Enhance new account creation at SetHook

- Add owner count and account index to AccountRoot
- Increment account count at FeeSetting

hook/sfcodes.h

@@ -192,6 +192,7 @@
 #define sfNFTokenMinter ((8U << 16U) + 9U)
 #define sfEmitCallback ((8U << 16U) + 10U)
 #define sfHookAccount ((8U << 16U) + 16U)
+#define sfHookAdministrator ((8U << 16U) + 98U)
 #define sfInform ((8U << 16U) + 99U)
 #define sfIndexes ((19U << 16U) + 1U)
 #define sfHashes ((19U << 16U) + 2U)

src/ripple/app/tx/impl/DeleteAccount.cpp

@@ -267,6 +267,9 @@ DeleteAccount::preclaim(PreclaimContext const& ctx)
         if (sleAccount->isFieldPresent(sfHookNamespaces) ||
             sleAccount->isFieldPresent(sfHooks))
             return tecHAS_OBLIGATIONS;
+
+        if (sleAccount->isFieldPresent(sfHookAdministrator))
+            return tecHAS_OBLIGATIONS;
     }
 
     // When fixNFTokenRemint is enabled, we don't allow an account to be

src/ripple/app/tx/impl/InvariantCheck.cpp

@@ -897,7 +897,9 @@ ValidNewAccountRoot::finalize(
     }
 
     if ((tt == ttPAYMENT || tt == ttIMPORT || tt == ttGENESIS_MINT ||
-         tt == ttREMIT) &&
+         tt == ttREMIT ||
+         (tt == ttHOOK_SET &&
+          view.rules().enabled(featureHookAdministrator))) &&
         isTesSuccess(result))
     {
         std::uint32_t const startingSeq{

src/ripple/app/tx/impl/SetHook.cpp

@@ -628,6 +628,21 @@ SetHook::calculateBaseFee(ReadView const& view, STTx const& tx)
 TER
 SetHook::preclaim(ripple::PreclaimContext const& ctx)
 {
+    if (ctx.tx.isFieldPresent(sfHookAdministrator))
+    {
+        auto const& administrator = ctx.tx.getAccountID(sfHookAdministrator);
+        auto const& sle = ctx.view.read(keylet::account(administrator));
+        if (!sle)
+            return tecNO_DST;
+
+        if (!sle->isFieldPresent(sfHookAdministrator))
+            return tecNO_PERMISSION;
+
+        if (sle->getAccountID(sfHookAdministrator) !=
+            ctx.tx.getAccountID(sfAccount))
+            return tecNO_PERMISSION;
+    }
+
     auto const& hookSets = ctx.tx.getFieldArray(sfHooks);
 
     for (auto const& hookSetObj : hookSets)
@@ -667,12 +682,46 @@ SetHook::preflight(PreflightContext const& ctx)
         return ret;
 
     if (ctx.rules.enabled(fixInvalidTxFlags) &&
-        ctx.tx.getFlags() & tfUniversalMask)
+        ctx.tx.getFlags() & tfSetHookMask)
     {
         JLOG(ctx.j.trace()) << "SetHook: Invalid flags set.";
         return temINVALID_FLAG;
     }
 
+    if (ctx.tx.isFlag(tfNewAccount) &&
+        !ctx.rules.enabled(featureHookAdministrator))
+    {
+        JLOG(ctx.j.trace()) << "SetHook: New account flag set but hook "
+                               "administrator amendment is not enabled.";
+        return temDISABLED;
+    }
+
+    if (ctx.tx.isFieldPresent(sfDestination))
+    {
+        if (!ctx.rules.enabled(featureHookAdministrator))
+        {
+            JLOG(ctx.j.trace())
+                << "HookSet: Hook administrator amendment not enabled.";
+            return temDISABLED;
+        }
+
+        if (ctx.tx.isFlag(tfNewAccount))
+        {
+            JLOG(ctx.j.trace())
+                << "HookSet: Both new account flag and destination set. "
+                   "New account flag and destination cannot be set at the same "
+                   "time.";
+            return temMALFORMED;
+        }
+
+        if (ctx.tx.getAccountID(sfDestination) ==
+            ctx.tx.getAccountID(sfAccount))
+        {
+            JLOG(ctx.j.trace()) << "HookSet: Redundant hook administrator.";
+            return temREDUNDANT;
+        }
+    }
+
     if (!ctx.tx.isFieldPresent(sfHooks))
     {
         JLOG(ctx.j.trace())
@@ -1183,6 +1232,23 @@ struct KeyletComparator
     }
 };
 
