Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fixNFTokenRemint: prevent NFT re-mint: #4406

Merged
merged 43 commits into from
Mar 20, 2023
Merged

fixNFTokenRemint: prevent NFT re-mint: #4406

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
43 commits
Select commit Hold shift + click to select a range
e5d61cf
initial commit
shawnxie999 Jan 17, 2023
95f644f
wip
shawnxie999 Jan 18, 2023
60ab256
Add fixUnburnableNFToken feature (#4391)
ledhed2222 Jan 18, 2023
9561268
NFToken new sequence construct
shawnxie999 Jan 18, 2023
51fe860
conflict
shawnxie999 Feb 1, 2023
dc4f146
clang
shawnxie999 Feb 1, 2023
6211841
update test
shawnxie999 Feb 1, 2023
fa19aa2
[Amendment] Allow NFT to be burned when number of offers is greater t…
shawnxie999 Feb 2, 2023
6233a8c
Merge branch 'feature/nft-fixes' into nft-remint
shawnxie999 Feb 3, 2023
5425a32
[FOLD]minor comment
shawnxie999 Feb 3, 2023
a48a437
add const
shawnxie999 Feb 9, 2023
ce42b74
[Amendment] Fix 3 issues around NFToken offer acceptance (#4380)
ledhed2222 Feb 9, 2023
40c55e9
[Amendment] Prevent brokered sale of NFToken to owner: (#4403)
scottschurr Feb 10, 2023
9c3855b
Merge branch 'feature/nft-fixes' into nft-remint
shawnxie999 Feb 13, 2023
c95f9e8
[FOLD] clang
shawnxie999 Feb 13, 2023
1a276a0
Add fixUnburnableNFToken feature (#4391)
ledhed2222 Jan 18, 2023
31959db
Allow NFT to be burned when number of offers is greater than 500 (#4346)
shawnxie999 Feb 2, 2023
bdaeee2
Fix 3 issues around NFToken offer acceptance (#4380)
ledhed2222 Feb 9, 2023
df7eb5d
Prevent brokered sale of NFToken to owner: (#4403)
scottschurr Feb 10, 2023
0c77813
Only account specified as destination can settle through brokerage: (…
dangell7 Feb 13, 2023
05602af
Rename to fixNonFungibleTokensV1_2 and some cosmetic changes (#4419)
ledhed2222 Feb 13, 2023
99ff97f
Resolve conflicts
shawnxie999 Feb 13, 2023
d464543
Add remint tests and flag change
shawnxie999 Feb 13, 2023
4a26e80
resolve conflicts
shawnxie999 Feb 14, 2023
facf8f0
[FOLD] refactor sequence generation
shawnxie999 Feb 14, 2023
4ef2890
[FOLD] clang
shawnxie999 Feb 14, 2023
386ffec
[FOLD] newline
shawnxie999 Feb 14, 2023
53f3238
[FOLD] remove new lines
shawnxie999 Feb 14, 2023
8747f8e
[FOLD] clang
shawnxie999 Feb 14, 2023
c4d4487
[FOLD] reserve field values for amm and hooks
shawnxie999 Feb 14, 2023
d04f37f
[FOLD] function renaming
shawnxie999 Feb 15, 2023
9bfa3ed
[fold] remove auto and addressed some comments
shawnxie999 Mar 7, 2023
5a174b3
[fold]param renaming
shawnxie999 Mar 7, 2023
8041edd
[fold] refactor tests
shawnxie999 Mar 7, 2023
f874f0f
[fold] clang
shawnxie999 Mar 7, 2023
fdb7a92
[fold]readd comment
shawnxie999 Mar 8, 2023
a217f29
[fold] refactor tokenSeq code
shawnxie999 Mar 8, 2023
ae09383
[fold] fix comments
shawnxie999 Mar 8, 2023
ac8712e
udpate comment
shawnxie999 Mar 8, 2023
7d6644f
enable/disable `fixNFTokenRemint` flag in test
shawnxie999 Mar 16, 2023
dacbb52
[fold]calng
shawnxie999 Mar 16, 2023
acf0873
add test feature flag in burn test
shawnxie999 Mar 16, 2023
6461c58
[fold]clang
shawnxie999 Mar 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions src/ripple/app/tx/impl/DeleteAccount.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,23 @@ DeleteAccount::preclaim(PreclaimContext const& ctx)
if ((*sleAccount)[sfSequence] + seqDelta > ctx.view.seq())
return tecTOO_SOON;

