fix(vapp): charge signer for withdrawing for prover (#154)

mattstam · web-flow · commit b8e7efe5d497 · 2025-07-11T15:23:01.000-07:00
diff --git a/crates/vapp/src/state.rs b/crates/vapp/src/state.rs
@@ -541,25 +541,57 @@ impl<A: Storage<Address, Account>, R: Storage<RequestId, bool>> VAppState<A, R>
                 let auctioneer = Address::try_from(body.auctioneer.as_slice())
                     .map_err(|_| VAppPanic::AddressDeserializationFailed)?;
 
-                // Validate that the account has sufficient balance for withdrawal + auctioneer fee.
-                debug!("validate account has sufficient balance");
-                let balance = self.accounts.entry(account)?.or_default().get_balance();
-                let total_amount = u256::add(amount, auctioneer_fee)?;
-                if balance < total_amount {
-                    return Err(VAppPanic::InsufficientBalance {
-                        account,
-                        amount: total_amount,
-                        balance,
-                    });
-                }
+                if account == from {
+                    // Self withdraw (normal user or prover owner).
+                    debug!("validate balance for self withdraw (account pays amount + fee)");
+                    let balance = self.accounts.entry(account)?.or_default().get_balance();
+                    let total = u256::add(amount, auctioneer_fee)?;
+                    if balance < total {
+                        return Err(VAppPanic::InsufficientBalance {
+                            account,
+                            amount: total,
+                            balance,
+                        });
+                    }
 
-                // Deduct the amount from the account.
-                debug!("deduct amount from account");
-                self.accounts.entry(account)?.or_default().deduct_balance(amount)?;
+                    // Deduct the amount from the withdrawing account.
+                    info!("├── Account({}): - {} $PROVE", account, amount);
+                    self.accounts.entry(account)?.or_default().deduct_balance(amount)?;
+                    // Deduct the fee from the withdrawing account.
+                    info!("├── Account({}): - {} $PROVE (fee)", account, auctioneer_fee);
+                    self.accounts.entry(account)?.or_default().deduct_balance(auctioneer_fee)?;
+                } else {
+                    // Someone else withdrawing for a prover.
+                    debug!("validate balances for prover withdraw (prover pays amount, signer pays fee)");
+
+                    let prover_balance = self.accounts.entry(account)?.or_default().get_balance();
+                    if prover_balance < amount {
+                        return Err(VAppPanic::InsufficientBalance {
+                            account,
+                            amount,
+                            balance: prover_balance,
+                        });
+                    }
 
-                // Deduct and transfer the auctioneer fee.
-                debug!("deduct and transfer auctioneer fee");
-                self.accounts.entry(account)?.or_default().deduct_balance(auctioneer_fee)?;
+                    let from_balance = self.accounts.entry(from)?.or_default().get_balance();
+                    if from_balance < auctioneer_fee {
+                        return Err(VAppPanic::InsufficientBalance {
+                            account: from,
+                            amount: auctioneer_fee,
+                            balance: from_balance,
+                        });
+                    }
+
+                    // Deduct the amount from the prover.
+                    info!("├── Account({}): - {} $PROVE", account, amount);
+                    self.accounts.entry(account)?.or_default().deduct_balance(amount)?;
+                    // Deduct the fee from the signer.
+                    info!("├── Account({}): - {} $PROVE (fee)", from, auctioneer_fee);
+                    self.accounts.entry(from)?.or_default().deduct_balance(auctioneer_fee)?;
+                }
+
+                // Credit the fee to the auctioneer.
+                info!("└── Auctioneer({}): + {} $PROVE (fee)", auctioneer, auctioneer_fee);
                 self.accounts.entry(auctioneer)?.or_default().add_balance(auctioneer_fee)?;
 
                 // Return the withdraw action.
diff --git a/crates/vapp/tests/withdraw.rs b/crates/vapp/tests/withdraw.rs
@@ -145,3 +145,162 @@ fn test_withdraw_insufficient_for_auctioneer_fee() {
 
