Expand asset layout from one to two words

[PhilippGackstatter]

Based on the discussion in #1068 and the call from yesterday, we need to refactor our current asset model to enable two things:

• Faucets should be able to hook logic into asset transfers, e.g. faucet is called when an asset is added to an account vault (on_asset_added_to_account) or added to a note (on_asset_added_to_note), and maybe others. For example, this enables faucets to implement block lists, which is required for compliant, private stablecoins. This will be discussed in a separate issue.
• Prepare for allowing custom asset layouts.

Prepare means that we won't need to implement this full flexibility right away, but set everything in place so we can easily enable that flexibility later in a non-breaking way. Despite this, the second step is still the much larger piece of work.

Built-In Assets

If we don't enable full flexibility right away, we need an intermediary solution with which assets can be built. In essence, this will continue to be the existing Asset. At the asset layout level, this should be a specialized version of what later becomes the generalized definition of assets. This generalized definition will require assets to be represented as an ASSET_VAULT_KEY and an ASSET_VALUE. The core need for this split into key and value is to allow users up to 4 field elements of custom data, and more importantly allow asset definitions where ASSET_VALUE is the hash of the asset, e.g. the root of a merkle tree or a sequential hash.

The specialized version of fungible assets is then today's FungibleAsset expanded from one to two words:

• ASSET_VAULT_KEY = [0, 0, faucet_id_suffix, faucet_id_prefix].
• ASSET_VALUE = [amount, 0, 0, 0].

Side Note: This would subsequently also allow us to consider representing larger amounts than the current FungibleAsset::MAX_AMOUNT by using more of the available space (see also #1951).

NonFungibleAsset expanded from one to two words would be:

• ASSET_VAULT_KEY = [hash0, hash1, faucet_id_suffix, faucet_id_prefix].
  • The reason for including the hash into the vault key is to ensure vault key uniqueness.
• ASSET_VALUE = [hash0, hash1, hash2, hash3].

In Rust code terms, after the expansion, this would be:

pub struct Asset {
    key: AssetVaultKey,
    value: AssetValue,
}

pub enum AssetValue {
    Fungible(FungibleAsset),
    NonFungible(NonFungibleAsset),
}

Asset Model

We had two versions of approach 3: The SMT/double-tree approach and the flat approach.

With the expansion into two words, both flat and SMT approach are suitable. As discussed in the call, the flat approach seems to be sufficient, even though the SMT approach has the upper hand on the level of flexibility, due to managing an entire SMT. In my mind, the main advantage of the flat approach is that seems powerful enough and is easier to implement due to not requiring an SMT data structure in an Asset, and does not require merkle paths of length 64 and 128 for asset witnesses. I can't find many other major differences when comparing other properties between both approaches. Both should be able to allow representing complex assets, e.g. assets that need more than 4 felts.

The above fungible asset definition's vault key would be a specialized version of the generalized vault key, e.g. ASSET_VAULT_KEY = [asset_id_suffix = 0, asset_id_prefix = 0, faucet_id_suffix, faucet_id_prefix]. For non-fungible assets, the asset ID would be randomized by inclusion of the hash and prevent merging/splitting them.

Once we enable the generalized asset model, we'd overall have the following asset definitions:

• A "built-in" fungible asset and non-fungible asset as defined above - practically equivalent to what we have now.
• A custom asset for later use.

Or, in Rust terms:

pub struct Asset {
    key: AssetVaultKey,
    value: AssetValue,
}

pub enum AssetValue {
    Fungible(FungibleAsset),
    NonFungible(NonFungibleAsset),
    Custom(CustomAsset),
}

Open Questions

Non-Fungible Assets

I'm questioning whether the definition of non-fungible assets we have "built-in" the protocol would still be useful, once users have the ability to define their own asset layouts. So: Should we keep a "built-in" or "specialized" version of non-fungible assets in the protocol? This is mainly in the interest of reducing overall complexity.

