Network faucet with note-based authentication

[mmagician]

Currently, our default faucet contract is a local account with AuthRpoFalcon512Acl authentication (with distribute as the trigger procedure, and allowing anyone to call burn).

Going forward, we should deprecate this account (as it opens the door to DoS attack as described here), and instead have two types of faucets in use:

1. Local faucet with the standard AuthRpoFalcon512, with only the owner able to call distribute and burn (used for testnet faucet)
2. Network faucet with note-based authentication (used for all other faucets incl. the AggLayerFungibleFaucet

The first point is straightforward. The second needs some more work:

1. Instead of calling distribute directly from a transaction script, network accounts operate by consuming notes addressed to them. It's the note script should call distribute / burn (and for the latter, carry the specified asset).
2. The account's storage contains the AccountId of the owner. When a distribute note is consumed by the faucet, it first checks whether owner == note.sender. A burn note doesn't perform this check, allowing anyone to send BURN notes.

In terms of storage, the main difference with the current faucet is that we'd store owner's AccountId rather than their public key. One nice effect of this is that the faucet no longer cares whether the owner is a single account or a multisig.

Overall, this entails:

1. create_basic_fungible_faucet to switch back to AuthRpoFalcon512. Should be renamed to create_local_fungible_faucet (and in similar fashion, rename BasicFungibleFaucet -> LocalFungibleFaucet)
2. Create a standard DISTRIBUTE note
3. Create a standard BURN note
4. New create_network_fungible_faucet which builds a network account with a new NetworkFungibleFaucet component

+ we should rename distribute -> mint as it's a more standard term for token contracts.

Relevant discussion: 0xMiden/faucet#77

---

Open question (general)

• are authentication procedures useful for network accounts? If not, we should remove the requirement for network accounts to contain an auth procedure (more tricky because calling the auth procedure is hardcoded into the epilogue), or at least automatically insert a NoAuth procedure without explicitly requiring AccountBuilder::new(seed).with_auth_component(auth::NoAuth)

[bobbinth]

we should rename distribute -> mint as it's a more standard term for token contracts

Agreed - and the note name could be MINT as well.

are authentication procedures useful for network accounts? If not, we should remove the requirement for network accounts to contain an auth procedure (more tricky because calling the auth procedure is hardcoded into the epilogue), or at least automatically insert a NoAuth procedure without explicitly requiring AccountBuilder::new(seed).with_auth_component(auth::NoAuth)

I think they could be useful for some but not useful for others. So, I would keep the functionality of allowing users to define auth procedures for network accounts.

A more specific question for the network faucet is whether it is possible to check somehow that note.sender == owner as a part of the auth procedure. This would require tracking who called distribute procedure in the transaction kernel somehow - which would be a bigger change. This could be independently interesting though, and maybe something we should consider as a separate issue.

The main advantage here is that the MINT note could be fully generic (i.e., it doesn't care about the underlying authentication methodology).

[mmagician]

A more specific question for the network faucet is whether it is possible to check somehow that note.sender == owner as a part of the auth procedure

Exactly, that was the motivation for my question. To lay out the details fully, the way we'd do this currently is:

• encode the faucet owner's AccountId in a storage slot of the faucet's account
• the note's script calls exec.note::get_sender
• read the owner storage slot
• check if note.sender == owner

So as hinted at:

The main advantage here is that the MINT note could be fully generic

The current MINT note would explicitly encode the authentication mechanism.

---

Back to the original question:

A more specific question for the network faucet is whether it is possible to check somehow that note.sender == owner as a part of the auth procedure. This would require tracking who called distribute procedure in the transaction kernel somehow - which would be a bigger change

There are two separate parts:

1. check that note.sender == owner inside the auth procedure
2. track who called distribute in the kernel

I believe we only need the first one, plus minor changes to the miden::note library module:

1. expose miden::note::get_sender_by_idx
2. expose miden::note::get_script_root_by_idx

Excuse my MASM-lessness in the pseudocode:

const MINT_NOTE_ROOT = ... // can hardcode these
const BURN_NOTE_ROOT = ...

export.auth_network_faucet
    let owner = get_account_owner_from_storage()
    let num_input_notes = tx::get_num_input_notes()
    for i in num_input_notes:
        let script_root = note::get_script_root(i) // <---------- currently we can only get script root of the active note
        let note_caller = note::get_sender(i) // <---------- also currently not possible
        if script_root == MINT_NOTE_ROOT:
            assert(note_caller == owner)
        else if script_root == BURN_NOTE_ROOT:
            pass
        end
    end
end

With this approach, the authentication logic is purely in the auth procedure. The MINT note doesn't need to be aware of the authentication logic.

