IntersectMBO
diff --git a/‎WithdrawalReward-analysis.md‎
Lines changed: 100 additions & 0 deletions b/‎WithdrawalReward-analysis.md‎
Lines changed: 100 additions & 0 deletions
diff --git a/‎cardano-testnet/cardano-testnet.cabal‎
Lines changed: 1 addition & 0 deletions b/‎cardano-testnet/cardano-testnet.cabal‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cardano-testnet/test/cardano-testnet-test/Cardano/Testnet/Test/Cli/Transaction/WithdrawalReward.hs‎
Lines changed: 196 additions & 0 deletions b/‎cardano-testnet/test/cardano-testnet-test/Cardano/Testnet/Test/Cli/Transaction/WithdrawalReward.hs‎
Lines changed: 196 additions & 0 deletions
diff --git a/‎cardano-testnet/test/cardano-testnet-test/cardano-testnet-test.hs‎
Lines changed: 8 additions & 5 deletions b/‎cardano-testnet/test/cardano-testnet-test/cardano-testnet-test.hs‎
Lines changed: 8 additions & 5 deletions
diff --git a/‎test/cardano-testnet-test/files/calculatePlutusScriptCost.json‎
Lines changed: 10 additions & 0 deletions b/‎test/cardano-testnet-test/files/calculatePlutusScriptCost.json‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎test/cardano-testnet-test/files/calculateSimpleScriptCost.json‎
Lines changed: 1 addition & 0 deletions b/‎test/cardano-testnet-test/files/calculateSimpleScriptCost.json‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,100 @@
+# Test analysis: `WithdrawalReward.hs`
+
+Regression test for [cardano-cli#965](https://github.com/IntersectMBO/cardano-cli/issues/965).
+Transaction auto-balance crashes with "Illegal Value in TxOut" when withdrawals are present and the change output computation produces a negative value.
+
+## Revision history
+
+- **v1**: Initial analysis against the original test (fictional withdrawal amounts, no error message check).
+- **v2**: Re-analysis after the test was rewritten to use real on-chain rewards, add an `isInfixOf` assertion, and verify the output file.
+  Found critical arithmetic bug: `outputLovelace = inputLovelace + rewardLovelace` consumed all available value, leaving nothing for fees.
+- **v3**: Re-analysis after the arithmetic fix (`outputLovelace = inputLovelace + 1_000_000`) and reward floor guard.
+
+## Core logic assessment
+
+The test is now logically sound and well-structured.
+
+The arithmetic is correct:
+
+```
+change = input + withdrawal - output - fee
+       = inputLovelace + rewardLovelace - (inputLovelace + 1_000_000) - fee
+       = rewardLovelace - 1_000_000 - fee     (positive, guarded by rewardCoin > 1.5 ADA)
+```
+
+Without the withdrawal (the bug):
+
+```
+change = inputLovelace - (inputLovelace + 1_000_000) - fee
+       = -1_000_000 - fee                     (hugely negative, triggers crash)
+```
+
+The output exceeds the input by a fixed 1 ADA, forcing the auto-balancer to rely on the withdrawal.
+The explicit guard at line 127 (`H.assertWith rewardCoin (> L.Coin 1500000)`) ensures the reward comfortably covers the excess + fee, and fails cleanly with a descriptive message if rewards are too small.
+
+API usage is consistent with the codebase: `getAccountsStates`, `retryUntilJustM`, `H.assertWith`, and `balanceAccountStateL` are all used in existing tests and library code (e.g. `Testnet.Process.Cli.SPO`).
+
+## What the test gets right
+
+- **Real rewards**: queries on-chain reward balance via `getAccountsStates` and `retryUntilJustM`, making the test robust against future CLI withdrawal-amount validation.
+- **Specific error assertion**: line 164 checks `not . isInfixOf "Illegal Value in TxOut"` on stderr, distinguishing the regression crash from other failures.
