Pallet transfers allowlist

[thea-leake]

Description

This adds a pallet to handle allowlist for transfers.

It allows users to add an allowance for an account, and if allowances present, then checks against the allowance for the sending account/currrency will be limited to the recievers for which allowances are defined, and allow/blocked at block range.

Fixes #1144

Changes and Descriptions

Adds Transfer Allowlist pallet

Allowlist pallet, and tests added.

Type of change

• [ x] New feature (non-breaking change which adds functionality)

How Has This Been Tested?

• Pallet unit tests with externalities provided mock env

Checklist:

• [x ] I have added Rust doc comments to structs, enums, traits and functions
• [x ] I have made corresponding changes to the documentation
• [ x] I have performed a self-review of my code
• [ x] My changes generate no new warnings
• [ x] I have added tests that prove my fix is effective or that my feature works
• [x ] New and existing unit tests pass locally with my changes
• [ x] I rebased on the latest main branch

[mustermeiszer]

Looks already neat!

[lemunozm]

Very neat @thea-leake and very good coverage!

I left a lot of comments, but most of them are minor suggestions & questions. Good job!

[lemunozm]

@mustermeiszer @mikiquantum should we use pallet-fees here?

[mikiquantum]

Pallet fees do not support reserve/unreserve, afaik, only one way transfer/burn/etc

[lemunozm]

But should T::Deposit::get() come from a key? At least we do so for Anchors::pre_commit().

Maybe reserve/unreserve actions need to be added to pallet-fees. 🤔

[mikiquantum]

Ah yes @lemunozm I would definitely define a key in the pallet fees and read the amount from it, that even if for now we do not support the reserve/unreserve logic yet there. That way the UIs can know up front operational costs.
@thea-leake ^^

[thea-leake]

WIP updating pallet to use fees/feekey. I've got the pallet set up for using fees pallet(config, mocks etc), and additional fee key added. Switching out deposit/reserve logic to use feekey in progress.

[thea-leake]

👍 Pallet is switched over to use fee key & getting fee val with fees pallet. Also have mock set up to set key val for allowance creation with fees pallet to ensure fees pulled w/ correct key -- FeeKey used in pallet itself is still loosely coupled in allowance pallet.

[lemunozm]

I left a comment regarding the mock part @thea-leake.

Regarding reserve()/unreserve(), @mikiquantum I've created an issue to add them to pallet-fees: #1282

[mikiquantum]

Just trying to be curious. 😄 From my limited understanding, it looks good.

[mikiquantum]

Suggested change

	/// Etherium address, for cases where we would have a standalone Eth address
	/// Ethereum address, for cases where we would have a standalone Eth address

[thea-leake]

👍 fixed

[mikiquantum]

Suggested change

	// using hash here as mulitlocation is significantly larger than any other enum type here
	// using hash here as multilocation is significantly larger than any other enum type here

[branan]

I, for one, am in favor of having a MulletLocation 😆

[thea-leake]

👍 fixed

[mikiquantum]

Suggested change

	// using hash here as mulitlocation is significantly larger than any other enum type here
	// using hash here as multilocation is significantly larger than any other enum type here

[thea-leake]

👍 fixed

[mikiquantum]

Suggested change

	#[pallet::getter(fn sender_currency_reciever_allowance)]
	#[pallet::getter(fn sender_currency_receiver_allowance)]

[thea-leake]

👍 fixed, also changed to match storage.

[mikiquantum]

Suggested change

	/// Storage item for allowances specified for a sending account, currency type and recieving location
	/// Storage item for allowances specified for a sending account, currency type and receiving location

[thea-leake]

👍 fixed

[mikiquantum]

In which scenario would this branch be possible?

[lemunozm]

I just had a comment in the same line. This case doesn't belong to the model and can never happen.

