Check if a withdrawal amount exceeds any applicable receiving limit. (#6117)

- Check the trust line limit is not exceeded for a withdraw to a third party Destination account.

Author: gregtatcam

src/xrpld/app/paths/Credit.h include/xrpl/ledger/Credit.hsrc/xrpld/app/paths/Credit.h renamed to include/xrpl/ledger/Credit.h

@@ -17,8 +17,8 @@
 */
 //==============================================================================
 
-#ifndef RIPPLE_APP_PATHS_CREDIT_H_INCLUDED
-#define RIPPLE_APP_PATHS_CREDIT_H_INCLUDED
+#ifndef RIPPLE_LEDGER_CREDIT_H_INCLUDED
+#define RIPPLE_LEDGER_CREDIT_H_INCLUDED
 
 #include <xrpl/ledger/View.h>
 #include <xrpl/protocol/IOUAmount.h>

include/xrpl/ledger/View.h

@@ -729,13 +729,16 @@ checkDestinationAndTag(SLE::const_ref toSle, bool hasDestinationTag);
  *    - If withdrawing to self, succeed.
  *    - If not, checks if the receiver requires deposit authorization, and if
  *      the sender has it.
+ *    - Checks that the receiver will not exceed the limit (IOU trustline limit
+ *      or MPT MaximumAmount).
  */
 [[nodiscard]] TER
 canWithdraw(
     AccountID const& from,
     ReadView const& view,
     AccountID const& to,
     SLE::const_ref toSle,
+    STAmount const& amount,
     bool hasDestinationTag);
 
 /** Checks that can withdraw funds from an object to itself or a destination.
@@ -749,12 +752,15 @@ canWithdraw(
  *    - If withdrawing to self, succeed.
  *    - If not, checks if the receiver requires deposit authorization, and if
  *      the sender has it.
+ *    - Checks that the receiver will not exceed the limit (IOU trustline limit
+ *      or MPT MaximumAmount).
  */
 [[nodiscard]] TER
 canWithdraw(
     AccountID const& from,
     ReadView const& view,
     AccountID const& to,
+    STAmount const& amount,
     bool hasDestinationTag);
 
 /** Checks that can withdraw funds from an object to itself or a destination.
@@ -768,6 +774,8 @@ canWithdraw(
  *    - If withdrawing to self, succeed.
  *    - If not, checks if the receiver requires deposit authorization, and if
  *      the sender has it.
+ *    - Checks that the receiver will not exceed the limit (IOU trustline limit
+ *      or MPT MaximumAmount).
  */
 [[nodiscard]] TER
 canWithdraw(ReadView const& view, STTx const& tx);

src/xrpld/app/paths/Credit.cpp src/libxrpl/ledger/Credit.cppsrc/xrpld/app/paths/Credit.cpp renamed to src/libxrpl/ledger/Credit.cpp

@@ -22,6 +22,7 @@
 #include <xrpl/basics/chrono.h>
 #include <xrpl/beast/utility/instrumentation.h>
 #include <xrpl/ledger/CredentialHelpers.h>
+#include <xrpl/ledger/Credit.h>
 #include <xrpl/ledger/ReadView.h>
 #include <xrpl/ledger/View.h>
 #include <xrpl/protocol/Feature.h>
@@ -1361,12 +1362,58 @@ checkDestinationAndTag(SLE::const_ref toSle, bool hasDestinationTag)
     return tesSUCCESS;
 }
 
+/*
+ * Checks if a withdrawal amount into the destination account exceeds
+ * any applicable receiving limit.
+ * Called by VaultWithdraw and LoanBrokerCoverWithdraw.
+ *
+ * IOU : Performs the trustline check against the destination account's
+ * credit limit to ensure the account's trust maximum is not exceeded.
+ *
+ * MPT: The limit check is effectively skipped (returns true). This is
+ * because MPT MaximumAmount relates to token supply, and withdrawal does not
+ * involve minting new tokens that could exceed the global cap.
+ * On withdrawal, tokens are simply transferred from the vault's pseudo-account
+ * to the destination account. Since no new MPT tokens are minted during this
+ * transfer, the withdrawal cannot violate the MPT MaximumAmount/supply cap
+ * even if `from` is the issuer.
+ */
+static TER
+withdrawToDestExceedsLimit(
+    ReadView const& view,
+    AccountID const& from,
+    AccountID const& to,
+    STAmount const& amount)
+{
+    auto const& issuer = amount.getIssuer();
+    if (from == to || to == issuer || isXRP(issuer))
+        return tesSUCCESS;
+
+    return std::visit(
+        [&]<ValidIssueType TIss>(TIss const& issue) -> TER {
+            if constexpr (std::is_same_v<TIss, Issue>)
+            {
+                auto const& currency = issue.currency;
+                auto const owed = creditBalance(view, to, issuer, currency);
+                if (owed <= beast::zero)
+                {
+                    auto const limit = creditLimit(view, to, issuer, currency);
+                    if (-owed >= limit || amount > (limit + owed))
+                        return tecNO_LINE;
+                }
+            }
+            return tesSUCCESS;
+        },
+        amount.asset().value());
+}
+
 [[nodiscard]] TER
 canWithdraw(
     AccountID const& from,
     ReadView const& view,
     AccountID const& to,
     SLE::const_ref toSle,
+    STAmount const& amount,
     bool hasDestinationTag)
 {
     if (auto const ret = checkDestinationAndTag(toSle, hasDestinationTag))
@@ -1381,19 +1428,20 @@ canWithdraw(
             return tecNO_PERMISSION;
     }
 
-    return tesSUCCESS;
+    return withdrawToDestExceedsLimit(view, from, to, amount);
 }
 
 [[nodiscard]] TER
 canWithdraw(
     AccountID const& from,
     ReadView const& view,
     AccountID const& to,
+    STAmount const& amount,
     bool hasDestinationTag)
 {
     auto const toSle = view.read(keylet::account(to));
 
-    return canWithdraw(from, view, to, toSle, hasDestinationTag);
+    return canWithdraw(from, view, to, toSle, amount, hasDestinationTag);
 }
 
 [[nodiscard]] TER
@@ -1402,7 +1450,8 @@ canWithdraw(ReadView const& view, STTx const& tx)
     auto const from = tx[sfAccount];
     auto const to = tx[~sfDestination].value_or(from);
 
-    return canWithdraw(from, view, to, tx.isFieldPresent(sfDestinationTag));
+    return canWithdraw(
+        from, view, to, tx[sfAmount], tx.isFieldPresent(sfDestinationTag));
 }
 
 TER