Ugh. This is all wrong.

- Won't build

conan.lock

@@ -6,18 +6,18 @@
         "sqlite3/3.49.1#8631739a4c9b93bd3d6b753bac548a63%1756234266.869",
         "soci/4.0.3#a9f8d773cd33e356b5879a4b0564f287%1756234262.318",
         "snappy/1.1.10#968fef506ff261592ec30c574d4a7809%1756234314.246",
-        "rocksdb/10.5.1#4a197eca381a3e5ae8adf8cffa5aacd0%1759820024.194",
+        "rocksdb/10.5.1#4a197eca381a3e5ae8adf8cffa5aacd0%1762797952.535",
         "re2/20230301#dfd6e2bf050eb90ddd8729cfb4c844a4%1756234257.976",
         "protobuf/3.21.12#d927114e28de9f4691a6bbcdd9a529d1%1756234251.614",
         "openssl/3.5.4#a1d5835cc6ed5c5b8f3cd5b9b5d24205%1760106486.594",
-        "nudb/2.0.9#c62cfd501e57055a7e0d8ee3d5e5427d%1756234237.107",
+        "nudb/2.0.9#fb8dfd1a5557f5e0528114c2da17721e%1763150366.909",
         "lz4/1.10.0#59fc63cac7f10fbe8e05c7e62c2f3504%1756234228.999",
         "libiconv/1.17#1e65319e945f2d31941a9d28cc13c058%1756223727.64",
         "libbacktrace/cci.20210118#a7691bfccd8caaf66309df196790a5a1%1756230911.03",
         "libarchive/3.8.1#5cf685686322e906cb42706ab7e099a8%1756234256.696",
         "jemalloc/5.3.0#e951da9cf599e956cebc117880d2d9f8%1729241615.244",
         "grpc/1.50.1#02291451d1e17200293a409410d1c4e1%1756234248.958",
-        "doctest/2.4.12#eb9fb352fb2fdfc8abb17ec270945165%1749889324.069",
+        "doctest/2.4.12#eb9fb352fb2fdfc8abb17ec270945165%1762797941.757",
         "date/3.0.4#f74bbba5a08fa388256688743136cb6f%1756234217.493",
         "c-ares/1.34.5#b78b91e7cfb1f11ce777a285bbf169c6%1756234217.915",
         "bzip2/1.0.8#00b4a4658791c1f06914e087f0e792f5%1756234261.716",
@@ -53,6 +53,9 @@
         ],
         "lz4/[>=1.9.4 <2]": [
             "lz4/1.10.0#59fc63cac7f10fbe8e05c7e62c2f3504"
+        ],
+        "sqlite3/3.44.2": [
+            "sqlite3/3.49.1"
         ]
     },
     "config_requires": []

include/xrpl/basics/Number.h

@@ -13,6 +13,15 @@ class Number;
 std::string
 to_string(Number const& amount);
 
+template <typename T>
+constexpr bool
+isPowerOfTen(T value)
+{
+    while (value >= 10 && value % 10 == 0)
+        value /= 10;
+    return value == 1;
+}
+
 class Number
 {
     using rep = std::int64_t;
@@ -21,8 +30,13 @@ class Number
 
 public:
     // The range for the mantissa when normalized
-    constexpr static std::int64_t minMantissa = 1'000'000'000'000'000LL;
-    constexpr static std::int64_t maxMantissa = 9'999'999'999'999'999LL;
+    constexpr static rep minMantissa = 1'000'000'000'000'000LL;
+    static_assert(isPowerOfTen(minMantissa));
+    constexpr static rep maxMantissa = minMantissa * 10 - 1;
+    static_assert(maxMantissa == 9'999'999'999'999'999LL);
+
+    constexpr static rep maxIntValue = maxMantissa / 100;
+    static_assert(maxIntValue == 99'999'999'999'999LL);
 
     // The range for the exponent when normalized
     constexpr static int minExponent = -32768;
@@ -404,6 +418,12 @@ public:
     operator=(NumberRoundModeGuard const&) = delete;
 };
 
+class NumberOverflow : public std::overflow_error
+{
+public:
+    using overflow_error::overflow_error;
+};
+
 }  // namespace ripple
 
