Introduce Vaults pallet (part of the pUSD Project)

[lrazovic]

Description

This PR introduces pallet-vaults, a new FRAME pallet that implements a Collateralized Debt Position (CDP) system for creating over-collateralized stablecoin loans on Substrate-based blockchains. The pallet allows users to lock up DOT as collateral and mint pUSD against it.

Integration

For Runtime Developers

To integrate pallet-vaults into your runtime:

1. Add dependency to your runtime's Cargo.toml:

pallet-vaults = { version = "0.1.0", default-features = false }

2. Implement the Config trait in your runtime:

impl pallet_vaults::Config for Runtime {
    type Currency = Balances;                    // Native token for collateral
    type RuntimeHoldReason = RuntimeHoldReason;
    type Asset = Assets;                         // pallet-assets for pUSD
    type AssetId = u32;
    type TimeProvider = Timestamp;
    type Oracle = OraclePallet;                  // Must implement `ProvidePrice` trait
    type AuctionsHandler = Auctions;             // Liquidation auction handler
    type FeeHandler = ResolveTo<Treasury, Balances>;   // DOT from surplus auctions
    type SurplusHandler = ResolveTo<Treasury, Assets>; // pUSD surplus transfers
    type ManagerOrigin = EnsureVaultsManager;    // Governance (returns VaultsManagerLevel)
    type WeightInfo = pallet_vaults::weights::SubstrateWeight<Runtime>;
    #[cfg(feature = "runtime-benchmarks")]
    type BenchmarkHelper = VaultsBenchmarkHelper;
    type StablecoinAssetId = StablecoinAssetId;  // pUSD asset ID
    type InsuranceFund = InsuranceFund;          // Account receiving protocol revenue
    type MaxOnIdleItems = ConstU32<100>;         // Safety limit for on_idle processing
    type CollateralLocation = CollateralLocation; // XCM Location of collateral asset
}

3. Add to construct_runtime!:

construct_runtime!(
  pub enum Runtime {
    // ... other pallets
    Vaults: pallet_vaults,
  }
);

4. For existing chains, include the migration:

pub type Migrations = (
   pallet_vaults::migrations::MigrateV0ToV1<Runtime, VaultsInitialConfig>,
);

For Pallet Developers

Other pallets can interact with vaults via the CollateralManager trait:

use sp_pusd::CollateralManager;

// Get current DOT price from oracle
if let Some(price) = <pallet_vaults::Pallet<T> as CollateralManager<AccountId>>::get_dot_price() {
  // Use the price data
}

// Execute a purchase during auction
CollateralManager::execute_purchase(buyer, collateral, payment, recipient, vault_owner)?;

Review Notes

Key Features

• Per-Account Vaults: Each account can have at most one vault. Collateral is held in the user's account via MutateHold (not transferred to a pallet account)
• Over-Collateralization: Two-tier ratio system - Initial CR for minting/withdrawing (e.g., 200%) and Minimum CR as liquidation threshold (e.g., 180%)
• Stability Fees: Time-based interest accrual using timestamps. Interest is minted to the Insurance Fund when it accrues ("mint-on-accrual" model).
• Liquidation System: Unsafe vaults can be liquidated by anyone, with collateral auctioned via AuctionsHandler
• Bad Debt Tracking: Records shortfalls when auctions fail to cover debt, healable via heal() extrinsic
• Tiered Governance: Full privileges for all parameters, Emergency privileges for defensive actions only (lowering debt ceiling)

Vault Lifecycle:

1. create_vault - Create a new Vault and lock initial collateral
2. deposit_collateral / withdraw_collateral - Manage collateral
3. mint - Borrow pUSD against collateral
4. repay - Burn pUSD to reduce debt (interest paid first)
5. close_vault - Close debt-free vault, release collateral
6. liquidate_vault - Liquidate unsafe vaults
7. poke - Force fee accrual on any vault

Hold Reasons:

• VaultDeposit - Collateral backing active vaults
• Seized - Collateral under liquidation, pending auction

Testing

The pallet includes comprehensive tests covering:

• Vault creation, deposits, withdrawals, and closure
• Minting and repayment with interest accrual
• Collateralization ratio enforcement
• Liquidation flow and auction integration
• Oracle staleness handling
• Governance parameter updates
• Migration from V0 to V1

[cla-bot-2021]

User @lrazovic, please sign the CLA here.

[bkchr]

Just put the calculation here instead of having it in a comment.

[lrazovic]

Addressed in 054c6e6.

[bkchr]

Please tell claude to not over comment stuff. The function name is descriptive enough.

[bkchr]

This should be some extra code in the runtime when we add this pallet.

[lrazovic]

Removed in 65030aa.

[bkchr]

So we are doing one more iteration that isn't part of the weight? Maybe we should just do this at the top of the function.

[lrazovic]

Reworked a bit in 054c6e6.

[bkchr]

Not really a problem to convert this into an error, better safe than sorry here.

[lrazovic]

Converted the .expects into errors in 054c6e6.

[bkchr]

Not sure why these types are not part of the vault crate right now. This code should be clearly not be in this folder.

[lrazovic]

These types will be reused by the other pallets in the pUSD family. Currently they're only used by this pallet, but once we start adding the other pallets, they'll be imported from this common crate. If you have a suggestion for better placement, I'm happy to move them accordingly!

[muharem]

Substrate is not the right place for these items. For Frame pallets common items usually located under support crate. But these traits and types I would locate for now next to their implementations. Later if we have impls for them, we modify them if needed and move to support. But for now I would keep it simple.

[muharem]

we still need to move this under frame

[Jan-Jan]

noe = now?

