fix: Priority fee copy and scoring logic

[gzalz]

Problem
Current copy_priority_fee_distribution_account and compute_score instruction handlers don't consider all edge cases considering their permissionless nature.

• There is no way to distinguish a PFDA that has not been copied vs. a PFDA that does not exist (no PF sharing opt-in from validator)
• PFDAs can be copied before they are finalized
• Scoring can be invoked before we can guarantee a PFDA has been copied potentially causing erroneous unstake conditions for a validator

Solution

• Disallow calling copy_priority_fee_distribution_account until the epoch that account tracks is over
• Allow copying PFDAs that do not exist - this is the only way we can distinguish DNE from not yet copied on-chain
• Add new DNE merkle_root_upload_authority enum value
• Disallow re-copying a specific PFDA to remove any possibility of copying a reclaimed account

IMPORTANT
This diff has been modified to have priority fee related score defaulted to 1.0. The intended logic has been commented out until the time of priority fee scoring launch.

[gzalz]

This was wrong.

[ebatsell]

great catch

[ebatsell]

for the record: this bug existed for the case where the copy_priority_fee_distribution ix is called on a validator as the first instruction before any other validator history ixs are called and there existed no entry yet for this validator

[mrmizz]

I do think this check is redundant (bc we can the seeds and seeds::program constraints). So should we update the docstring above? It's specifically talking about the owner check.

[gzalz]

Good call-out. The big logic change here is that now we actually do want to allow a non-existent (still owned by system program) account to be passed in but it must abide by the PDA constraints. I will make sure this is reflected.

[mrmizz]

Oh even better. Did not quite catch that. Nice work.

[ebatsell]

Was copying a non-existent account possible before? I think it wouldn't have been because of the owner constraint

[mrmizz]

Should we rename this method to is_finalized?

I do think we should lean into this concept of "finalizing" a validator history entry. If there is outstanding/missing data, is it okay that the steward can score without it?

The following PR will require the CopyStakeInfo instruction to run during the current epoch. While this CopyPriorityFeeDistribution is required to run after the current epoch. This means that history accounts will always be partially updated, up until being finalized.

[ebatsell]

There's a few other requirements for finalization, kind of baked into the StewardState::compute_score fn like the vote credits being updated in the current epoch and cluster history being updated

Open to putting those all in one method but we should keep scoring logic on the Steward side since validator history is supposed to be just the data store

[gzalz]

Dropping this function as discussed offline. The process of "skipping" an epoch while scoring will look different and impact score rather than instruction success/failure.

[coachchucksol]

I jive with this ^

[coachchucksol]

I would actually name it something a little more verbose, has_copied_priority_fees()

In this case can_score() seems to vague, and is_finalized() is closer, but its meaning is lost.

[coachchucksol]

This all seems to hit what we need!

• Cannot call copy on N epoch
• Cannot overwrite data once its been written
• Added the DNE
• Cannot score without a valid MRUA

Just a couple of comments

[coachchucksol]

I jive with this ^

[coachchucksol]

I would actually name it something a little more verbose, has_copied_priority_fees()

In this case can_score() seems to vague, and is_finalized() is closer, but its meaning is lost.

[coachchucksol]

Another thought

[coachchucksol]

A couple more things

[coachchucksol]

nit: Set as DNE_AUTHORITY not Pubkey::default(),

[coachchucksol]

Any test cases with MerkleRootUploadAuthority::Other?