     assert!(matches!(result, Err(VAppPanic::InsufficientBalance { .. })));
 }
+
+#[test]
+fn test_withdraw_prover_self_withdraw() {
+    let mut test = setup();
+    let prover_address = test.fulfiller.address();
+    let prover_owner = test.requester.address();
+    let auctioneer = test.state.auctioneer;
+
+    // Create a prover with owner different from prover address.
+    let create_tx = create_prover_tx(prover_address, prover_owner, U256::from(500), 0, 1, 1);
+    test.state.execute::<MockVerifier>(&create_tx).unwrap();
+
+    // Give the prover account some balance.
+    let initial_balance = U256::from(200) * U256::from(10).pow(U256::from(18));
+    let prover_deposit = deposit_tx(prover_address, initial_balance, 0, 2, 2);
+    test.state.execute::<MockVerifier>(&prover_deposit).unwrap();
+    assert_account_balance(&mut test, prover_address, initial_balance);
+
+    // Give the prover owner balance to pay the withdraw fee.
+    let owner_balance = U256::from(10) * U256::from(10).pow(U256::from(18));
+    let owner_deposit = deposit_tx(prover_owner, owner_balance, 0, 3, 3);
+    test.state.execute::<MockVerifier>(&owner_deposit).unwrap();
+
+    // Prover owner withdraws from prover account (prover pays amount, owner pays fee).
+    let withdraw_amount = U256::from(100) * U256::from(10).pow(U256::from(18));
+    let withdraw_tx = withdraw_tx(&test.requester, prover_address, withdraw_amount, 0);
+    let receipt = test.state.execute::<MockVerifier>(&withdraw_tx).unwrap();
+
+    // Verify amount was deducted from prover, fee from owner.
+    let expected_prover_balance = U256::from(100) * U256::from(10).pow(U256::from(18)); // 200 - 100 = 100
+    let expected_owner_balance = U256::from(9) * U256::from(10).pow(U256::from(18)); // 10 - 1 = 9
+    let auctioneer_fee = U256::from(10).pow(U256::from(18)); // 1 PROVE
+    assert_account_balance(&mut test, prover_address, expected_prover_balance);
+    assert_account_balance(&mut test, prover_owner, expected_owner_balance);
+    assert_account_balance(&mut test, auctioneer, auctioneer_fee);
+    assert_withdraw_receipt(&receipt, prover_address, withdraw_amount);
+}
+
+#[test]
+fn test_withdraw_third_party_for_prover() {
+    let mut test = setup();
+    let prover_address = test.fulfiller.address();
+    let prover_owner = test.requester.address();
+    let third_party = test.signers[0].clone(); // Third party who will sign the withdraw
+    let auctioneer = test.state.auctioneer;
+
+    // Create a prover with owner different from prover address.
+    let create_tx = create_prover_tx(prover_address, prover_owner, U256::from(500), 0, 1, 1);
+    test.state.execute::<MockVerifier>(&create_tx).unwrap();
+
+    // Give the prover account balance for withdrawal.
+    let prover_balance = U256::from(150) * U256::from(10).pow(U256::from(18));
+    let prover_deposit = deposit_tx(prover_address, prover_balance, 0, 2, 2);
+    test.state.execute::<MockVerifier>(&prover_deposit).unwrap();
+
+    // Give the third party balance for fee payment.
+    let third_party_balance = U256::from(10) * U256::from(10).pow(U256::from(18));
+    let third_party_deposit = deposit_tx(third_party.address(), third_party_balance, 0, 3, 3);
+    test.state.execute::<MockVerifier>(&third_party_deposit).unwrap();
+
+    // Third party withdraws from prover account (account != signer).
+    let withdraw_amount = U256::from(100) * U256::from(10).pow(U256::from(18));
+    let withdraw_tx = withdraw_tx(&third_party, prover_address, withdraw_amount, 0);
+    let receipt = test.state.execute::<MockVerifier>(&withdraw_tx).unwrap();
+
+    // Verify amount was deducted from prover, fee from third party.
+    let expected_prover_balance = U256::from(50) * U256::from(10).pow(U256::from(18)); // 150 - 100 = 50
+    let expected_third_party_balance = U256::from(9) * U256::from(10).pow(U256::from(18)); // 10 - 1 = 9
+    let auctioneer_fee = U256::from(10).pow(U256::from(18)); // 1 PROVE
+    assert_account_balance(&mut test, prover_address, expected_prover_balance);
+    assert_account_balance(&mut test, third_party.address(), expected_third_party_balance);
+    assert_account_balance(&mut test, auctioneer, auctioneer_fee);
+    assert_withdraw_receipt(&receipt, prover_address, withdraw_amount);
+}
+
+#[test]
+fn test_withdraw_third_party_insufficient_prover_balance() {
