Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: account balance logic #418

Merged
merged 1 commit into from
Jan 7, 2025
Merged

fix: account balance logic #418

merged 1 commit into from
Jan 7, 2025

Conversation

chungquantin
Copy link
Collaborator

Refactor the logic to pick the deposit_account in the transfer method. When transferring the collection item, destination account is no longer responsible for reserving deposits to create its storage record. Based on what @peterwht raised in the upstream PR, there are vulnerabilities and user experience issues identified.

  • Issue with current design: Destination accounts are not aware of the reserved deposits associated with collection items when they are transferred. This opens the door for a malicious actor to potentially create a collection and then bulk-transfer items to various on-chain accounts.

  • Proposed solution: Reserving the deposit from the item owner directly makes more sense from both a user experience and chain security perspective. By doing so, the deposit is linked to the owner, reducing the risk of exploit.

  • Drawbacks of the approach: This method, however, is not without its complexities. For example, it may seem illogical for one account to reserve a deposit on behalf of another. But we see a similar pattern in the original pallet-nfts implementation of do_mint(), where the reserved deposit for an item is not transferred to the new item owner during minting. This behavior is already accepted, albeit imperfect.

There are room for improvements with repatriations. However, from my point of view, this is not critical and we can add that in the future!

@codecov-commenter
Copy link

Codecov Report

Attention: Patch coverage is 94.44444% with 1 line in your changes missing coverage. Please review.

Project coverage is 71.15%. Comparing base (c5fd9e3) to head (9fe7d12).

Files with missing lines Patch % Lines
pallets/nfts/src/impl_nonfungibles.rs 0.00% 1 Missing ⚠️ 
@@                      Coverage Diff                       @@
##           frank/nfts-balance-deposit     #418      +/-   ##
==============================================================
- Coverage                       71.15%   71.15%   -0.01%     
==============================================================
  Files                              72       72              
  Lines                           13449    13447       -2     
  Branches                        13449    13447       -2     
==============================================================
- Hits                             9570     9568       -2     
  Misses                           3604     3604              
  Partials                          275      275
Files with missing lines Coverage Δ
pallets/nfts/src/features/atomic_swap.rs 90.78% <100.00%> (ø)
pallets/nfts/src/features/buy_sell.rs 90.69% <100.00%> (ø)
pallets/nfts/src/features/transfer.rs 83.33% <100.00%> (-0.24%) ⬇️
pallets/nfts/src/lib.rs 71.51% <100.00%> (ø)
pallets/nfts/src/tests.rs 99.91% <100.00%> (ø)
pallets/nfts/src/impl_nonfungibles.rs 22.38% <0.00%> (ø)

@Daanvdplas Daanvdplas merged commit af0b71e into frank/nfts-balance-deposit Jan 7, 2025
13 checks passed
@Daanvdplas Daanvdplas deleted the chungquantin/fix-account_balance_logic branch January 7, 2025 08:41
@chungquantin chungquantin mentioned this pull request Jan 7, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@chungquantin @codecov-commenter @Daanvdplas