum.quote_owed_from_lp.abs().cast::<u128>()?)?;
+            aum = aum.saturating_sub(cache_datum.quote_owed_from_lp.abs().cast::<u128>()?);
         } else {
             aum = aum.safe_add(cache_datum.quote_owed_from_lp.abs().cast::<u128>()?)?;
         }
@@ -487,6 +473,15 @@ pub fn handle_lp_pool_swap<'c: 'info, 'info>(
     let state = &ctx.accounts.state;
     let lp_pool = &ctx.accounts.lp_pool.load()?;
 
+    if slot.saturating_sub(lp_pool.last_aum_slot) > LP_POOL_SWAP_AUM_UPDATE_DELAY {
+        msg!(
+            "Must update LP pool AUM before swap, last_aum_slot: {}, current slot: {}",
+            lp_pool.last_aum_slot,
+            slot
+        );
+        return Err(ErrorCode::LpPoolAumDelayed.into());
+    }
+
     let mut in_constituent = ctx.accounts.in_constituent.load_mut()?;
     let mut out_constituent = ctx.accounts.out_constituent.load_mut()?;
 
@@ -729,6 +724,15 @@ pub fn handle_lp_pool_add_liquidity<'c: 'info, 'info>(
     let state = &ctx.accounts.state;
     let mut lp_pool = ctx.accounts.lp_pool.load_mut()?;
 
+    if slot.saturating_sub(lp_pool.last_aum_slot) > LP_POOL_SWAP_AUM_UPDATE_DELAY {
+        msg!(
+            "Must update LP pool AUM before swap, last_aum_slot: {}, current slot: {}",
+            lp_pool.last_aum_slot,
+            slot
+        );
+        return Err(ErrorCode::LpPoolAumDelayed.into());
+    }
+
     let mut in_constituent = ctx.accounts.in_constituent.load_mut()?;
 
     let constituent_target_base = ctx.accounts.constituent_target_base.load_zc()?;
@@ -917,6 +921,15 @@ pub fn handle_lp_pool_remove_liquidity<'c: 'info, 'info>(
     let state = &ctx.accounts.state;
     let mut lp_pool = ctx.accounts.lp_pool.load_mut()?;
 
+    if slot.saturating_sub(lp_pool.last_aum_slot) > LP_POOL_SWAP_AUM_UPDATE_DELAY {
+        msg!(
+            "Must update LP pool AUM before swap, last_aum_slot: {}, current slot: {}",
+            lp_pool.last_aum_slot,
+            slot
+        );
+        return Err(ErrorCode::LpPoolAumDelayed.into());
+    }
+
     let mut out_constituent = ctx.accounts.out_constituent.load_mut()?;
 
     let constituent_target_base = ctx.accounts.constituent_target_base.load_zc()?;

programs/drift/src/state/lp_pool.rs

@@ -31,6 +31,22 @@ pub const MIN_SWAP_FEE: i128 = 200; // 0.75% in PERCENTAGE_PRECISION
 
 pub const MIN_AUM_EXECUTION_FEE: u128 = 10_000_000_000_000;
 
+// Delay constants
+#[cfg(feature = "anchor-test")]
+pub const SETTLE_AMM_ORACLE_MAX_DELAY: u64 = 100;
+#[cfg(not(feature = "anchor-test"))]
+pub const SETTLE_AMM_ORACLE_MAX_DELAY: u64 = 10;
+pub const LP_POOL_SWAP_AUM_UPDATE_DELAY: u64 = 0;
+#[cfg(feature = "anchor-test")]
+pub const MAX_AMM_CACHE_STALENESS_FOR_TARGET_CALC: u64 = 10000u64;
+#[cfg(not(feature = "anchor-test"))]
+pub const MAX_AMM_CACHE_STALENESS_FOR_TARGET_CALC: u64 = 0u64;
+
+#[cfg(feature = "anchor-test")]
+pub const MAX_CONSTITUENT_ORACLE_SLOT_STALENESS_FOR_AUM: u64 = 10000u64;
+#[cfg(not(feature = "anchor-test"))]
+pub const MAX_CONSTITUENT_ORACLE_SLOT_STALENESS_FOR_AUM: u64 = 2u64;
+
 #[cfg(test)]
 mod tests;
 
@@ -1090,6 +1106,9 @@ pub fn calculate_target_weight(
     lp_pool_aum: u128,
     validation_flags: WeightValidationFlags,
 ) -> DriftResult<i64> {
+    if lp_pool_aum == 0 {
+        return Ok(0);
+    }
     let notional: i128 = (target_base as i128)
         .safe_mul(price as i128)?
         .safe_div(10_i128.pow(spot_market.decimals))?;

programs/drift/src/state/perp_market.rs

@@ -1,4 +1,5 @@
 use crate::state::pyth_lazer_oracle::PythLazerOracle;
+use crate::state::zero_copy::AccountZeroCopy;
 use crate::{impl_zero_copy_loader, validate};
 use anchor_lang::prelude::*;
 
@@ -1807,3 +1808,40 @@ impl AmmCache {
 }
 
 impl_zero_copy_loader!(AmmCache, crate::id, AmmCacheFixed, CacheInfo);
+
+impl<'a> AccountZeroCopy<'a, CacheInfo, AmmCacheFixed> {
+    pub fn check_settle_staleness(&self, now: i64, threshold_ms: i64) -> DriftResult<()> {
+        for (i, cache_info) in self.iter().enumerate() {
+            if cache_info.last_settle_ts < now.saturating_sub(threshold_ms) {
+                msg!("AMM settle data is stale for perp market {}", i);
+                return Err(ErrorCode::AMMCacheStale.into());
+            }
+        }
+        Ok(())
+    }
+
+    pub fn check_perp_market_staleness(&self, slot: u64, threshold: u64) -> DriftResult<()> {
+        for (i, cache_info) in self.iter().enumerate() {
+            if cache_info.slot < slot.saturating_sub(threshold) {
+                msg!("Perp market cache info is stale for perp market {}", i);
+                return Err(ErrorCode::AMMCacheStale.into());
+            }
+        }
+        Ok(())
+    }
+
+    pub fn check_oracle_staleness(&self, slot: u64, threshold: u64) -> DriftResult<()> {
+        for (i, cache_info) in self.iter().enumerate() {
+            if cache_info.oracle_slot < slot.saturating_sub(threshold) {
+                msg!(
+                    "Perp market cache info is stale for perp market {}. oracle slot: {}, slot: {}",
+                    i,
+                    cache_info.oracle_slot,
+                    slot
+                );
+                return Err(ErrorCode::AMMCacheStale.into());
+            }
+        }
+        Ok(())
+    }
+}