 #endif  // XRPL_BASICS_NUMBER_H_INCLUDED

include/xrpl/protocol/Asset.h

@@ -84,6 +84,19 @@ public:
         return holds<Issue>() && get<Issue>().native();
     }
 
+    bool
+    integral() const
+    {
+        return std::visit(
+            []<ValidIssueType TIss>(TIss const& issue) {
+                if constexpr (std::is_same_v<TIss, Issue>)
+                    return issue.native();
+                if constexpr (std::is_same_v<TIss, MPTIssue>)
+                    return true;
+            },
+            issue_);
+    }
+
     friend constexpr bool
     operator==(Asset const& lhs, Asset const& rhs);
 

include/xrpl/protocol/STAmount.h

@@ -155,6 +155,9 @@ public:
     int
     exponent() const noexcept;
 
+    bool
+    integral() const noexcept;
+
     bool
     native() const noexcept;
 
@@ -435,6 +438,12 @@ STAmount::exponent() const noexcept
     return mOffset;
 }
 
+inline bool
+STAmount::integral() const noexcept
+{
+    return mAsset.integral();
+}
+
 inline bool
 STAmount::native() const noexcept
 {
@@ -553,7 +562,7 @@ STAmount::clear()
 {
     // The -100 is used to allow 0 to sort less than a small positive values
     // which have a negative exponent.
-    mOffset = native() ? 0 : -100;
+    mOffset = integral() ? 0 : -100;
     mValue = 0;
     mIsNegative = false;
 }

include/xrpl/protocol/STNumber.h

@@ -24,6 +24,10 @@ class STNumber : public STBase, public CountedObject<STNumber>
 {
 private:
     Number value_;
+    // isInteger_ is not serialized or transmitted in any way. It is used only
+    // for internal validation of integer types. It is a one-way switch. Once
+    // it's on, it stays on.
+    bool isInteger_ = false;
 
 public:
     using value_type = Number;
@@ -51,6 +55,35 @@ public:
         return *this;
     }
 
+    // Tell the STNumber whether the value it is holding represents an integer,
+    // and must fit within the allowable range.
+    void
+    usesAsset(Asset const& a);
+    // The asset isn't stored, only whether it's an integral type. Get that flag
+    // back out.
+    bool
+    isIntegral() const;
+    // Returns whether the value fits within Number::maxIntValue. Transactors
+    // should check this whenever interacting with an STNumber.
+    bool
+    safeNumber() const;
+    /// Combines usesAsset(a) and safeNumber()
+    static std::int64_t
+    safeNumberLimit();
+    bool
+    safeNumber(Asset const& a);
+    // Returns whether the value fits within Number::maxMantissa. Transactors
+    // may check this, too, but are not required to. It will be checked when
+    // serializing, and will throw if false, thus preventing the value from
+    // being silently truncated.
+    bool
+    validNumber() const;
+    /// Combines usesAsset(a) and validAsset()
+    bool
+    validNumber(Asset const& a);
+    static std::int64_t
+    validNumberLimit();
+
     bool
     isEquivalent(STBase const& t) const override;
     bool

include/xrpl/protocol/STObject.h

@@ -482,9 +482,15 @@ public:
     value_type
     operator*() const;
 
+    /// Do not use operator->() unless the field is required, or you've checked
+    /// that it's set.
     T const*
     operator->() const;
 
+    /// Access the underlying STObject without necessarily dereferencing it
+    T*
+    stValue() const;
+
 protected:
     STObject* st_;
     SOEStyle style_;
@@ -718,11 +724,21 @@ STObject::Proxy<T>::operator*() const -> value_type
     return this->value();
 }
 
+/// Do not use operator->() unless the field is required, or you've checked that
+/// it's set.
 template <class T>
 T const*
 STObject::Proxy<T>::operator->() const
 {
-    return this->find();
+    return stValue();
+}
+
+/// Access the underlying STObject without necessarily dereferencing it
+template <class T>
+T*
+STObject::Proxy<T>::stValue() const
+{
+    return dynamic_cast<T*>(st_->getPField(*f_));
 }
 
 template <class T>

include/xrpl/protocol/SystemParameters.h

@@ -23,6 +23,7 @@ systemName()
 