+    let mut test = setup();
+    let prover_address = test.fulfiller.address();
+    let prover_owner = test.requester.address();
+    let third_party = test.signers[0].clone();
+
+    // Create a prover.
+    let create_tx = create_prover_tx(prover_address, prover_owner, U256::from(500), 0, 1, 1);
+    test.state.execute::<MockVerifier>(&create_tx).unwrap();
+
+    // Give prover insufficient balance for withdrawal (only 50 PROVE).
+    let prover_balance = U256::from(50) * U256::from(10).pow(U256::from(18));
+    let prover_deposit = deposit_tx(prover_address, prover_balance, 0, 2, 2);
+    test.state.execute::<MockVerifier>(&prover_deposit).unwrap();
+
+    // Give third party enough for fee.
+    let third_party_balance = U256::from(10) * U256::from(10).pow(U256::from(18));
+    let third_party_deposit = deposit_tx(third_party.address(), third_party_balance, 0, 3, 3);
+    test.state.execute::<MockVerifier>(&third_party_deposit).unwrap();
+
+    // Try to withdraw 100 PROVE from prover (should fail - prover has only 50).
+    let withdraw_amount = U256::from(100) * U256::from(10).pow(U256::from(18));
+    let withdraw_tx = withdraw_tx(&third_party, prover_address, withdraw_amount, 0);
+    let result = test.state.execute::<MockVerifier>(&withdraw_tx);
+
+    assert!(matches!(result, Err(VAppPanic::InsufficientBalance { account, amount, balance }) 
+        if account == prover_address && amount == withdraw_amount && balance == prover_balance));
+}
+
+#[test]
+fn test_withdraw_third_party_insufficient_fee_balance() {
+    let mut test = setup();
+    let prover_address = test.fulfiller.address();
+    let prover_owner = test.requester.address();
+    let third_party = test.signers[0].clone();
+
+    // Create a prover.
+    let create_tx = create_prover_tx(prover_address, prover_owner, U256::from(500), 0, 1, 1);
+    test.state.execute::<MockVerifier>(&create_tx).unwrap();
+
+    // Give prover enough balance for withdrawal.
+    let prover_balance = U256::from(150) * U256::from(10).pow(U256::from(18));
+    let prover_deposit = deposit_tx(prover_address, prover_balance, 0, 2, 2);
+    test.state.execute::<MockVerifier>(&prover_deposit).unwrap();
+
+    // Give third party insufficient balance for fee (only 0.5 PROVE, need 1 PROVE).
+    let third_party_balance = U256::from(5) * U256::from(10).pow(U256::from(17)); // 0.5 PROVE
+    let third_party_deposit = deposit_tx(third_party.address(), third_party_balance, 0, 3, 3);
+    test.state.execute::<MockVerifier>(&third_party_deposit).unwrap();
+
+    // Try to withdraw from prover (should fail - third party can't pay fee).
+    let withdraw_amount = U256::from(100) * U256::from(10).pow(U256::from(18));
+    let auctioneer_fee = U256::from(10).pow(U256::from(18)); // 1 PROVE
+    let withdraw_tx = withdraw_tx(&third_party, prover_address, withdraw_amount, 0);
+    let result = test.state.execute::<MockVerifier>(&withdraw_tx);
+
+    assert!(matches!(result, Err(VAppPanic::InsufficientBalance { account, amount, balance }) 
+        if account == third_party.address() && amount == auctioneer_fee && balance == third_party_balance));
+}
+
+#[test]
+fn test_withdraw_non_prover_only_self_can_withdraw() {
+    let mut test = setup();
+    let regular_account = test.requester.address();
+    let third_party = test.signers[0].clone();
+
+    // Give regular account some balance (no prover creation).
+    let account_balance = U256::from(100) * U256::from(10).pow(U256::from(18));
+    let account_deposit = deposit_tx(regular_account, account_balance, 0, 1, 1);
+    test.state.execute::<MockVerifier>(&account_deposit).unwrap();
+
+    // Give third party enough for fee.
+    let third_party_balance = U256::from(10) * U256::from(10).pow(U256::from(18));
+    let third_party_deposit = deposit_tx(third_party.address(), third_party_balance, 0, 2, 2);
+    test.state.execute::<MockVerifier>(&third_party_deposit).unwrap();
+
+    // Try to have third party withdraw from regular account (should fail).
+    let withdraw_amount = U256::from(50) * U256::from(10).pow(U256::from(18));
+    let withdraw_tx = withdraw_tx(&third_party, regular_account, withdraw_amount, 0);
+    let result = test.state.execute::<MockVerifier>(&withdraw_tx);
+
+    assert!(matches!(result, Err(VAppPanic::OnlyAccountCanWithdraw)));
+}