Workload

One of the reasons for doing this incremental approach and "preparation" is to reduce the work load we have to do now. However, we need to prepare things in a non-breaking way for custom assets to avoid breaking changes. I haven't looked deep enough into the overall amount of work, but do wonder whether preparing things for custom assets doesn't mean implementing most of it already, in which case, going the implementation all the way may be fine. I think this may become a bit clearer when working on the one to two word expansion.

One advantage of the built-in asset is that we can use it for the purpose of fees, and even with custom assets, we'd need a solution for this anyway. The custom approach will likely have some benefits that the built-in way will not have, but maybe those benefits won't be needed, so maybe it is fine to have.

Next Steps

The immediate next step is to expand Assets from one to two words, as described above, as it is a major breaking change. Separately, I'll open an issue to discuss the design for hooks/callbacks for faucets which are much less breaking so can come a bit later.

cc @onurinanc @MCarlomagno

[bobbinth]

This looks great! Thank you for writing it up. I largely agree with the above. A few comments:

One of the reasons for doing this incremental approach and "preparation" is to reduce the work load we have to do now. However, we need to prepare things in a non-breaking way for custom assets to avoid breaking changes. I haven't looked deep enough into the overall amount of work, but do wonder whether preparing things for custom assets doesn't mean implementing most of it already, in which case, going the implementation all the way may be fine. I think this may become a bit clearer when working on the one to two word expansion.

One advantage of the built-in asset is that we can use it for the purpose of fees, and even with custom assets, we'd need a solution for this anyway. The custom approach will likely have some benefits that the built-in way will not have, but maybe those benefits won't be needed, so maybe it is fine to have.

I think of this slightly differently. The main benefit of this approach is that we are introducing extensible "categories" of assets, and the fungible built-in asset is just one such category. This gives us flexibility to update how assets work in the future without causing major breaking changes. The categories will primarily deffer in two dimensions:

• Is this category a "built-in" asset - i.e., does the protocol know how to merge/split the asset.
• The callback interface defined for this category.

With this framework in mind, we can think of built-in fungible assets as the first category:

• We know the layout of the assets and so know how to merge/split them in the kernel.
• We know we don't need callbacks for moving this asset around.

Another category could be fungible assets that we know how to merge/split, but which also require a callback on when an asset is added to the vault.

Yet another category could be an asset which requires callbacks for merging/splitting, and the callback interface here would be different from the previous one.

Again, the flexibility here comes from the fact that we can introduce new categories of assets that have callback interfaces we didn't think of before. For example, maybe we need to add a callback when an asset is added to a note, or maybe we need to change what parameters we pass to a given callback etc. The number of categories will probably be pretty small (e.g., I don't imagine we'd need more than half a dozen, even in a medium term), but it does let us start with something pretty simple, and expand from there.

I'm questioning whether the definition of non-fungible assets we have "built-in" the protocol would still be useful, once users have the ability to define their own asset layouts. So: Should we keep a "built-in" or "specialized" version of non-fungible assets in the protocol? This is mainly in the interest of reducing overall complexity.

That's a good question. I think more broadly the question is what is the initial set of asset categories we want to have. I think we can be fairly certain that "fungible assets w/o callbacks" is the first category, but beyond that, I'm not sure yet - and I think some of this will become clear once we start thinking through callback interfaces. To list out some options of what we could have:

1. Non-fungible assets w/o callbacks.
2. Fungible assets with simple predicate-like callbacks - e.g., on_asset_added_to_vault and on_asset_added_to_note.
3. Non-fungible assets with similar predicate-like callbacks.
4. Custom assets which has the logic for merging/splitting assets on adding/removing from vault.
5. Maybe something else?

And we may decide that we only want categories 2 and 4 out of this list, and can add more categories later on.