 /** Number of drops in the genesis account. */
 constexpr XRPAmount INITIAL_XRP{100'000'000'000 * DROPS_PER_XRP};
+static_assert(INITIAL_XRP.drops() == 100'000'000'000'000'000);
 
 /** Returns true if the amount does not exceed the initial XRP in existence. */
 inline bool

include/xrpl/protocol/detail/ledger_entries.macro

@@ -479,10 +479,10 @@ LEDGER_ENTRY(ltVAULT, 0x0084, Vault, vault, ({
     {sfAccount,              soeREQUIRED},
     {sfData,                 soeOPTIONAL},
     {sfAsset,                soeREQUIRED},
-    {sfAssetsTotal,          soeREQUIRED},
-    {sfAssetsAvailable,      soeREQUIRED},
+    {sfAssetsTotal,          soeDEFAULT},
+    {sfAssetsAvailable,      soeDEFAULT},
     {sfAssetsMaximum,        soeDEFAULT},
-    {sfLossUnrealized,       soeREQUIRED},
+    {sfLossUnrealized,       soeDEFAULT},
     {sfShareMPTID,           soeREQUIRED},
     {sfWithdrawalPolicy,     soeREQUIRED},
     {sfScale,                soeDEFAULT},

src/libxrpl/protocol/STLedgerEntry.cpp

@@ -12,6 +12,7 @@
 #include <xrpl/protocol/SField.h>
 #include <xrpl/protocol/STBase.h>
 #include <xrpl/protocol/STLedgerEntry.h>
+#include <xrpl/protocol/STNumber.h>
 #include <xrpl/protocol/STObject.h>
 #include <xrpl/protocol/Serializer.h>
 #include <xrpl/protocol/jss.h>
@@ -67,6 +68,32 @@ STLedgerEntry::setSLEType()
 
     type_ = format->getType();
     applyTemplate(format->getSOTemplate());  // May throw
+
+    // Per object type overrides
+    // Currently only covers STNumber fields to link them to appropriate assets
+    switch (type_)
+    {
+        case ltVAULT: {
+            auto const asset = at(sfAsset);
+            for (auto const& field :
+                 {~sfAssetsAvailable,
+                  ~sfAssetsTotal,
+                  ~sfAssetsMaximum,
+                  ~sfLossUnrealized})
+            {
+                if (auto proxy = at(field))
+                    if (auto stNumber = proxy.stValue())
+                        stNumber->usesAsset(asset);
+            }
+        }
+            /*
+            // TODO: If possible, set up the loan-related STNumber fields, too.
+            // May not be possible because we don't have a view available.
+
+            case ltLOAN_BROKER:
+            case ltLOAN:
+            */
+    }
 }
 
 std::string

src/libxrpl/protocol/STNumber.cpp

@@ -50,6 +50,8 @@ STNumber::add(Serializer& s) const
     XRPL_ASSERT(
         getFName().fieldType == getSType(),
         "ripple::STNumber::add : field type match");
+    if (!validNumber())
+        throw NumberOverflow(to_string(value_));
     s.add64(value_.mantissa());
     s.add32(value_.exponent());
 }
@@ -66,6 +68,87 @@ STNumber::setValue(Number const& v)
     value_ = v;
 }
 
