Flexible Minting Policies for Token Standards

[onurinanc]

This PR corresponds to the discussion for Miden Token Standards, overall, it implements flexible and modular minting policies: OpenZeppelin/miden-confidential-contracts#39

Design specification related to this document: OpenZeppelin/miden-confidential-contracts#39 (comment)

Please see additional design discussion here: OpenZeppelin/miden-confidential-contracts#39 (reply in thread)

#! Distributes freshly minted fungible assets to the provided recipient.
#!
#! Invocation: call
pub proc distribute
   exec.mint_policies::enforce_mint_policy # previously -> exec.ownable::verify_owner
   # => [amount, tag, aux, note_type, execution_hint, RECIPIENT, pad(7)]

   exec.faucets::distribute
   # => [note_idx, pad(15)]
end

[ ] Left to-do: I would like to rename this procedure as pub proc mint as we have discussed with @bobbinth but I would like to double-check is there any other thoughts on this?

[bobbinth]

Looks good! Thank you! Not a full review yet - but I left some comments inline. The main comment so far is about splitting the component into a "policy manager" component and separate policy components (probably just a single policy component for now).

[bobbinth]

We could use word::testz procedure here to avoid the dupw.

[bobbinth]

Same comment as above.

[bobbinth]

Would be good to add some comments explaining the purpose and expected formats of the storage slots. For example, it is not immediately clear what "allowed roots" means.

[onurinanc]

All done! Please review: @bobbinth

[PhilippGackstatter]

Looks good to me!

I left a few comments related to naming and structure, e.g. whether it should be MintPolicies or MintPolicyManager.

[PhilippGackstatter]

That's a very welcome change 🙂

Since this does both minting (like miden::protocol::faucet::mint), but also creating a note, maybe we should consider mint_to_note as the name to reflect the note creation side effect in the name.

[onurinanc]

@PhilippGackstatter I think the intent of mint_to_note is good but instead what about having mint_and_create_note which semantically sounds better?

[PhilippGackstatter]

That's a bit more explicit and also a good choice. Another one might be mint_and_send (saw it in OpenZeppelin/miden-confidential-contracts#79 (comment)) which is a bit more concise but less explicit (does not mention note).

[bobbinth]

I like mint_and_send - though, not a very strong preference.

And, in a future PR, we could also add a regular mint procedure which mints an asset and adds it to the account's vault.

[PhilippGackstatter]

The faucets::distribute should probably also be renamed to mint, right?

[PhilippGackstatter]

Nit: It might be sufficient to name this owner_only, since the module is called mint_policies already, so the module-qualified name would be mint_policies::owner_only which reads naturally.

[PhilippGackstatter]

Suggested change

	# Active policy root slot.
	# Layout: [proc_root_w0, proc_root_w1, proc_root_w2, proc_root_w3]
	const MINT_POLICY_PROC_ROOT_SLOT=word("miden::standards::mint_policies::proc_root")
	# Active policy root slot.
	# Layout: [PROC_ROOT]
	const MINT_POLICY_PROC_ROOT_SLOT=word("miden::standards::mint_policies::proc_root")

Nit: Avoid specifying the individual word elements.

[PhilippGackstatter]

Nit: We can avoid the dropw by simplifying to word::eqz not assert (or assertz directly).

[PhilippGackstatter]

Should this be called MintPolicyManager and the mint_policies_library be renamed to mint_policy_manager_library along with crates/miden-standards/asm/account_components/faucets/mint_policies.masm?

I'd also suggest renaming MintPolicyConfig -> MintPolicy so we can "instantiate a mint policy manager with a mint policy".

[PhilippGackstatter]

Nit: Consider introducing a constant or variable that represents the "allowed flag" (word [1,0,0,0]).

[PhilippGackstatter]

Suggested change

	let mut rng = RpoRandomCoin::new([Felt::from(rng_seed); 4].into());
	let note = NoteBuilder::new(sender_account_id, &mut rng)
	.note_type(NoteType::Private)
	.tag(NoteTag::default().into())
	.serial_number(Word::from([rng_seed, rng_seed + 1, rng_seed + 2, rng_seed + 3]))
	.code(note_script_code)
	.build()?;
	let mut rng = RpoRandomCoin::new([Felt::from(rng_seed); 4].into());
	let note = NoteBuilder::new(sender_account_id, &mut rng)
	.note_type(NoteType::Private)
	.code(note_script_code)
	.build()?;

Nit: The serial number is generated by the RNG internally and the note tag should already be set to its default by the builder.

The NoteBuilder can also compile a string itself so no need to use CodeBuilder above.

[PhilippGackstatter]

Suggested change

.add_note_script(note_script)

Nit: Haven't checked but this is likely unnecessary.

[PhilippGackstatter]

Is this test effectively testing additional things than the other tests that use a network fungible faucet with MintPolicyConfig::OwnerOnly? I think it doesn't and if so, I'd remove it.

[bobbinth]

Looks good! Thank you! Not a full review still, but I left some comments inline.

[bobbinth]

I think the motivation here is that we create a note right after calling this procedure, and so, duplicating all note inputs would be a bit wasteful. I don't really have a strong preference here.

