Some notes:

[vegasmorph]

1 — High level test strategy (why these tests)

1. Unit tests — verify individual math and guards (base_pool, PRP, clamps, TWAP check, quorum kill, fee split, stable→stable disabled). These are the first line of defense.
2. Integration tests — swaps through the module with mocked oracles + block progression, epoch rollover, tax redirect, burn at epoch end, fee accounting.
3. Simulation & property tests — fuzz various parameters (supply, F factor, PRP) and assert invariants (no net mint, pool never exceeds redirected tax, fee accounting always conserved, swap failures on TWAP mismatch).
4. Adversarial / exploit scenarios — oracle manipulation, price-stale exploitation, high-frequency draining, quorum outages, two-validator outage sequences.
5. Load & stress tests — many concurrent swaps, large notional sizes; measure gas, denial-of-service, and state bloat.
6. Chaos tests — random validator outages, oracle feeder misreports, delayed epoch transitions, partial pool redirects.
7. Testnet plan & community engagement — incentivised community , reproduction steps.

---

2 — Important invariants (things every test must assert)

• No net mint: total LUNC and USTC supply must never increase due to MM operations.
• Pool bound: per-epoch pool sizes ≤ redirected tax allowances and obey clamps.
• PRP / base_pool: computed base_pool must follow formula and clamps exactly.
• TWAP & price sanity: swaps fail if peg input differs by >10% vs 45-block TWAP.
• Quorum kill: MM refuses swaps when oracle quorum rule triggered (<50% VP for 25 blocks).
• Fee accounting: 0.35% spread fee is collected and routed 50% burn / 50% oracle pool.
• Stable→Stable disabled: stable-to-stable path must always revert with ErrStableSwapDisabled.
• Epoch burn: at epoch start next period, leftover pool balances must be burned.

Every test should also check final on-chain balances, events emitted, and storage state for these invariants.

---

3 — Unit test examples (Go / Cosmos SDK style)

Below are sample unit tests you can paste into x/marketmodule/types or x/marketmodule/keeper test folders. Adapt package names to match repo structure.

// file: x/marketmodule/keeper/keeper_test.go
package keeper_test

import (
    "testing"
    "github.com/stretchr/testify/require"
    sdk "github.com/cosmos/cosmos-sdk/types"
    mmtypes "github.com/yourorg/marketmodule/types"
)

func TestBasePoolCalculation_ClampsAndPRP(t *testing.T) {
    // sample inputs
    poolBalanceSDR := sdk.NewDec(100000) // 100k SDR
    F := sdk.MustNewDecFromStr("0.07")
    supplyLUNC := sdk.NewIntFromUint64(6500000000000) // 6.5T

    // compute desired daily cap
    desiredDaily := poolBalanceSDR.Mul(F) // 0.07 * poolBalanceSDR

    // compute PRP
    blocksPerDay := int64(14400)
    prpBlocks := blocksPerDay * (supplyLUNC.ToDec().QuoInt64(1000000000000).TruncateInt64() + 1) // simplified
    if prpBlocks < blocksPerDay {
        prpBlocks = blocksPerDay
    }

    // compute base_pool_raw
    baseRaw := desiredDaily.MulInt64(prpBlocks).QuoInt64(2 * blocksPerDay)

    // clamp: min(baseRaw, 0.00010*supply_value_in_SDR, 5_000_000)
    // (supply_value_in_SDR requires oracle; for unit test mock supply_value_in_SDR)
    supplyValueSDR := sdk.NewDec(2000000) // mocked
    clamp := supplyValueSDR.Mul(sdk.MustNewDecFromStr("0.00010"))
    maxRoof := sdk.NewDec(5000000)
    expected := baseRaw
    if clamp.LT(expected) { expected = clamp }
    if maxRoof.LT(expected) { expected = maxRoof }

    // call the function under test
    got := mmtypes.CalcBasePool(baseRaw, supplyValueSDR) // stubbed function ideally in types for deterministic behavior

    require.True(t, got.Equal(expected), "base_pool clamps must match expected")
}

Add tests for:

• fee routing math (0.35% split and 50/50 burn/oracle)
• TWAP comparison: simulate voting price and twap mismatch > 10% leads to swap abort
• stable->stable try and expect ErrStableSwapDisabled

---

4 — Integration test harness (local sim app)

Create a testutil/simnet/ that runs a single-validator chain (or a 3-validator chain) and runs sequences of blocks, oracle votes, and swaps.