[PhilippGackstatter]

I'll comment on @bobbinth's post later, but wanted to mention something else. The current definition of asset vault keys we have are:

fungible:     [0, 0, faucet_id_suffix, faucet_id_prefix]
non-fungible: [faucet_id_prefix, hash1, hash2, hash0']

The reason we put hash0 at index 3 for non-fungible assets is so that two assets issued by the same faucet end up in a different SMT leaf. That's because SMT leaves are identified by the third element in a Word, and we generally want only a few values to end up in the same leaf and the max capacity is 1024 in any case.

Now, consider two non-fungible assets issued by the same faucet with the previously suggested definition of a generalized asset vault key:

asset0_key: [asset_id_suffix = 10, asset_id_prefix = 11, faucet_id_suffix = A, faucet_id_prefix = B]
asset1_key: [asset_id_suffix = 20, asset_id_prefix = 21, faucet_id_suffix = A, faucet_id_prefix = B]

This means, even though their asset IDs are different, they would end up in the same SMT leaf due to their third element being identical.

On the other hand, we have mergable assets, like fungible assets, that are supposed to have the same vault key, and so their asset ID limbs can be set to 0, i.e.:

asset2_key: [asset_id_suffix = 0, asset_id_prefix = 0, faucet_id_suffix = C, faucet_id_prefix = D]
asset3_key: [asset_id_suffix = 0, asset_id_prefix = 0, faucet_id_suffix = C, faucet_id_prefix = D]

But, at the same time, different faucets need to have different vault keys, so we cannot swap the asset_id_prefix to the third element to solve the SMT leaf collision, since this would put all fungible assets in the same leaf.

One simple solution to this is to combine asset ID and faucet ID to get the actual vault key's third element. The straightforward way to do this is to hash the vault key. That way, we'd get different vault keys (and in particular, the element that identifies the SMT leaf) for assets that share the same faucet ID but have different asset IDs, while retaining identical vault keys for assets that share both faucet ID and asset ID, e.g.:

hash(asset0_key) = E
hash(asset1_key) = F
hash(asset2_key) = hash(asset3_key) = G

[bobbinth]

This means, even though their asset IDs are different, they would end up in the same SMT leaf due to their third element being identical.

Ah yes - good point!

One simple solution to this is to combine asset ID and faucet ID to get the actual vault key's third element. The straightforward way to do this is to hash the vault key.

Yes, I think this will work. It'll basically be very similar to what we do with storage map keys where we have "raw keys" and "hashed keys".

Somewhat relatedly, I realized that with the new approach, we actually get lower collision-resistance for non-fungible assets as compared to what we had before. Specifically, previously, 3 elements of the asset value hash went into the key, but now this is reduced to only 2 elements.

I don't think that is a big issue - but definitely something to be aware off as the faucets would need to ensure somehow that they don't issue two assets that collide unintentionally.

[PhilippGackstatter]

Since it's all very dependent, I'll post a full proposal for both what callbacks and what the asset structure could look like that should be able to represent most of what @bobbinth mentioned.

Terminology

Built-In Asset

For the following, I'll assume the existence of a built-in fungible asset type. It is equivalent to the current FungibleAsset. What makes this asset built-in is that the tx kernel does not need to fetch the merge and split procedures from the issuing faucet. Instead, these procedures are built-in (and for the purpose here are equivalent to what is currently FungibleAsset::{add, sub}).

The same could theoretically be done for NonFungibleAsset, but whether that's needed is up for discussion. To keep the examples simpler, it is omitted.

Asset Type

In the current approach to assets, each faucet issues a unique type of asset. For instance, two fungible assets USDC and AUSD are of different types.

Callbacks

Starting with callbacks, since they're a bit more independent from the asset structure itself.

In my mind, a simple approach to callbacks would be to assign indices to concrete callbacks, for instance:

• 0 -> procedure for merging assets of the same type, i.e. merge.
• 1 -> procedure for splitting assets of the same type, i.e. split.
• 2 -> procedure called when an asset is added to an account's vault, i.e. on_asset_added_to_account.
• 3 -> procedure called when an asset is added to a note, i.e. on_asset_added_to_note.

