Context
LibFlow.flowERC1155 (src/lib/LibFlow.sol:122-130) passes empty "" as the data argument to every safeTransferFrom call. The original code carried a // @todo data support marker that has been split out from #305 so each TODO can be evaluated on its own.
IERC1155(transfer.token).safeTransferFrom(transfer.from, transfer.to, transfer.id, transfer.amount, "");
Question
Should ERC1155 transfers in a flow be able to carry caller-supplied data to the receiver's onERC1155Received hook?
EIP-1155 receivers must handle empty data per spec, so the current behaviour is compliant. Tradeoffs:
- For: receivers occasionally need transfer-specific context (e.g. an identifier the receiver uses to credit a position). Without
data support, integrators must encode the context out-of-band (separate call, signed message, off-chain index).
- Against: the
data field is an attacker-controlled blob from the caller's perspective — receivers that branch on data content open a DoS / griefing surface. Adding it requires the ERC1155Transfer struct to grow a bytes data field, which is a breaking ABI change for FlowTransferV1.
Decision needed
Either:
- Add
data support in a future flow-interface revision (Vnext, breaking) — design a FlowTransferV2 with bytes data, document receiver expectations, and add tests.
- Pin empty
data as final FlowV5 behaviour — close this issue with a NatSpec note in flowERC1155.
Not a correctness defect under FlowV5; deferred design question.
Context
LibFlow.flowERC1155(src/lib/LibFlow.sol:122-130) passes empty""as thedataargument to everysafeTransferFromcall. The original code carried a// @todo data supportmarker that has been split out from #305 so each TODO can be evaluated on its own.Question
Should ERC1155 transfers in a flow be able to carry caller-supplied
datato the receiver'sonERC1155Receivedhook?EIP-1155 receivers must handle empty
dataper spec, so the current behaviour is compliant. Tradeoffs:datasupport, integrators must encode the context out-of-band (separate call, signed message, off-chain index).datafield is an attacker-controlled blob from the caller's perspective — receivers that branch ondatacontent open a DoS / griefing surface. Adding it requires theERC1155Transferstruct to grow abytes datafield, which is a breaking ABI change forFlowTransferV1.Decision needed
Either:
datasupport in a future flow-interface revision (Vnext, breaking) — design aFlowTransferV2withbytes data, document receiver expectations, and add tests.dataas final FlowV5 behaviour — close this issue with a NatSpec note inflowERC1155.Not a correctness defect under FlowV5; deferred design question.