+AccountID
+randomAccountAddress(ReadView const& view, uint256 const& pseudoOwnerKey)
+{
+    // This number must not be changed without an amendment
+    constexpr std::uint16_t maxAccountAttempts = 256;
+    for (std::uint16_t i = 0; i < maxAccountAttempts; ++i)
+    {
+        ripesha_hasher rsh;
+        auto const hash = sha512Half(i, view.info().parentHash, pseudoOwnerKey);
+        rsh(hash.data(), hash.size());
+        AccountID const ret{static_cast<ripesha_hasher::result_type>(rsh)};
+        if (!view.read(keylet::account(ret)))
+            return ret;
+    }
+    return beast::zero;
+}
+
 TER
 SetHook::setHook()
 {
@@ -1202,11 +1268,69 @@ SetHook::setHook()
         .app = ctx_.app,
         .rules = ctx_.view().rules()};
 
-    const int blobMax = hook::maxHookWasmSize();
-    auto const accountKeylet = keylet::account(account_);
-    auto const hookKeylet = keylet::hook(account_);
+    auto targetAccount = ctx.tx[~sfDestination].value_or(account_);
+    if (ctx_.tx.isFlag(tfNewAccount))
+    {
+        // create the new account
+        auto const newAccount = randomAccountAddress(ctx_.view(), uint256{});
+        if (newAccount == beast::zero)
+            return tecDUPLICATE;
 
-    auto accountSLE = view().peek(accountKeylet);
+        auto sleNewAccount = std::make_shared<SLE>(keylet::account(newAccount));
+        sleNewAccount->setAccountID(sfAccount, newAccount);
+        sleNewAccount->setFieldAmount(sfBalance, STAmount{});
+        sleNewAccount->setFieldU32(sfOwnerCount, 1);  // ltHook
+        std::uint32_t const seqno{
+            ctx_.view().rules().enabled(featureXahauGenesis)
+                ? ctx_.view().info().parentCloseTime.time_since_epoch().count()
+                : ctx_.view().rules().enabled(featureDeletableAccounts)
+                    ? ctx_.view().seq()
+                    : 1};
+        sleNewAccount->setFieldU32(sfSequence, seqno);
+        sleNewAccount->setFieldU32(sfFlags, lsfDisableMaster);
+
+        sleNewAccount->setAccountID(sfHookAdministrator, account_);
+
+        auto sleFees = view().peek(keylet::fees());
+        if (sleFees && view().rules().enabled(featureXahauGenesis))
+        {
+            auto actIdx = sleFees->isFieldPresent(sfAccountCount)
+                ? sleFees->getFieldU64(sfAccountCount)
+                : 0;
+            sleNewAccount->setFieldU64(sfAccountIndex, actIdx);
+            sleFees->setFieldU64(sfAccountCount, actIdx + 1);
+            view().update(sleFees);
+        }
+
+        // fund AccountReserve + ObjectReserve (ltHook)
+        auto const requiredDrops = ctx_.view().fees().accountReserve(1);
+
+        auto sourceSle = ctx_.view().peek(keylet::account(account_));
+        if (!sourceSle)
+            return tefINTERNAL;
+
+        auto const sourceCurrentReserve = ctx_.view().fees().accountReserve(
+            sourceSle->getFieldU32(sfOwnerCount));
+
+        auto const sourceBalance = sourceSle->getFieldAmount(sfBalance).xrp();
+
+        if (sourceBalance < sourceCurrentReserve + requiredDrops)
+            return tecUNFUNDED;
+
+        sourceSle->setFieldAmount(sfBalance, sourceBalance - requiredDrops);
+        ctx_.view().update(sourceSle);
+
+        sleNewAccount->setFieldAmount(sfBalance, requiredDrops);
+        ctx_.view().insert(sleNewAccount);
+
+        targetAccount = newAccount;
+    }
+
+    const int blobMax = hook::maxHookWasmSize();
+
+    auto const hookKeylet = keylet::hook(targetAccount);
+
+    auto accountSLE = view().peek(keylet::account(targetAccount));
 
