Allow modules to self declare their module account addresses as blocked #11369

colin-axner opened this issue Mar 14, 2022 · 2 comments

@colin-axner

Summary

Allow modules to decide if their module account addresses should not be allowed to be sent to via the bank keeper, instead of asking chain developers to determine this.

Problem Definition

Many modules use invariants to compare internal tracking of module account balances against the actual balance in the bank keeper. If a send to the module account occurs without going through this module and updating its internal tracking, then invariants may break and unknown behaviour could occur depending on the module implementation.

Currently we protect against this by disallowing bank sends to module accounts by default, but it is possible for chain developers to override this (likely not understanding the consequences).

Proposal

Modules should self declare if it is safe for their module account to be sent to. In the situation where all sends to the module account must go through the module itself, it doesn't make sense to allow chain developers to override this functionality. Self declaration will lower user error.

I'm unaware of where the SDK architecture is heading so I don't have a concrete proposal, but wanted to open for discussion in case someone with more context than me has a nice idea.


For Admin Use

  • Not duplicate issue
  • Appropriate labels applied
  • Appropriate contributors tagged
  • Contributor assigned/self-assigned
@aaronc

aaronc commented Mar 14, 2022

I know I've proposed the solution to this in a number of places, but it's maybe not tracked clearly.

Basically what we're calling a "module account" shouldn't be a real module account but rather some sort of "module escrow" that can't receive anything via a transaction send. A real module account with a publicly accessible address should only be used for something like a group account or cosmwasm contract where sends are intended.

The balances in these "module escrows" should be tracked with internal identifier strings (i.e. the module name + some suffix) rather than addresses in a separate portion of the store from the address-based balances.

This way there's no pathway for MsgSend to ever send them coins because they simply aren't real "accounts".
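
The following is an added example, not part of the thread and not Cosmos SDK code. It is a toy Go model of the problem described in the issue and of the escrow idea in the comment above; the `Bank` type, the `Scenario` function and the `"pool"` name are all hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrBlocked = errors.New("recipient address is blocked")

// Bank is a toy model (an assumption for illustration), not the SDK bank keeper.
type Bank struct {
	balances map[string]int64 // keyed by address; reachable by Send
	escrow   map[string]int64 // keyed by module identifier; has no address
	blocked  map[string]bool  // chain-level blocklist, set by app wiring
}

// Send models a user transaction: it can only touch address-keyed balances.
func (b *Bank) Send(from, to string, amt int64) error {
	if b.blocked[to] {
		return ErrBlocked
	}
	b.balances[from] -= amt
	b.balances[to] += amt
	return nil
}

// Scenario deposits 100 through the module (which updates its internal
// tracking), then has a user Send 5 directly to the module's holding name.
// It reports whether tracked == actual still holds, plus the Send error.
func Scenario(blockModuleAddr, useEscrow bool) (invariantOK bool, err error) {
	const holder = "pool" // constructed name: module address or escrow id
	b := &Bank{
		balances: map[string]int64{"alice": 200},
		escrow:   map[string]int64{},
		blocked:  map[string]bool{holder: blockModuleAddr},
	}
	held := b.balances // design 1: module funds live at an address
	if useEscrow {
		held = b.escrow // design 2: funds live in a separate store portion
	}
	b.balances["alice"] -= 100 // module-mediated deposit
	held[holder] += 100
	tracked := int64(100)
	err = b.Send("alice", holder, 5) // direct send, bypassing the module
	return tracked == held[holder], err
}

func main() {
	fmt.Println(Scenario(true, false))  // blocked: send rejected, invariant holds
	fmt.Println(Scenario(false, false)) // blocklist overridden: invariant breaks
	fmt.Println(Scenario(false, true))  // escrow: invariant holds with no blocklist
}
```

In the escrow case the direct send lands in an unrelated address-keyed entry, so the module's tracked balance stays correct whatever the chain's blocklist contains.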

@tac0turtle

This is part of the work within the wuth working group, let me know if you'd like to join @colin-axner
