Problem
A token contract can be created with base_supply greater than its own max_supply. There is no creation-time guard comparing the two — the create validator only rejects base_supply > i64::MAX.
The result is an inconsistent token that is unrecoverable:
- It is created with total supply equal to base_supply, already over the cap. base_supply is immutable on contract update, so the over-cap state cannot be corrected from that side.
- Every mint is then permanently rejected with TokenMintPastMaxSupplyError, since current supply already exceeds max_supply.
- Lowering max_supply to match is also blocked (TokenSettingMaxSupplyToLessThanCurrentSupplyError); the only escape is raising max_supply to >= current supply, assuming the max-supply change rules allow it.
Example: base_supply = 100_000, max_supply = Some(50_000) → contract is created with supply 100_000 and can never mint.
Where
packages/rs-drive-abci/src/execution/validation/state_transition/state_transitions/data_contract_create/basic_structure/v0/mod.rs — the per-token checks reject base_supply > i64::MAX but do not compare base_supply against max_supply.
Expected
Reject contract creation when base_supply > max_supply (where max_supply is set), with a graceful consensus error, alongside the existing base_supply > i64::MAX check.
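The following is an added illustration of the inconsistency and of the requested guard, not rs-drive-abci code: struct, function and variant names (including the new BaseSupplyPastMaxSupply error) are assumptions, and the mint and max-supply checks are simplified to the behaviour the issue describes.

```rust
// Added illustration of the issue, not rs-drive-abci code; names are assumptions.
#[derive(Debug, PartialEq)]
pub enum TokenError {
    BaseSupplyExceedsI64Max,   // the existing create-time rejection
    BaseSupplyPastMaxSupply,   // assumed name for the missing create-time error
    MintPastMaxSupply,         // stands in for TokenMintPastMaxSupplyError
    MaxSupplyBelowCurrent,     // stands in for TokenSettingMaxSupplyToLessThanCurrentSupplyError
}
pub struct TokenConfig { pub base_supply: u64, pub max_supply: Option<u64> }
pub struct TokenState { pub current_supply: u64, pub max_supply: Option<u64> }

/// Create-time validation. `guard = false` models the current validator (only the
/// i64::MAX check); `guard = true` adds the base_supply <= max_supply check the issue asks for.
pub fn validate_create(cfg: &TokenConfig, guard: bool) -> Result<TokenState, TokenError> {
    if cfg.base_supply > i64::MAX as u64 {
        return Err(TokenError::BaseSupplyExceedsI64Max);
    }
    if guard && cfg.max_supply.map_or(false, |max| cfg.base_supply > max) {
        return Err(TokenError::BaseSupplyPastMaxSupply);
    }
    Ok(TokenState { current_supply: cfg.base_supply, max_supply: cfg.max_supply })
}

/// Mint check: rejected whenever the new supply would exceed the cap, so a token
/// created over its cap rejects every mint, even of a single unit.
pub fn mint(state: &mut TokenState, amount: u64) -> Result<(), TokenError> {
    if state.max_supply.map_or(false, |max| state.current_supply.saturating_add(amount) > max) {
        return Err(TokenError::MintPastMaxSupply);
    }
    state.current_supply += amount;
    Ok(())
}

/// Max-supply update check: the cap cannot be set below current supply.
pub fn set_max_supply(state: &mut TokenState, new_max: Option<u64>) -> Result<(), TokenError> {
    if new_max.map_or(false, |max| max < state.current_supply) {
        return Err(TokenError::MaxSupplyBelowCurrent);
    }
    state.max_supply = new_max;
    Ok(())
}

fn main() {
    // The issue's example: base_supply 100_000 with max_supply Some(50_000).
    let cfg = TokenConfig { base_supply: 100_000, max_supply: Some(50_000) };
    let mut t = validate_create(&cfg, false).expect("current validator accepts it");
    println!("mint 1: {:?}", mint(&mut t, 1));                          // Err(MintPastMaxSupply)
    println!("cap to 99_999: {:?}", set_max_supply(&mut t, Some(99_999))); // Err(MaxSupplyBelowCurrent)
    println!("guarded create: {:?}", validate_create(&cfg, true).err());  // Some(BaseSupplyPastMaxSupply)
}
```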
Test
Documented by the #[ignore]d test test_data_contract_creation_with_base_supply_over_max_supply_should_cause_error added in #3849, which runs a real DataContractCreateTransition and asserts the intended rejection. It currently fails (creation succeeds with an over-cap supply); remove #[ignore] once the guard is added.
Related: #3848 (minting past i64::MAX on an uncapped token returns InternalError).