Create scripts/run_local_simnet.sh:

#!/usr/bin/env bash
set -euo pipefail
# build binary
make build

# create a local chain dir
BINARY=build/terrad
CHAIN_DIR=/tmp/mm2_local
rm -rf $CHAIN_DIR
mkdir -p $CHAIN_DIR

# init a single validator chain (adjust per repo instructions)
$BINARY init testnode --chain-id mm2-local

# add keys, genesis roles, fund accounts (use sdk commands from the repo)
# start node in background
$BINARY start --home $CHAIN_DIR > $CHAIN_DIR/node.log 2>&1 &
sleep 5

# run integration tests (go tests with network)
go test ./x/marketmodule/keeper -run TestIntegrationMM -v

Integration tests should:

• initialize the redirected tax pool with controlled amounts (mock the distribution)
• simulate epoch start: move redirected pool into swap pool
• perform swaps in both directions and verify pool counters and fee distribution
• simulate epoch end: assert leftover burned

---

5 — Property/fuzz tests (fuzz parameters to find corner cases)

Use testing/quick or go-fuzz to randomly vary:

• supply S (from 1 T to 10 T)
• F (0.01 .. 0.5)
• PRP (min to very large)
• oracle price jumps (1%..1000%)
• swap sizes (small to pool draining)

Example with testing/quick:

func FuzzInvariant(t *testing.T) {
    f := func(supply uint64, Ffloat float64, swapAmount int64) bool {
        // sanitize inputs
        if supply < 1e12 { supply += 1e12 }
        if Ffloat <= 0 || Ffloat > 1 { Ffloat = 0.07 }
        // run single scenario and assert invariants
        ok := RunScenarioAndCheckInvariants(supply, Ffloat, swapAmount)
        return ok
    }
    if err := quick.Check(f, nil); err != nil {
        t.Fatal(err)
    }
}

RunScenarioAndCheckInvariants should create a fresh app instance in memory, apply blocks, do swaps, and assert invariants.

---

6 — Attack / adversarial scenarios (concrete sequences to try)

Below are high-value exploit tests and how to simulate them.

1. Oracle twist + fast front-run

   • Sequence: send a validator price vote pushing USTC price up or down by > 10% relative to TWAP; then immediately perform a large swap exploiting stale TWAP within the 30 s window.
   • Expected: TWAP sanity clamp should reject swap if >10% difference. If not, this is a bug.

2. Quorum outage then rapid rejoin

   • Take enough validator votes offline to drop VP <50% for 25 blocks → MM shuts.
   • Then bring validators back with intentionally skewed prices to try to reopen and allow large swaps in a short window.
   • Expected: MM disabled until quorum and conditions restored.

3. Pool drain via alternating swaps

   • Alternate LUNC→USTC and USTC→LUNC swaps to attempt to grow available pool beyond initial allowance by “self-sustaining” swaps.
   • Test that pool balance accounting prevents net minting and that the epoch burn clears remainders appropriately.

4. Gas DOS / Reentrancy / State bloat

   • Flood with many tiny swaps in a single block or across many blocks, measure gas consumption and state writes. Verify node behavior and validator mempool limits.

5. Time-warp / Block skip

   • Simulate manipulated block times (if possible in simulation) to see if PRP refill logic is purely block-count based and resilient.

6. Stable→stable bypass attempt

   • Ensure that any path that tries to swap stable to stable (e.g., USTC→USTC via MM router) errors with ErrStableSwapDisabled.

7. Epoch boundary race

   • Start a large swap at block t, then force epoch rollover and ensure atomicity: swap must use pre-epoch pool and not double credit.

For each attack, log full tx traces, keep account balances snapshots, and events emitted. If any assertion fails, produce a minimal reproduction script.

---

7 — Simulation scenarios (the scenarios from from Prop )

Implement a simulation harness that runs 30-day epoch examples and the three scenarios a/b/c mentioned in README. For each scenario produce:

• Epoch by epoch table of pool balances and burned amounts (CSV)
• Charts (e.g., epoch vs burned LUNC/USTC) for the post-test report

Suggested outputs:

• CSV with columns: epoch, tax_LUNC, tax_USTC, pool_LUNC_before, pool_USTC_before, pool_LUNC_after, pool_USTC_after, burned_LUNC, burned_USTC
• JSON traces of each swap with gas, oracle price, twap, and result

You can use Go to write these CSV/JSON tracegers. The simulation harness should be deterministic (seedable RNG).

