x/auth: add ante decorator capping bank-transfer outputs per tx #90
Merged
pratikspatil024 approved these changes Jun 11, 2026
kamuikatsurgi approved these changes Jun 11, 2026


Summary

Adds MsgMultiSendCapDecorator, a new ante decorator in x/auth/ante that bounds the aggregate number of bank transfer outputs in a single transaction. MsgMultiSend contributes len(Outputs), MsgSend contributes 1, and the count is aggregated across all top-level messages in the tx — so splitting transfers across multiple messages cannot exceed the cap. This keeps per-transaction execution work and proposal byte footprint proportional to what a transaction can carry under the flat-fee model.

Enforcement is gated by an activeFn func(int64) bool height predicate (nil = always on), so consumers can wire activation to a coordinated upgrade height. Both maxOutputs and activeFn are chosen by the consuming application (heimdall) when assembling its ante chain — this PR adds the decorator only and does not wire it into any default ante handler.

The decorator inspects top-level messages only; wrapper executors (e.g. authz.MsgExec) dispatch inner messages at handler time and bypass this check. That's documented on the type — applications enabling such wrappers must constrain them separately. (Heimdall does not enable authz.)

Executed tests

x/auth/ante/multisend_cap_test.go, 18 cases) covering: at/under/over cap for single MsgMultiSend; MsgSend-only counting; mixed MsgSend + MsgMultiSend aggregation at exact-cap boundaries; multi-message aggregation including bypass attempts (many half-cap messages, many single MsgSends); height-gate semantics at activation height −1 / H / +1; nil and always-false activeFn.

Rollout notes

activeFn as part of a coordinated upgrade; pre-activation behavior is unchanged.
x/auth/ante, no modifications to existing decorators.
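
The counting and height-gate rules from the summary, as an added Go sketch that is not the PR's code. The message types, CountOutputs, CheckCap and the activation height 100 are stand-ins assumed for illustration, and treating a count equal to the cap as allowed is inferred from the at/under/over test description.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in types for illustration; the real messages live in the SDK's bank and authz modules.
type Msg interface{}
type MsgSend struct{}
type MsgMultiSend struct{ Outputs []string }
type MsgExec struct{ Inner []Msg } // wrapper: inner messages run at handler time

var ErrTooManyOutputs = errors.New("too many bank transfer outputs in tx")

// CountOutputs aggregates outputs over top-level messages only.
func CountOutputs(msgs []Msg) int {
	n := 0
	for _, m := range msgs {
		switch v := m.(type) {
		case MsgSend:
			n++
		case MsgMultiSend:
			n += len(v.Outputs)
		}
	}
	return n
}

// CheckCap enforces the cap when activeFn is nil or returns true for height.
// Assumption: a count equal to maxOutputs passes; only counts above it fail.
func CheckCap(msgs []Msg, height int64, maxOutputs int, activeFn func(int64) bool) error {
	if activeFn != nil && !activeFn(height) {
		return nil // pre-activation: behavior unchanged
	}
	if got := CountOutputs(msgs); got > maxOutputs {
		return fmt.Errorf("%w: %d > %d", ErrTooManyOutputs, got, maxOutputs)
	}
	return nil
}

func main() {
	active := func(h int64) bool { return h >= 100 } // constructed activation height
	half := MsgMultiSend{Outputs: make([]string, 5)}
	split := []Msg{half, half, MsgSend{}} // 5 + 5 + 1 = 11 outputs, constructed
	fmt.Println(CheckCap(split, 99, 10, active))                         // gate closed
	fmt.Println(CheckCap(split, 100, 10, active))                        // over cap
	fmt.Println(CheckCap([]Msg{MsgExec{Inner: split}}, 100, 10, active)) // not inspected
}
```

The wrapped transaction passing in the last call is the gap the description notes for wrapper executors: an application that enables one has to bound its inner messages separately.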