We'll define a standard slot name, e.g. miden::protocol::asset::callbacks that contains a storage list (or hacking around it with a storage map until it comes) with procedure MAST roots.

As an example, a faucet that issues a callback-enabled and built-in fungible asset, could have a callbacks storage slot list like this:

[
  // merge
  0x0000000000000000000000000000000000000000000000000000000000000000
  // split
  0x0000000000000000000000000000000000000000000000000000000000000000
  // on_asset_added_to_account
  0x497690421c9bb611b124c489557dbd65a8729db802a86199500749ec97b0342d
]

When the asset is moved, the tx kernel checks the asset (see below for details) and will see that it is callback-enabled. So, it looks up in kernel memory whether it has already cached this storage list by the issuing faucet. Since it hasn't, it is fetched in a single call and stored.

When the asset is moved to an account or a note, the kernel will check the list and see if on_asset_added_to_account or on_asset_added_to_note must be invoked:

• on_asset_added_to_account is present and not the empty word, so it must be invoked.
• on_asset_added_to_note is not present in the list (index (3) of on_asset_added_to_note not present in list), so it must not be invoked.

If a callback should be invoked, the tx kernel would then dyncall the fetched MAST root.

Since it's a built-in asset, the tx kernel knows how to merge and split the asset, and so these list entries are asserted to be empty words (or alternatively ignored, but that's just a silent problem waiting to happen elsewhere).

I think the benefit of this structure is that:

• If an asset is callback-enabled, we fetch the callbacks list once, lazily, when it is needed and cache it. This should be the smallest overhead possible for callbacks.
• New callbacks can be added later without breaking any earlier callback interfaces. E.g. we can introduce 4 -> on_asset_added_to_account_v2 later without issues.
  • In particular, the tx kernel should not require that the length of the callbacks list is equal to the currently highest possible length of the list, else a later increase of that number would break any faucet accounts that have not yet upgraded.
• Upgrading from on_asset_added_to_account to on_asset_added_to_account_v2 can be done simply by setting the former to the empty word and the latter to a non-empty word.
• The callback complexity is contained almost exclusively in this structure. In particular, which version of a callback should be used is not encoded in account ID bits or elsewhere. Only the callback enabled/disabled flag needs to be part of the asset structure.
• It works conceptually like dynamic syscalls of tx kernel procedures via indices.

The next steps on this front would be defining what the interfaces of each callback look like exactly, but this depends a bit on the rest.

Asset Structure

This section should make the previously mentioned asset structure more concrete to set everything up for callbacks and support for built-in and custom assets.

Callbacks

The only types of assets that do not require any callbacks (= FPI calls) are built-in ones, as mentioned above. Any custom asset's merge and split procedures must be fetched since they are not built-in. Based on the above callback structure, this would already fetch all callbacks anyway and so, the benefit to representing a "custom asset without callbacks" is small: It only saves us a check in tx kernel memory, not an FPI call itself.

Conclusion: Enabling and disabling callbacks only makes sense for built-in assets.

Asset Configuration

Asset configuration means what type of asset it is and whether or not it requires callbacks. We can place this asset configuration into potentially two places: Either the account ID or the 8 least significant bits of the felt that also contains the account ID suffix, which is unused. Currently, the account ID determines the asset type, e.g. different IDs are different types. The account ID also determines whether it can issue fungible or non-fungible assets.

After the removal of the protocol-reserved faucet sysdata storage slot, there seems to no longer be a need for distinguishing between faucet and non-faucet accounts or between fungible and non-fungible faucets.

Conclusion: Asset type is best defined at the asset level instead of at the account level, meaning we can put asset configuration into the unused space in the account ID suffix.

