fix(core): reject receiving objects owned by AA accounts #9869
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… that checks what happens if the gas coin is locked by validators in TX1 and then TX2 is sequenced by consensus before TX1.
|
The latest updates on your projects. Learn more about Vercel for GitHub. 6 Skipped Deployments
|
iota-ci
added
sc-platform
3 tasks
miker83z
force-pushed
the
vm-lang/aa-auth/9862-remove-receive-aa-accounts
branch
from
bf4bf69 to
abad653
Compare
muXxer
approved these changes
Jan 20, 2026
Dkwcs
reviewed
Jan 20, 2026
Dkwcs
reviewed
Jan 21, 2026
alexsporn
reviewed
Jan 21, 2026
miker83z
force-pushed
the
vm-lang/aa-auth/9862-remove-receive-aa-accounts
branch
from
c891ab4 to
9277a76
Compare
piotrm50
approved these changes
Jan 22, 2026
This reverts commit 49a5f4e.
miker83z
changed the title
miker83z
changed the base branch from
vm-lang/aa-auth/9371-Test-the-receiving-gas-coin-in-two-separate-TXs
to
vm-lang/aa-auth/8805-beta-feature-branch
alexsporn
approved these changes
Jan 26, 2026
…aa-auth/9862-remove-receive-aa-accounts
Dkwcs
reviewed
Jan 26, 2026
| mutated: object(2,0), object(2,2), object(5,0) | ||
| gas summary: computation_cost: 1000000, computation_cost_burned: 1000000, storage_cost: 3351600, storage_rebate: 3351600, non_refundable_storage_fee: 0 | ||
| Error: Transaction Effects Status: Move Runtime Abort. Location: iota::transfer::receive_impl (function index 12) at offset 0, Abort Code: 5 | ||
| Debug of error: MoveAbort(MoveLocation { module: ModuleId { address: iota, name: Identifier("transfer") }, function: 12, instruction: 0, function_name: Some("receive_impl") }, 5) at command Some(0) |
Contributor
There was a problem hiding this comment.
Does this error explain the receiving case enough?
Contributor
Author
There was a problem hiding this comment.
No, but that's the only one we could obtain through a native function I guess.
valeriyr
reviewed
Jan 26, 2026
| cfg.max_auth_gas = Some(250_000_000); | ||
| // Increase the base cost for transfer receive object in devnet, since the | ||
| // implementation now does check if parent is not an account. | ||
| cfg.transfer_receive_object_cost_base = Some(100); |
Contributor
There was a problem hiding this comment.
Just to clarify, how was the new value calculated?
The current cost is 52, dynamic_field_has_child_object_cost_base equals 100.
Should the new value be 52 + 100 = 152?
Member
There was a problem hiding this comment.
the current value of 52 covers the cost of:
- querying the database against an objects id, loading up the child,
- comparing the type of the loaded object to the one expected.
With the receive parent check, we only do essentially 1, as we know that under that key there can only be stored a dynamic field with a certain type, so no need to check. Therefore, the new check only adds an additional database query which makes us think that roughly double the cost is appropriate, hence 100
Member
There was a problem hiding this comment.
@valeriyr we could also do 104 if you deem the heavy lifting is the db query.
Contributor
There was a problem hiding this comment.
I am asking because, as far as I see, we added the same check as can be found here(child_object_exists is the only function that is called here):
It costs
100.
Dkwcs
reviewed
Jan 26, 2026
| transfer_freeze_object_cost_base: 52 | ||
| transfer_share_object_cost_base: 52 | ||
| transfer_receive_object_cost_base: 52 | ||
| transfer_receive_object_cost_base: 100 |
Contributor
There was a problem hiding this comment.
Just would like to know - what is the mechanism for changing those values? (Why 100 not other value, like 152? )
Dkwcs
reviewed
Jan 26, 2026
| const E_UNABLE_TO_RECEIVE_OBJECT: u64 = 3; | ||
| // Represents the case where it is trying to receive an object owned by an | ||
| // account. | ||
| const E_ACCOUNT_CANNOT_RECEIVE_OBJECT: u64 = 5; |
Contributor
There was a problem hiding this comment.
Should it be 4 instead of 5? In order to maintain logical error numbering
Contributor
Author
There was a problem hiding this comment.
Number 4 only appears on the Move side, we should take into consideration that also on the rust side
valeriyr
reviewed
Jan 26, 2026
valeriyr
reviewed
Jan 26, 2026
| /// Uniquely identifies a function in a module | ||
| pub struct FnInfoKey { | ||
| pub fn_name: String, | ||
| pub mod_name: String, |
Contributor
There was a problem hiding this comment.
Why do we need a module name here? Does it mean that FnInfoKey currently doesn't identify a function uniquely?