// When fixNFTokenRemint is enabled, we don't allow an account to be
// deleted if <FirstNFTokenSequence + MintedNFTokens> is within 256 of the
// current ledger. This is to prevent having duplicate NFTokenIDs after
// account re-creation.
//
// Without this restriction, duplicate NFTokenIDs can be reproduced when
// authorized minting is involved. Because when the minter mints a NFToken,
// the issuer's sequence does not change. So when the issuer re-creates
// their account and mints a NFToken, it is possible that the
// NFTokenSequence of this NFToken is the same as the one that the
// authorized minter minted in a previous ledger.
if (ctx.view.rules().enabled(fixNFTokenRemint) &&
((*sleAccount)[~sfFirstNFTokenSequence].value_or(0) +
(*sleAccount)[~sfMintedNFTokens].value_or(0) + seqDelta >
ctx.view.seq()))
return tecTOO_SOON;
Comment on lines +217 to +232
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Imagine someone issuing a million "Silly Billy" NFTs, with the first minted in ledger 77,777,777.

This check will prevent the issuer from deleting the account until, at the earliest, ledger 78,778,032; that's not gonna happen for around 4 million seconds, or around a month and a half.

Copy link
Collaborator Author

@shawnxie999 shawnxie999 Mar 1, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, unfortunately this check needs to be in. Without it, the scenario below produces duplicate NFTID:

  1. Alice's account sequence is at 1
  2. Bob is Alice's authorized minter
  3. Bob mints 500 NFTs for Alice (NFTs will have sequences 1 - 501, since NFT sequence is computed by FirstNFTokenSequence + MintedNFTokens)
  4. Alice deletes her account at ledger 257 (enforced by AccountDelete amendment)
  5. Alice re-creates her account at ledger 258
  6. Alice mints a NFT. FirstNFTokenSequence initialized to her account sequence (258), and MintedNFTokens to 0. This newly minted NFT would have a sequence number of 258, which is a duplicate of what she issued through authorized minting before she deleted her account.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand. My point was that this kind of test means it's hard for someone to know when their account can be deleted and, depending on the number of NFTs they issue. For some accounts (those which don't have FirstNFTokenSequence set) the answer is "immediately" and for others it's "well, sometime in the future."

Copy link
Collaborator Author

@shawnxie999 shawnxie999 Mar 1, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But I don't think this will be a common issue, since this restriction is only applicable for authorized minting situations.

If the issuer has never issued an NFT through authorized minting, then, FirstNFTokenSequence + MintedNFTokens <= AccountRoot Sequence will always be true, which means the AccountDelete amendment (ledger > Account Sequence + 256) already contains the new restriction.


// Verify that the account does not own any objects that would prevent
// the account from being deleted.
Keylet const ownerDirKeylet{keylet::ownerDir(account)};
Expand Down
63 changes: 57 additions & 6 deletions src/ripple/app/tx/impl/NFTokenMint.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,15 +160,66 @@ NFTokenMint::doApply()
// Should not happen. Checked in preclaim.
return Unexpected(tecNO_ISSUER);

// Get the unique sequence number for this token:
std::uint32_t const tokenSeq = (*root)[~sfMintedNFTokens].value_or(0);
if (!ctx_.view().rules().enabled(fixNFTokenRemint))
{
std::uint32_t const nextTokenSeq = tokenSeq + 1;
if (nextTokenSeq < tokenSeq)
return Unexpected(tecMAX_SEQUENCE_REACHED);
// Get the unique sequence number for this token:
std::uint32_t const tokenSeq =
(*root)[~sfMintedNFTokens].value_or(0);
{
std::uint32_t const nextTokenSeq = tokenSeq + 1;
if (nextTokenSeq < tokenSeq)
return Unexpected(tecMAX_SEQUENCE_REACHED);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so you're just checking for int overflow based on ledger seq? that seems unnecessary

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd leave the check as is, as it's basically free (from a computational point of view).