[thea-leake]

I've combined the storage items for delay and count as per @mikiquantum's suggestion, which has removed that case as a possibility with the types so that branch is no longer there. :)
(was not possible to reach before, however types would have accommodated that branch)

[mikiquantum]

Wouldnt be possible to merge this storage with AccountCurrencyDelay and have a tuple value (u64, BlockNumber). There should be an storage reduction based on the storage prefix+key.

[thea-leake]

👍 Merged storage items

[lemunozm]

I had a very clean review feedback, thanks for all your detailed answer to my question/suggestions @thea-leake

[NunoAlexandre]

FYI We usually place these type aliases at the top, before pub trait Config: frame_system::Config {

[thea-leake]

👍 fixed

[NunoAlexandre]

We should make this actually implement the Default trait

[thea-leake]

👍 fixed

[NunoAlexandre]

From the /// comment, I guess this means that this allowance already exists? If so, let's make it consistent with similar error names:

Suggested change

	ConflictingAllowanceSet,
	DuplicateAllowance,

[thea-leake]

👍 fixed

[NunoAlexandre]

Can you expand on this error doc?

[thea-leake]

👍 expanded

[NunoAlexandre]

I think this would be a bit easier to read with a .map().unwrap_or() pattern. Up to you 👍

[thea-leake]

With the merging of the delay and count storage items, there's another option to check/destructure, so I've kept the match, but I agree with how it was before .map().unwrap_or() would be clearer. :)

[lemunozm]

You do not need to add pallet-fees/pallet-treasury/pallet-authorship to test this. You can do it much more manageably with the mock in libs/mocks/src/fees.rs

[thea-leake]

Ah ok, thanks! Yeah that would be a lot more convenient :) I wanted to verify the reserve/unreserve amounts, and verify the pallet was using the FeeKey correctly and ensure that the reserve/unreserve logic was all being handled correctly in here.

[lemunozm]

I imagine that 👍🏻. Please, if in the process you feel like something in the mock should be changed/improved, share it!

[mustermeiszer]

This looks really, really good, clean and nice!

But if I understood the code correctly we have 3 logical problems that must be addressed (if I got it right)

• add_or_update_allowance_delay MUST only be active after the previously set delay has passed
• remove_allowance_delay MUST only be active after the previously set delay has passed
• purge_transfer_allowance MUST only be possible of the blocked_at has already passed!

Otherwise, the protection this pallet provides only serves for honest but wrongly inputed receiving addresses. Not for protecting against malicious users who got access to a key.

If the first is enough for us, then we can remove the concept of a delay.

cc: @offerijns for clarification if protection is needed.

[mustermeiszer]

Can we hide this behind a feature flag? and maybe have a fixed codec index of 255 in order to net mess up tests that rely on decoding?

[thea-leake]

👍 I've currently got it set to the codec index of 255, and set to only std so as to not be compiled for Wasm. Though if we want to feature gate it a different way I'm ok with that too :).

[mustermeiszer]

Can we use enum ArithmeticError here instead. It impls Into<DIspatchError>.

[thea-leake]

👍 using ArithmeticErrorwith ensure ops :)

[mustermeiszer]

This should ONLY be possible of the blocked_at has already passed!

[thea-leake]

👍 updated to ensure blocked_at has already passed.

[mustermeiszer]

Suggested change

	let (count, _) =
	Self::get_account_currency_restriction_count_delay(&account_id, &currency_id)
	.unwrap_or((0, Some(0u32.into())));
	<AccountCurrencyTransferCountDelay<T>>::insert(
	&account_id,
	&currency_id,
	(count, Some(delay)),
	let (count, delay) =
	Self::get_account_currency_restriction_count_delay(&account_id, &currency_id)
	.unwrap_or((0, Some(delay)));
	<AccountCurrencyTransferCountDelay<T>>::insert(
	&account_id,
	&currency_id,
	(count, Some(delay)),

[mustermeiszer]

Well, not sure if actually advantage ^^

[mustermeiszer]

The problem here is that

• attacker can set delay to zero
• add arbitrary off-board address
• send tokens

all in one block and batch.