Do we have a test that shows the issue?
Contributor
Author
There was a problem hiding this comment.
Does it mean that FnInfoKey currently doesn't identify a function uniquely?
Exactly, this is like this also upstream (but it only affects test attributes in that case)
miker83z
merged commit 4091901
into
vm-lang/aa-auth/8805-beta-feature-branch
39 checks passed
miker83z
added a commit
that referenced
this pull request
Jan 26, 2026
# Description of change Based on this scenario -> #9371 Receiving objects could be used to make AA TX certificates invalid, even after these were signed by the majority of validators. This PR makes so that any TX trying to receive an object owned by an AA account (i.e., an object having a `AuthenticatorFunctionRef` dynamic field) would abort execution (a validator could still sign the certificate, but the execution makes sure that the received objects will not be received and won't bump the sequence number). This PR also fixes a small issue related to duplicate function names in a package. ## Links to any relevant issues Closes #9371 Fixes #9862 ## How the change has been tested - [x] Basic tests (linting, compilation, formatting, unit/integration tests) - [x] Patch-specific tests (correctness, functionality coverage) - [x] I have added tests that prove my fix is effective or that my feature works - [x] I have checked that new and existing unit tests pass locally with my changes --------- Co-authored-by: Dkwcs <pavlo.botnar@gmail.com>
miker83z
added a commit
that referenced
this pull request
Jan 26, 2026
# Description of change Based on this scenario -> #9371 Receiving objects could be used to make AA TX certificates invalid, even after these were signed by the majority of validators. This PR makes so that any TX trying to receive an object owned by an AA account (i.e., an object having a `AuthenticatorFunctionRef` dynamic field) would abort execution (a validator could still sign the certificate, but the execution makes sure that the received objects will not be received and won't bump the sequence number). This PR also fixes a small issue related to duplicate function names in a package. ## Links to any relevant issues Closes #9371 Fixes #9862 ## How the change has been tested - [x] Basic tests (linting, compilation, formatting, unit/integration tests) - [x] Patch-specific tests (correctness, functionality coverage) - [x] I have added tests that prove my fix is effective or that my feature works - [x] I have checked that new and existing unit tests pass locally with my changes --------- Co-authored-by: Dkwcs <pavlo.botnar@gmail.com>
miker83z
added a commit
that referenced
this pull request
Jan 26, 2026
# Description of change Based on this scenario -> #9371 Receiving objects could be used to make AA TX certificates invalid, even after these were signed by the majority of validators. This PR makes so that any TX trying to receive an object owned by an AA account (i.e., an object having a `AuthenticatorFunctionRef` dynamic field) would abort execution (a validator could still sign the certificate, but the execution makes sure that the received objects will not be received and won't bump the sequence number). This PR also fixes a small issue related to duplicate function names in a package. ## Links to any relevant issues Closes #9371 Fixes #9862 ## How the change has been tested - [x] Basic tests (linting, compilation, formatting, unit/integration tests) - [x] Patch-specific tests (correctness, functionality coverage) - [x] I have added tests that prove my fix is effective or that my feature works - [x] I have checked that new and existing unit tests pass locally with my changes --------- Co-authored-by: Dkwcs <pavlo.botnar@gmail.com>
miker83z
added a commit
that referenced
this pull request
Jan 27, 2026
# Description of change Based on this scenario -> #9371 Receiving objects could be used to make AA TX certificates invalid, even after these were signed by the majority of validators. This PR makes so that any TX trying to receive an object owned by an AA account (i.e., an object having a `AuthenticatorFunctionRef` dynamic field) would abort execution (a validator could still sign the certificate, but the execution makes sure that the received objects will not be received and won't bump the sequence number). This PR also fixes a small issue related to duplicate function names in a package. ## Links to any relevant issues Closes #9371 Fixes #9862 ## How the change has been tested - [x] Basic tests (linting, compilation, formatting, unit/integration tests) - [x] Patch-specific tests (correctness, functionality coverage) - [x] I have added tests that prove my fix is effective or that my feature works - [x] I have checked that new and existing unit tests pass locally with my changes --------- Co-authored-by: Dkwcs <pavlo.botnar@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of change
Based on this scenario -> #9371 Receiving objects could be used to make AA TX certificates invalid, even after these were signed by the majority of validators.
This PR makes so that any TX trying to receive an object owned by an AA account (i.e., an object having a
AuthenticatorFunctionRefdynamic field) would abort execution (a validator could still sign the certificate, but the execution makes sure that the received objects will not be received and won't bump the sequence number).This PR also fixes a small issue related to duplicate function names in a package.
Links to any relevant issues
Closes #9371
Fixes #9862
How the change has been tested