+- **ExitSuccess assertion**: line 166 verifies the command succeeds end-to-end.
+- **Reward floor guard**: line 127 makes the minimum-reward assumption explicit and fails cleanly if not met.
+- **Output file verification**: line 169 reads back the transaction body file.
+- **Clear comments**: lines 136-143 explain the arithmetic for both the correct and buggy cases.
+
+## Remaining holes
+
+### 1. Potential flakiness if rewards accumulate slowly
+
+The test waits up to 10 epochs (`WaitForEpochs $ L.EpochInterval 10`) and then asserts `rewardCoin > L.Coin 1500000`.
+Whether rewards reach 1.5 ADA in time depends on the testnet's monetary expansion parameters (`rho`, `tau`) and the delegator's stake proportion.
+If the default genesis configuration yields slow rewards, the test could time out or fail at the guard.
+
+This is a clean failure (not a false positive), and the guard gives a descriptive message.
+But it could make the test unreliable across different configurations or CI environments.
+
+Mitigation: if this proves flaky, either increase the wait period or lower the excess (e.g. to 500_000 lovelace with a guard of `> 1_000_000`).
+
+### 2. No coverage for Plutus script-based withdrawals
+
+KtorZ's reproduction (the most recent confirmation the bug exists, from 2026-04-17) uses `--withdrawal-plutus-script-v3` with `--withdrawal-reference-tx-in-redeemer-value`.
+
+For Plutus script withdrawals, `evaluateTransactionExecutionUnits` calls the node to evaluate the script.
+This exercises a different code path through the auto-balancer where `exUnitsMap` is non-empty and `substituteExecutionUnits` modifies `txbodycontent1`.
+The current test only covers key-based (non-script) withdrawals, which is the simpler path.
+
+### 3. `checkNonNegative` is dead code for the negative case in the experimental path
+
+The CLI calls `Exp.makeTransactionBodyAutoBalance` (line 1120 of `Run.hs`), the experimental auto-balance path in `Experimental/Tx/Internal/Fee.hs`.
+In this path, the initial change output is constructed at lines 1437-1439 as:
+
+```haskell
+TxOut (L.mkBasicTxOut (toShelleyAddr changeaddr) initialChangeTxOutValue)
+```
+
+Then `checkNonNegative` at line 1443 is supposed to catch negative values.
+But `TxOut` is a newtype wrapper, and when `checkNonNegative` forces it (line 477: `balance ^. L.valueTxOutL`), this evaluates `L.mkBasicTxOut`, which calls `L.mkTxOut`, which throws `error "Illegal Value in TxOut: ..."` for negative values before `checkNonNegative` can return `Left TxBodyErrorBalanceNegative`.
+
+`error` throws an uncaught `ErrorCall` exception that the `Either` monad cannot intercept.
+So `checkNonNegative` never gets to run its logic for the negative case.
+This is a secondary bug in the auto-balance code itself (the check is dead code), though it does not affect whether the test detects the regression.
+
+### 4. Test does not exercise the final balance check
+
+The auto-balancer has two balance checks:
+
+- Initial: line 1443 (`checkNonNegative` on initial change before fee estimation).
+- Final: line 1548 (`when (adaBalance < 0) $ Left $ BalanceIsNegative ...` after fee estimation).
+
+The test's arithmetic ensures both checks yield the same sign (`rewardLovelace - 1_000_000 - fee` is positive in both cases).
+A complementary test case with a very small input (where `inputLovelace < fee`) would exercise the final balance check independently.