+// Tell the STNumber whether the value it is holding represents an integer, and
+// must fit within the allowable range.
+void
+STNumber::usesAsset(Asset const& a)
+{
+    XRPL_ASSERT_PARTS(
+        !isInteger_ || a.integral(),
+        "ripple::STNumber::value",
+        "asset check only gets stricter");
+    // isInteger_ is a one-way switch. Once it's on, it stays on.
+    if (isInteger_)
+        return;
+    isInteger_ = a.integral();
+}
+
+bool
+STNumber::isIntegral() const
+{
+    return isInteger_;
+}
+
+// Returns whether the value fits within Number::maxIntValue. Transactors
+// should check this whenever interacting with an STNumber.
+bool
+STNumber::safeNumber() const
+{
+    if (!isInteger_)
+        return true;
+
+    static Number const max = safeNumberLimit();
+    static Number const maxNeg = -max;
+    // Avoid making a copy
+    if (value_ < 0)
+        return value_ >= maxNeg;
+    return value_ <= max;
+}
+
+bool
+STNumber::safeNumber(Asset const& a)
+{
+    usesAsset(a);
+    return safeNumber();
+}
+
+std::int64_t
+STNumber::safeNumberLimit()
+{
+    return Number::maxIntValue;
+}
+
+// Returns whether the value fits within Number::maxMantissa. Transactors
+// may check this, too, but are not required to. It will be checked when
+// serializing, and will throw if false, thus preventing the value from
+// being silently truncated.
+bool
+STNumber::validNumber() const
+{
+    if (!isInteger_)
+        return true;
+
+    static Number const max = validNumberLimit();
+    static Number const maxNeg = -max;
+    // Avoid making a copy
+    if (value_ < 0)
+        return value_ >= maxNeg;
+    return value_ <= max;
+}
+
+bool
+STNumber::validNumber(Asset const& a)
+{
+    usesAsset(a);
+    return validNumber();
+}
+
+std::int64_t
+STNumber::validNumberLimit()
+{
+    return Number::maxMantissa;
+}
+
 STBase*
 STNumber::copy(std::size_t n, void* buf) const
 {

src/test/app/AMM_test.cpp

@@ -1384,7 +1384,7 @@ private:
         // equal asset deposit: unit test to exercise the rounding-down of
         // LPTokens in the AMMHelpers.cpp: adjustLPTokens calculations
         // The LPTokens need to have 16 significant digits and a fractional part
-        for (Number const deltaLPTokens :
+        for (Number const& deltaLPTokens :
              {Number{UINT64_C(100000'0000000009), -10},
               Number{UINT64_C(100000'0000000001), -10}})
         {

src/test/app/Vault_test.cpp

@@ -1329,7 +1329,7 @@ class Vault_test : public beast::unit_test::suite
                      Vault& vault) {
             auto [tx, keylet] = vault.create({.owner = owner, .asset = asset});
             testcase("insufficient fee");
-            env(tx, fee(env.current()->fees().base), ter(telINSUF_FEE_P));
+            env(tx, fee(env.current()->fees().base - 1), ter(telINSUF_FEE_P));
         });
 
         testCase([this](
@@ -2074,6 +2074,10 @@ class Vault_test : public beast::unit_test::suite
                     auto const sleMPT = env.le(mptoken);
                     BEAST_EXPECT(sleMPT == nullptr);
 
+                    // Use one reserve so the next transaction fails
+                    env(ticket::create(owner, 1));
+                    env.close();
+
                     // No reserve to create MPToken for asset in VaultWithdraw
                     tx = vault.withdraw(
                         {.depositor = owner,
@@ -2091,7 +2095,7 @@ class Vault_test : public beast::unit_test::suite
                 }
             },
             {.requireAuth = false,
-             .initialXRP = acctReserve + incReserve * 4 - 1});
+             .initialXRP = acctReserve + incReserve * 4 + 1});
 
         testCase([this](
                      Env& env,
@@ -2980,6 +2984,9 @@ class Vault_test : public beast::unit_test::suite
                     env.le(keylet::line(owner, asset.raw().get<Issue>()));
                 BEAST_EXPECT(trustline == nullptr);
 
+                env(ticket::create(owner, 1));
+                env.close();
+
                 // Fail because not enough reserve to create trust line
                 tx = vault.withdraw(
                     {.depositor = owner,
@@ -2995,7 +3002,7 @@ class Vault_test : public beast::unit_test::suite
                 env(tx);
                 env.close();
             },
-            CaseArgs{.initialXRP = acctReserve + incReserve * 4 - 1});
+            CaseArgs{.initialXRP = acctReserve + incReserve * 4 + 1});
 
         testCase(
             [&, this](
@@ -3016,8 +3023,7 @@ class Vault_test : public beast::unit_test::suite
                 env(pay(owner, charlie, asset(100)));
                 env.close();
 
-                // Use up some reserve on tickets
-                env(ticket::create(charlie, 2));
+                env(ticket::create(charlie, 3));
                 env.close();
 