(*root)[sfMintedNFTokens] = nextTokenSeq;
}
shawnxie999 marked this conversation as resolved.
Show resolved Hide resolved
ctx_.view().update(root);
return tokenSeq;
}

// With fixNFTokenRemint amendment enabled:
//
// If the issuer hasn't minted an NFToken before we must add a
// FirstNFTokenSequence field to the issuer's AccountRoot. The
// value of the FirstNFTokenSequence must equal the issuer's
// current account sequence.
//
// There are three situations:
// o If the first token is being minted by the issuer and
// * If the transaction consumes a Sequence number, then the
// Sequence has been pre-incremented by the time we get here in
// doApply. We must decrement the value in the Sequence field.
// * Otherwise the transaction uses a Ticket so the Sequence has
// not been pre-incremented. We use the Sequence value as is.
// o The first token is being minted by an authorized minter. In
// this case the issuer's Sequence field has been left untouched.
// We use the issuer's Sequence value as is.
shawnxie999 marked this conversation as resolved.
Show resolved Hide resolved
if (!root->isFieldPresent(sfFirstNFTokenSequence))
{
std::uint32_t const acctSeq = root->at(sfSequence);

(*root)[sfMintedNFTokens] = nextTokenSeq;
root->at(sfFirstNFTokenSequence) =
ctx_.tx.isFieldPresent(sfIssuer) ||
ctx_.tx.getSeqProxy().isTicket()
? acctSeq
: acctSeq - 1;
}

std::uint32_t const mintedNftCnt =
(*root)[~sfMintedNFTokens].value_or(0u);

(*root)[sfMintedNFTokens] = mintedNftCnt + 1u;
if ((*root)[sfMintedNFTokens] == 0u)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

doesn't need to change - but i don't think you need the u specifier since you've already specified that the type is unsigned and arithmetic with a mix of signed/unsigned values should leave the value unsigned in this case.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is a conservative approach to make sure things are correctly typed proposed by @scottschurr

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ledhed2222, what you describe is not always the case. There are situations where operations on a combination of unsigned and signed integers produce a signed value. See "Usual Arithmetic Conversions": https://en.cppreference.com/w/cpp/language/usual_arithmetic_conversions#Integer_conversion_rank

You'll notice that the rules changed with C++11 and again with C++23.

What the rules seem to be pretty good at holding onto is that if both arguments are unsigned then the result will be unsigned. Since the literals 0 and 1 are implicitly signed, they can influence the type yielded by the operation. That's why, since overflow is possible in this calculation, using 0u and 1u is safer; they are explicitly unsigned.

I did not go to the effort of determining exactly what conversions the compiler would make -- I'm not that smart. I just applied a heuristic so I'm increasing the likelihood the compiler will do what I want.

return Unexpected(tecMAX_SEQUENCE_REACHED);

// Get the unique sequence number of this token by
// sfFirstNFTokenSequence + sfMintedNFTokens
std::uint32_t const offset = (*root)[sfFirstNFTokenSequence];
std::uint32_t const tokenSeq = offset + mintedNftCnt;

// Check for more overflow cases
if (tokenSeq + 1u == 0u || tokenSeq < offset)
return Unexpected(tecMAX_SEQUENCE_REACHED);

ctx_.view().update(root);
return tokenSeq;
}();
Expand Down
3 changes: 2 additions & 1 deletion src/ripple/protocol/Feature.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ namespace detail {
// Feature.cpp. Because it's only used to reserve storage, and determine how
// large to make the FeatureBitset, it MAY be larger. It MUST NOT be less than
// the actual number of amendments. A LogicError on startup will verify this.
static constexpr std::size_t numFeatures = 57;
static constexpr std::size_t numFeatures = 58;