But it does make me think that this procedure is specifically related to sending notes. So, maybe the name here should reflect this? Something like enforce_mint_and_send_policy?

[bobbinth]

I actually don't mind enforce_ prefix, but also don't have anything against the execute_ prefix.

[bobbinth]

Once we have the Ownable2Step component, we'd need to add it here too, right?

[bobbinth]

Looks great! Thank you! I think we are pretty close. I left some more comments inline. The main one is about potentially making MintPolicyManager into a stand-alone component. We could also decide to do it in a follow-up PR to merge this PR sooner.

[bobbinth]

Not for this PR, but we should probably think about allowing updates to policy allowlist (i.e., adding or removing policies). Should be pretty easy to do - we'd probably need something like add_allowed_policy and remove_allowed_policy procedures.

[onurinanc]

I believe this would be a parallel work to upgradable/updatable contracts. The main reason is that, even if we provide adding/removing allowed policies, if the account code is not upgradable, this won't make any sense since the corresponding code won't be the part of the account. This is the main reason why I didn't include updating the allowed policies in this PR. That means, when upgrading the account code, the user can also update the allowed policies. So, I think that there is no need for updating the allowed policies.

[bobbinth]

Agreed - but let's create an issue for this (or add to a list of follow-ups that we'd want to tackle in the future).

[bobbinth]

In other places, we started to encapsulate this into a separate method. For example, here it could be:

impl OwnerControlled {

    pub fn component_metadata() -> AccountComponentMetadata {
        let storage_schema = StorageSchema::new(vec![
            OwnerControlled::active_policy_proc_root_slot_schema(),
            OwnerControlled::allowed_policy_proc_roots_slot_schema(),
            OwnerControlled::policy_authority_slot_schema(),
        ])
        .expect("storage schema should be valid");

        AccountComponentMetadata::new(OwnerControlled::NAME, [AccountType::FungibleFaucet])
            .with_description(
                "Mint policy owner controlled component for network fungible faucets",
            )
            .with_storage_schema(storage_schema);
    }
}

And then here, this becomes just:

let metadata = OwnerControlled::component_metadata();

[PhilippGackstatter]

Looks good to me!

I'll approve since most of my comments apply to follow-ups.

[PhilippGackstatter]

Generally agreed that it seems better to have a base MintPolicyManager component that can be extended in plug & play fashion with additional mint policy components.

Not a strong opinion whether we should do it in this PR or later.

[PhilippGackstatter]

This procedure validates the mint policy, but get_mint_policy does not. Depending on the perspective, both are valid approaches:

• We can say that since set_mint_policy validates the procedure when setting, so the stored mint policy is valid.
• The only exception to the above is that the account deployer could set an invalid root, and so we could also say that we should always validate the mint policy on retrieval.

So far, I think we have usually used the first approach, though this was mostly for component-internal data. I'm not sure how much damage a malicious deployer could do by setting an invalid mint policy root, probably not much other than making their own account unusable, so I'd go with approach 1.

This makes me wish we could let every account component have some on-chain validation of its storage at account creation time so we could always go with the first approach and provide stronger guarantees.

[onurinanc]

I think this is a good point! I agree that we would have stronger guarantees with on-chain validation, but it also adds more complexity for account creation, and this also needs an execution order design and rules between the other account components. I'm not exactly sure which one is the right direction.

[PhilippGackstatter]

I think we should introduce an enum for the policy authority, because it's otherwise hard to understand which zero represents the actual config and what that zero represents. Something like:

#[repr(u8)]
pub enum MintPolicyAuthority {
    AuthControlled = 0,
    OwnerControlled = 1,
}

impl From<MintPolicyAuthority> for StorageSlot { ... }

impl AuthControlled {
    pub fn mint_policy_authority(&self) -> MintPolicyAuthority {
        MintPolicyAuthority::AuthControlled
    }
}

And then here we'd have:

let policy_authority_slot = StorageSlot::from(auth_controlled.mint_policy_authority);

[PhilippGackstatter]

These definitions are duplicated in crates/miden-standards/src/account/mint_policies/auth_controlled.rs, would be great to deduplicate, but also fine to do as part of the MintPolicyManager refactor.

The "miden::standards::mint_policy_manager::policy_authority" slot could be defined on the previously proposed MintPolicyAuthority enum.

[onurinanc]

All done! The corresponding issues for the follow-up PRs are opened! @bobbinth @PhilippGackstatter

[bobbinth]

Looks good! Thank you! I left just two small comments inline.

I think we should also create an issue with all the remaining follow-ups. These include:

• Extracting policy manager into its own component.
• Potentially collapsing basic and network faucets into a single component.
• Adding ability to update policy allowlist (though, this probably would be a separate issue which would be blocked on code upgrade functionality).
• Anything else?

[bobbinth]

I've started moving these static variables into relevant modules (e.g., see here). We can do this in a follow-up though.

[onurinanc]

I've left it in the follow-up as the static variables would change.

[bobbinth]

Would be great to add doc comments both to the enum itself as well as to the variants explaining their meaning and purpose.

[PhilippGackstatter]

Looks good to me!

[PhilippGackstatter]

Might be good to expose this as a pub fn, so

impl MintPolicyAuthority {
    pub fn slot() -> &'static StorageSlotName { ... }
}