                 // Fail because not enough reserve to create MPToken for shares
@@ -3035,7 +3041,7 @@ class Vault_test : public beast::unit_test::suite
                 env(tx);
                 env.close();
             },
-            CaseArgs{.initialXRP = acctReserve + incReserve * 4 - 1});
+            CaseArgs{.initialXRP = acctReserve + incReserve * 4 + 1});
 
         testCase([&, this](
                      Env& env,
@@ -4519,7 +4525,8 @@ class Vault_test : public beast::unit_test::suite
             BEAST_EXPECT(checkString(vault, sfAssetsAvailable, "50"));
             BEAST_EXPECT(checkString(vault, sfAssetsMaximum, "1000"));
             BEAST_EXPECT(checkString(vault, sfAssetsTotal, "50"));
-            BEAST_EXPECT(checkString(vault, sfLossUnrealized, "0"));
+            // Since this field is default, it is not returned.
+            BEAST_EXPECT(!vault.isMember(sfLossUnrealized.getJsonName()));
 
             auto const strShareID = strHex(sle->at(sfShareMPTID));
             BEAST_EXPECT(checkString(vault, sfShareMPTID, strShareID));

src/test/jtx/impl/vault.cpp

@@ -19,7 +19,6 @@ Vault::create(CreateArgs const& args)
     jv[jss::TransactionType] = jss::VaultCreate;
     jv[jss::Account] = args.owner.human();
     jv[jss::Asset] = to_json(args.asset);
-    jv[jss::Fee] = STAmount(env.current()->fees().increment).getJson();
     if (args.flags)
         jv[jss::Flags] = *args.flags;
     return {jv, keylet};

src/xrpld/app/tx/detail/InvariantCheck.cpp

@@ -2164,6 +2164,28 @@ ValidAMM::finalize(
 
 //------------------------------------------------------------------------------
 
+ValidVault::NumberInfo
+ValidVault::NumberInfo::make(
+    SLE const& from,
+    SF_NUMBER const& field,
+    Asset const& asset)
+{
+    bool valid = true;
+
+    // Poke around in the internals of STObject to get the STNumber object
+    if (auto const stNumber =
+            dynamic_cast<STNumber const*>(from.peekAtPField(field)))
+        valid = stNumber->isIntegral() == asset.integral() &&
+            stNumber->validNumber();
+
+    return {.n = from.at(field), .valid = valid};
+}
+
+ValidVault::NumberInfo::operator Number const&() const
+{
+    return n;
+}
+
 ValidVault::Vault
 ValidVault::Vault::make(SLE const& from)
 {
@@ -2176,10 +2198,11 @@ ValidVault::Vault::make(SLE const& from)
     self.asset = from.at(sfAsset);
     self.pseudoId = from.getAccountID(sfAccount);
     self.shareMPTID = from.getFieldH192(sfShareMPTID);
-    self.assetsTotal = from.at(sfAssetsTotal);
-    self.assetsAvailable = from.at(sfAssetsAvailable);
-    self.assetsMaximum = from.at(sfAssetsMaximum);
-    self.lossUnrealized = from.at(sfLossUnrealized);
+    self.assetsTotal = NumberInfo::make(from, sfAssetsTotal, self.asset);
+    self.assetsAvailable =
+        NumberInfo::make(from, sfAssetsAvailable, self.asset);
+    self.assetsMaximum = NumberInfo::make(from, sfAssetsMaximum, self.asset);
+    self.lossUnrealized = NumberInfo::make(from, sfLossUnrealized, self.asset);
     return self;
 }
 
@@ -2413,6 +2436,17 @@ ValidVault::finalize(
         beforeVault_.empty() || beforeVault_[0].key == afterVault.key,
         "ripple::ValidVault::finalize : single vault operation");
 
+    if (!afterVault.assetsTotal.valid || !afterVault.assetsAvailable.valid ||
+        !afterVault.assetsMaximum.valid || !afterVault.lossUnrealized.valid)
+    {
+        JLOG(j.fatal()) << "Invariant failed: vault overflowed maximum current "
+                           "representable integer value";
+        XRPL_ASSERT(
+            enforce,
+            "ripple::ValidVault::finalize : vault integer limit invariant");
+        return !enforce;  // That's all we can do here
+    }
+
     auto const updatedShares = [&]() -> std::optional<Shares> {
         // At this moment we only know that a vault is being updated and there
         // might be some MPTokenIssuance objects which are also updated in the
@@ -2487,7 +2521,7 @@ ValidVault::finalize(
         result = false;
     }
 