+
+## Summary
+
+| Hole | Severity | Impact |
+|------|----------|--------|
+| Potential flakiness from reward timing | Low-Medium | Could fail in slow-reward configurations |
+| No Plutus script withdrawal case | Medium | KtorZ's actual reproduction path untested |
+| `checkNonNegative` is dead code | Low | Secondary bug in auto-balance, not the test |
+| Final balance check not exercised | Low | Incomplete coverage of auto-balance code paths |
@@ -218,6 +218,7 @@ test-suite cardano-testnet-test
                         Cardano.Testnet.Test.Cli.Transaction
                         Cardano.Testnet.Test.Cli.Transaction.BuildEstimate
                         Cardano.Testnet.Test.Cli.Transaction.RegisterDeregisterStakeAddress
+                        Cardano.Testnet.Test.Cli.Transaction.WithdrawalReward
                         Cardano.Testnet.Test.DumpConfig
                         Cardano.Testnet.Test.FoldEpochState
                         Cardano.Testnet.Test.Gov.CommitteeAddNew
 
@@ -0,0 +1,196 @@
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE ScopedTypeVariables #-}
+{-# LANGUAGE TypeApplications #-}
+
+-- | Smoke tests for @transaction build@ with a @--withdrawal@ flag,
+-- covering both key-witnessed and Plutus-script-witnessed withdrawals.
+-- Loosely related to https://github.com/IntersectMBO/cardano-cli/issues/965.
+module Cardano.Testnet.Test.Cli.Transaction.WithdrawalReward
+  ( hprop_tx_withdrawal_reward
+  , hprop_tx_withdrawal_reward_plutus_v3
+  ) where
+
+import           Cardano.Api as Api
+import qualified Cardano.Api.Ledger as L
+
+import           Cardano.Testnet
+
+import           Prelude
+
+import           Control.Monad (void)
+import           Data.Default.Class
+import qualified Data.Text as Text
+import           System.Exit (ExitCode (..))
+import           System.FilePath ((</>))
+
+import           Testnet.Components.Configuration
+import           Testnet.Components.Query
+import           Testnet.Defaults (plutusV3Script)
+import           Testnet.Process.Run (execCli, execCliAny, mkExecConfig)
+import           Testnet.Property.Util (integrationRetryWorkspace)
+import           Testnet.Start.Types
+import           Testnet.Types
+
+import           Hedgehog
+import qualified Hedgehog as H
+import qualified Hedgehog.Extras as H
+
+
+-- | Smoke test: @transaction build@ builds a transaction whose output
+-- exceeds the input, with a @--withdrawal@ covering the shortfall
+-- (@output = 2 * input@, @withdrawal = 2 * input@). The auto-balancer
+-- sums the withdrawal into consumed value, producing
+-- @change = inputs + withdrawal - outputs - fee = input - fee@ (positive).
+--
+-- The withdrawal amount is fictional; the CLI does not validate it against
+-- on-chain reward balances at build time, and the test only exercises the
+-- build step.
+--
+-- Execute me with:
+-- @DISABLE_RETRIES=1 cabal test cardano-testnet-test --test-options '-p "/transaction build with withdrawal/"'@
+hprop_tx_withdrawal_reward :: Property
+hprop_tx_withdrawal_reward = integrationRetryWorkspace 2 "tx-withdrawal-reward" $ \tempAbsBasePath' -> H.runWithDefaultWatchdog_ $ do
+  conf@Conf { tempAbsPath } <- mkConf tempAbsBasePath'
+  let tempAbsPath' = unTmpAbsPath tempAbsPath
