search

gnolang / gno

Gno: An interpreted, stack-based Go virtual machine to build succinct and composable apps + Gno.land: a blockchain for timeless code and fair open-source.
https://gno.land/
Other
895 stars 372 forks source link

[question] How to handle contract grc20 treasury ? #634

Open albttx opened 1 year ago

albttx commented 1 year ago

Hey, i'm currently working on a Merkle Airdrop realm, and i'm facing an implementation decision, and i'd love to have your inputs

context: i developed:

In my first implementation, the struct MerkleAirdrop contained a token *grc.AdminToken, but i believe it's a security issue, and i have updated to a grc20.IGRC

So when i call p/demo/airdrop.MerkleAirdrop.Claim() i need to call the GRC20 Transfer or TransferFrom function, but the issue is that the spender is std.GetOrigCaller(), which lead to an allowance error.

i would need the spender to be the contract address (std.GetOrigPkgAddr())

I see multiple solutions to that (not always good)

  1. Set an foo20.Approve to all airdroped users, IMHO: non-sense
  2. Add a getter like foo20.GetAdmin with a whitelist of address to access the *AdminToken IMHO: not good for security reasons
  3. Update std.GetOrigCaller() to a new system like std.GetCallers() and have an array of callers (when a contract call a contract that call a contract ...) to be able to check all allowance, or just std.GetLastCaller?
  4. Have a solution to change the Caller from the contract as the contractAddr, like the test function std.TestSetOrigCaller(std.GetOrigPkgAddr())
  5. Use a Banker system for ERC20? Banker are for coins only, not tokens right ?

Or do you have another idea ? Am i missing something ?

wwqiu commented 1 year ago

Maybe this will help you. https://github.com/gnolang/gno/pull/473 https://github.com/gnolang/gno/pull/335

moul commented 1 year ago

Related with #757, #683

jaekwon commented 1 year ago

Can you show some code links so I know what to look at?

We will be implementing a "GetRealmCaller" which gets the last realm that ultimately called the current function. This function should generally be used, (instead of "GetOrigCaller" which is only the tx signer).

Banker could be used, but we would have to figure out coin issuance management at the SDK banker level. So I guess, not at first. First we can implement a pure Gno one to get the interfaces right.

Have a solution to change the Caller from the contract as the contractAddr, like the test function std.TestSetOrigCaller(std.GetOrigPkgAddr())

Only for testing, we can't support that in production without opening a can of worms we prob don't want.

Use a Banker system for ERC20? Banker are for coins only, not tokens right ?

What's the difference?