feat: lock token transfer and parameter module

[piux2]

Context for Locking Token Transfer

This feature allows us to lock token transfers, except for paying gas fees to add a package or call a contract.
The restriction will be unlocked through GovDAO voting on a proposal.

We also want a few whitelisted, unrestricted accounts to vote on the proposal since a separate fee is required to initiate and vote on proposals.

This implementation manages the lock and unlock settings in r/sys/params, where we change the chain’s parameters.
Calling lock or unlock will automatically submit a proposal to GovDAO. Once GovDAO votes and approves the proposal, the token
transfer restriction will be removed instantly.

All changes to parameters specified in r/sys/params must go through GovDAO voting.

Here are some implementation details

1. Set a flag in base account to indicate if the account is restricted for token transfer.
2. Add a restricted Denom list in the bank module
3. System contract to handle
4. Verify realm access from r/sys/params for change chain parameters.
5. Integration test to simulate the end to end unlock process
6. Load params from genesis and verify the values

Main Idea Behind the Alternative Approach To implement parameter module ( Discussion)

1. The parameter module is designed to store chain and Cosmos SDK modules' parameters. It is not an arbitrary key-value storage system for Gno contracts.
2. Parameters are abstracted within each module's genesis state.
3. Parameters can only be modified through:
   • The genesis state.
   • gno.land/r/sys/gov/dao
4. The parameter module is intended for managing parameters of other modules, not specifically for the GnoVM.
5. The parameter module and genesis state support structures, not just primitive types, as parameters.
6. The ParameterKey prefix is defined in the module's prefix key. This must be registered with the parameter module to prevent conflicts in the parameter store's keyspace.

Todo: update other params...

Contributors' checklist...

• Added new tests,
• Provided an example (e.g. screenshot) to aid review
• not needed
• No breaking changes were made,
• Added references to related issues and PRs
• Provided any useful hints for running manual tests

[codecov]

Codecov Report

Attention: Patch coverage is 70.44776% with 198 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
gnovm/stdlibs/sys/params/params.go	0.00%	30 Missing ⚠️
gnovm/stdlibs/std/params.go	50.84%	23 Missing and 6 partials ⚠️
tm2/pkg/sdk/bank/params.go	37.77%	25 Missing and 3 partials ⚠️
tm2/pkg/sdk/bank/keeper.go	71.62%	16 Missing and 5 partials ⚠️
tm2/pkg/sdk/bank/genesis.go	0.00%	15 Missing ⚠️
gno.land/pkg/gnoland/types.go	52.17%	9 Missing and 2 partials ⚠️
gno.land/pkg/sdk/vm/genesis.go	41.17%	7 Missing and 3 partials ⚠️
tm2/pkg/sdk/params/handler.go	71.87%	6 Missing and 3 partials ⚠️
tm2/pkg/sdk/params/keeper.go	86.15%	6 Missing and 3 partials ⚠️
tm2/pkg/std/errors.go	52.63%	9 Missing ⚠️
... and 7 more

📢 Thoughts on this report? Let us know!

[zivkovicmilos]

Thank you for pushing this out 🙏

I think the direction is good, but I'd love to discuss more about some implementation details. I'm mostly worried about us having a temporary implementation detail as a permanent state of a core object (check comments).

Pinging @moul to give a review as well.

Please check the CI 🙏

[Gno2D2]

🛠 PR Checks Summary

All Automated Checks passed. ✅

Manual Checks (for Reviewers):

• IGNORE the bot requirements for this PR (force green CI check)

Read More

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

🟢 Maintainers must be able to edit this pull request (more info)

☑️ Contributor Actions:

1. Fix any issues flagged by automated checks.
2. Follow the Contributor Checklist to ensure your PR is ready for review.
   • Add new tests, or document why they are unnecessary.
   • Provide clear examples/screenshots, if necessary.
   • Update documentation, if required.
   • Ensure no breaking changes, or include BREAKING CHANGE notes.
   • Link related issues/PRs, where applicable.

☑️ Reviewer Actions:

1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.

📚 Resources:

• Report a bug with the bot.
• View the bot’s configuration file.

