Correct treatment of excess when burning kit

[gkaracha]

This PR fixes a long-standing bug around the concept of excess kit and removes the excess_kit field in burrows. It's still work in progress but I thought I'd open the PR early so that perhaps you could have a look too @utdemir @dorranh; the changes are rather pervasive (though necessary, I believe) and I really could use more pairs of eyes. Let me know what you think! 🙂

Closes #209.
Closes #136.

Summary:

• The excess_kit is removed from the representation of burrows. This means that in cases where more than burrow.outstanding_kit is attempted to be burned/deposited, the excess is directly credited to the burrow owner on the FA2 ledger. This applies both to explicit burns (via burrow_burn_kit) and implicit burns (via burrow_return_kit_from_auction).
• assert_burrow_invariants now has no invariants to check. I've left it for the time being, but I think we can just get rid of it.
• Some information is now "leaking" from burrow_burn_kit and burrow_return_kit_from_auction: they both need to return to the caller how much of that kit really got burned and how much did not. This is a good thing. This change allows us to remove from parameters.circulating_kit and the parameters.outstanding_kit the kit that got repaid, but not the part that did not. This was the source of internalError_KitSubNegative error raised #209: previously we would erroneously try to remove all the kit we tried to burn from the parameters.outstanding_kit, even if some of it really ended up in the excess_kit field. I left a big comment about what happens with each part of the kit to be burned (and a few assertions) in touch_liquidation_slice to clarify this.
• There is still a hidden assumption in this logic: by never burning more kit than is outstanding per burrow, my text above implies that I don't expect there to be an underflow in the global outstanding kit (parameters.outstanding_kit), which is what internalError_KitSubNegative error raised #209 is about. I have not proven this yet, but I believe that the calculations imply that parameters.outstanding_kit >= sum burrow_i.outstanding_kit. If that is indeed the case, then sound burning per burrow implies sound burning for the total outstanding kit. I expect us to observe this inequality when we address Ensure parameters.oustanding_kit does not drift far from the real value #156, but I will try to prove it before merging this PR anyway.
  If the inequality does not hold then we can always circumvent the issue of internalError_KitSubNegative error raised #209 by a simple if-then-else: never try to burn more kit from parameters.outstanding_kit than there is. I don't like this catch-all because it could hide other bugs, but if the inequality above really does not hold at least this if-then-else works as an absorbing bound at 0, essentially showing that we have to burn more kit than we thought were outstanding. If anything, it reduces the discrepancy between parameters.outstanding_kit and sum burrow_i.outstanding_kit.
• I made touch_liquidation_slice and friends take bigger parts of the state as arguments to be able to update the FA2 ledger when we give kit to the burrow owners. In general I wrote things having clarity in mind, but we have to make sure that the gas costs don't increase too much because of this before merging (if so, we have to re-uglify the code).
• I have not looked at the docs yet, but I am sure I'd have to update them to reflect some of these changes.
• The test folder still have debugging prints in it. I'll remove the calls when done (we can still keep the functions though; very handy).

[dorranh]

🎉

[github-actions]

Gas costs	4e30beb	72cd192	Diff
touch	535780	537980	2200
mint_kit	53699	52105	-1594
burn_kit	52529	51276	-1253
activate_burrow	54263	53694	-569
deactivate_burrow	59578	59021	-557
set_burrow_delegate	55136	54681	-455
withdraw_tez	58024	57578	-446
deposit_tez	53453	53009	-444
create_burrow	48091	47811	-280
touch_burrow	44678	44399	-279
add_liquidity	73752	73532	-220
buy_kit	69738	69518	-220
sell_kit	68865	68645	-220
remove_liquidity	74003	73784	-219
update_operators	41879	41662	-217
transfer	40133	39918	-215

Entrypoint sizes	4e30beb	72cd192	Diff
touch	56119	56499	380
mint_kit	1829	1637	-192
mark_for_liquidation	17275	17127	-148
burn_kit	1645	1519	-126
touch_liquidation_slices	14399	14491	92
cancel_liquidation_slice	12229	12185	-44
activate_burrow	1187	1147	-40
deactivate_burrow	1606	1568	-38
set_burrow_delegate	1085	1059	-26
withdraw_tez	1402	1378	-24
deposit_tez	1065	1041	-24
create_burrow	917	909	-8
touch_burrow	664	660	-4
receive_slice_from_burrow	121	119	-2

[gkaracha]

So @utdemir @dorranh, this should be ready for reviewing (@dorranh not many things changed since the last time you had a look, but you might want to skim it). The size and gas cost differences I think are good; only touch and touch_liquidation_slices increased on both accounts, because of this change I mentioned:

I made touch_liquidation_slice and friends take bigger parts of the state as arguments to be able to update the FA2 ledger when we give kit to the burrow owners. In general I wrote things having clarity in mind, but we have to make sure that the gas costs don't increase too much because of this before merging (if so, we have to re-uglify the code).

I think the clarity is worth the few extra bytes/gas, especially given that that's where the bug was before. Give me a shout if you disagree and I can try and change touch_liquidation_slice.

I started working on paper to prove my postulate that parameters.outstanding_kit is always greater-than-or-equal to the sum of all the outstanding kit in each burrow, but the code itself will remain as-is (I'll add a comment and assertions, once I finish the proof, but that's all).

Edit: Progress here: https://gist.github.com/gkaracha/6623da298944d23f5ebbd621f32b264d

[dorranh]

Nice! I looked through a second time, and it seems to all be in order as far as I can tell. I am a bit surprised that we didn't need to change more tests for this instead of mostly needing to just remove obsolete ones. Though I suppose that it kind of makes sense since this change is largely internal and doesn't seem to affect a given account's balance in the fa2 ledger as far as I can tell.

[gkaracha]

I am a bit surprised that we didn't need to change more tests for this instead of mostly needing to just remove obsolete ones.

Right?! I thought so too and was not amused that not many tests failed. I think that the tests not failing means that our coverage could be improved. For example the changes to burrow_burn_kit reveal that no test we have tries to burn more kit than is outstanding. We might want to consider failing or crediting the rest of the kit back to the owner (as we currently) do, but the exact choice is not that important; the fact that no test triggers this behavior is 😅

[github-actions]

Gas costs	4e30beb	50445b0	Diff
touch	535780	537980	2200
mint_kit	53699	52105	-1594
burn_kit	52529	51276	-1253
activate_burrow	54263	53694	-569
deactivate_burrow	59578	59021	-557
set_burrow_delegate	55136	54681	-455
withdraw_tez	58024	57578	-446
deposit_tez	53453	53009	-444
create_burrow	48091	47811	-280
touch_burrow	44678	44399	-279
add_liquidity	73752	73532	-220
buy_kit	69738	69518	-220
sell_kit	68865	68645	-220
remove_liquidity	74003	73784	-219
update_operators	41879	41662	-217
transfer	40133	39918	-215

Entrypoint sizes	4e30beb	50445b0	Diff
touch	56119	56499	380
mint_kit	1829	1637	-192
mark_for_liquidation	17275	17127	-148
burn_kit	1645	1519	-126
touch_liquidation_slices	14399	14491	92
cancel_liquidation_slice	12229	12185	-44
activate_burrow	1187	1147	-40
deactivate_burrow	1606	1568	-38
set_burrow_delegate	1085	1059	-26
withdraw_tez	1402	1378	-24
deposit_tez	1065	1041	-24
create_burrow	917	909	-8
touch_burrow	664	660	-4
receive_slice_from_burrow	121	119	-2