[lrazovic]

Fixed in ff5479b.

[muharem]

reviewed the implementation, have not checked the tests and the benchmarks. gonna continue tomorrow.

[muharem]

we do not have a working time provider solution. if you have not too, we need to migrate this into block provider. The block provider should be configurable type. You can check society pallet for an example.

[lrazovic]

We actually started with block numbers, but we switched to timestamps (via pallet-timestamps) because the interest accrual domain benefits from real time rather than block-number-as-proxy

[muharem]

its accuracy is prev_timestamp + 3sec < current_timestamp > prev_timestamp + 30sec. not that great, and relies on prev timestamp value. I do not know a case where we used it. I would not do it with this pallet if we do not really know what are we doing.

actually that ^ accuracy only applicable for Relay Chain. for Asset Hubs that 3 sec is 0. tho we probably can pass timestamps from RC to AH, but only from the RC block AH building its current block.

if we use block numbers, on AH its gonna be RC block numbers too.

cc: @kianenigma @seadanda

[kianenigma]

Using the AH Timestamp, until AH collators are the same as RC validators (something that is envisioned long term) is a no-go IMO. It is way too little security.

Using the relay Timestamp is IMO a good option. It is ultimately an oraclized value that the runtime can never know exactly what it is, but relying on the validators is as good as it gets. I was under the impression that the Relay Timestamp is part of the PersistedValidationData, but it is not. The state root is, and we can use a state-proof against that. Not ideal though. If we are to use this, I would explore doing it properly and via #6235

Relay block number is also a safe Plan B. although it has its own set of trade-offs: If we ever ever change the relay block time, all hell breaks loose. Kusama/JAM is already being toyed with having shorter relay slots.

Verdict:

1. Dispatch claude with a good prompt to fix Customize-able ParacnainInherentDataProvider  #6235. If not overly complicated, this feature will help multiple systems.
2. If not straightforward, then use relay timestamp
3. AH timestamp not a viable option IMO.

[lrazovic]

If I understand correctly, paritytech/polkadot-sdk#10678 introduced a KeyToIncludeInRelayProof runtime API that lets parachains request arbitrary relay chain storage keys in the inherent proof. Building on that, accessing the RC Timestamp should now be straightforward. A first draft (untested) is available here: https://gist.github.com/lrazovic/bf701015bcc8e482207c1034b5b7a346

[kianenigma]

Nice, without looking at the gist, the approach sounds exactly correct to me.

[muharem]

should we have some type to get PSM reserved capacity and subtract it?

[muharem]

we can do this when we locate PsmInterface trait in frame/support

[muharem]

I think I can update my vault lets say every block and have accrued always set to 0 and last_fee_update to now.

[lrazovic]

Good catch, addressed and tested in f1a9638

[muharem]

if StabilityFee updated at now, it takes effect for the vaults from last_fee_update, not from now. right? is this expected?

[lrazovic]

For correctness, In 97d0989 I introduced a PreviousStabilityFee storage item that lets update_vault_fees split interest accrual at the fee change boundary, so the old rate applies before the change and the new rate only applies after it

[muharem]

we can make this call for free if there was anything to burn

[lrazovic]

Done in cdb14d6

[muharem]

its should be for free only if the execution really healed some amount. like its done for liquidate_vault call.

[lrazovic]

Updated in 1868737

[muharem]

Substrate is not the right place for these items. For Frame pallets common items usually located under support crate. But these traits and types I would locate for now next to their implementations. Later if we have impls for them, we modify them if needed and move to support. But for now I would keep it simple.

[Gioyik]

this doesn't seem right to me, the keeper_incentive transfer using ? propagates any transfer failure, but all of the auction finalization logic, collateral release, CurrentLiquidationAmount decrement, bad-debt recording, and vault removal sits after this point. If the Insurance Fund has insufficient pUSD for the keeper payment, the entire complete_auction call exits early and none of those steps execute.

This seems to leave the vault permanently in VaultStatus::InLiquidation with collateral held under HoldReason::Seized and no way (not entirely sure if this is true) to finalize it. All user-callable vault operations gate on VaultStatus::Healthy, and there's no force_complete_auction or similar recovery extrinsic in the pallet.

The keeper payment should be non-blocking for auction finalization. One option is to attempt the transfer and, on failure, record the unpaid incentive for later settlement rather than aborting the whole completion. Something like:

if !keeper_incentive.is_zero() {
    let payment_result = T::Asset::transfer(
        T::StablecoinAssetId::get(),
        &T::InsuranceFund::get(),
        keeper,
        keeper_incentive,
        Preservation::Expendable,
    );
    if let Err(_) = payment_result {
        // Record as owed; don't block finalization
        UnpaidKeeperIncentives::<T>::mutate(keeper, |owed| {
            owed.saturating_accrue(keeper_incentive);
        });
        Self::deposit_event(Event::KeeperIncentiveDeferred {
            keeper: keeper.clone(),
            amount: keeper_incentive,
        });
    }
}
// Finalization (collateral release, CLA decrement, vault removal) proceeds unconditionally

Alternatively, I am not sure if a governance-callable force_complete_auction extrinsic would make sense to provide a recovery path for any vault stuck in InLiquidation due to this or similar failures.

[lrazovic]

Good point, part of 389590f. But I'm not sure if adding a new UnpaidKeeperIncentives storage item for this edge-case makes sense, we just emit an event for now

[muharem]

how about Collateral? Currency is outdated naming, refers more to Currency trait

[lrazovic]

Renamed in 6cef850

[muharem]

How about StableAsset?

[lrazovic]

Renamed in 6cef850