[mustermeiszer]

Same goes as above.

[mustermeiszer]

Suggested change

	#[pallet::storage]
	#[pallet::getter(fn get_account_currency_restriction_count_delay)]
	pub type AccountCurrencyTransferCountDelay<T: Config> = StorageDoubleMap<
	_,
	Twox64Concat,
	T::AccountId,
	Twox64Concat,
	T::CurrencyId,
	(u64, Option<T::BlockNumber>),
	OptionQuery,
	>;
	struct Delay<BlockNumber> {
	current: BlockNumber,
	valid_until: Option<BlockNumber>,
	}
	#[pallet::storage]
	#[pallet::getter(fn get_account_currency_restriction_count_delay)]
	pub type AccountCurrencyTransferCountDelay<T: Config> = StorageDoubleMap<
	_,
	Twox64Concat,
	T::AccountId,
	Twox64Concat,
	T::CurrencyId,
	(u64, Option<Delay<T::BlockNumber>>),
	OptionQuery,
	>;

[mustermeiszer]

Maybe we use this, and have the following extrinsics

• add_delay

  • if AccountCurrencyTransferCountDelay is (count, None) → simply add new delay of kind Delay {current: delay, next: None}

• update_delay

  • if AccountCurrencyTransferCountDelay is (count, Some(delay) → only add if the delay.valid_until has passed

• purge_delay → is possible to remove storage if count is zero and valid_until has passed

• rm_delay → only works

  • if AccountCurrencyTransferCountDelay is (count, Some(delay) → and valid_until is None and then sets valid_until as now + delay.current

[thea-leake]

Currently have the pallet updated to use new delay and allow delay purge or modification after current delay has passed--with a set future modifiable extrinsic exposed with the functionality of rm_delay. Looking into refactoring the storage at the moment to clean up the readability of the matching/destructuring (due to the nested options etc).

[lemunozm]

I would go with mock fees to simplify this before merging it 🤓

All this could be simplified to:

impl pallet_mock_fees::Config for Runtime {
	type Balance = Balance;
	type FeeKey = u8;
}

You can check pallet-anchors or pallet-nft as an example of how to use it in the tests

[thea-leake]

Yeah having the mocks would definitely be cleaner, I think it would be best to switch to the mocks after benchmarking is done so that the weight/time from those dependencies are taken into account (though in this case it shouldn't really affect the benchmarks much if at all), then switch to use the mocks so the tests aren't coupled with the other pallet dependencies/changes.

[lemunozm]

I think it would be best to switch to the mocks after benchmarking is done so that the weight/time from those dependencies are taken into account

Mocks will run only under test. The real benchmarks that generates the weights will run without test and will use the correct implementations coming from the runtime. So there is no issue with benchmark times using trait mocks.

Anyway, no hurry!

[mustermeiszer]

If clauses are checking the wrong way for times. Otherwise changes look good!

[mustermeiszer]

No requirement. But might be good to get started with using this always.

Suggested change

	#[pallet::pallet]
	#[pallet::generate_store(pub(super) trait Store)]
	pub struct Pallet<T>(_);
	/// The current storage version.
	const STORAGE_VERSION: StorageVersion = StorageVersion::new(0);
	#[pallet::pallet]
	#[pallet::generate_store(pub(super) trait Store)]
	#[pallet::storage_version(STORAGE_VERSION)]
	pub struct Pallet<T>(_);

[mustermeiszer]

Suggested change

	/// Updates an allowance delay, only callable is the delay has been set to allow future modifications and
	/// Updates an allowance delay, only callable if the delay has been set to allow future modifications and

[mustermeiszer]

Must be

if current_block < modifiable_at

[mustermeiszer]

Change as talked about (see slack for requirements)

[mustermeiszer]

Must be

if current_block < modifiable_at

[mustermeiszer]

That looks really nice! Thanks for closing so quickly. I would say lets merge it.

[mustermeiszer]

Re-approve