Repatriate residual stake and locks on lease termination

[l0r1s]

Repatriate residual stake and locks on lease termination

Closes #2663.

Problem

do_terminate_lease handed subnet ownership to the beneficiary but left the
accumulated owner-cut alpha and lock state on the lease's derived coldkey
(blake2_256("leasing/coldkey", lease_id)). That coldkey has no private key and
the beneficiary proxy can't extract stake, so every fixed-end lease termination
permanently stranded the owner emissions accrued during the lease.

Change

Before tearing down the lease coldkey, termination now:

• moves the lease coldkey's lock to the beneficiary's hotkey, preserving the
  conviction earned during the lease (do_move_lock(..., preserve_conviction));
• re-points the subnet owner aggregate buckets to the new owner hotkey
  (reassign_subnet_owner_lock_aggregates, extracted so it's shared with the
  existing owner-change path);
• repatriates the residual alpha stake to the beneficiary;
• moves any remaining lock to the beneficiary (transfer_full_lock_to_coldkey);
• clears the lease coldkey's storage references and SubnetUidToLeaseId;
• removes the beneficiary proxy before dec_providers, then sweeps the
  unreserved proxy deposit to the beneficiary, so the keyless coldkey is reaped
  cleanly with no dangling account, refcount, or stranded funds.

Post-condition: no alpha, lock, or ownership rows remain under the lease coldkey.

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

LOW scrutiny: l0r1s has repo write permission, a 2018 account, substantial contribution history, matching commit authors, and no protected instruction/dependency/build-script changes; branch is fix-lease-handoff -> devnet-ready.

No .github/ai-review/*, copilot-instruction, dependency, build-script, or lockfile changes were present. Static review only; no build or tests were run per Skeptic policy.

Findings

Sev	File	Finding
HIGH	pallets/subtensor/src/subnets/leasing.rs:343	Hotkey-swap work is discarded from terminate_lease weight	inline
MEDIUM	pallets/subtensor/src/subnets/leasing.rs:237	Lease termination can still commit a partial handoff on lock conflict	inline

Prior-comment reconciliation

• 5069e74c: not addressed — The current diff still performs lock/owner/aggregate mutations before a later beneficiary-controlled LockHotkeyMismatch can be returned, and terminate_lease still has no storage transaction wrapper.

Conclusion

The PR still has a non-transactional lease termination path that can leave partial state committed on a later error, and it adds an under-accounted hotkey-swap path inside terminate_lease. These are security-relevant runtime safety issues, so the verdict remains vulnerable.

---

📜 Previous run (superseded)

Sev	File	Finding	Status
MEDIUM	pallets/subtensor/src/subnets/leasing.rs:223	Lease termination can still commit a partial handoff on lock conflict	➡️ Carried forward to current findings The current diff still performs lock/owner/aggregate mutations before a later beneficiary-controlled LockHotkeyMismatch can be returned, and terminate_lease still has no storage transaction wrapper.

---

# 🔍 AI Review — Auditor (domain review) has not yet run on this PR.

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[MEDIUM] Lease termination can still commit a partial handoff on lock conflict

terminate_lease is not wrapped in #[transactional] or with_transaction, but this call mutates lock rows via do_move_lock before later fallible calls. In the conflict case covered by the new test, repatriate_lease_coldkey_alpha can still return LockHotkeyMismatch after this mutation and after owner/aggregate updates, leaving the lease in storage while the subnet owner and lock state have already changed. Make the whole termination path storage-transactional, or preflight every fallible lock/proxy/currency operation before the first mutation.

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[MEDIUM] Lease termination can still commit a partial handoff on lock conflict

terminate_lease is still not wrapped in #[transactional] or with_transaction. A beneficiary that already has a lock on a different hotkey can make repatriate_lease_coldkey_alpha return LockHotkeyMismatch via transfer_stake_within_subnet after the earlier lock move, owner change, owner-hotkey set, and aggregate reassignment have already written storage. Dispatch errors do not roll those writes back, so the lease can be left partially handed off. Preflight the beneficiary lock compatibility before any mutation, or wrap the whole handoff in a storage transaction and rollback on every Err.

[github-actions]

[HIGH] Hotkey-swap work is discarded from terminate_lease weight

This creates a local Weight::zero() and passes it into perform_hotkey_swap_on_one_subnet, but the accumulated weight is never returned from terminate_lease or otherwise charged. That helper walks and rewrites dynamic storage such as PendingChildKeys::<T>::iter_prefix(netuid), Alpha::<T>::iter_prefix(old_hotkey), and AlphaV2::<T>::iter_prefix(old_hotkey). The dispatch weight for terminate_lease is still only keyed by contributor count, so a lease termination can execute hotkey-swap work that is not reflected in the block weight. Account for the helper's accumulated weight in the post-dispatch result and regenerate/update the lease termination weights with bounds for the dynamic hotkey-swap state, or avoid this helper in favor of a bounded lease-specific migration.

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE