Conversation
Co-authored-by: Daniel Robinson <1187252+danrobinson@users.noreply.github.com> Amp-Thread-ID: https://ampcode.com/threads/T-019d4ace-79d9-72f9-82eb-9e5ca32fe32d
decofe
requested review from
0xKitsune,
dankrad,
danrobinson,
howydev and
legion2002
as code owners
Rewrite motivation to focus on block building cost, clarify that FeeAMM whitelisting is still required for mint. Remove inaccurate paragraph about public AMM surface. Co-authored-by: Daniel Robinson <1187252+danrobinson@users.noreply.github.com> Amp-Thread-ID: https://ampcode.com/threads/T-019d4ace-79d9-72f9-82eb-9e5ca32fe32d
decofe
left a comment
decofe
left a comment
There was a problem hiding this comment.
TIP-1042 Review
protocolVersion → T5
Frontmatter is missing protocolVersion. Should be T5.
Security / Correctness Issues
-
Exemption scope must be call-site-scoped, not address-wide. The spec correctly describes exempting FeeManager in the fee-collection path only and preserving checks on public AMM ops. But the implementation must be careful: if the exemption is implemented as "skip TIP-403 when
msg.sender == FeeManagerorto == FeeManager," it could accidentally exempt public-facing functions. The exemption should be gated on the specific internal code path (e.g., a flag or call context), not just address equality. -
mintauthorization check — single-sided mint clarification. Themintfunction acceptsuserTokenandvalidatorTokenbut only transfersvalidatorToken. The new check treats mint as if the caller were transferringuserTokento the pool. This is a good design, but:- If there are multiple
mintoverloads or paths (single-sided, dual-sided), specify which ones get the new check. - The check uses
isAuthorizedSender(userTokenPolicyId, msg.sender)— this checks whether the caller can senduserToken. But the caller isn't actually sendinguserToken. Make sure the semantic intent ("caller is opting into userToken ecosystem") is clear.
- If there are multiple
-
Stranded fees edge case is well-documented — validators setting their fee token to a non-whitelisted token will have uncollectable fees. Wallet/validator tooling should surface this. Good that it's called out.
-
Interaction with TIP-1033 (two-hop routing). If two-hop routing goes through an intermediate token, does the fee-collection exemption apply to both hops? The spec should confirm that the FeeManager TIP-403 exemption covers the intermediate transfer as well, since both hops occur within the fee-collection path.
Suggested changes
Add to frontmatter:
protocolVersion: T52 participants
Reopen of #3227 with new TIP number. Exempts the FeeAMM address from TIP-403 checks during fee collection while preserving full enforcement on public AMM operations (mint, burn, rebalanceSwap, distributeFees). Also adds a new authorization gate on
mintrequiring the caller to be authorized on theuserToken.Co-Authored-By: Daniel Robinson 1187252+danrobinson@users.noreply.github.com
Prompted by: dan