Debug

Automated Checks

Maintainers must be able to edit this pull request (more info)

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 The pull request was created from a fork (head branch repo: piux2/gno)

Then

🟢 Requirement satisfied
└── 🟢 Maintainer can modify this pull request

Manual Checks

**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

• Any user with comment edit permission

[thehowl]

I was asked by Manfred to provide some feedback on the two different approaches. I don't have strong opinions one way or the other, here's what I consider:

• I think having the possibility for the on-chain code to specify params for things that don't exist yet will allow us to configure parameters via the GovDAO for features that are yet to be added with a chain upgrade, while with the struct-based approach the chain upgrade would need to also set the defaults for any new parameter.
• The struct-based approach makes it so that param-setting is more intentional; on this regard, one thing that I think we could do if we were to keep the "generic" approach is to enforce keys to only use lowercase ASCII symbols, so we avoid any potential "misleading" upgrades that take advantage of weird unicode symbols or ambiguous characters.
• The struct based approach, though, makes it easier to statically analyse and inspect all chain parameters, and how exactly they're used.

If I was forced to choose, the "generic" approach seems to me simple to understand and to build on top of, and like I would shoot myself less frequently in the foot. But I'm not heavily swinging either way.

[piux2]

@thehowl @moul The issue is not limited to key name and type validation. Allowing the creation and update of arbitrary chain parameters is unsafe and could lead to undetectable mistakes, potentially leaving the chain vulnerable to exploitation later.

It's like using a map when we should be using a struct to pass parameters to the critical sections of a program.

Here are some specifics:

1. Hard to Verify Proposals

In practice, proposals like this are difficult to verify in terms of their behavior and consequences because the behavior is implemented in the code itself.

gno/examples/gno.land/r/gov/dao/v2/prop4_filetest.gno

Line 11 in 3fd5571

mExec := params.NewStringPropExecutor("prop1.string", "value1")

2. Configuration-Implementation Mismatch

Configurations can easily become out of sync with the code implementation without being noticed. This makes it challenging to track how these settings are linked in the code and how they impact chain behavior. This issue is especially problematic when we need to support backward-compatible features.

3. Example

This constant does not match the genesis configuration, meaning changes in the genesis will never update the value of chainDomainParamPath as intended.

gno/gno.land/genesis/genesis_params.toml

Line 10 in 3fd5571

["gno.land/r/sys/params.vm"]

gno/gno.land/pkg/sdk/vm/params.go

Line 7 in 3fd5571

chainDomainParamPath = "gno.land/r/sys/params.chain_domain.string"

It could get worse. Imagine if this property were created by GovDao instead of the genesis. All these small mistakes would be extremely difficult to detect. The old key could remain in the chain even after creating a new key chainDomainParamPath = "gno.land/r/sys/params.vm.chain_domain.string" to correct it. Because old keys can persist unnoticed on the chain, they could lead to unexpected results if we accidentally use an outdated on-chain key in the code.

[zivkovicmilos]

@piux2 @moul

I'll try to sum up my primary concerns with this PR, and we just need to agree if we're okay with this at this point in the chain's lifecycle:
I honestly believe this PR introduces more coupling, and tech debt that will need to be paid at some point (with interest). I've tried to note in the comments on my first review pass the critical areas. This is the first thing we all need to swallow, before we even start discussing the implementation details.

Things that keep me worried about the implementation:

• Unrestricted in BaseAccount, whose place there has far-reaching implications, long after we enable token transfers (this generally concerns use-case specific code we're introducing now, to live on forever in core types)
• amino.Marshal for custom params structs -- at this point I don't have a better proposal, but something is holding me back from saying "okay" to this. Launching a v2 of a struct is going to be a nightmare to maintain, and track. It's also going to require a lot of handler code, to ensure backwards compatibility between protocol upgrades
• We introduced InitGenesis and SetParams for keepers, but these are not called in a standard way by the app bootstrap process -- they're custom calls. On the surface they enforce structure, but nothing is stopping us from changing the signature of SetParams for the banker module for example, while keeping the rest unchanged (no interface call is enforced).

What I like about the PR:

• It moves the responsibility of "params" from a single central keeper, to individual modules, that define what they need and what "params" look like. I think this is the scalable way to go, and easier to understand in code

In terms of which approach to go with, maybe we can opt for a fusion of the two ideas?

