Repatriate residual stake and locks on lease termination

[l0r1s]

Repatriate residual stake and locks on lease termination

Closes #2663.

Problem

do_terminate_lease handed subnet ownership to the beneficiary but left the
accumulated owner-cut alpha and lock state on the lease's derived coldkey
(blake2_256("leasing/coldkey", lease_id)). That coldkey has no private key and
the beneficiary proxy can't extract stake, so every fixed-end lease termination
permanently stranded the owner emissions accrued during the lease.

Change

Before tearing down the lease coldkey, termination now:

• moves the lease coldkey's lock to the beneficiary's hotkey, preserving the
  conviction earned during the lease (do_move_lock(..., preserve_conviction));
• re-points the subnet owner aggregate buckets to the new owner hotkey
  (reassign_subnet_owner_lock_aggregates, extracted so it's shared with the
  existing owner-change path);
• repatriates the residual alpha stake to the beneficiary;
• moves any remaining lock to the beneficiary (transfer_full_lock_to_coldkey);
• clears the lease coldkey's storage references and SubnetUidToLeaseId;
• removes the beneficiary proxy before dec_providers, then sweeps the
  unreserved proxy deposit to the beneficiary, so the keyless coldkey is reaped
  cleanly with no dangling account, refcount, or stranded funds.

Post-condition: no alpha, lock, or ownership rows remain under the lease coldkey.

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

LOW scrutiny: l0r1s has repo write permission, a 2018 account, substantial contribution history, and no Gittensor allowlist match found; branch is fix-lease-handoff -> devnet-ready.

No .github/ai-review/*, copilot-instruction, dependency, build-script, or lockfile changes were present. Static review only; no build or tests were run per Skeptic policy.

Findings

Sev	File	Finding
MEDIUM	pallets/subtensor/src/subnets/leasing.rs:223	Lease termination can still commit a partial handoff on lock conflict	inline

Prior-comment reconciliation

• 88cd282a: not addressed — The current diff moves one check earlier and adds a rollback test, but terminate_lease is still non-transactional and still performs lock/owner mutations before a later beneficiary-controlled LockHotkeyMismatch can be returned.

Conclusion

The PR still allows terminate_lease to return an error after changing lease lock, owner, and aggregate state, because the extrinsic is not transactional. A beneficiary-controlled lock conflict can leave the lease partially handed off, so the prior vulnerability remains.

---

📜 Previous run (superseded)

Sev	File	Finding	Status
MEDIUM	pallets/subtensor/src/subnets/leasing.rs:231	Lease termination can commit a partial owner handoff on lock conflict	➡️ Carried forward to current findings The current diff moves one check earlier and adds a rollback test, but terminate_lease is still non-transactional and still performs lock/owner mutations before a later beneficiary-controlled LockHotkeyMismatch can be returned.

---

# 🔍 AI Review — Auditor (domain review) has not yet run on this PR.

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[MEDIUM] Lease termination can still commit a partial handoff on lock conflict

terminate_lease is not wrapped in #[transactional] or with_transaction, but this call mutates lock rows via do_move_lock before later fallible calls. In the conflict case covered by the new test, repatriate_lease_coldkey_alpha can still return LockHotkeyMismatch after this mutation and after owner/aggregate updates, leaving the lease in storage while the subnet owner and lock state have already changed. Make the whole termination path storage-transactional, or preflight every fallible lock/proxy/currency operation before the first mutation.

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE

[evgeny-s]

Should we also re-point Owner[lease.hotkey] to the beneficiary? Otherwise, emissions land on a non-controllable account (lease.coldkey). Or maybe we need to de-register it at all.