/** Amendments that this server supports and the default voting behavior.
Whether they are enabled depends on the Rules defined in the validated
Expand Down Expand Up @@ -344,6 +344,7 @@ extern uint256 const featureDisallowIncoming;
extern uint256 const featureXRPFees;
extern uint256 const fixUniversalNumber;
extern uint256 const fixNonFungibleTokensV1_2;
extern uint256 const fixNFTokenRemint;

} // namespace ripple

Expand Down
1 change: 1 addition & 0 deletions src/ripple/protocol/SField.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -400,6 +400,7 @@ extern SF_UINT32 const sfMintedNFTokens;
extern SF_UINT32 const sfBurnedNFTokens;
extern SF_UINT32 const sfHookStateCount;
extern SF_UINT32 const sfEmitGeneration;
extern SF_UINT32 const sfFirstNFTokenSequence;

// 64-bit integers (common)
extern SF_UINT64 const sfIndexNext;
Expand Down
1 change: 1 addition & 0 deletions src/ripple/protocol/impl/Feature.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -454,6 +454,7 @@ REGISTER_FEATURE(DisallowIncoming, Supported::yes, DefaultVote::no)
REGISTER_FEATURE(XRPFees, Supported::yes, DefaultVote::no);
REGISTER_FIX (fixUniversalNumber, Supported::yes, DefaultVote::no);
REGISTER_FIX (fixNonFungibleTokensV1_2, Supported::yes, DefaultVote::no);
REGISTER_FIX (fixNFTokenRemint, Supported::yes, DefaultVote::no);

// The following amendments have been active for at least two years. Their
// pre-amendment code has been removed and the identifiers are deprecated.
Expand Down
1 change: 1 addition & 0 deletions src/ripple/protocol/impl/LedgerFormats.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ LedgerFormats::LedgerFormats()
{sfNFTokenMinter, soeOPTIONAL},
{sfMintedNFTokens, soeDEFAULT},
{sfBurnedNFTokens, soeDEFAULT},
{sfFirstNFTokenSequence, soeOPTIONAL},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note - this will require change to the SDKs I believe

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would you confirm this? doesn't block this PR but when a TX modifies this value and one of the libraries is trying to parse the metadata from that TX I think it will raise an exception

},
commonFields);

Expand Down
3 changes: 3 additions & 0 deletions src/ripple/protocol/impl/SField.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,9 @@ CONSTRUCT_TYPED_SFIELD(sfMintedNFTokens, "MintedNFTokens", UINT32,
CONSTRUCT_TYPED_SFIELD(sfBurnedNFTokens, "BurnedNFTokens", UINT32, 44);
CONSTRUCT_TYPED_SFIELD(sfHookStateCount, "HookStateCount", UINT32, 45);
CONSTRUCT_TYPED_SFIELD(sfEmitGeneration, "EmitGeneration", UINT32, 46);
// Three field values of 47, 48 and 49 are reserved for
// LockCount(Hooks), VoteWeight(AMM), DiscountedFee(AMM)
CONSTRUCT_TYPED_SFIELD(sfFirstNFTokenSequence, "FirstNFTokenSequence", UINT32, 50);
shawnxie999 marked this conversation as resolved.
Show resolved Hide resolved

// 64-bit integers (common)
CONSTRUCT_TYPED_SFIELD(sfIndexNext, "IndexNext", UINT64, 1);
Expand Down
18 changes: 14 additions & 4 deletions src/test/app/NFTokenBurn_test.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -380,8 +380,16 @@ class NFTokenBurn_test : public beast::unit_test::suite
auto internalTaxon = [&env](
Account const& acct,
std::uint32_t taxon) -> std::uint32_t {
std::uint32_t const tokenSeq = {
env.le(acct)->at(~sfMintedNFTokens).value_or(0)};
std::uint32_t tokenSeq =
env.le(acct)->at(~sfMintedNFTokens).value_or(0);