     ripple::STArray newHooks{sfHooks, 8};
     auto newHookSLE = std::make_shared<SLE>(hookKeylet);

src/ripple/consensus/Consensus.h

@@ -479,23 +479,10 @@ private:
         to reach consensus. Update our position only on the timer, and in this
         phase.
 
-        If we have consensus, move to the shuffle phase.
-    */
-    void
-    phaseEstablish();
-
-
-    /** Handle shuffle phase.
-
-        In the shuffle phase, UNLReport nodes exchange entropy to build
-        a consensus entropy that is then used as an RNG source for Hooks.
-
-        The entropy is injected as a ttSHUFFLE psuedo into the final ledger
-
         If we have consensus, move to the accepted phase.
     */
     void
-    phaseShuffle();
+    phaseEstablish();
 
     /** Evaluate whether pausing increases likelihood of validation.
      *
@@ -601,10 +588,6 @@ private:
     // Peer proposed positions for the current round
     hash_map<NodeID_t, PeerPosition_t> currPeerPositions_;
 
-    // our and our peers' entropy as per TMShuffle, used in phaseShuffle
-    std::optional<uint256> ourEntropy_;
-    hash_map<NodeID_t, std::pair<uint256, uint256>> currPeerEntropy_;
-
     // Recently received peer positions, available when transitioning between
     // ledgers or rounds
     hash_map<NodeID_t, std::deque<PeerPosition_t>> recentPeerPositions_;
@@ -849,10 +832,6 @@ Consensus<Adaptor>::timerEntry(NetClock::time_point const& now)
     {
         phaseEstablish();
     }
-    else if (phase_ == ConsensusPhase::shuffle)
-    {
-        phaseShuffle();
-    }
 }
 
 template <class Adaptor>
@@ -1312,12 +1291,8 @@ Consensus<Adaptor>::phaseEstablish()
     adaptor_.updateOperatingMode(currPeerPositions_.size());
     prevProposers_ = currPeerPositions_.size();
     prevRoundTime_ = result_->roundTime.read();
-
-    // RHTODO: guard with amendment
-    phase_ = ConsensusPhase::shuffle;
-    JLOG(j_.debug()) << "transitioned to ConsensusPhase::shuffle";
-
-    /*
+    phase_ = ConsensusPhase::accepted;
+    JLOG(j_.debug()) << "transitioned to ConsensusPhase::accepted";
     adaptor_.onAccept(
         *result_,
         previousLedger_,
@@ -1325,60 +1300,6 @@ Consensus<Adaptor>::phaseEstablish()
         rawCloseTimes_,
         mode_.get(),
         getJson(true));
-        */
-}
-
-template <class Adaptor>
-void
-Consensus<Adaptor>::phaseShuffle()
-{
-    // can only establish consensus if we already took a stance
-    assert(result_);
-
-    using namespace std::chrono;
-    ConsensusParms const& parms = adaptor_.parms();
-
-    result_->roundTime.tick(clock_.now());
-    result_->proposers = currPeerPositions_.size();
-
-    convergePercent_ = result_->roundTime.read() * 100 /
-        std::max<milliseconds>(prevRoundTime_, parms.avMIN_CONSENSUS_TIME);
-
-    // Give everyone a chance to take an initial position
-    if (result_->roundTime.read() < parms.ledgerMIN_CONSENSUS)
-        return;
-
-    updateOurPositions();
-
-    // Nothing to do if too many laggards or we don't have consensus.
-    if (shouldPause() || !haveConsensus())
-        return;
-
-    if (!haveCloseTimeConsensus_)
-    {
-        JLOG(j_.info()) << "We have TX consensus but not CT consensus";
-        return;
-    }
-
-    JLOG(j_.info()) << "Converge cutoff (" << currPeerPositions_.size()
-                    << " participants)";
-    adaptor_.updateOperatingMode(currPeerPositions_.size());
-    prevProposers_ = currPeerPositions_.size();
-    prevRoundTime_ = result_->roundTime.read();
-
-    // RHTODO: guard with amendment
-    phase_ = ConsensusPhase::shuffle;
-    JLOG(j_.debug()) << "transitioned to ConsensusPhase::shuffle";
-
-    /*
-    adaptor_.onAccept(
-        *result_,
-        previousLedger_,
-        closeResolution_,
-        rawCloseTimes_,
-        mode_.get(),
-        getJson(true));
-        */
 }
 
