feat: add asset allowlist policy mechanism to stealth-sender#78
Open
postqcoin wants to merge 3 commits into
Conversation
Implements upgrade admin mechanism for stealth-sender contract with comprehensive adversarial test suite proving security properties.

Contract changes (stealth-sender):
- Add Admin and Renounced storage keys
- Add admin parameter to init() for upgrade authority
- Add upgrade() function using deployer().update_current_contract_wasm()
- Add set_admin() for admin transfer (requires current admin auth)
- Add renounce_upgrade_authority() for permanent irreversible renouncement
- Add get_admin() and is_renounced() view functions

Adversarial test suite:
- test_non_admin_cannot_upgrade — verifies auth enforcement
- test_admin_can_upgrade — happy path upgrade
- test_admin_can_renounce — renounce flow
- test_cannot_renounce_twice — double-renounce prevention
- test_cannot_upgrade_after_renounce — post-renounce blocked
- test_cannot_set_admin_after_renounce — admin change blocked post-renounce
- test_admin_can_change_admin — admin transfer
- test_non_admin_cannot_change_admin — admin transfer auth
- test_admin_change_preserves_announcer — state preservation

GOVERNANCE.md:
- Documents upgrade classification per contract
- Describes admin role and upgrade mechanism
- Documents renounce mechanism and security properties
- Lists test coverage and mainnet readiness checklist

Closes wraith-protocol#57
…names

Implements admin-controlled pause mechanism (circuit-breaker) for the two contracts that handle state mutations:

stealth-sender:
- Add Paused storage key and ContractPaused error
- Add pause(), unpause(), is_paused() admin functions
- Add require_not_paused() check to send() and batch_send()
- Upgrade/admin functions remain operational during pause

wraith-names:
- Add Admin storage key and init() with admin parameter
- Add Paused storage key and ContractPaused error
- Add pause(), unpause(), is_paused() admin functions
- Add require_not_paused() check to register(), update(), release()
- resolve() and name_of() remain available (read-only) when paused

Not pausable (by design):
- stealth-announcer: pure event emitter, no state
- stealth-registry: stateless, redeploy if needed

Documentation:
- PAUSE.md: per-contract pause behavior and incident response playbook
- Tests: 7 new adversarial pause tests for wraith-names

Closes wraith-protocol#75
Adds optional on-chain asset policy enforcement to prevent transfers of tokens with AUTH_REVOCABLE or AUTH_CLAWBACK_ENABLED flags that break Wraith's unlinkability guarantee.

stealth-sender changes:
- Add AssetPolicy storage key and AssetNotAllowed error
- Add set_asset_policy() admin function to set/clear policy contract
- Add get_asset_policy() view function
- Add check_asset_policy() internal function that calls policy contract
- Policy check runs before transfers in send() and batch_send()
- No policy set = all assets allowed (backward compatible)

New contract: wraith-asset-policy
- Simple allowlist contract with admin control
- allow_asset() / disallow_asset() admin functions
- is_allowed() view function (callable by stealth-sender)
- Default: all assets disallowed (whitelist model)
- Tests: init, allow, disallow, default disallowed

Design decisions:
- Policy is optional (no policy = no restriction)
- Policy contract is separate (callers can deploy custom policies)
- Whitelist model (default deny, explicit allow)

Closes wraith-protocol#51
Summary
Adds optional on-chain asset policy enforcement to prevent transfers of tokens with AUTH_REVOCABLE or AUTH_CLAWBACK_ENABLED flags that break Wraith's unlinkability guarantee.
Contract Changes
stealth-sender
New: wraith-asset-policy
Design Decisions
Security Impact
Prevents privacy leak when using assets with clawback/revocation flags. Without this check, a clawback-capable asset could be used to de-anonymize stealth address recipients.
Closes #51
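The following is an added example, not code from the wraith-protocol repository or from this PR. It is a plain-Rust (std only, no Soroban SDK) model of the asset-policy design the commit message and the Summary above describe, so it can be run and tested outside a Soroban environment: an optional policy on the sender (none set = every asset allowed), a separate allowlist policy that is default-deny and admin-gated, the check placed in front of the transfer in both send() and batch_send(), and set_asset_policy() usable to clear the policy again. The names AssetPolicy, AllowlistPolicy, StealthSender, set_asset_policy, check_asset_policy, send, batch_send, allow_asset, disallow_asset, is_allowed and AssetNotAllowed are taken from the PR text; Address, Error::NotAdmin, Transfer, executed and the trait-object plumbing that stands in for the cross-contract call are this example's own assumptions.

```rust
// Added example: std-Rust model of the optional asset-policy check.
// Not the wraith-protocol contracts; no soroban_sdk. Address, Error::NotAdmin,
// Transfer, `executed` and the Rc<RefCell<dyn AssetPolicy>> stand-in for the
// cross-contract call are invented here for illustration.
use std::cell::RefCell;
use std::collections::HashSet;
use std::rc::Rc;

/// Stand-in for a Soroban Address (contract or account id).
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct Address(pub &'static str);

#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    NotAdmin,
    AssetNotAllowed,
}

/// The single question stealth-sender asks a policy contract; models the
/// cross-contract call to wraith-asset-policy::is_allowed().
pub trait AssetPolicy {
    fn is_allowed(&self, asset: &Address) -> bool;
}

/// Model of wraith-asset-policy: default deny, explicit allow, admin-gated.
pub struct AllowlistPolicy {
    admin: Address,
    allowed: HashSet<Address>,
}

impl AllowlistPolicy {
    pub fn init(admin: Address) -> Self {
        AllowlistPolicy { admin, allowed: HashSet::new() }
    }
    fn require_admin(&self, caller: &Address) -> Result<(), Error> {
        if *caller == self.admin { Ok(()) } else { Err(Error::NotAdmin) }
    }
    pub fn allow_asset(&mut self, caller: &Address, asset: Address) -> Result<(), Error> {
        self.require_admin(caller)?;
        self.allowed.insert(asset);
        Ok(())
    }
    pub fn disallow_asset(&mut self, caller: &Address, asset: &Address) -> Result<(), Error> {
        self.require_admin(caller)?;
        self.allowed.remove(asset);
        Ok(())
    }
}

impl AssetPolicy for AllowlistPolicy {
    fn is_allowed(&self, asset: &Address) -> bool {
        self.allowed.contains(asset)
    }
}

/// (asset, stealth recipient, amount): one transfer the sender would perform.
pub type Transfer = (Address, Address, i128);

/// Model of the stealth-sender pieces this PR touches.
pub struct StealthSender {
    admin: Address,
    policy: Option<Rc<RefCell<dyn AssetPolicy>>>,
    /// Transfers that passed the policy check (stands in for token moves).
    pub executed: Vec<Transfer>,
}

impl StealthSender {
    pub fn init(admin: Address) -> Self {
        StealthSender { admin, policy: None, executed: Vec::new() }
    }

    /// set_asset_policy(): admin only; `None` clears the policy again.
    pub fn set_asset_policy(
        &mut self,
        caller: &Address,
        policy: Option<Rc<RefCell<dyn AssetPolicy>>>,
    ) -> Result<(), Error> {
        if *caller != self.admin {
            return Err(Error::NotAdmin);
        }
        self.policy = policy;
        Ok(())
    }

    /// check_asset_policy(): no policy configured means every asset passes;
    /// with a policy, anything it does not explicitly allow is rejected.
    fn check_asset_policy(&self, asset: &Address) -> Result<(), Error> {
        match &self.policy {
            None => Ok(()),
            Some(p) if p.borrow().is_allowed(asset) => Ok(()),
            Some(_) => Err(Error::AssetNotAllowed),
        }
    }

    /// send(): the policy check runs before the transfer is recorded.
    pub fn send(&mut self, asset: Address, to: Address, amount: i128) -> Result<(), Error> {
        self.check_asset_policy(&asset)?;
        self.executed.push((asset, to, amount));
        Ok(())
    }

    /// batch_send(): every asset is checked before any transfer is recorded,
    /// so a single disallowed asset rejects the whole batch with no partial state.
    pub fn batch_send(&mut self, transfers: Vec<Transfer>) -> Result<(), Error> {
        for (asset, _, _) in &transfers {
            self.check_asset_policy(asset)?;
        }
        self.executed.extend(transfers);
        Ok(())
    }
}

fn main() {
    let admin = Address("admin");
    let mut sender = StealthSender::init(admin.clone());
    let policy = Rc::new(RefCell::new(AllowlistPolicy::init(admin.clone())));
    sender.set_asset_policy(&admin, Some(policy.clone())).unwrap();
    // Default deny: nothing is allowlisted yet, so this is rejected.
    println!("{:?}", sender.send(Address("USDC"), Address("stealth1"), 10));
    policy.borrow_mut().allow_asset(&admin, Address("USDC")).unwrap();
    println!("{:?}", sender.send(Address("USDC"), Address("stealth1"), 10));
}
```

The point worth carrying over to the real contract is the ordering in batch_send(): the policy is consulted for every asset before any token is moved, so the result is all-or-nothing rather than a batch that half-executes and then reverts. With a policy contract set, the policy contract's admin becomes part of the sender's trust boundary, since whoever can call allow_asset() on it decides which assets the sender will move.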