Enhance KREAd Contract Robustness to Support Upgrades in Zoe

[Jorge-Lopes]

Description

This pull request addresses a vulnerability in the KREAd contract related to handling subscriber exits, which were not robust to Zoe vat upgrades. The details of this issue can be found in Issue #8714.

Solution Overview

To mitigate this vulnerability, the subscribeLatest method was implemented to replace getUpdateSince within the handleExitCharacter and handleExitItem methods of the market interface. The subscribeLatest method was chosen due to its ability to handle lossy consumption of a subscriber while providing the capability to reconnect after a disconnection and retrieve a new promise.

Contract Upgrade

To apply these changes on-chain, it was necessary to build a core-eval to execute a contract upgrade. During this process, an error ("The 'governedParams' term must be an object like Electorate..."), discussed in Discussion #10423, occurred. This error was due to the outdated version of the @agoric/governance package used in KREAd, which did not include recent updates introduced in this commit.

Due to dependencies among Agoric packages, updating only the @agoric/governance package was not feasible. Updating all necessary packages resulted in a larger bundle size, which is a known issue discussed in Discussion #9455. To resolve this, the resolution field was included at the agoric/package.json to manage dependencies and mitigate size issues.

Related Issues

rel: Agoric/agoric-sdk#8714
rel: Agoric/agoric-sdk#10392

Checklist

• I have used agoric's linter on my code (What linting configuration should I use for my Agoric contracts? Agoric/agoric-sdk#8274)
• I have added/updated unit tests to cover the changes.
• All existing tests pass.
• The PR title is clear and concise.