feat(token): add mint authority model to token program#213
Merged
Conversation
0d490f4 to
cb596b4
Compare
cb596b4 to
faa8371
Compare
gravityblast
approved these changes
Jul 2, 2026
Add an optional mint authority to fungible tokens for controlled supply:
create with a designated minter, mint additional supply, rotate the
authority to a new key, or permanently revoke it to fix the supply.
The authority is stored inline on `TokenDefinition::Fungible` as
`authority: Option<AccountId>` (`Some(id)` = mintable by `id`, `None` =
fixed supply). Keeping it a plain `Option<AccountId>` rather than a custom
wrapper type leaves account state decodable by `spel inspect`; the
require/rotate/revoke guard logic lives inline in the handlers.
LEZ rejects a transaction that lists the same account id twice, so one
instruction cannot statically express both "the definition account is the
authority and signs" (self/PDA authority) and "a distinct rotated account
signs" (external authority) — they need opposite signer markers. Each
privileged operation is therefore split into a self and an external
variant:
- `Mint` / `SetAuthority` — the definition account is the signer.
- `MintWithAuthority` / `SetAuthorityWithAuthority` — a distinct authority
account is the signer; the definition account does not sign.
Creation via `NewFungibleDefinition { mint_authority, .. }`; an all-zero
authority id is rejected. The AMM's LP token uses self/PDA authority — its
stored authority is the LP definition PDA, minted only by the pool via
chained calls.
Covered by token unit tests and zkVM integration tests: creation with and
without an authority, self- and external-authority mint, rotation, and
external rotate/revoke. IDLs regenerated.
faa8371 to
40ea847
Compare
Collaborator
Author
|
This PR supersedes #125 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add an optional mint authority to fungible tokens for controlled supply: create with a designated minter, mint additional supply, rotate the authority to a new key, or permanently revoke it to fix the supply.
The authority is stored inline on
TokenDefinition::Fungibleasauthority: Option<AccountId>(Some(id)= mintable byid,None= fixed supply). Keeping it a plainOption<AccountId>rather than a custom wrapper type leaves account state decodable byspel inspect; the require/rotate/revoke guard logic lives inline in the handlers.LEZ rejects a transaction that lists the same account id twice, so one instruction cannot statically express both "the definition account is the authority and signs" (self/PDA authority) and "a distinct rotated account signs" (external authority) — they need opposite signer markers. Each privileged operation is therefore split into a self and an external variant:
Mint/SetAuthority— the definition account is the signer.MintWithAuthority/SetAuthorityWithAuthority— a distinct authority account is the signer; the definition account does not sign.Creation via
NewFungibleDefinition { mint_authority, .. }; an all-zero authority id is rejected. The AMM's LP token uses self/PDA authority — its stored authority is the LP definition PDA, minted only by the pool via chained calls.Covered by token unit tests and zkVM integration tests: creation with and without an authority, self- and external-authority mint, rotation, and external rotate/revoke. IDLs regenerated.