---

8 — Load test and benchmarks

• Generate many concurrent swap transactions using a script that talks to the CLI or RPC.
• Measure TPS, average gas/per-swap, and node memory usage.
• Watch for mempool rejecions and timeout failures.
• Also test the scenario where swap size > pool balance and ensure the swap is refused, not partially executed.

Example script (bash + jq):

for i in $(seq 1 1000); do
  # craft tx of varying sizes
  $BINARY tx marketmodule swap ustc 1000000lunc --from testacc --gas auto --yes --chain-id mm2-local > /dev/null &
done
wait

Capture metrics from node logs.

---

9 — Testnet rollout checklist (when unfork modules are live)

1. Prepare a testnet branch with deterministic addresses and prefilled tax pools (so testers can reproduce).

2. Publish a clear guide for testers (how to run tests, sample transactions, expected events).

3. Launch a bounty sheet: reward for reproducible security bugs, economic exploits, or consensus/halting issues.

4. Provide a public dashboard that shows:

   • Current epoch pool balances
   • Total swaps and fees collected
   • Events of quorum kills and reopens

5. Provide a npm/python or simple web UI for non-developer community members to execute common swap scenarios and report.

---

10 — Community testing & bug report template

Provide a template BUG_REPORT.md:

Title: [short summary]

Severity: [HIGH | MEDIUM | LOW]

Environment:
- branch/tag:
- binary commit:
- chain-id:
- node count:
- config (PRP, F, redirected %):

Reproduction steps:
1. Set up chain with X
2. At block N do A, B, C
3. Call tx: `terrad tx market swap ...`
4. Expect: X
5. Observed: Y

Artifacts:
- tx hash:
- node logs (attach)
- exported chain state at block (attach)
- CSV/JSON traces

Impact:
- [economic | liveness | invariants | other]

Suggested mitigation:
- [immediate config guard | disable module | other]

---

11 — Example exploit test implementation (script)

A short Golang test that tries to exploit TWAP windows:

// x/marketmodule/test/exploit_twap_test.go
func TestExploit_TWAPWindow(t *testing.T) {
    app, ctx := setupAppWithOracles(t)
    // set initial TWAP to 1.0
    setOraclePrice(app, ctx, "ustc", sdk.NewDecWithPrec(1, 0))
    // create a fast price change (validator feeding a new price)
    for i:=0;i<5;i++ {
        // vote a wildly different price from one validator
        setOraclePriceOneValidator(app, ctx, "ustc", sdk.NewDecWithPrec(200,0)) // 200 LUNC/USTC for example
        // do swap immediately within TWAP window
        txRes := DoSwapTx(app, ctx, fromAcc, "ustc", "lunc", amt)
        // assert txRes failed if logic correct (TWAP sanity clamp)
        require.Error(t, txRes.Error, "Swap should be rejected due TWAP sanity clamp")
        // advance a block and check status
        ctx = ctx.WithBlockHeight(ctx.BlockHeight()+1)
    }
}

This reveals whether TWAP sanity clamps are effective.

---

12 — Reporting & artifacts

For each test run produce:

• report-<timestamp>.zip containing:

  • CSV epoch trace
  • JSON swap trace per tx
  • Node logs and stdout/stderr of test harness
  • Reproduction scripts
  • A short summary.md with “Did it pass invariants? yes/no” and notes

• For failing cases: attach minimal reproduction steps and PR that adds a unit test reproducing the failure.

---

13 — community engagement :

• Hackathon : quants to build arbitrage bots to stress the module

---

[Msa321111]

Review Summary:

• Test strategy solid: covers unit → integration → fuzz → adversarial → load/chaos → community.
• Invariants correct: no net mint, pool ≤ redirected tax, clamps, TWAP sanity, quorum kill, fee routing, epoch burn, stable→stable disabled.