[PhilippGackstatter]

Overall I agree having the auth logic in the auth procedure is nicer as it makes the MINT note more generic. Just small comments:

• expose miden::note::get_sender_by_idx
• expose miden::note::get_script_root_by_idx

We can already do this using miden::input_note::{get_metadata, get_script_root} and extract the sender from the metadata (see how miden::note::get_sender does it, but it's probably worth adding a convenience procedure in miden lib for this).

Also nit: We'd probably want to panic if any other note script is used, something like:

if script_root == MINT_NOTE_ROOT:
    assert(note_caller == owner)
else if script_root == BURN_NOTE_ROOT:
    pass
else
    panic("unrecognized script root")
end

[partylikeits1983]

One thought: the burn note and mint note could technically be a single note with different branches. The note would read its inputs and then decide whether to call the mint or burn procedures in the network faucet. The main upside is reducing the number of note types, but for separation of concerns, especially for the AggLayer faucet, having two distinct notes is cleaner and easier to reason about.

[bobbinth]

One thought: the burn note and mint note could technically be a single note with different branches. The note would read its inputs and then decide whether to call the mint or burn procedures in the network faucet. The main upside is reducing the number of note types, but for separation of concerns, especially for the AggLayer faucet, having two distinct notes is cleaner and easier to reason about.

I would probably keep them separate exactly for the reasons you mention.

---

Overall, I think there is a trade-off we are facing here:

1. We can put authentication logic into account procedures (i.e., the mint procedure would verify that note.sender == owner). This makes account logic straight-forward, but does require the mint note to be aware of it.
2. We can put authentication logic into the auth procedure, but this makes the logic a bit less straight-forward, and could also limit functionality. For example, we wouldn't be able to introduce a new note which would call mint and maybe do something else. This is not too relevant in this case, but may be a bigger issue in a more general case.

In the context of a second point, I'm also thinking how something like ensuring that a given note did everything correctly can be enforced in the auth procedure. For example, let's say we have a network account that needs to collect fees from notes. These fees could depend on specifics of each note. Let's also say that we have a transaction that consumes $n$ notes. How can would we check in the auth procedure if each note paid the right amount of fees?

There are probably ways to do this, especially if notes don't accept non-deterministic inputs - but I wonder if we should make such note-based authentication simpler. One idea is to introduce another type of auth procedure for the account. This procedure would be similar to our current auth procedure in that it would be invoked automatically by the kernel. But instead of being invoked once in the epilogue, it would be invoked after each note execution. In a way, we could say that this procedure would be run in the "note epilogue".

Here is how this could look like:

In the above, I called the two auth procedures "note auth" and "account auth" - but probably different name would be needed.

Implementing this probably wouldn't be too difficult, but it would be a fairly significant change - so, we should evaluate all pros and cons, and do this only if we can't accomplish similar functionality with our current architecture.

[PhilippGackstatter]

The Pro I see is that it would be quite useful to have and would easily make it possible to make sure a note is well-behaved.

The Con I see is the complexity it introduces. Personally, I really like the simplicity of the current architecture, where users only have to learn and think about three bigger sections in the transaction execution flow: note scripts, tx scripts and auth procedure (in this order of execution). A note auth would introduce significantly more complexity, as it would be called after every note executes. That means there are many more "hooks" to think about, i.e. places where a user can hook into the transaction execution flow. For that reason, I would only change the architecture as a last resort, if no other solution is adequate.

As mentioned, I do see the usefulness of note auth, but I think we might be able to achieve this in other ways. For fees specifically it depends a bit on how the fee architecture ends up being, but assuming a note would directly call something like a pay_fee_tip procedure, we could store each note's fees in kernel memory and then make it introspectable by the auth procedure.
The auth procedure can then loop over 0..num_notes and inspect each note's paid fees.

Similarly, we can store the root of the account's asset vault after each note has executed in memory. That allows the auth procedure to inspect the state of the account vault after each note's execution. This should work because storing a root is very little data and all relevant merkle paths should still be in the merkle store.

Inspecting how a note affected storage might be a bit more tricky to make accessible, but maybe there is a way to do this via the delta.