 template <class Adaptor>

src/ripple/consensus/ConsensusTypes.h

@@ -87,15 +87,15 @@ to_string(ConsensusMode m)
 /** Phases of consensus for a single ledger round.
 
     @code
-          "close"             "shuffle"        "accept"
-     open ------- > establish -------> shuffle ---------> accepted
-       ^               |                                     |
-       |---------------|                                     |
-       ^                                        "startRound" |
-       |-----------------------------------------------------|
+          "close"             "accept"
+     open ------- > establish ---------> accepted
+       ^               |                    |
+       |---------------|                    |
+       ^                     "startRound"   |
+       |------------------------------------|
    @endcode
 
-   The typical transition goes from open to establish to shuffle to accepted and
+   The typical transition goes from open to establish to accepted and
    then a call to startRound begins the process anew. However, if a wrong prior
    ledger is detected and recovered during the establish or accept phase,
    consensus will internally go back to open (see Consensus::handleWrongLedger).
@@ -107,9 +107,6 @@ enum class ConsensusPhase {
     //! Establishing consensus by exchanging proposals with our peers
     establish,
 
-    //! Negotitate featureRNG entropy
-    shuffle,
-
     //! We have accepted a new last closed ledger and are waiting on a call
     //! to startRound to begin the next consensus round.  No changes
     //! to consensus phase occur while in this phase.
@@ -125,8 +122,6 @@ to_string(ConsensusPhase p)
             return "open";
         case ConsensusPhase::establish:
             return "establish";
-        case ConsensusPhase::shuffle:
-            return "shuffle";
         case ConsensusPhase::accepted:
             return "accepted";
         default:

src/ripple/ledger/View.h

@@ -1094,7 +1094,6 @@ trustTransferLockedBalance(
     }
     return tesSUCCESS;
 }
-
 }  // namespace ripple
 
 #endif

src/ripple/overlay/impl/PeerImp.cpp

@@ -1918,100 +1918,6 @@ PeerImp::onMessage(std::shared_ptr<protocol::TMLedgerData> const& m)
     app_.getInboundLedgers().gotLedgerData(ledgerHash, shared_from_this(), m);
 }
 