This sounds like we're putting asset configuration into the account ID, but: An account ID has 120 bits. Two felts have 128 bits of space, and so we're using unused space which is conceptually separate from the account ID.
This also means users don't need to decide what types of assets they want to issue when building an account, but much later in the process of writing a smart contract, which seems like a benefit.

Side note: In combination with deciding account mutability at the account interface level, we could get rid of AccountType altogether.

Multiple Asset Types per Account

Do we want one account to be able to issue multiple types of assets? For instance, the same account could issue a standard Eth asset and also a TimelockedEth or StakedEth type.

This flexibility comes with an increase in complexity, and I'm not sure whether it's truly needed, yet. I would appreciate comments on this.

Asset Definition

With this in mind, this is one possible structure:

// Asset definition
// ------------------------------------------

/// An asset consists of a key that identifies it in the vault and a value, representing the
/// asset data itself, e.g. the amount of a token.
pub struct Asset {
    key: AssetVaultKey,
    value: AssetValue,
}

/// The key of the asset in the asset vault SMT (caveat below).
///
/// Convertable to Word:
/// ```text
/// [
///   asset_id_suffix (64 bits),
///   asset_id_prefix (64 bits),
///   [faucet_id_suffix (56 bits) | asset_type (8 bits)],
///   faucet_id_prefix (64 bits)
/// ]
/// ```
///
/// This key is hashed for use in the actual asset vault SMT - see
/// https://github.com/0xMiden/miden-base/issues/2328#issuecomment-3807237394.
pub struct AssetVaultKey {
    faucet_id: AccountId,
    asset_type: AssetType,
    asset_id_prefix: Felt,
    asset_id_suffix: Felt,
}

/// The type of asset that takes up 8 bits.
///
/// It's bit layout is:
/// ```text
/// [asset_value_type (2 bits) | asset_type_id (6 bits)]
/// ```
///
/// For instance, take a faucet that issues a token `TOK`.
/// - It issues that token as AssetType::BuiltInWithoutCallback using the built-in fungible
///   asset layout that the tx kernel has a built-in way of merging and splitting.
/// - The same faucet can also issue `StakedTok` as `AssetType::Custom { value_type:
///   AssetValueType::Small, asset_type: 0}`, which is a staked version of `TOK`. This asset is
///   completely distinct from the other asset, as if it was issued by another faucet.
pub enum AssetType {
    /// The built-in fungible asset type with out any callbacks.
    ///
    /// Encodes to value 62 (to allow users to assign asset type IDs starting from 0).
    BuiltInWithoutCallback,

    /// The built-in fungible asset type with callbacks.
    ///
    /// Encodes to value 63 (to allow users to assign asset type IDs starting from 0).
    BuiltInWithCallback,

    /// Made usable only after mainnet.
    Custom {
        layout: AssetValueType,
        /// The ID used to distinguish asset kinds by the same faucet, e.g. assets representing
        /// WrappedEth and StakedEth.
        ///
        /// For AssetValueType::Small, must be in 0..=61 to not overlap with the built-in
        /// ones. For AssetValueType::Large, can be in 128..=191.
        ///
        /// Impl Note: Should not be a bare u8 to be able to enforce the above constraints.
        asset_type: u8,
    },
}

/// Determines how the asset is represented.
/// Encoded in 0..=3 and these are the two most significant bits in the AssetType.
#[repr(u8)]
pub enum AssetValueType {
    Small = 0b00,
    Large = 0b10,
}

/// Determines how the asset is represented.
///
/// - A BuiltInFungibleAsset is a small asset: It fits into a Word, i.e. `[amount, 0, 0, 0]`.
/// - LargeAssets can be enabled after mainnet to represent assets that do not fit into a word.
pub enum AssetValue {
    Small(Word),
    Large(LargeAsset),
}

/// Could represent an asset as a small number of elements with its ASSET_VALUE representation
/// being the sequential hash of the elements. Or, alternatively, a representation based on
/// an SMT. To be determined.
/// 
/// Would not be constructable at mainnet time.
pub struct LargeAsset {
    commitment: Word,
    elements: Vec<Felt>,
}

