Users can request token swaps to happen when the oracle price
is within a price band. Once the price is right, an executor can
trigger the swap. The executors are rewarded with a premium
over the oracle price.
This allows limit and stop loss orders on arbitrary spot pairs.
The PR comes with basic ts support and adjustments to the liquidator,
to execute available token conditional swaps.
Co-authored-by: microwavedcola1 <microwavedcola@gmail.com>
* Stable Price: Reset on first price != 0
This helps when listing tokens or perp markets with an upcoming
oracle. Currently the stable price would be 0 and would need to be
manually reset by DAO proposal.
With this change, the first non-zero value will be used as the starting
point for the stable price instead.
* Listing instructions: Succeed even if oracle is invalid
But require the stable price to reset once it becomes valid.
Instead of requiring a strict increase when init health < 0.
This allows users to still place reducing limit orders on the spot and
perp orderbooks as long as these orders keep the health unchanged.
This changes perp market margining to no longer assume all pnl is in USD
while settlement is in USDC. Instead, a configurable settle token is used for
pnl and settlement, defaulting to USDC.
There is no difference while the USDC price is forced to $1 and the init and liab
weights are 1. But with this patch, it becomes possible to change that.
For now it is not recommended to use a token other than USDC or USDT (or
another USD targeting stable token) for perp settlement.
The patch also updates all insurance vault use to be aware that the insurance
fund is not in USD but in USDC and apply the USDC price before payouts.
To do this, the previous PerpLiqNegativePnlOrBankruptcy was replaced by
a new PerpLiqNegativePnlOrBankruptcyV2 instruction.
Co-authored-by: microwavedcola1 <89031858+microwavedcola1@users.noreply.github.com>
* add new event for taker trade so arb bots can verify their execution cost without waiting for consume events
Co-authored-by: Nicholas <nicholasgclarke@gmail.com>
Previously tokens listed this way could be borrowed. Now tokens start
with reduce-only set to the "no borrows" mode.
Also decrease the default soft borrow/deposit limits significantly, even
if they don't come into effect when there are no borrows and the deposit
weight is 0 anyway.
It looks like it wasn't possible to exploit the program by
re-initializing the user-owned token accounts used in flash loan because
the later use of health_ais with the health computation would error out
if any token account was included there.
However, the check and a few others were too indirect. In this patch:
- We pass the number of loans into FlashLoanEnd explicitly (verified
  from FlashLoanBegin)
- Add explicit checks for token mints, so it's no longer possible to use
  token accounts for foreign mints in Begin when the loan amount is zero,
  and it's clearer to see that the bookkeeping in End won't break if the
  user reinited the account for a different mint.
- Also add a few other extra comments and checks.
The updated FlashLoanEnd instruction is called FlashLoanEndV2
* Emit the slot corresponding to the oracle price to PerpUpdateFundingLog.
* Emit a new FilledPerpOrderLog consisting of just the group, perp market and seq num. This will be used to correlate perp fills to the transactions they were matched (not consumed).
Previously, if the funding or interest updating instruction wasn't
called for a long time (like for a Solana downtime or the security
council halting the program), the next update would apply funding or
interest for the whole time interval since the last update.
This could lead to a bad downtime situation becoming worse. Instead,
limit the maximum funding and interest time interval to one hour.
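The interval limit described in the commit message above, as an added example that is not code from the project: it compares one update after a three-day outage with and without the one-hour cap. `accrual_interval`, `funding_payment`, `Market` and all numbers are hypothetical, and the sketch assumes the timestamp advances to `now` so the skipped time is never charged later.

```rust
// Added illustration: every name and number here is hypothetical.
const MAX_INTERVAL_SECS: u64 = 3_600; // the one-hour limit from the commit message
const SECS_PER_DAY: f64 = 86_400.0;

/// Seconds of funding or interest to charge for an update at `now`.
/// A clock that moved backwards yields 0 instead of underflowing.
fn accrual_interval(last_update: u64, now: u64, cap: Option<u64>) -> u64 {
    let elapsed = now.saturating_sub(last_update);
    cap.map_or(elapsed, |c| elapsed.min(c))
}

/// Funding owed on `notional` at `daily_rate` over `interval_secs`.
fn funding_payment(notional: f64, daily_rate: f64, interval_secs: u64) -> f64 {
    notional * daily_rate * (interval_secs as f64 / SECS_PER_DAY)
}

struct Market {
    last_update: u64,
    daily_rate: f64, // rate computed before the outage, now stale
}

impl Market {
    /// Charges one update and returns the payment.
    /// Assumption: the timestamp always advances to `now`, so time beyond
    /// the cap is dropped rather than charged by a later update.
    fn update(&mut self, now: u64, notional: f64, cap: Option<u64>) -> f64 {
        let dt = accrual_interval(self.last_update, now, cap);
        self.last_update = now;
        funding_payment(notional, self.daily_rate, dt)
    }
}

fn main() {
    let outage_end = 3 * 86_400; // constructed: updates stopped for three days
    let mut uncapped = Market { last_update: 0, daily_rate: 0.05 };
    let mut capped = Market { last_update: 0, daily_rate: 0.05 };
    println!("uncapped: {:.2}", uncapped.update(outage_end, 10_000.0, None));
    println!("capped:   {:.2}", capped.update(outage_end, 10_000.0, Some(MAX_INTERVAL_SECS)));
    // Ten minutes later the capped market charges only those ten minutes.
    println!("next:     {:.2}", capped.update(outage_end + 600, 10_000.0, Some(MAX_INTERVAL_SECS)));
}
```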
* in perp settle fees, don't error, rather return early
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* Fixes from review
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
---------
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* Fix bug: only account for borrows we are offsetting
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* fix
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* Bank: Unittest for net borrow limits
---------
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
Co-authored-by: Christian Kamm <mail@ckamm.de>
This fixes a security issue where bankruptcy related instructions could
be called inside a health region. Now health regions are limited to
compute optimization like when placing multiple orders in one
transaction.
This limitation also makes it impossible to abuse health regions for
flash loans. Use the FlashLoan instructions for that purpose.
* support name edit for token and program
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* undo
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* Fixes from review
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
---------
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
This allows the security council to say "users can't create new borrows
against this token/perp anymore". In some emergency situations this can
help reduce risk exposure.
For example, if the price of a wrapped asset permanently depegs from
its underlying or there is a successful long-term attack on an oracle,
this (and reduce-only) would significantly reduce exploitability until
the DAO's decision for how to resolve the issue goes through.
* Vendor `fixed` crate to have checked math in release mode
* remove all cm!()
* drop superfluous parens
* drop use of checked_math crate
* manual removal of redundant checked_* functions
To do that, split up the Accounts objects and the instruction
implementations.
GPL code is only used when the "enable-gpl" feature is enabled. That
means compiling the program or running tests need explicit feature
activation now.
Due to the safety features in v4, the init health can differ from maint
health a lot more than it used to in v3. This is because of stable-price
adjusted oracle prices used in init health, and the weight scaling based
on total deposits and borrows used in init health.
The effect is that once an account becomes liquidatable, it could be
liquidated a lot until it reaches init>=0.
The original idea of liquidating until init>=0 was just to provide some
buffer, such that liquidated accounts wouldn't immediately become
liquidatable again.
This patch decouples the buffer idea explicitly from init health by
creating a new LiquidationEnd health type. Liquidation proceeds until
the LiquidationEnd health becomes positive.
Co-authored-by: microwavedcola1 <89031858+microwavedcola1@users.noreply.github.com>
Previously liquidation would overestimate the amount required, because
it used the oracle price for computing the health gain from
liquidation.
Now it uses the correct (stable price adjusted) price for figuring out
the amount of liquidation required, while still executing at
fee-adjusted oracle price.
- don't store internal order ids: unneeded
- provide the maker client order id for user correlation
- store fees as f32 to waste fewer bytes
- new FillLogV2
- Rename to perp_liq_base_or_positive_pnl and perp_liq_negative_pnl_or_bankruptcy
- Deal with situations where overall asset weight is zero and base position reduction
  would not improve liqee health
- Add ability for liqors to take over positive unsettled pnl if that improves liqee health
Speeds up the linking step, needs way less disk space for test binaries
and executes tests significantly faster.
Test execution went from 35s -> 29s for me and compilation improved a
lot.
* return order id from a perp place order ix
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* fix
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* fixes from review
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* zero out perp position and orders for a broken market
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* fix
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* client code
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* fixes from review
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* skip iteration if the incoming order has no lots to process
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
* fixes from review
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
This includes trade pnl, funding and fees. Tracking this makes it easier
for UIs to display a consistent position overall pnl value that doesn't
decrease by settling.
Co-authored-by: microwavedcola1 <microwavedcola@gmail.com>
This replaces the previous distinction between trusted and untrusted
markets; they are equivalent to setting the asset weights to 1 or 0
instead.
This way, we can weigh positive pnl in the trusted case at less than 1
which is more correct from a risk point of view and allows for more
flexibility when it comes to liquidation.
Co-authored-by: microwavedcola1 <microwavedcola@gmail.com>