Restrict PTBs that use Random #16077
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
benr-ml
changed the title
benr-ml
changed the title
There was a problem hiding this comment.
I suppose we could do these checks at signing, but it would be the first such check (though maybe we check for mut clock usage at signing? so its kind of similar)
If we keep this check at signing (which I'm fine with I suppose), thoughts on adding an invariant violation (or something similar) to the execution layer?
Not sure I follow - Why do you consider this as "checks at signing"? Anyhow, I can move it to |
Handle transaction is called during signing (and then again during certificate execution), so we will not sign a transaction that uses randomness incorrectly. Which is kind of neat since we can do it quickly. My point was I was initially expecting these rules to be "type system"-like rules, all of which for PTBs are done dynamically during execution, see https://github.com/MystenLabs/sui/blob/main/sui-execution/latest/sui-adapter/src/programmable_transactions/execution.rs |
|
Adding some other folks who might also have opinions about where these checks go |
Pretty sure we check for mut clock usage at signing as well. Given that this is easy to check at signing I see no reason not to, but if it makes more sense to keep all the PTB checks in one place and do them at execution only, I'm okay with that as well. |
IIRC for clock, we go a step further and make sure you cannot publish code that takes an @benr-ml, I think since we do that for clock, it makes sense for this to also be a static rule. |
benr-ml
force-pushed
the
ben/restrict_tx
branch
from
e23749d
to
78fb5f1
Compare
benr-ml
force-pushed
the
ben/restrict_tx
branch
from
78fb5f1
to
8bc11d5
Compare
benr-ml
force-pushed
the
ben/restrict_tx
branch
from
eb54fe9
to
e2e5428
Compare
benr-ml
force-pushed
the
ben/restrict_tx
branch
from
907390f
to
be223af
Compare
## Description PTBs can only have `TransferObjects` or `MergeCoins` following a command that uses `Random`, enforced by validators when receiving a signed transaction. ## Test Plan New transactional tests --- If your changes are not user-facing and do not break anything, you can skip the following section. Otherwise, please briefly describe what has changed under the Release Notes section. ### Type of Change (Check all that apply) - [x] protocol change - [ ] user-visible impact - [ ] breaking change for a client SDKs - [ ] breaking change for FNs (FN binary must upgrade) - [x] breaking change for validators or node operators (must upgrade binaries) - [ ] breaking change for on-chain data layout - [ ] necessitate either a data wipe or data migration ### Release notes PTBs can only have `TransferObjects` or `MergeCoins` following a command that uses `Random`, enforced by validators when receiving a signed transaction.
Description
PTBs can only have
TransferObjectsorMergeCoinsfollowing a command that usesRandom.Test Plan
New transactional tests
If your changes are not user-facing and do not break anything, you can skip the following section. Otherwise, please briefly describe what has changed under the Release Notes section.
Type of Change (Check all that apply)
Release notes
Programmable transaction blocks (PTBs) can only have
TransferObjectsorMergeCoinsfollowing a command that usesRandom.