-void
-PeerImp::onMessage(std::shared_ptr<protocol::TMShuffle> const& m)
-{
-    protocol::TMShuffle& shuf = *m;
-
-    auto const sig = makeSlice(shf.signature());
-
-    // Preliminary check for the validity of the signature: A DER encoded
-    // signature can't be longer than 72 bytes.
-    if ((std::clamp<std::size_t>(sig.size(), 64, 72) != sig.size()) ||
-        (publicKeyType(makeSlice(shf.nodepubkey())) != KeyType::secp256k1))
-    {
-        JLOG(p_journal_.warn()) << "Shuffle: malformed";
-        fee_ = Resource::feeInvalidSignature;
-        return;
-    }
-
-    if (!stringIsUint256Sized(shf.nodeentropy()) ||
-        !stringIsUint256Sized(shf.consensusentropy()) ||
-        !stringIsUint256Sized(shf.previousledger()))
-    {
-        JLOG(p_journal_.warn()) << "Shuffle: malformed";
-        fee_ = Resource::feeInvalidRequest;
-        return;
-    }
-
-    PublicKey const publicKey{makeSlice(shf.nodepubkey())};
-    auto const isTrusted = app_.validators().trusted(publicKey);
-
-    if (!isTrusted)
-        return;
-
-    uint256 const prevLedger{shf.previousledger()};
-    uint32_t const shuffleSeq{shf.shuffleseq()};
-    uint256 const nodeEntropy{shf.nodeentropy()};
-    uint256 const consensusEntropy{shf.consensusentropy()};
-
-    uint256 const suppression = sha512Half(std::string("TMShuffle", sig));
-
-    if (auto [added, relayed] =
-            app_.getHashRouter().addSuppressionPeerWithStatus(suppression, id_);
-        !added)
-    {
-        // Count unique messages (Slots has it's own 'HashRouter'), which a peer
-        // receives within IDLED seconds since the message has been relayed.
-        if (reduceRelayReady() && relayed &&
-            (stopwatch().now() - *relayed) < reduce_relay::IDLED)
-            overlay_.updateSlotAndSquelch(
-                suppression, publicKey, id_, protocol::mtSHUFFLE);
-        JLOG(p_journal_.trace()) << "Shuffle: duplicate";
-        return;
-    }
-
-    if (!isTrusted)
-    {
-        if (tracking_.load() == Tracking::diverged)
-        {
-            JLOG(p_journal_.debug())
-                << "Proposal: Dropping untrusted (peer divergence)";
-            return;
-        }
-
-        if (!cluster() && app_.getFeeTrack().isLoadedLocal())
-        {
-            JLOG(p_journal_.debug()) << "Proposal: Dropping untrusted (load)";
-            return;
-        }
-    }
-
-    JLOG(p_journal_.trace())
-        << "Proposal: " << (isTrusted ? "trusted" : "untrusted");
-
-    auto proposal = RCLCxPeerPos(
-        publicKey,
-        sig,
-        suppression,
-        RCLCxPeerPos::Proposal{
-            prevLedger,
-            set.proposeseq(),
-            proposeHash,
-            closeTime,
-            app_.timeKeeper().closeTime(),
-            calcNodeID(app_.validatorManifests().getMasterKey(publicKey))});
-
-    std::weak_ptr<PeerImp> weak = shared_from_this();
-    app_.getJobQueue().addJob(
-        isTrusted ? jtPROPOSAL_t : jtPROPOSAL_ut,
-        "recvPropose->checkPropose",
-        [weak, isTrusted, m, proposal]() {
-            if (auto peer = weak.lock())
-                peer->checkPropose(isTrusted, m, proposal);
-        });
-}
-
 void
 PeerImp::onMessage(std::shared_ptr<protocol::TMProposeSet> const& m)
 {

src/ripple/proto/ripple.proto

@@ -450,12 +450,3 @@ message TMHaveTransactions
     repeated bytes hashes = 1;
 }
 
-message TMShuffle
-{
-    required bytes nodeEntropy = 1;
-    required bytes consensusEntropy = 2;
-    required uint32 shuffleSeq = 3;
-    required bytes nodePubKey = 4;
-    required bytes previousledger = 5;
-    required bytes signature = 6;    // signature of above fields
-}

src/ripple/protocol/Feature.h

@@ -74,7 +74,7 @@ namespace detail {
 // Feature.cpp. Because it's only used to reserve storage, and determine how
 // large to make the FeatureBitset, it MAY be larger. It MUST NOT be less than
 // the actual number of amendments. A LogicError on startup will verify this.
-static constexpr std::size_t numFeatures = 90;
+static constexpr std::size_t numFeatures = 91;
 
