x/auth: add ante decorator capping bank-transfer outputs per tx#90

Merged
marcello33 merged 3 commits into devel from mardizzone/fix_122 on Jun 11, 2026

Conversation

@marcello33

Collaborator

Summary

Adds MsgMultiSendCapDecorator, a new ante decorator in x/auth/ante that bounds the aggregate number of bank transfer outputs in a single transaction. MsgMultiSend contributes len(Outputs), MsgSend contributes 1, and the count is aggregated across all top-level messages in the tx — so splitting transfers across multiple messages cannot exceed the cap. This keeps per-transaction execution work and proposal byte footprint proportional to what a transaction can carry under the flat-fee model.

Enforcement is gated by an activeFn func(int64) bool height predicate (nil = always on), so consumers can wire activation to a coordinated upgrade height. Both maxOutputs and activeFn are chosen by the consuming application (heimdall) when assembling its ante chain — this PR adds the decorator only and does not wire it into any default ante handler.

The decorator inspects top-level messages only; wrapper executors (e.g. authz.MsgExec) dispatch inner messages at handler time and bypass this check. That's documented on the type — applications enabling such wrappers must constrain them separately. (Heimdall does not enable authz.)

Executed tests

  • New table-driven unit tests (x/auth/ante/multisend_cap_test.go, 18 cases) covering: at/under/over cap for single MsgMultiSend; MsgSend-only counting; mixed MsgSend + MsgMultiSend aggregation at exact-cap boundaries; multi-message aggregation including bypass attempts (many half-cap messages, many single MsgSends); height-gate semantics at activation height −1 / H / +1; nil and always-false activeFn.
  • Standard CI gates (lint, unit tests).

Rollout notes

  • No behavior change from this PR alone — the decorator is inert until an application adds it to its ante chain.
  • Once wired, it changes transaction acceptance, so consuming chains (Heimdall-v2) must activate it via a height-gated activeFn as part of a coordinated upgrade; pre-activation behavior is unchanged.
  • No state migrations, no API/store changes. Upstream-compatible: additive file in x/auth/ante, no modifications to existing decorators.

@marcello33 marcello33 requested a review from a team June 11, 2026 08:41
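
The counting and height-gating rules from the PR description above, as an added Go sketch that is not code from this PR or from the Cosmos SDK. `Msg`, `MsgSend`, `MsgMultiSend`, `MsgExec`, `CountOutputs`, `CheckCap` and `Outs` are simplified stand-ins, the cap of 5 and height 100 are constructed values, and accepting a tx with exactly `maxOutputs` outputs is an assumption.

```go
package main

import "fmt"

// Simplified stand-ins for the SDK message types (assumptions, not the real x/bank or authz types).
type Msg interface{}
type MsgSend struct{}
type MsgMultiSend struct{ Outputs []string }
type MsgExec struct{ Inner []Msg } // models a wrapper executor such as authz.MsgExec

// CountOutputs aggregates bank-transfer outputs over top-level messages only.
func CountOutputs(msgs []Msg) int {
	n := 0
	for _, m := range msgs {
		switch v := m.(type) {
		case MsgSend:
			n++ // a plain send is one output
		case MsgMultiSend:
			n += len(v.Outputs)
		}
		// Any other type, including MsgExec, contributes 0: inner messages are not inspected.
	}
	return n
}

// CheckCap rejects a tx whose aggregate output count exceeds maxOutputs once the
// height gate is active. A nil activeFn means the cap is always enforced.
func CheckCap(msgs []Msg, height int64, maxOutputs int, activeFn func(int64) bool) error {
	if activeFn != nil && !activeFn(height) {
		return nil // pre-activation: acceptance behaviour is unchanged
	}
	if got := CountOutputs(msgs); got > maxOutputs {
		return fmt.Errorf("tx has %d bank-transfer outputs, cap is %d", got, maxOutputs)
	}
	return nil
}

// Outs builds a MsgMultiSend with n constructed placeholder outputs.
func Outs(n int) MsgMultiSend { return MsgMultiSend{Outputs: make([]string, n)} }

func main() {
	gate := func(h int64) bool { return h >= 100 } // constructed upgrade height
	split := []Msg{Outs(3), Outs(3), MsgSend{}}    // 7 outputs spread over 3 messages
	fmt.Println(CheckCap(split, 99, 5, gate))      // accepted: gate not yet active
	fmt.Println(CheckCap(split, 100, 5, gate))     // rejected: aggregate count is over the cap
	// Accepted by this check: the wrapper is a top-level message of an uncounted type,
	// so an application enabling such wrappers has to constrain them separately.
	fmt.Println(CheckCap([]Msg{MsgExec{Inner: split}}, 100, 5, gate))
}
```
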
@sonarqubecloud

Quality Gate failed

Failed conditions
10.6% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@sonarqubecloud

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@marcello33 marcello33 merged commit 9742959 into devel Jun 11, 2026
11 of 14 checks passed