// If fixNFTokenRemint amendment is on, we must
// add FirstNFTokenSequence.
if (env.current()->rules().enabled(fixNFTokenRemint))
tokenSeq += env.le(acct)
->at(~sfFirstNFTokenSequence)
.value_or(env.seq(acct));

return toUInt32(
nft::cipheredTaxon(tokenSeq, nft::toTaxon(taxon)));
};
Expand Down Expand Up @@ -786,8 +794,10 @@ class NFTokenBurn_test : public beast::unit_test::suite
FeatureBitset const all{supported_amendments()};
FeatureBitset const fixNFTDir{fixNFTokenDirV1};

testWithFeats(all - fixNonFungibleTokensV1_2 - fixNFTDir);
testWithFeats(all - fixNonFungibleTokensV1_2);
testWithFeats(
all - fixNonFungibleTokensV1_2 - fixNFTDir - fixNFTokenRemint);
testWithFeats(all - fixNonFungibleTokensV1_2 - fixNFTokenRemint);
testWithFeats(all - fixNFTokenRemint);
testWithFeats(all);
}
};
Expand Down
35 changes: 30 additions & 5 deletions src/test/app/NFTokenDir_test.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -190,8 +190,14 @@ class NFTokenDir_test : public beast::unit_test::suite
Account const& account = accounts.emplace_back(
Account::base58Seed, std::string(seed));
env.fund(XRP(10000), account);
env.close();

// Do not close the ledger inside the loop. If
// fixNFTokenRemint is enabled and accounts are initialized
// at different ledgers, they will have different account
// sequences. That would cause the accounts to have
// different NFTokenID sequence numbers.
}
env.close();

// All of the accounts create one NFT and and offer that NFT to
// buyer.
Expand Down Expand Up @@ -408,8 +414,14 @@ class NFTokenDir_test : public beast::unit_test::suite
Account const& account = accounts.emplace_back(
Account::base58Seed, std::string(seed));
env.fund(XRP(10000), account);
env.close();

// Do not close the ledger inside the loop. If
// fixNFTokenRemint is enabled and accounts are initialized
// at different ledgers, they will have different account
// sequences. That would cause the accounts to have
// different NFTokenID sequence numbers.
}
env.close();

// All of the accounts create one NFT and and offer that NFT to
// buyer.
Expand Down Expand Up @@ -652,8 +664,14 @@ class NFTokenDir_test : public beast::unit_test::suite
Account const& account =
accounts.emplace_back(Account::base58Seed, std::string(seed));
env.fund(XRP(10000), account);
env.close();

// Do not close the ledger inside the loop. If
// fixNFTokenRemint is enabled and accounts are initialized
// at different ledgers, they will have different account
// sequences. That would cause the accounts to have
// different NFTokenID sequence numbers.
}
env.close();

// All of the accounts create one NFT and and offer that NFT to buyer.
std::vector<uint256> nftIDs;
Expand Down Expand Up @@ -827,8 +845,14 @@ class NFTokenDir_test : public beast::unit_test::suite
Account const& account =
accounts.emplace_back(Account::base58Seed, std::string(seed));
env.fund(XRP(10000), account);
env.close();

// Do not close the ledger inside the loop. If
// fixNFTokenRemint is enabled and accounts are initialized
// at different ledgers, they will have different account
// sequences. That would cause the accounts to have
// different NFTokenID sequence numbers.
}
env.close();

// All of the accounts create seven consecutive NFTs and and offer
// those NFTs to buyer.
Expand Down Expand Up @@ -1078,7 +1102,8 @@ class NFTokenDir_test : public beast::unit_test::suite
FeatureBitset const fixNFTDir{
fixNFTokenDirV1, featureNonFungibleTokensV1_1};

testWithFeats(all - fixNFTDir);
testWithFeats(all - fixNFTDir - fixNFTokenRemint);
testWithFeats(all - fixNFTokenRemint);
testWithFeats(all);
}
};
Expand Down
Loading