Fixes / Must-Add:

•Replace Dec.TruncateInt64() → Dec.TruncateInt().Int64().
•Bound PRP (≤ 30 * blocksPerDay), compute in ints.
•Confirm clamp "0.00010" = 0.01% policy.
•Expose single CalcBasePool(F, pool, supplyValue, prpBlocks) for prod + test.
•Define fee rounding (odd wei) and test it.
•Add export/import test to verify invariants across state reload.
•Add epoch rollover atomicity test.
•Switch fuzz to FuzzXxx, persist seeds.
•Prefer in-process sim network over shelling out.
•CI: run go test -race, lint with gocritic/gosec/errcheck.

TL;DR:
Math fixes + determinism + artifact bundling, then ship. Plan is solid.

[Msa321111]

Unit Test Corrections & Improvements

Fixes for sample test:

1. Dec.TruncateInt64() doesn’t exist. Use:

scale := supplyLUNC.Quo(trillion) // sdk.Int
prpBlocks := blocksPerDay * (scale.Int64() + 1)

2. Clamp constant: "0.00010" = 0.01% of supply value in SDR. Confirm that’s the intended policy (not 0.1% or 1%).
3. PRP should be bounded (e.g. ≤ 30 * blocksPerDay) to avoid runaway values.
4. Test compares sdk.Dec with .Equal(). Fine for exact math, but if divisions are involved, use a tolerance compare.
5. Better API: instead of passing baseRaw into CalcBasePool, expose a function like CalcBasePool(F, poolBalance, supplyValue, prpBlocks) so production and test code share the exact math.

Patch (clamped math):

trillion := sdk.NewInt(1_000_000_000_000)
scale := supplyLUNC.Quo(trillion)
if scale.IsZero() { scale = sdk.NewInt(1) }

prpBlocks := blocksPerDay * (scale.Int64() + 1)
if prpBlocks < blocksPerDay { prpBlocks = blocksPerDay }
if prpBlocks > 30blocksPerDay { prpBlocks = 30blocksPerDay }

Extra unit tests to add:

• Fee routing math: 0.35% fee split 50/50 burn vs oracle, with clear rounding rules.
• TWAP mismatch >10% should abort swap; boundary at exactly 10% must pass.
• Stable→stable swap should return ErrStableSwapDisabled and have no side effects.

[Msa321111]

Integration Harness:

• Prefer in-process network over shelling out (faster, deterministic).
• If using bash: add trap cleanup, poll RPC instead of sleep, and set accounts/params in genesis.

Property / Fuzz Tests:
•Use Go fuzzing (FuzzXxx) instead of testing/quick.
•Persist failing SEED in artifacts for reproducibility.

Adversarial / Exploits (assert explicit errors, no side-effects):
•Oracle delay skew (quorum ok, staggered timestamps).
•Epoch rollover race (no double credit across boundary).
•Alternating swaps (no “self-sustaining” pool growth).
•Gas DoS (tiny swaps flood): bounded gas/state writes; mempool behavior OK.
•Stable→stable router bypass → ErrStableSwapDisabled.

Simulation & Artifacts (per run):
•CSV: epoch, tax_LUNC, tax_USTC, pool_*_before/after, burned_LUNC, burned_USTC
•JSONL: per-tx (gas, price, TWAP, result, fees).
•params.json, SEED, node logs, summary.md (“invariants pass? yes/no”).
•Add a checksum row to CSV for integrity.

Load / Bench:
•go test -bench=. for hot paths (fee math, clamps).
•Vary gas prices in load scripts to stress mempool ordering.
•Swap > pool must reject cleanly (no partials, no fees accrued).

CI & Tooling:
•go test -race -count=1 -p=1 ./...
•golangci-lint with gocritic, gosec, errcheck, staticcheck, ineffassign.
•Deterministic builds: -trimpath, pin toolchain in go.mod.

Community / Reporting:
•BUG_REPORT includes: “Which invariant broke?”, params snapshot, artifacts.
•REDTEAM_SCENARIOS with CLI steps.
•Testnet dashboard: epoch pools, fees, quorum events.

TL;DR (merge blockers)
•Fix TruncateInt64 → TruncateInt().Int64()
•PRP computed in ints, bounded
•Confirm clamp = 0.01%
•Single CalcBasePool(...) used by prod + tests
•Fee rounding policy + tests
•Export/import replay test
•Epoch rollover atomicity test
•Go fuzzing + persist seeds
•In-process net for integration
•CI: -race + linters; artifact bundle on runs

[StrathCole]

This topic is not really readable.

Please see https://github.com/orgs/Market-Module-2-0/discussions/1 for how it should be done for easier communication and handling.