• AssetType has two concrete variants for enabling built-in assets with and without callbacks, since the callback distinction isn't necessary for custom assets, as mentioned above.
• AssetType also allows for multiple assets per account, but if we decide this isn't needed, it can become simpler.
• We will ultimately need to be able to distinguish between simple and complex assets, termed small and large here, and maybe even other ones. For that reason, an account can issue at most 64 small asset types and at most 64 large asset types. 128 values are reserved for future use (i.e. future AssetValueTypes). The ranges are setup so that, if we find we just need more small assets, we can simply extend the allowed range of small assets from 64 to 128.
• So, evolving AssetType is possible by using the unused space. Alternatively, if we want to evolve AssetType in an otherwise breaking way, we could do this by increasing the account ID version and enabling the new functionality under that new version. This would be a last resort, though.
• Except for a mention of callbacks in AssetType, this structure for asset definitions is independent of anything that happens in the structure for asset callbacks. So, this gets close to decoupling them.

At mainnet time, I imagine we'd have this structure setup in Rust, but make the LargeAsset and AssetType::Custom unusable/unconstructable. That way enabling these later is not a breaking change.

Built-In Asset Definition

The above structure includes AssetType::{BuiltIn*} to specify that the built-in merge/split procedures should be used. However, it doesn't include the definition of the built-in fungible asset directly. This is to keep the number of variants lower. Instead, this can be represented more like how other asset standards would be represented, i.e. by defining conversion from and to Asset:

// Built-In Fungible Asset
// ------------------------------------------

/// Identical to the current FungibleAsset plus a callback flag (there may be better ways to do
/// this).
pub struct BuiltInFungibleAsset {
    faucet_id: AccountId,
    amount: u64,
    has_callbacks: bool,
}

impl From<BuiltInFungibleAsset> for Asset {
    fn from(fungible_asset: BuiltInFungibleAsset) -> Self {
        let asset_type = if fungible_asset.has_callbacks {
            AssetType::BuiltInWithCallback
        } else {
            AssetType::BuiltInWithoutCallback
        };

        let key = AssetVaultKey {
            faucet_id: fungible_asset.faucet_id,
            asset_id_prefix: Felt::ZERO,
            asset_id_suffix: Felt::ZERO,
            asset_type,
        };
        let value = Word::new([
            Felt::try_from(fungible_asset.amount).expect("TODO"),
            Felt::ZERO,
            Felt::ZERO,
            Felt::ZERO,
        ]);

        Asset { key, value: AssetValue::Small(value) }
    }
}

impl TryFrom<Asset> for BuiltInFungibleAsset {
    type Error = AssetError;

    fn try_from(_value: Asset) -> Result<Self, Self::Error> {
        todo!()
    }
}

This could technically even be defined in miden-standards, in which case it could also be called StandardFungibleAsset. It may or may not make sense to have in miden-protocol, e.g. for use in merging two assets in AccountDelta::merge. I'm not sure yet.

Otherwise, this built-in asset is mostly just one way of defining an asset, and should fit relatively nicely into the overall picture once we have fully customizable assets.

Account Delta

We want the overall architecture to support constructing two transactions where one has delta Remove(30 USDC) and the other Add(40 USDC). At the batch or block level, these deltas should be merged into a single Add(10 USDC).

To do this, the delta needs to be aware of how USDC is merged and split, but unfortunately these aren't sufficient.

Consider the following:

Add(30) + Add(40) = Add(merge(30, 40)) = Add(70)
Remove(30) + Remove(40) = Remove(merge(30, 40)) = Remove(70)

For matching delta operations (add + add, remove + remove), merge is sufficient.