-    if (afterVault.assetsAvailable > afterVault.assetsTotal)
+    if (afterVault.assetsAvailable.n > afterVault.assetsTotal)
     {
         JLOG(j.fatal()) << "Invariant failed: assets available must "
                            "not be greater than assets outstanding";
@@ -2528,7 +2562,7 @@ ValidVault::finalize(
     }
 
     if (!beforeVault_.empty() &&
-        afterVault.lossUnrealized != beforeVault_[0].lossUnrealized)
+        afterVault.lossUnrealized.n != beforeVault_[0].lossUnrealized)
     {
         JLOG(j.fatal()) <<  //
             "Invariant failed: vault transaction must not change loss "
@@ -2698,7 +2732,7 @@ ValidVault::finalize(
                     result = false;
                 }
 
-                if (beforeVault.assetsTotal != afterVault.assetsTotal)
+                if (beforeVault.assetsTotal.n != afterVault.assetsTotal)
                 {
                     JLOG(j.fatal()) <<  //
                         "Invariant failed: set must not change assets "
@@ -2707,7 +2741,7 @@ ValidVault::finalize(
                 }
 
                 if (afterVault.assetsMaximum > zero &&
-                    afterVault.assetsTotal > afterVault.assetsMaximum)
+                    afterVault.assetsTotal.n > afterVault.assetsMaximum)
                 {
                     JLOG(j.fatal()) <<  //
                         "Invariant failed: set assets outstanding must not "
@@ -2715,7 +2749,7 @@ ValidVault::finalize(
                     result = false;
                 }
 
-                if (beforeVault.assetsAvailable != afterVault.assetsAvailable)
+                if (beforeVault.assetsAvailable.n != afterVault.assetsAvailable)
                 {
                     JLOG(j.fatal()) <<  //
                         "Invariant failed: set must not change assets "
@@ -2803,7 +2837,7 @@ ValidVault::finalize(
                 }
 
                 if (afterVault.assetsMaximum > zero &&
-                    afterVault.assetsTotal > afterVault.assetsMaximum)
+                    afterVault.assetsTotal.n > afterVault.assetsMaximum)
                 {
                     JLOG(j.fatal()) <<  //
                         "Invariant failed: deposit assets outstanding must not "

src/xrpld/app/tx/detail/InvariantCheck.h

@@ -5,6 +5,7 @@
 #include <xrpl/basics/base_uint.h>
 #include <xrpl/beast/utility/Journal.h>
 #include <xrpl/protocol/MPTIssue.h>
+#include <xrpl/protocol/SField.h>
 #include <xrpl/protocol/STLedgerEntry.h>
 #include <xrpl/protocol/STTx.h>
 #include <xrpl/protocol/TER.h>
@@ -738,16 +739,38 @@ class ValidVault
 {
     Number static constexpr zero{};
 
+    struct Vault;
+
+    struct NumberInfo final
+    {
+        Number n;
+        bool valid;
+
+        // Make this Number wrapper as transparent as possible, except when
+        // checking validity. However, rather than fleshing out all the
+        // comparison operators, etc, a few places will still need to specify
+        // "n".
+        operator Number const&() const;
+
+    private:
+        friend class ValidVault::Vault;
+
+        NumberInfo static make(
+            SLE const& from,
+            SF_NUMBER const& field,
+            Asset const& asset);
+    };
+
     struct Vault final
     {
         uint256 key = beast::zero;
         Asset asset = {};
         AccountID pseudoId = {};
         uint192 shareMPTID = beast::zero;
-        Number assetsTotal = 0;
-        Number assetsAvailable = 0;
-        Number assetsMaximum = 0;
-        Number lossUnrealized = 0;
+        NumberInfo assetsTotal{0, true};
+        NumberInfo assetsAvailable{0, true};
+        NumberInfo assetsMaximum{0, true};
+        NumberInfo lossUnrealized{0, true};
 
         Vault static make(SLE const&);
     };

src/xrpld/app/tx/detail/VaultCreate.cpp

@@ -79,13 +79,6 @@ VaultCreate::preflight(PreflightContext const& ctx)
     return tesSUCCESS;
 }
 