 /** Amendments that this server supports and the default voting behavior.
    Whether they are enabled depends on the Rules defined in the validated
@@ -378,6 +378,7 @@ extern uint256 const fixInvalidTxFlags;
 extern uint256 const featureExtendedHookState;
 extern uint256 const fixCronStacking;
 extern uint256 const fixHookAPI20251128;
+extern uint256 const featureHookAdministrator;
 }  // namespace ripple
 
 #endif

src/ripple/protocol/SField.h

@@ -563,6 +563,7 @@ extern SF_ACCOUNT const sfEmitCallback;
 extern SF_ACCOUNT const sfHookAccount;
 extern SF_ACCOUNT const sfNFTokenMinter;
 extern SF_ACCOUNT const sfInform;
+extern SF_ACCOUNT const sfHookAdministrator;
 
 // path set
 extern SField const sfPaths;

src/ripple/protocol/TxFlags.h

@@ -184,6 +184,11 @@ constexpr std::uint32_t const tfNFTokenCancelOfferMask     = ~(tfUniversal);
 // NFTokenAcceptOffer flags:
 constexpr std::uint32_t const tfNFTokenAcceptOfferMask     = ~tfUniversal;
 
+enum SetHookFlags : uint32_t {
+    tfNewAccount = 0x00000001,
+};
+constexpr std::uint32_t const tfSetHookMask = ~(tfUniversal | tfNewAccount);
+
 // URIToken mask
 constexpr std::uint32_t const tfURITokenMintMask = ~(tfUniversal | tfBurnable);
 constexpr std::uint32_t const tfURITokenNonMintMask = ~tfUniversal;

src/ripple/protocol/impl/Feature.cpp

@@ -484,6 +484,7 @@ REGISTER_FIX    (fixInvalidTxFlags,             Supported::yes, VoteBehavior::De
 REGISTER_FEATURE(ExtendedHookState,             Supported::yes, VoteBehavior::DefaultNo);
 REGISTER_FIX    (fixCronStacking,               Supported::yes, VoteBehavior::DefaultYes);
 REGISTER_FIX    (fixHookAPI20251128,            Supported::yes, VoteBehavior::DefaultYes);
+REGISTER_FEATURE(HookAdministrator,             Supported::yes, VoteBehavior::DefaultNo);
 
 // The following amendments are obsolete, but must remain supported
 // because they could potentially get enabled.

src/ripple/protocol/impl/LedgerFormats.cpp

@@ -70,6 +70,7 @@ LedgerFormats::LedgerFormats()
             {sfTouchCount,           soeOPTIONAL},
             {sfHookStateScale,       soeOPTIONAL},
             {sfCron,                 soeOPTIONAL},
+            {sfHookAdministrator,    soeOPTIONAL},
         },
         commonFields);
 

src/ripple/protocol/impl/SField.cpp

@@ -315,6 +315,7 @@ CONSTRUCT_TYPED_SFIELD(sfEmitCallback,          "EmitCallback",         ACCOUNT,
 
 // account (uncommon)
 CONSTRUCT_TYPED_SFIELD(sfHookAccount,           "HookAccount",          ACCOUNT,   16);
+CONSTRUCT_TYPED_SFIELD(sfHookAdministrator,     "HookAdministrator",    ACCOUNT,   98);
 CONSTRUCT_TYPED_SFIELD(sfInform,                "Inform",               ACCOUNT,   99);
 
 // vector of 256-bit

src/ripple/protocol/impl/TxFormats.cpp

@@ -324,6 +324,7 @@ TxFormats::TxFormats()
         {
             {sfHooks, soeREQUIRED},
             {sfTicketSequence, soeOPTIONAL},
+            {sfDestination, soeOPTIONAL},
         },
         commonFields);