Then you can see both: <img width="1884" height="1082" alt="image" src="https://github.com/user-attachments/assets/0e3c643c-378a-40e1-9f14-0f9d25a6f7ad" />
Similar to the tx-cost-diff, this adds a comparision comment showing the difference between the PR and master on the benchmarks. Note that there appears to be moderately high variance; we can play with the thresholds as we get more used to what they mean.
mustPreserveHeadValue used geq (≥) rather than == for the Close and Contest transitions. This allowed a malicious contester to add extra ADA to the head output — a griefing attack where the added value would cause the fanout's strict == conservation check to fail, permanently locking the head. The geq was a defensive measure for datum-growth min-UTxO scenarios, but neither closeTx nor contestTx ever changes the head value (both call modifyTxOutDatum only), and using geq to "top up" would break the fanout anyway. The correct invariant is ==, which matches the spec. Add ContestIncreaseHeadValue mutation test to document the property. Signed-off-by: Sasha Bogicevic <[email protected]>
mustNotChangeVersion (H13) fires before mustBeValidSnapshot (H28) in checkClose because && evaluates left-to-right; setting closedVersion != openVersion always triggers H13 first. Signed-off-by: Sasha Bogicevic <[email protected]>
Add CloseCommitUnused and CloseCommitUsed contract tests to cover the (ToCommit, True) and (ToCommit, False) branches of headAdaOverhead computation in closeTx, which were previously untested. Both new test suites include a healthy-tx property and a full mutation generator. Signed-off-by: Sasha Bogicevic <[email protected]>
When a DecrementTx was applied on-chain before the head was closed (snapshotVersion != openVersion), partialFanout passed fullUTxO to buildAndVerifyAccumulator. But the closed datum's accumulatorCommitment was built from utxoForProof (snapshot UTxO including the decommit set), so the check always failed with StaleChainState, leaving the head stuck. Separate the accumulator proof input from the distribution set by adding a proofUTxO parameter to partialFanout and findFittingFanoutTx. The FanoutTx call site now passes utxoForProof as proofUTxO so it matches what the closed datum was committed to, while fullUTxO (the actual distribution set) is used unchanged for fanout outputs. Signed-off-by: Sasha Bogicevic <[email protected]>
Remove UTxO fields from ToCommit and ToDecommit constructors of IncrementalAction — the UTxO was already ignored at every callsite. Update setIncrementalActionMaybe and pattern matches in Close.hs and Contest.hs accordingly. Extract repeated BLS12-381 generator check into isG1Generator helper in Head.hs, and add a comment explaining why mustConserveValue uses geq rather than == (min-UTxO overhead on the head output). Signed-off-by: Sasha Bogicevic <[email protected]>
CloseUnusedDec + CloseUnusedInc → CloseUnused CloseUsedDec + CloseUsedInc → CloseUsed ContestCurrent + ContestUnusedDec + ContestUnusedInc → ContestUnused ContestUsedDec + ContestUsedInc → ContestUsed The Dec/Inc suffix was redundant: the accumulator hash already cryptographically commits to the nature of the pending UTxO action, so the on-chain validator does not need to distinguish them. The Unused/Used split (which version to use for signature verification) is preserved. As a consequence, contestTx no longer needs IncrementalAction at all — the version comparison alone determines the redeemer — so the parameter and the BothCommitAndDecommitInContest error variant are removed. Also bounds genStOpen and genFanoutTx UTxO sizes to [1..5] so full fanout transactions with maximumNumberOfParties stay within the 14M memory execution budget. Signed-off-by: Sasha Bogicevic <[email protected]>
The init head output carries only tokens (0 ADA), so fanout evaluation was always failing with HeadValueIsNotPreserved (H4). Additionally, toCommit' was unconditionally generated causing accumulator commitment mismatches (H39) when version == openVersion. - genStOpen now generates a real u0 and inflates the head output with its total value so close/fanout operations can cover snapshot outputs - genFanoutTx only generates commit UTxO when openVersion /= version, keeping the accumulator commitment in the closed datum consistent with what fanoutTx builds; returns the inflated spendableUTxO so evaluation sees the correct head input value - forAllFanout uses the returned spendableUTxO instead of getKnownUTxO stClosed - TxCost genFanoutTx returns utxoToFanout (inflated) as the lookup UTxO, fixing the same value mismatch that caused the FanOut table to be empty Signed-off-by: Sasha Bogicevic <[email protected]>
genFanoutTx generated a snapshot with utxoToCommit/utxoToDecommit but called unsafeFanout with mempty mempty — the BLS proof was built for a different accumulator than the one committed in the closed head datum, so every evaluateTx call failed script validation and the FanOut table produced no rows. Fix: pass utxoToCommit and utxoToDecommit through to unsafeFanout, and inflate the head output value by the total fanout value (same pattern as computePartialFanOutNominalCost) so mustConserveValue passes. Signed-off-by: Sasha Bogicevic <[email protected]>