@jonjove

This looks good. I left a few very minor comments on one of the tests. But I also had some thoughts while reviewing the PR that aren't necessarily specific to any single line:

• I'm not sure that the defensive programming approach that we took in this PR is the right one. I am of the opinion that, starting from protocol 10 (or maybe 13) we should throw if we reach addBalance, addBuyingLiabilities, etc with !isAuthorizedToMaintainLiabilities. I think this is the correct approach because we are already depending on the client code to check that it is correct between isAuthorizedToMaintainLiabilities and isAuthorized. If the client code has permitted those functions to be reached in the case mentioned above, then there is definitely a logic error. We shouldn't carry on processing the transaction if there is definitely a logic error, instead we should return txINTERNAL_ERROR.

I added a commit that throws if we reach those methods starting in protocol 10. I like this approach as the assumptions made are clear and enforced.

• We added defensive programming checks to getMaxAmountReceive but they are missing from the analogous function getAvailableBalance (which didn't require any changes in this PR).

I added an authorization check in getAvailableBalance. This isn't necessary, but I think it makes sense because there's no reason to retrieve the balance of an unauthorized asset (since nothing can be done with that asset).

• The changes in the first commit were based off of the assumption that we always check authorization before reaching those functions, but that isn't true on the path through releaseLiabilities (see, for example, ManageOfferOpFrameBase.cpp:224 and note that the offer loaded there does not necessarily have the same assets as specified in the operation). Now assuming that everything works correctly, this shouldn't cause any issues because an offer in the ledger should have authorized trust lines. But we took similar precautions at OfferExchange.cpp:1112.

This is an interesting scenario. The authorization shouldn't matter since releaseLiabilities is removing offers. However, if there are unauthorized offers in the ledger, we will throw in addBuyingLiabilities and addSellingLiabilities (with my latest change). Because of the new invariants, I think the check at OfferExchange.cpp:1112 is unnecessary because releaseLiabilities is called on the existing offer at OfferExchange.cpp:1100, which will do the auth check anyways. If you agree, I will remove the check on OfferExchange.cpp:1112.

This is an interesting scenario. The authorization shouldn't matter since releaseLiabilities is removing offers. However, if there are unauthorized offers in the ledger, we will throw in addBuyingLiabilities and addSellingLiabilities (with my latest change). Because of the new invariants, I think the check at OfferExchange.cpp:1112 is unnecessary because releaseLiabilities is called on the existing offer at OfferExchange.cpp:1100, which will do the auth check anyways. If you agree, I will remove the check on OfferExchange.cpp:1112.

Yes, I agree that the check on OfferExchange.cpp:1112 is unnecessary now. I think it would be worth adding a comment where releaseLiabilitites is used on OfferExchange.cpp:1099 indicating that this is being checked there. Have you checked that everything makes sense at other places where releaseLiabilities is used, such as AllowTrustOpFrame.cpp:135 (there are a few other places too)?

Yeah the other releaseLiabilities calls look good. Related to this - Do you think it makes sense to throw if unauthorized liabilities are being released? Obviously the scenario shouldn't happen, but if it was encountered for some reason, you could make the argument that the offers should still be pulled (and log an error).

r+ 1ca2deb