+      tempBaseAbsPath = makeTmpBaseAbsPath tempAbsPath
+
+  work <- H.createDirectoryIfMissing $ tempAbsPath' </> "work"
+
+  let ceo = ConwayEraOnwardsConway
+      sbe = convert ceo
+      eraName = eraToString sbe
+      fastTestnetOptions = def { cardanoNodeEra = AnyShelleyBasedEra sbe }
+      shelleyOptions = def { genesisEpochLength = 100 }
+
+  TestnetRuntime
+    { testnetMagic
+    , testnetNodes
+    , wallets = wallet0:_
+    , configurationFile
+    }
+    <- createAndRunTestnet fastTestnetOptions shelleyOptions conf
+
+  node <- H.headM testnetNodes
+  poolSprocket1 <- H.noteShow $ nodeSprocket node
+  execConfig <- mkExecConfig tempBaseAbsPath poolSprocket1 testnetMagic
+  let socketPath = nodeSocketPath node
+
+  epochStateView <- getEpochStateView configurationFile socketPath
+
+  let delegatorStakeVKeyFp = tempAbsPath' </> "stake-delegators" </> "delegator1" </> "staking.vkey"
+
+  delegatorStakeAddress <- filter (/= '\n') <$>
+    execCli
+      [ "latest", "stake-address", "build"
+      , "--stake-verification-key-file", delegatorStakeVKeyFp
+      , "--testnet-magic", show @Int testnetMagic
+      ]
+  H.note_ $ "Delegator stake address: " <> delegatorStakeAddress
+
+  (txinForWithdrawal, TxOut _ txinValue _ _) <- H.nothingFailM $
+    findLargestUtxoWithAddress epochStateView sbe $ paymentKeyInfoAddr wallet0
+  let L.Coin inputLovelace = txOutValueToLovelace txinValue
+  H.note_ $ "Input UTxO: " <> show txinForWithdrawal <> " = " <> show inputLovelace <> " lovelace"
+
+  let withdrawalLovelace = inputLovelace * 2
+      outputLovelace     = withdrawalLovelace
+
+  let withdrawalTxBodyFp = work </> "withdrawal.txbody"
+
+  (exitCode, _stdout, stderr) <- execCliAny execConfig
+    [ eraName, "transaction", "build"
+    , "--change-address", Text.unpack $ paymentKeyInfoAddr wallet0
+    , "--tx-in", Text.unpack $ renderTxIn txinForWithdrawal
+    , "--tx-out", Text.unpack (paymentKeyInfoAddr wallet0) <> "+" <> show outputLovelace
+    , "--withdrawal", delegatorStakeAddress <> "+" <> show withdrawalLovelace
+    , "--witness-override", show @Int 2
+    , "--out-file", withdrawalTxBodyFp
+    ]
+  H.note_ stderr
+
+  exitCode H.=== ExitSuccess
+
+  -- Verify the transaction body was written and can be read back
+  void $ H.readFile withdrawalTxBodyFp
+
+-- | Plutus-script-witnessed withdrawal variant of 'hprop_tx_withdrawal_reward'.
+-- A Plutus V3 always-succeeds script acts as the stake credential, exercising
+-- the script-witness branch of the auto-balancer. Same balance arithmetic
+-- (output exceeds input, withdrawal covers the difference), and the
+-- withdrawal amount is likewise fictional.
+--
+-- Execute me with:
+-- @DISABLE_RETRIES=1 cabal test cardano-testnet-test --test-options '-p "/transaction build with plutus withdrawal/"'@
+hprop_tx_withdrawal_reward_plutus_v3 :: Property
+hprop_tx_withdrawal_reward_plutus_v3 = integrationRetryWorkspace 2 "tx-withdrawal-reward-plutus-v3" $ \tempAbsBasePath' -> H.runWithDefaultWatchdog_ $ do
+  conf@Conf { tempAbsPath } <- mkConf tempAbsBasePath'
+  let tempAbsPath' = unTmpAbsPath tempAbsPath
+      tempBaseAbsPath = makeTmpBaseAbsPath tempAbsPath
+
+  work <- H.createDirectoryIfMissing $ tempAbsPath' </> "work"
+
+  let ceo = ConwayEraOnwardsConway
