docs: fix transferFrom() spending limits inconsistency (TMPO2-39) #93
Open
The Spending Limit Enforcement section implied transferFrom is indirectly controlled by spending limits and omitted startReward() from the tracked calls list. The implementation confirms transferFrom() does NOT deduct from spending limits — it is gated only by the ERC-20 allowance mechanism.

- Clarify that transferFrom() is NOT subject to spending limits
- Add startReward() to the list of tracked calls (matching concepts section)
- Remove misleading 'indirectly control transferFrom' language

Co-Authored-By: Daniel <daniel@tempo.xyz>
Closing — PR #87 already merged the equivalent docs fix.
Reopening — PR #87 removed transferFrom from the tracked list but introduced 'approvals indirectly control transferFrom spending' language, which is what the auditor flagged as contradictory. This PR removes that misleading wording and adds the missing startReward() to the tracked calls list.
Summary
Fixes contradictory documentation about whether transferFrom() is subject to Access Key spending limits (audit finding TMPO2-39).

Motivation
The Spending Limit Enforcement section in AccountKeychain.mdx said "approvals indirectly control transferFrom spending" — implying spending limits apply to transferFrom(). The Concepts section and the implementation both confirm transferFrom() does not deduct from spending limits.

Changes
- transferFrom() is NOT subject to spending limits (gated only by ERC-20 allowances)
- startReward() to the Spending Limit Enforcement tracked calls list (was already listed in the Concepts section and spec, but missing here)

Testing
Verified against implementation in crates/precompiles/src/tip20/mod.rs — _transfer_from() does not call check_and_update_spending_limit().

Thread: https://tempoxyz.slack.com/archives/C0A87C21805/p1770659716460929
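A simplified Rust model of the behaviour this PR documents, added here as an illustration and not taken from the Tempo code base: a tracked call goes through check_and_update_spending_limit(), while transfer_from() is gated only by the allowance. The Model type, the account names, the amounts and the "rewards" bucket are assumptions; only the function name check_and_update_spending_limit comes from the PR.

```rust
// Added illustration: a simplified model, NOT the code in crates/precompiles/src/tip20/mod.rs.
use std::collections::HashMap;
type Id = &'static str;
#[derive(Debug, PartialEq)]
enum Error { SpendingLimit, Allowance, Balance }
struct Model {
    balances: HashMap<Id, u64>,
    allowances: HashMap<(Id, Id), u64>, // keyed by (owner, spender)
    key_limit: u64, // remaining spending limit of the Access Key acting for "alice"
}

impl Model {
    // Constructed sample state: "bob" has approved "alice" for 500; the key may spend 100.
    fn sample() -> Self {
        Model { balances: HashMap::from([("alice", 1_000), ("bob", 1_000)]),
                allowances: HashMap::from([(("bob", "alice"), 500)]), key_limit: 100 }
    }
    fn balance(&self, who: Id) -> u64 { self.balances.get(who).copied().unwrap_or(0) }
    fn move_funds(&mut self, from: Id, to: Id, amount: u64) -> Result<(), Error> {
        let left = self.balance(from).checked_sub(amount).ok_or(Error::Balance)?;
        self.balances.insert(from, left);
        *self.balances.entry(to).or_insert(0) += amount;
        Ok(())
    }
    // Name taken from the PR's Testing note; the body is a stand-in.
    fn check_and_update_spending_limit(&mut self, amount: u64) -> Result<(), Error> {
        self.key_limit = self.key_limit.checked_sub(amount).ok_or(Error::SpendingLimit)?;
        Ok(())
    }
    // Tracked call. Funding a "rewards" bucket is an assumed simplification of startReward().
    fn start_reward(&mut self, from: Id, amount: u64) -> Result<(), Error> {
        if self.balance(from) < amount { return Err(Error::Balance); }
        self.check_and_update_spending_limit(amount)?;
        self.move_funds(from, "rewards", amount)
    }
    // Untracked call: the allowance is the only gate; key_limit is never read or written.
    fn transfer_from(&mut self, spender: Id, owner: Id, to: Id, amount: u64) -> Result<(), Error> {
        let left = self.allowances.get(&(owner, spender)).copied().unwrap_or(0)
            .checked_sub(amount).ok_or(Error::Allowance)?;
        self.move_funds(owner, to, amount)?; // fails before the allowance is written
        self.allowances.insert((owner, spender), left);
        Ok(())
    }
}

fn main() {
    let mut m = Model::sample();
    let (over, pulled) = (m.start_reward("alice", 150), m.transfer_from("alice", "bob", "carol", 400));
    println!("{:?} {:?} key_limit={}", over, pulled, m.key_limit);
}
```

In this model, what the key can move through transfer_from() is bounded by the allowance the account holds, not by the key's spending limit, so allowances need their own review.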