-XRPAmount
-VaultCreate::calculateBaseFee(ReadView const& view, STTx const& tx)
-{
-    // One reserve increment is typically much greater than one base fee.
-    return calculateOwnerReserveFee(view, tx);
-}
-
 TER
 VaultCreate::preclaim(PreclaimContext const& ctx)
 {
@@ -142,8 +135,9 @@ VaultCreate::doApply()
 
     if (auto ter = dirLink(view(), account_, vault))
         return ter;
-    adjustOwnerCount(view(), owner, 1, j_);
-    auto ownerCount = owner->at(sfOwnerCount);
+    // We will create Vault and PseudoAccount, hence increase OwnerCount by 2
+    adjustOwnerCount(view(), owner, 2, j_);
+    auto const ownerCount = owner->at(sfOwnerCount);
     if (mPriorBalance < view().fees().accountReserve(ownerCount))
         return tecINSUFFICIENT_RESERVE;
 
@@ -199,7 +193,28 @@ VaultCreate::doApply()
     vault->at(sfLossUnrealized) = Number(0);
     // Leave default values for AssetTotal and AssetAvailable, both zero.
     if (auto value = tx[~sfAssetsMaximum])
-        vault->at(sfAssetsMaximum) = *value;
+    {
+        auto assetsMaximumProxy = vault->at(~sfAssetsMaximum);
+        assetsMaximumProxy = *value;
+        if (auto const stNumber = assetsMaximumProxy.stValue();
+            stNumber && !stNumber->validNumber(asset))
+        {
+            JLOG(j_.warn()) << "VaultCreate: Invalid assets maximum value for "
+                               "integral asset type: "
+                            << *value << " > " << STNumber::validNumberLimit();
+            return tecPRECISION_LOSS;
+        }
+    }
+    // TODO: Should integral types automatically set a limit to the
+    // Number::validNumberLimit() value? Or safeNumberLimit()?
+    /*
+    else if (asset.integral())
+    {
+        auto assetsMaximumProxy = vault->at(~sfAssetsMaximum);
+        assetsMaximumProxy = STNumber::validNumberLimit();
+        assetsMaximumProxy.stValue()->usesAsset(asset);
+    }
+    */
     vault->at(sfShareMPTID) = mptIssuanceID;
     if (auto value = tx[~sfData])
         vault->at(sfData) = *value;

src/xrpld/app/tx/detail/VaultCreate.h

@@ -23,9 +23,6 @@ public:
     static NotTEC
     preflight(PreflightContext const& ctx);
 
-    static XRPAmount
-    calculateBaseFee(ReadView const& view, STTx const& tx);
-
     static TER
     preclaim(PreclaimContext const& ctx);
 

src/xrpld/app/tx/detail/VaultDelete.cpp

@@ -146,7 +146,35 @@ VaultDelete::doApply()
         return tecHAS_OBLIGATIONS;  // LCOV_EXCL_LINE
 
     // Destroy the pseudo-account.
-    view().erase(view().peek(keylet::account(pseudoID)));
+    auto vaultPseudoSLE = view().peek(keylet::account(pseudoID));
+    if (!vaultPseudoSLE || vaultPseudoSLE->at(~sfVaultID) != vault->key())
+        return tefBAD_LEDGER;  // LCOV_EXCL_LINE
+
+    // Making the payment and removing the empty holding should have deleted any
+    // obligations associated with the vault or vault pseudo-account.
+    if (*vaultPseudoSLE->at(sfBalance))
+    {
+        // LCOV_EXCL_START
+        JLOG(j_.error()) << "VaultDelete: pseudo-account has a balance";
+        return tecHAS_OBLIGATIONS;
+        // LCOV_EXCL_STOP
+    }
+    if (vaultPseudoSLE->at(sfOwnerCount) != 0)
+    {
+        // LCOV_EXCL_START
+        JLOG(j_.error()) << "VaultDelete: pseudo-account still owns objects";
+        return tecHAS_OBLIGATIONS;
+        // LCOV_EXCL_STOP
+    }
+    if (view().exists(keylet::ownerDir(pseudoID)))
+    {
+        // LCOV_EXCL_START
+        JLOG(j_.error()) << "VaultDelete: pseudo-account has a directory";
+        return tecHAS_OBLIGATIONS;
+        // LCOV_EXCL_STOP
+    }
+
+    view().erase(vaultPseudoSLE);
 