+      sbe = convert ceo
+      eraName = eraToString sbe
+      fastTestnetOptions = def { cardanoNodeEra = AnyShelleyBasedEra sbe }
+      shelleyOptions = def { genesisEpochLength = 100 }
+
+  TestnetRuntime
+    { testnetMagic
+    , testnetNodes
+    , wallets = wallet0:wallet1:_
+    , configurationFile
+    }
+    <- createAndRunTestnet fastTestnetOptions shelleyOptions conf
+
+  node <- H.headM testnetNodes
+  poolSprocket1 <- H.noteShow $ nodeSprocket node
+  execConfig <- mkExecConfig tempBaseAbsPath poolSprocket1 testnetMagic
+  let socketPath = nodeSocketPath node
+
+  epochStateView <- getEpochStateView configurationFile socketPath
+
+  -- Write the always-succeeds Plutus V3 script used as stake credential
+  plutusScriptFp <- H.note $ work </> "always-succeeds.plutusV3"
+  H.writeFile plutusScriptFp $ Text.unpack plutusV3Script
+
+  -- Build the bech32 stake address for the script credential
+  scriptStakeAddr <- filter (/= '\n') <$> execCli
+    [ eraName, "stake-address", "build"
+    , "--stake-script-file", plutusScriptFp
+    , "--testnet-magic", show @Int testnetMagic
+    ]
+  H.note_ $ "Script stake address: " <> scriptStakeAddr
+
+  (txinForWithdrawal, TxOut _ txinValue _ _) <- H.nothingFailM $
+    findLargestUtxoWithAddress epochStateView sbe $ paymentKeyInfoAddr wallet0
+  let L.Coin inputLovelace = txOutValueToLovelace txinValue
+  H.note_ $ "Input UTxO: " <> show txinForWithdrawal <> " = " <> show inputLovelace <> " lovelace"
+
+  -- Plutus scripts require collateral
+  txinCollateral <- findLargestUtxoForPaymentKey epochStateView sbe wallet1
+
+  let withdrawalLovelace = inputLovelace * 2
+      outputLovelace     = withdrawalLovelace
+
+  let withdrawalTxBodyFp = work </> "withdrawal.txbody"
+
+  (exitCode, _stdout, stderr) <- execCliAny execConfig
+    [ eraName, "transaction", "build"
+    , "--change-address", Text.unpack $ paymentKeyInfoAddr wallet0
+    , "--tx-in-collateral", Text.unpack $ renderTxIn txinCollateral
+    , "--tx-in", Text.unpack $ renderTxIn txinForWithdrawal
+    , "--tx-out", Text.unpack (paymentKeyInfoAddr wallet0) <> "+" <> show outputLovelace
+    , "--withdrawal", scriptStakeAddr <> "+" <> show withdrawalLovelace
+    , "--withdrawal-script-file", plutusScriptFp
+    , "--withdrawal-redeemer-value", "0"
+    , "--witness-override", show @Int 2
+    , "--out-file", withdrawalTxBodyFp
+    ]
+  H.note_ stderr
+
+  exitCode H.=== ExitSuccess
+
+  -- Verify the transaction body was written and can be read back
+  void $ H.readFile withdrawalTxBodyFp
@@ -9,12 +9,17 @@ import qualified Cardano.Testnet.Test.Api.TxReferenceInputDatum
 import qualified Cardano.Testnet.Test.Cli.KesPeriodInfo
 import qualified Cardano.Testnet.Test.Cli.Plutus.BuildRaw
 import qualified Cardano.Testnet.Test.Cli.Plutus.CostCalculation
+import qualified Cardano.Testnet.Test.Cli.Plutus.MultiAssetReturnCollateral
 import qualified Cardano.Testnet.Test.Cli.Plutus.Scripts
 import qualified Cardano.Testnet.Test.Cli.Query
 import qualified Cardano.Testnet.Test.Cli.QuerySlotNumber
+import qualified Cardano.Testnet.Test.Cli.Scripts.Simple.CostCalculation
+import qualified Cardano.Testnet.Test.Cli.Scripts.Simple.Mint
 import qualified Cardano.Testnet.Test.Cli.StakeSnapshot
