In its current implementation, a generator instance uses a simple array of addresses to whitelist users. This has a number of limitations:
Every address that will mint from a generator must be whitelisted manually (even if it is accessed through a contract call).
Whitelisting a contract is global in nature, which introduces an exploit vector as described below:
Project A creates a new generator instance for their project and creates a new puppet epoch pointing to it.
Project A whitelists the puppet smart contract as being able to mint from the generator instance.
Project B also creates an epoch instance pointing to the generator instance that Project A created.
Project B is now able to mint from the generator instance as well, because the whitelist checks only the hash of the calling contract (the puppet contract), not which epoch or project the call came through.
There are two solutions:
Introduce an optional code field when whitelisting. This would allow users to populate the field with an id which is checked on invocation alongside the calling contract's hash. This field would most likely be controlled by the calling smart contract rather than the end user (so that a user cannot supply another project's id), which would mitigate this issue.
Limit the scope of this release. This would mean that only COZ would have the ability to mint puppets. It would also prevent other smart contracts from creating instanced scenarios that securely use generator instances. We could push a new version in the future which implements this functionality, but it would be a breaking change.
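The following is an added model of the two whitelist schemes in plain Python; it is not the project's contract code. It simulates the generator, the puppet contract and the two-project scenario above, showing that a hash-only whitelist lets Project B mint through Project A's generator, that a whitelist keyed on (contract hash, code) with the epoch id as the code blocks it, and that the code must be chosen by the puppet contract itself: if the user could pass the code, Project B could simply pass Project A's epoch id. The script hashes, epoch ids, the `code` parameter name and the `mint` / `set_whitelist` method names are assumptions made for the example.

```python
"""Added model of the generator whitelist; not the project's contract code.

Hashes, epoch ids and method names below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Constructed stand-in script hashes (not real Neo contract hashes).
PUPPET_HASH = "0xpuppet"
PROJECT_A = "0xa"
PROJECT_B = "0xb"


class NotWhitelisted(Exception):
    """Raised when the generator rejects a mint request."""


@dataclass
class GeneratorHashOnly:
    """Current scheme: the whitelist is a bare set of calling-contract hashes."""
    owner: str
    whitelist: set = field(default_factory=set)
    minted: list = field(default_factory=list)

    def set_whitelist(self, sender, contract_hash):
        assert sender == self.owner, "only the generator owner may whitelist"
        self.whitelist.add(contract_hash)

    def mint(self, calling_hash, code=None):
        # `code` is accepted but ignored: any epoch routed through a whitelisted
        # contract is accepted, regardless of who created that epoch.
        if calling_hash not in self.whitelist:
            raise NotWhitelisted(calling_hash)
        self.minted.append((calling_hash, code))
        return len(self.minted)


@dataclass
class GeneratorScoped:
    """Proposed scheme: whitelist entries are (contract hash, code) pairs."""
    owner: str
    whitelist: set = field(default_factory=set)
    minted: list = field(default_factory=list)

    def set_whitelist(self, sender, contract_hash, code=None):
        assert sender == self.owner, "only the generator owner may whitelist"
        self.whitelist.add((contract_hash, code))

    def mint(self, calling_hash, code=None):
        # Exact match on (hash, code). An entry stored with code=None keeps the
        # old unscoped behaviour, since the field is optional.
        if (calling_hash, code) not in self.whitelist and \
                (calling_hash, None) not in self.whitelist:
            raise NotWhitelisted((calling_hash, code))
        self.minted.append((calling_hash, code))
        return len(self.minted)


@dataclass
class Puppet:
    """Puppet contract: each epoch id maps to (creator, generator instance)."""
    epochs: dict = field(default_factory=dict)
    next_epoch: int = 1

    def create_epoch(self, creator, generator):
        epoch_id = self.next_epoch
        self.next_epoch += 1
        self.epochs[epoch_id] = (creator, generator)
        return epoch_id

    def mint(self, epoch_id):
        # The contract supplies the code (its own epoch id), so a user cannot
        # claim an epoch they did not create.
        _, generator = self.epochs[epoch_id]
        return generator.mint(PUPPET_HASH, code=epoch_id)

    def mint_with_user_code(self, epoch_id, code):
        # Insecure variant: forwards a caller-chosen code unchecked.
        _, generator = self.epochs[epoch_id]
        return generator.mint(PUPPET_HASH, code=code)


def _attempt(fn, *args):
    try:
        fn(*args)
        return True
    except NotWhitelisted:
        return False


def scenario(scoped):
    """Return (A mints, B mints, B spoofs A's code via user-chosen code)."""
    puppet = Puppet()
    gen = GeneratorScoped(PROJECT_A) if scoped else GeneratorHashOnly(PROJECT_A)
    epoch_a = puppet.create_epoch(PROJECT_A, gen)
    if scoped:
        gen.set_whitelist(PROJECT_A, PUPPET_HASH, code=epoch_a)
    else:
        gen.set_whitelist(PROJECT_A, PUPPET_HASH)
    # Project B points its own epoch at Project A's generator instance.
    epoch_b = puppet.create_epoch(PROJECT_B, gen)
    return (_attempt(puppet.mint, epoch_a),
            _attempt(puppet.mint, epoch_b),
            _attempt(puppet.mint_with_user_code, epoch_b, epoch_a))
```

`scenario(False)` reproduces the issue (Project B mints), while `scenario(True)` shows the scoped whitelist rejecting B's epoch but still accepting the spoofed call through `mint_with_user_code`, which is why the code field has to be set by the calling contract and never taken from the invoker.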