• keep "params" as individual fields, as opposed to structs
• keep the ownership / management of "params" on the modules (a version introduced in this PR)

I'm more inclined to opt for the field approach Manfred initially advocated for, because it seems more durable and future-proof. We already support most field types, so I can't foresee an issue when we need to change values or update structs (completely revamp what "params" are). We also don't encounter the amino.Marshal moment, which opens up a pandora box of its own, that I'd prefer to keep closed and sealed shut 🙂

[piux2]

@zivkovicmilos

This PR supports both individual field parameters and struct types.

The most important gap we aim to resolve between this PR and the existing params implementation is the following:

a) The current implementation treats the Param module as a native store, allowing arbitrary chain parameter key-value pairs to be added from both genesis and GovDao.

b) This PR predefines chain parameters in the code, allowing only their values to be modified from genesis and GovDao.

[zivkovicmilos]

Went through the PR again from scratch because of the changes, and it took me a minute 🙏

I think the PR applies most of the changes we've left in the comments. Apart from what @moul is discussing on the format, I think it looks alright, given what we want to accomplish now ahead of the launch.

Unblocking the PR 🙏

[jaekwon]

MathString? realm isn't used so more efficient.

[jaekwon]

I think we should replace with gno.IsRealm. It's got a bit more logic.

[jaekwon]

it should be fmt.Sprintf("%s:%s.%s", pk.Module, pk.Realm, pk.Key).
"vm:" should not be hard coded here so different modules can have "realms" too.

type ParamKey struct {
Module string // NOTE comes first
Realm string
Key string
Type string
}

[piux2]

If 'auth:gno.land/r/sys/params.tx_size_cost_per_byte.string' is considered a valid key, how can we validate a user's intention to modify either a predefined module parameter (such as 'auth:max_memo_bytes' or 'auth:tx_size_cost_per_byte') or 'gno.land/r/sys/params.tx_size_cost_per_byte.string', which is not valid in the auth module?

gno/tm2/pkg/sdk/auth/params.go

Line 26 in 955e1ca

type Params struct {

Does it also conflict with an earlier defined rule that everything modified from the contract must start with "vm:" ?

[jaekwon]

!accr.IsUnrestricted() and accr.IsRestricted() are NOT the same thing.

Please replace this with !accr.IsUnrestricted() and remove all references of code of "IsRestricted()", because that should really be a separate flag, perhaps with a different name to avoid confusion.

Example: Normally you might have Alice, Bob, Carl, David, and say only Alice is Unrestricted.

With the transfer lock, only Alice can send, Bob, Carl, David cannot. After the transfer lock is released, everyone can send. Bob, Carl, and David are not restricted, and never were individually, and yet accr.IsRestricted() would still return true. Semantically wrong.

And if David were a bad actor, his account might be "Frozen". So accr.IsFrozen() might be true, but it's not the same flag (nor the inversion of) IsUnrestricted.

[piux2]

agree, done.

[jaekwon]

It is weird to make setting a parameter be stateful like this.

We don't need "AddRestrictedDenoms" and "DelAllRestrictedDenoms", there is one parameter named "RestrictedDenoms", and there only need be one function named "bank.SetRestrictedDenoms(ctx, string)".

Then if value != "" { should also disappear.

[piux2]

This is because the RestrictedDenom string allows multiple values. However, when we vote to add a RestrictedDenom from the contract, people do not necessarily know or need to know what has been added previously. That is why I used 'Add' instead of directly calling SetRestrictedDenoms to set entire restricted demons list from the GNO contract.

[jaekwon]

Replace AddRestrictedDenoms/DelRestrictedDenoms/DelAllRestrictedDenoms with simply. "SetRestrictedDenoms".

https://github.com/gnolang/gno/pull/3176/files#r1962837296

[jaekwon]

Rather than storing the whole thing under "key" as a single object {...},
every field in param should be broken up, and stored either as "module:_.key" or "module.key".
This requires reflection, like reflect.ValueOf(param).Field(i).Tag and .Name, and whatever logic amino uses to derive the json key name.