 import qualified Cardano.Testnet.Test.Cli.Transaction
+import qualified Cardano.Testnet.Test.Cli.Transaction.BuildEstimate
 import qualified Cardano.Testnet.Test.Cli.Transaction.RegisterDeregisterStakeAddress
+import qualified Cardano.Testnet.Test.Cli.Transaction.WithdrawalReward
 import qualified Cardano.Testnet.Test.DumpConfig
 import qualified Cardano.Testnet.Test.FoldEpochState
 import qualified Cardano.Testnet.Test.Gov.CommitteeAddNew as Gov
@@ -23,7 +28,6 @@ import qualified Cardano.Testnet.Test.Gov.DRepRetirement as Gov
 import qualified Cardano.Testnet.Test.Gov.GovActionTimeout as Gov
 import qualified Cardano.Testnet.Test.Gov.InfoAction as LedgerEvents
 import qualified Cardano.Testnet.Test.Gov.PParamChangeFailsSPO as Gov
-import  qualified Cardano.Testnet.Test.Cli.Scripts.Simple.Mint
 import qualified Cardano.Testnet.Test.Gov.ProposeNewConstitution as Gov
 import qualified Cardano.Testnet.Test.Gov.Transaction.HashMismatch as WrongHash
 import qualified Cardano.Testnet.Test.Gov.TreasuryDonation as Gov
@@ -37,9 +41,6 @@ import qualified Cardano.Testnet.Test.SanityCheck
 import qualified Cardano.Testnet.Test.SanityCheck as LedgerEvents
 import qualified Cardano.Testnet.Test.SubmitApi.Transaction
 import qualified Cardano.Testnet.Test.UpdateTimeStamps
-import qualified Cardano.Testnet.Test.Cli.Scripts.Simple.CostCalculation
-import qualified Cardano.Testnet.Test.Cli.Transaction.BuildEstimate
-import qualified Cardano.Testnet.Test.Cli.Plutus.MultiAssetReturnCollateral 
 
 import           Prelude
 
@@ -89,7 +90,7 @@ tests = do
             , T.testGroup "Simple Script"
                 [ ignoreOnWindows "Simple Script Mint" Cardano.Testnet.Test.Cli.Scripts.Simple.Mint.hprop_simple_script_mint
                 , ignoreOnWindows "Simple Reference Script Mint" Cardano.Testnet.Test.Cli.Scripts.Simple.CostCalculation.hprop_ref_simple_script_mint
-                
+
                 ]
             , T.testGroup "Plutus"
                 [ ignoreOnWindows "PlutusV3 purposes" Cardano.Testnet.Test.Cli.Plutus.Scripts.hprop_plutus_purposes_v3
@@ -115,6 +116,8 @@ tests = do
           , ignoreOnWindows "simple transaction build" Cardano.Testnet.Test.Cli.Transaction.hprop_transaction
           , ignoreOnWindows "Transaction Build Estimate" Cardano.Testnet.Test.Cli.Transaction.BuildEstimate.hprop_tx_build_estimate
           , ignoreOnWindows "register deregister stake address in transaction build"  Cardano.Testnet.Test.Cli.Transaction.RegisterDeregisterStakeAddress.hprop_tx_register_deregister_stake_address
+          , ignoreOnWindows "transaction build with withdrawal" Cardano.Testnet.Test.Cli.Transaction.WithdrawalReward.hprop_tx_withdrawal_reward
+          , ignoreOnWindows "transaction build with plutus withdrawal" Cardano.Testnet.Test.Cli.Transaction.WithdrawalReward.hprop_tx_withdrawal_reward_plutus_v3
           -- FIXME
           -- , ignoreOnMacAndWindows "leadership-schedule" Cardano.Testnet.Test.Cli.LeadershipSchedule.hprop_leadershipSchedule
 
 
@@ -0,0 +1,10 @@
+[
+    {
+        "executionUnits": {
+            "memory": 500,
+            "steps": 64100
+        },
+        "lovelaceCost": 34,
+        "scriptHash": "186e32faa80a26810392fda6d559c7ed4721a65ce1c9d4ef3e1c87b4"
+    }
+]
@@ -0,0 +1 @@
+[]