Register origin #174
Register origin #174
Conversation
|
Are we trying to avoid an SDK release? or a runtime release? or be fully decoupled from both? |
| @@ -55,6 +56,7 @@ pub type SnowbridgeExporter = EthereumBlobExporter< | |||
| // Ethereum Bridge | |||
| parameter_types! { | |||
| pub storage EthereumGatewayAddress: H160 = H160(hex_literal::hex!("EDa338E4dC46038493b885327842fD3E301CaB39")); | |||
| pub storage EnableRegisterToken: bool = false; | |||
There was a problem hiding this comment.
Set this flag to be true through System::set_storage when code has been audited.
Yeah, try to be fully decoupled from both. Mentioned in #174 (comment) |
|
I'm not convinced the added complexity is worth it. Changing storage still requires root/whitelisted referenda. It's also frowned upon in OpenGov any time we're "arbitrarily" changing storage using Root. You could create an But I would still not do it, more code to maintain for little to no added benefit. Still need root referenda. At least with runtime upgrade we could batch more things in same upgrade referenda. |
I would assume it's much easier to do a |
That's a good point. @acatangiu Does that mean you're fine with the current impl the sudo call and we make a runtime upgrade to make it permissionless after audited? |
yes, that will be good |
| @@ -134,6 +135,28 @@ where | |||
| No, | |||
| } | |||
|
|
|||
| pub struct EnsureOriginWithControlFlag<T, F, A>(core::marker::PhantomData<(T, F, A)>); | |||
There was a problem hiding this comment.
not sure we need this somewhat complicated struct..
Instead of switching the boolean generic param on this struct, we can start with simple EnsureRoot struct, then after audit switch (in runtime config) to simple EnsureSigned struct.
| @@ -188,6 +190,8 @@ impl snowbridge_pallet_system::Config for Runtime { | |||
| type Helper = (); | |||
| type DefaultPricingParameters = Parameters; | |||
| type InboundDeliveryCost = EthereumInboundQueue; | |||
| type RegisterTokenOrigin = | |||
| EnsureOriginWithControlFlag<Runtime, EnableRegisterToken, TreasuryAccount>; | |||
There was a problem hiding this comment.
does TreasuryAccount even have any funds on BridgeHub?
better to just make the tx free for Root rather than try to pay from Treasury account on BH
| @@ -175,6 +198,8 @@ pub mod pallet { | |||
|
|
|||
| #[cfg(feature = "runtime-benchmarks")] | |||
| type Helper: BenchmarkHelper<Self::RuntimeOrigin>; | |||
|
|
|||
| type RegisterTokenOrigin: EnsureOrigin<Self::RuntimeOrigin, Success = AccountIdOf<Self>>; | |||
There was a problem hiding this comment.
maybe
| type RegisterTokenOrigin: EnsureOrigin<Self::RuntimeOrigin, Success = AccountIdOf<Self>>; | |
| type RegisterTokenOrigin: EnsureOrigin<Self::RuntimeOrigin, Success = Self::RuntimeOrigin>; |
then you could:
let pays_fee = match origin {
RawOrigin::Root => PaysFee::<T>::No,
RawOrigin::Signed(who) => PaysFee::<T>::Yes(who),
and avoid having to use special account for Root case
| @@ -617,12 +642,12 @@ pub mod pallet { | |||
| location: Box<VersionedLocation>, | |||
| metadata: AssetMetadata, | |||
| ) -> DispatchResult { | |||
| ensure_root(origin)?; | |||
| let who = T::RegisterTokenOrigin::ensure_origin(origin)?; | |||
There was a problem hiding this comment.
I've realized that if we make token registration permissionless, the origin should be an XCM location (i.e Transact.OriginKind = Xcm), and we should verify that the origin location is an immediate parent of the token location.
Otherwise any random user can register a token with incorrect or misleading metadata.
For example if the token location is /Para(2048)/PalletInstance(7)/GeneralIndex(1), then the only origin location allowed to register it is /Para(2048)/PalletInstance(7).
There was a problem hiding this comment.
How would you register a token like KILT?
- By sending an XCM directly from KILT parachain? That would require they setup an HRMP channel with bridge hub just for registration and they have an extrinsic/governance to send_xcm directly from the KILT origin.
- Impersonating KILT using governance from the relaychain.
I think we should just stick to root for now as all options require governance and we can change the registration model later.
There was a problem hiding this comment.
Yeah good point - another idea I had was to move the registration extrinsic to AH which of course can read the asset metadata directly from storage.
There was a problem hiding this comment.
but for now, yes, we should stick with root
This reverts commit c699503.
alistair-singh
force-pushed
the
polkadot-native-assets-custom-origin
branch
from
3f0c982
to
dfa5f83
Compare
There was a problem hiding this comment.
Needs substantial changes due to the vulnerability in #174 (comment)
You can make it very simple for now, just have simple |
No description provided.