     // Remove the vault from its owner's directory.
     auto const ownerID = vault->at(sfOwner);
@@ -170,7 +198,9 @@ VaultDelete::doApply()
         return tefBAD_LEDGER;
         // LCOV_EXCL_STOP
     }
-    adjustOwnerCount(view(), owner, -1, j_);
+
+    // We are destroying Vault and PseudoAccount, hence decrease by 2
+    adjustOwnerCount(view(), owner, -2, j_);
 
     // Destroy the vault.
     view().erase(vault);

src/xrpld/app/tx/detail/VaultDeposit.cpp

@@ -260,13 +260,43 @@ VaultDeposit::doApply()
         sharesCreated.asset() != assetsDeposited.asset(),
         "ripple::VaultDeposit::doApply : assets are not shares");
 
-    vault->at(sfAssetsTotal) += assetsDeposited;
-    vault->at(sfAssetsAvailable) += assetsDeposited;
+    auto assetsTotalProxy = vault->at(sfAssetsTotal);
+    auto assetsAvailableProxy = vault->at(sfAssetsAvailable);
+
+    assetsTotalProxy += assetsDeposited;
+    assetsAvailableProxy += assetsDeposited;
     view().update(vault);
 
+    auto const asset = *vault->at(sfAsset);
+    if (auto stNumber = assetsTotalProxy.stValue();
+        stNumber && !stNumber->safeNumber(asset))
+    {
+        JLOG(j_.warn()) << "VaultDeposit: Invalid assets total value for "
+                           "integral asset type: "
+                        << *assetsTotalProxy << " > "
+                        << STNumber::safeNumberLimit();
+        return tecPRECISION_LOSS;
+    }
+    if (auto stNumber = assetsAvailableProxy.stValue();
+        stNumber && !stNumber->safeNumber(asset))
+    {
+        // LCOV_EXCL_START
+        // This should be impossible to reach because total should never be less
+        // than available, so if total is ok, available should be ok.
+        UNREACHABLE(
+            "ripple::VaultDeposit::doApply() : AssetsAvailable exceeds "
+            "AssetsTotal");
+        JLOG(j_.warn()) << "VaultDeposit: Invalid assets available value for "
+                           "integral asset type: "
+                        << *assetsAvailableProxy << " > "
+                        << STNumber::safeNumberLimit();
+        return tecPRECISION_LOSS;
+        // LCOV_EXCL_STOP
+    }
+
     // A deposit must not push the vault over its limit.
     auto const maximum = *vault->at(sfAssetsMaximum);
-    if (maximum != 0 && *vault->at(sfAssetsTotal) > maximum)
+    if (maximum != 0 && *assetsTotalProxy > maximum)
         return tecLIMIT_EXCEEDED;
 
     // Transfer assets from depositor to vault.

src/xrpld/app/tx/detail/VaultSet.cpp

@@ -143,7 +143,19 @@ VaultSet::doApply()
         if (tx[sfAssetsMaximum] != 0 &&
             tx[sfAssetsMaximum] < *vault->at(sfAssetsTotal))
             return tecLIMIT_EXCEEDED;
-        vault->at(sfAssetsMaximum) = tx[sfAssetsMaximum];
+        auto assetsMaximumProxy = vault->at(~sfAssetsMaximum);
+        assetsMaximumProxy = tx[sfAssetsMaximum];
+        if (auto const stNumber = assetsMaximumProxy.stValue();
+            stNumber && !stNumber->validNumber(vault->at(sfAsset)))
+        {
+            // LCOV_EXCL_START
+            // This should be impossible, because invalid values would have been
+            // stopped by `VaultCreate`.
+            UNREACHABLE(
+                "ripple::VaultSet::doApply : invalid assets maximum value");
+            return tecLIMIT_EXCEEDED;
+            // LCOV_EXCL_STOP
+        }
     }
 
     if (auto const domainId = tx[~sfDomainID]; domainId)