Register origin

[yrong]

No description provided.

[alistair-singh]

Are we trying to avoid an SDK release? or a runtime release? or be fully decoupled from both?

[yrong]

Set this flag to be true through System::set_storage when code has been audited.

[yrong]

Are we trying to avoid an SDK release? or a runtime release? or be fully decoupled from both?

Yeah, try to be fully decoupled from both. Mentioned in #174 (comment)

[acatangiu]

I'm not convinced the added complexity is worth it. Changing storage still requires root/whitelisted referenda.

It's also frowned upon in OpenGov any time we're "arbitrarily" changing storage using Root. You could create an ensure_root call to enable/disable this which would "look" better in OpenGov (not messing with storage directly).

But I would still not do it, more code to maintain for little to no added benefit. Still need root referenda. At least with runtime upgrade we could batch more things in same upgrade referenda.

[yrong]

I'm not convinced the added complexity is worth it. Changing storage still requires root/whitelisted referenda.

I would assume it's much easier to do a set_storage than upgrading pallet logic. If that's not the case, then yes the added complexity is not worthwhile.

[yrong]

But I would still not do it, more code to maintain for little to no added benefit. Still need root referenda. At least with runtime upgrade we could batch more things in same upgrade referenda.

That's a good point. @acatangiu Does that mean you're fine with the current impl the sudo call and we make a runtime upgrade to make it permissionless after audited?

[acatangiu]

But I would still not do it, more code to maintain for little to no added benefit. Still need root referenda. At least with runtime upgrade we could batch more things in same upgrade referenda.

That's a good point. @acatangiu Does that mean you're fine with the current impl the sudo call and we make a runtime upgrade to make it permissionless after audited?

yes, that will be good

[acatangiu]

not sure we need this somewhat complicated struct..

Instead of switching the boolean generic param on this struct, we can start with simple EnsureRoot struct, then after audit switch (in runtime config) to simple EnsureSigned struct.

[acatangiu]

does TreasuryAccount even have any funds on BridgeHub?

better to just make the tx free for Root rather than try to pay from Treasury account on BH

[acatangiu]

maybe

Suggested change

	type RegisterTokenOrigin: EnsureOrigin<Self::RuntimeOrigin, Success = AccountIdOf<Self>>;
	type RegisterTokenOrigin: EnsureOrigin<Self::RuntimeOrigin, Success = Self::RuntimeOrigin>;

then you could:

let pays_fee = match origin {
	RawOrigin::Root => PaysFee::<T>::No,
	RawOrigin::Signed(who) => PaysFee::<T>::Yes(who),

and avoid having to use special account for Root case

[vgeddes]

I've realized that if we make token registration permissionless, the origin should be an XCM location (i.e Transact.OriginKind = Xcm), and we should verify that the origin location is an immediate parent of the token location.

Otherwise any random user can register a token with incorrect or misleading metadata.

For example if the token location is /Para(2048)/PalletInstance(7)/GeneralIndex(1), then the only origin location allowed to register it is /Para(2048)/PalletInstance(7).

[alistair-singh]

How would you register a token like KILT?

1. By sending an XCM directly from KILT parachain? That would require they setup an HRMP channel with bridge hub just for registration and they have an extrinsic/governance to send_xcm directly from the KILT origin.
2. Impersonating KILT using governance from the relaychain.

I think we should just stick to root for now as all options require governance and we can change the registration model later.

[vgeddes]

Yeah good point - another idea I had was to move the registration extrinsic to AH which of course can read the asset metadata directly from storage.

[vgeddes]

but for now, yes, we should stick with root

[vgeddes]

Needs substantial changes due to the vulnerability in #174 (comment)

[acatangiu]

Needs substantial changes due to the vulnerability in #174 (comment)

You can make it very simple for now, just have simple EnsureRoot struct that allows only root and we use that. We can defer finding the right permissionless filter for later. The important part now is to have configurable filter type in the pallet that we can change later without having to change the pallet.