Open JakeHartnell opened 9 months ago
A small bit of cleanup from the Audit Report:
The x/tokenfactory module address should be whitelisted upon contract instantiation to ensure token mints work as intended. When minting funds to the recipient, the sender will be the x/tokenfactory module address (https://github.com/osmosis-labs/osmosis/blob/b90dfad7f2ab8ecdd2806cb51dfa9a72fb80a469/x/tokenfactory/keeper/bankactions.go#L26). If the address is not whitelisted, the mint transaction will fail in the beforesend_hook function (https://github.com/DA0-DA0/dao-contracts/blob/37125086a464050af62bb4d15d936653cae61f31/contracts/external/cw-tokenfactory-issuer/src/hooks.rs#L14). In order to retrieve the x/tokenfactory module address in the contract, a QueryModuleAccountByNameRequest query (https://github.com/cosmos/cosmos-sdk/blob/main/proto/cosmos/auth/v1beta1/query.proto#L147) needs to be implemented to return the module address by its name. However, this requires Osmosis to whitelist the (https://github.com/osmosis-labs/osmosis/blob/v19.2.0/wasmbinding/stargate_whitelist.go#L45-L170)Stargate query first, which they have not (https://github.com/osmosis-labs/osmosis/blob/v19.2.0/wasmbinding/stargate_whitelist.go#L45-L170). There is a merged pull request that whitelists the query (https://github.com/osmosis-labs/osmosis/pull/6586), so QueryModuleAccountByNameRequest will likely be available in the next release.
The x/tokenfactory module address should be whitelisted upon contract instantiation to ensure token mints work as intended. When minting funds to the recipient, the sender will be the x/tokenfactory module address (https://github.com/osmosis-labs/osmosis/blob/b90dfad7f2ab8ecdd2806cb51dfa9a72fb80a469/x/tokenfactory/keeper/bankactions.go#L26). If the address is not whitelisted, the mint transaction will fail in the beforesend_hook function (https://github.com/DA0-DA0/dao-contracts/blob/37125086a464050af62bb4d15d936653cae61f31/contracts/external/cw-tokenfactory-issuer/src/hooks.rs#L14).
x/tokenfactory
beforesend_hook
In order to retrieve the x/tokenfactory module address in the contract, a QueryModuleAccountByNameRequest query (https://github.com/cosmos/cosmos-sdk/blob/main/proto/cosmos/auth/v1beta1/query.proto#L147) needs to be implemented to return the module address by its name. However, this requires Osmosis to whitelist the (https://github.com/osmosis-labs/osmosis/blob/v19.2.0/wasmbinding/stargate_whitelist.go#L45-L170)Stargate query first, which they have not (https://github.com/osmosis-labs/osmosis/blob/v19.2.0/wasmbinding/stargate_whitelist.go#L45-L170). There is a merged pull request that whitelists the query (https://github.com/osmosis-labs/osmosis/pull/6586), so QueryModuleAccountByNameRequest will likely be available in the next release.
QueryModuleAccountByNameRequest
As the feature is not yet ready and not critical, we're acknowledging it for now. When upstream deps have support for the QueryModuleAccountByNameRequest query, we can make the UX a bit better for this particular edge case.
A small bit of cleanup from the Audit Report:
As the feature is not yet ready and not critical, we're acknowledging it for now. When upstream deps have support for the
QueryModuleAccountByNameRequestquery, we can make the UX a bit better for this particular edge case.