feat: lock token transfer and parameter module

[piux2]

Context for Locking Token Transfer

This feature allows us to lock token transfers, except for paying gas fees to add a package or call a contract.
The restriction will be unlocked through GovDAO voting on a proposal.

We also want a few whitelisted, unrestricted accounts to vote on the proposal since a separate fee is required to initiate and vote on proposals.

This implementation manages the lock and unlock settings in r/sys/params, where we change the chain’s parameters.
Calling lock or unlock will automatically submit a proposal to GovDAO. Once GovDAO votes and approves the proposal, the token
transfer restriction will be removed instantly.

All changes to parameters specified in r/sys/params must go through GovDAO voting.

Here are some implementation details

1. Set a flag in base account to indicate if the account is restricted for token transfer.
2. Add a restricted Denom list in the bank module
3. System contract to handle
4. Verify realm access from r/sys/params for change chain parameters.
5. Integration test to simulate the end to end unlock process
6. Load params from genesis and verify the values

Main Idea Behind the Alternative Approach To implement parameter module ( Discussion)

1. The parameter module is designed to store chain and Cosmos SDK modules' parameters. It is not an arbitrary key-value storage system for Gno contracts.
2. Parameters are abstracted within each module's genesis state.
3. Parameters can only be modified through:
   • The genesis state.
   • gno.land/r/sys/gov/dao
4. The parameter module is intended for managing parameters of other modules, not specifically for the GnoVM.
5. The parameter module and genesis state support structures, not just primitive types, as parameters.
6. The ParameterKey prefix is defined in the module's prefix key. This must be registered with the parameter module to prevent conflicts in the parameter store's keyspace.

Todo: update other params...

Contributors' checklist...

• Added new tests,
• Provided an example (e.g. screenshot) to aid review
• not needed
• No breaking changes were made,
• Added references to related issues and PRs
• Provided any useful hints for running manual tests

[codecov]

Codecov Report

Attention: Patch coverage is 63.81910% with 144 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
gno.land/pkg/sdk/vm/params.go	40.00%	21 Missing and 3 partials ⚠️
tm2/pkg/sdk/bank/genesis.go	0.00%	24 Missing ⚠️
tm2/pkg/sdk/bank/keeper.go	71.01%	15 Missing and 5 partials ⚠️
tm2/pkg/sdk/bank/params.go	61.53%	11 Missing and 4 partials ⚠️
tm2/pkg/sdk/params/keeper.go	62.50%	10 Missing and 5 partials ⚠️
tm2/pkg/sdk/auth/genesis.go	0.00%	11 Missing ⚠️
tm2/pkg/std/errors.go	52.63%	9 Missing ⚠️
gno.land/pkg/sdk/vm/genesis.go	55.55%	6 Missing and 2 partials ⚠️
tm2/pkg/sdk/auth/params.go	77.77%	0 Missing and 4 partials ⚠️
tm2/pkg/std/coin.go	71.42%	2 Missing and 2 partials ⚠️
... and 5 more

📢 Thoughts on this report? Let us know!

[zivkovicmilos]

Thank you for pushing this out 🙏

I think the direction is good, but I'd love to discuss more about some implementation details. I'm mostly worried about us having a temporary implementation detail as a permanent state of a core object (check comments).

Pinging @moul to give a review as well.

Please check the CI 🙏

[zivkovicmilos]

Do you think we should standardize errors like these, to avoid having to import simpledao?
It would mean that the dao package would need to know about specific implementation details like errors, so I'm not sure if this is the way to go

cc @moul

[piux2]

Currently, GovDAO is a wrapper around the SimpleDAO. All voting and proposal functionality are implemented in SimpleDAO. I'm not sure if using the proposal errors defined in SimpleDAO will cause any issues down the line unless we decide to flatten the GovDAO implementation and stop wrapping the SimpleDAO package entirely.

On the other hand, whether GovDAO should be implemented as a SimpleDAO wrapper or not can be a separate topic.

[zivkovicmilos]

Which accounts are going to be unrestricted in the initial version of the chain?

[piux2]

For now, all GovDAO accounts that need to vote must be unrestricted from token transfer locking, as voting on a proposal requires sending fees to the contract.

[zivkovicmilos]

Leftover?

[piux2]

This is commented out since it conflicts with the alternative approach for the Params module in this PR. I believe we should avoid setting arbitrary parameter values in the genesis file without going through module validation.

We need to discuss it and agree on the approach.

[zivkovicmilos]

There is tight coupling here. The account keeper must have a previously initialized account in order for us to modify it in another func

Can't we keep the store of unrestricted accounts somewhere, instead of keeping the Unrestricted information on the account itself?

