Merge pull request #55 from SundaeSwap-finance/pi/SSW-202-metadata-datum

Resolve SSW-202
SundaeSwap-finance · Mar 1, 2024 · b731c1f · b731c1f
2 parents d43f212 + f2ee6ad
commit b731c1f
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 9 deletions.
diff --git a/validators/pool.ak b/validators/pool.ak
@@ -24,7 +24,6 @@ use types/pool.{
   WithdrawFees,
 }
 use types/settings.{SettingsDatum, find_settings_datum}
-
 /// The core / base "pooled AMM" script for the SundaeSwap v3 protocol
 ///
 /// Parameterized by the Settings policy ID, which makes the script unique, as well as lets us validate / read global settings.
@@ -421,12 +420,14 @@ validator(settings_policy_id: PolicyId) {
         expect Some(metadata_output) =
           list.at(ctx.transaction.outputs, metadata_output_ix)
         expect metadata_output.address == settings_datum.metadata_admin
-        expect
-          value.quantity_of(
-            metadata_output.value,
-            own_policy_id,
-            new_pool_ref_token,
-          ) == 1
+        expect value.quantity_of(metadata_output.value, own_policy_id, new_pool_ref_token) == 1
+        // We also check that the datum on the metadata output is void; It would be complex and in-flexible to enforce any particular structure on this, so we
+        // instead leave it to the metadata admin to spend the output and provide it the correct datum; We also don't want to leave it unspecified, because
+        // 1) the metadata admin might actually be a script address, in which case having no datum will permanently lock the metadata
+        // 2) the pool minter might include malicious metadata, such as an icon pointing at hardcore porn; until the metadata admin spent it, this would appear in users wallets,
+        //    and potentially even on access UIs for the Sundae protocol
+
+        expect metadata_output.datum == InlineDatum(Void)
 
         // And check that the datum is initialized correctly; This is part of why we have a minting policy handling this,
         // as it allows us to authenticate the providence of the datum.
@@ -571,4 +572,4 @@ fn compare_asset_class(a: AssetClass, b: AssetClass) {
 pub fn int_to_ident(n: Int) -> Ident {
   expect n < 256
   bytearray.push(#"", n)
-}
+}
diff --git a/validators/tests/pool.ak b/validators/tests/pool.ak
@@ -627,7 +627,7 @@ fn mint_test_modify(
     value.from_asset(pool_script_hash, new_pool_ref_token, 1)
       |> value.merge(value.from_lovelace(2_000_000))
   let ref_output =
-    new_tx_output(user_address, 0, NoDatum) // we can probably get rid of the rider, it gets auto added
+    new_tx_output(user_address, 0, InlineDatum(Void)) // we can probably get rid of the rider, it gets auto added
       |> add_asset_to_tx_output(ref_output_val)
       |> modify_ref_output
 
@@ -677,4 +677,20 @@ test mint_test_wrong_address () fail {
     identity
   )
   minted
+}
+
+// make sure we can't include any spam on the datum
+test mint_test_nonvoid_datum() fail {
+  let minted = mint_test_modify(
+    identity,
+    identity,
+    fn (ref_metadata_output) {
+      Output {
+        ..ref_metadata_output,
+        datum: InlineDatum("Evil data")
+      }
+    },
+  identity
+  )
+  minted
 }