My biggest concern is that we're coupling temporary logic (account balance transfer locks) into a structure that will be encoded and saved permanently to disk. Every time we use the account, even in 10 years, we will have to keep track of its "restricted state".

This is why I'm suggesting we go with an approach that isn't so coupled

[piux2]

There are two reasons for implementing it this way:

1. There was a previous requirement to track and unlock token transfers on an individual account basis, not just for whitelisted accounts. That is the reason the restricted state is on the account level. We can revisit the requirement, otherwise, we will need to track the restricted state for a long time.

2. The whitelisted unrestricted accounts need to be validated to ensure they exist when we load the genesis state.

[zivkovicmilos]

Why panic?

[zivkovicmilos]

Just a note we don't initialize this new field in DefaultParams

[piux2]

By default, there are no unrestricted accounts since token transfer locking is off. Unrestricted accounts should be added to the genesis file when token locking is set to true. These accounts can be added manually or through a separate genesis command later in the production deployment.

[Gno2D2]

🛠 PR Checks Summary

All Automated Checks passed. ✅

Manual Checks (for Reviewers):

• IGNORE the bot requirements for this PR (force green CI check)

Read More

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

🟢 Maintainers must be able to edit this pull request (more info)

☑️ Contributor Actions:

1. Fix any issues flagged by automated checks.
2. Follow the Contributor Checklist to ensure your PR is ready for review.
   • Add new tests, or document why they are unnecessary.
   • Provide clear examples/screenshots, if necessary.
   • Update documentation, if required.
   • Ensure no breaking changes, or include BREAKING CHANGE notes.
   • Link related issues/PRs, where applicable.

☑️ Reviewer Actions:

1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.

📚 Resources:

• Report a bug with the bot.
• View the bot’s configuration file.

Debug

Automated Checks

Maintainers must be able to edit this pull request (more info)

If

🟢 Condition met
└── 🟢 The pull request was created from a fork (head branch repo: piux2/gno)

Then

🟢 Requirement satisfied
└── 🟢 Maintainer can modify this pull request

Manual Checks

**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

• Any user with comment edit permission

[thehowl]

I was asked by Manfred to provide some feedback on the two different approaches. I don't have strong opinions one way or the other, here's what I consider:

• I think having the possibility for the on-chain code to specify params for things that don't exist yet will allow us to configure parameters via the GovDAO for features that are yet to be added with a chain upgrade, while with the struct-based approach the chain upgrade would need to also set the defaults for any new parameter.
• The struct-based approach makes it so that param-setting is more intentional; on this regard, one thing that I think we could do if we were to keep the "generic" approach is to enforce keys to only use lowercase ASCII symbols, so we avoid any potential "misleading" upgrades that take advantage of weird unicode symbols or ambiguous characters.
• The struct based approach, though, makes it easier to statically analyse and inspect all chain parameters, and how exactly they're used.

If I was forced to choose, the "generic" approach seems to me simple to understand and to build on top of, and like I would shoot myself less frequently in the foot. But I'm not heavily swinging either way.

[piux2]

@thehowl @moul The issue is not limited to key name and type validation. Allowing the creation and update of arbitrary chain parameters is unsafe and could lead to undetectable mistakes, potentially leaving the chain vulnerable to exploitation later.

It's like using a map when we should be using a struct to pass parameters to the critical sections of a program.

Here are some specifics:

1. Hard to Verify Proposals

In practice, proposals like this are difficult to verify in terms of their behavior and consequences because the behavior is implemented in the code itself.

gno/examples/gno.land/r/gov/dao/v2/prop4_filetest.gno

Line 11 in 3fd5571

mExec := params.NewStringPropExecutor("prop1.string", "value1")

2. Configuration-Implementation Mismatch

Configurations can easily become out of sync with the code implementation without being noticed. This makes it challenging to track how these settings are linked in the code and how they impact chain behavior. This issue is especially problematic when we need to support backward-compatible features.

3. Example

This constant does not match the genesis configuration, meaning changes in the genesis will never update the value of chainDomainParamPath as intended.

gno/gno.land/genesis/genesis_params.toml

Line 10 in 3fd5571

["gno.land/r/sys/params.vm"]

gno/gno.land/pkg/sdk/vm/params.go

Line 7 in 3fd5571

chainDomainParamPath = "gno.land/r/sys/params.chain_domain.string"

It could get worse. Imagine if this property were created by GovDao instead of the genesis. All these small mistakes would be extremely difficult to detect. The old key could remain in the chain even after creating a new key chainDomainParamPath = "gno.land/r/sys/params.vm.chain_domain.string" to correct it. Because old keys can persist unnoticed on the chain, they could lead to unexpected results if we accidentally use an outdated on-chain key in the code.