The more interesting case is when we have different delta operations, e.g. Remove(30) + Add(40), where we should end up with Add(10). More generally:

Remove(X) + Add(Y)
if Y == X: Cancels out
if Y > X: Add(split(Y, X)) # "split X off Y"
if Y < X: Remove(split(X, Y)) # "split Y off X"

So, to "merge" these correctly, we need to compare assets, so we can correctly split off X from Y, or Y from X. To do this, we need every asset to implement Ord, i.e. comparison, in addition to merge and split. So, this would be another callback.

Like merge and split, these only have to be implemented for assets that can be merged or split in the first place. A non-fungible asset with unique asset IDs does not have to implement this.

All of this makes me a bit worried about the overall complexity put on users. I guess in the majority of cases, the Ord implementation would conceptually have to be just this:

impl Ord for MyFungibleAsset {
    fn cmp(&self, other: &Self) -> core::cmp::Ordering {
        self.amount.cmp(&other.amount)
    }
}

So, maybe it is fine?

The only way I can think of to provide the merge, split and compare procedures to the Rust implementation of the AccountDelta is by extracting the MASM instructions from the faucet's MastForest and then calling them via the FastProcessor when needed. For this we can have something like:

/// A wrapper around an [`Asset`] that is composable, i.e. supports merging and splitting of
/// assets of the same type.
/// 
/// Created during `TransactionEvent::AccountVaultAfterAddAsset` and similar events.
pub struct ComposableAsset {
    asset: Asset,
    /// The procedure in the mast forest that implements the logic for merging an asset.
    merge: MastNodeId,
    /// The procedure in the mast forest that implements the logic for splitting an asset.
    split: MastNodeId,
    /// The procedure in the mast forest that implements the logic for comparing an asset.
    compare: MastNodeId,
    /// The mast forest containing only the above procedures.
    forest: MastForest,
}

The delta would then consist of such ComposableAssets to support merging.

Feedback/Bikeshedding on any part of this is appreciated!

[bobbinth]

Thank you very much for writing up such a detailed description! A lot of this makes sense - though, I'm still thinking through the details.

One thing I think where we may have a bit of a disconnect is in where we try to get now. Basically, I'm thinking of the programmable assets in 3 categories:

1. Built-in assets - i.e., the FungibleAsset.
2. Simple assets with callbacks - these are assets where we do have callbacks, but the merging/splitting logic is the same as for built-in assets.
3. Fully custom assets - these are the assets that require custom merge/split logic.

I believe the writeup above focuses on categories 1 and 3, and doesn't mention category 2.

The main reasons for splitting things this way is that we can get the first and second categories pretty easily, and leave the third category for the future. The main concern here is the handling of asset deltas both in and out of the kernel.

Specifically, to properly support the 3rd category, we'd need to refactor how our delta works - see below.

The only way I can think of to provide the merge, split and compare procedures to the Rust implementation of the AccountDelta is by extracting the MASM instructions from the faucet's MastForest and then calling them via the FastProcessor when needed.

This is probably the main reason why I don't think we can support fully custom assets right now. This approach would not work in the node as applying asset updates needs to be as fast as possible, and we can't run the VM for each such update. In the longer term, we'd need to have two different types of asset deltas:

1. Relative - e.g., +10, -5 etc.
2. Absolute - i.e., final value: 123

For signature purposes we'd use relative deltas but the kernel would be committing to absolute deltas.

This extra complexity is what I'm trying to avoid right now.

[PhilippGackstatter]

• Built-in assets - i.e., the FungibleAsset.
• Simple assets with callbacks - these are assets where we do have callbacks, but the merging/splitting logic is the same as for built-in assets.
• Fully custom assets - these are the assets that require custom merge/split logic.

I think these categories correspond exactly to the different asset types I mentioned:

pub enum AssetType {
    BuiltInWithoutCallback,
    BuiltInWithCallback,
    Custom {
        layout: AssetValueType,
        asset_type: u8,
    },
}

The first and second use the same built-in merge/split logic, but with or without callbacks enabled.

• Relative - e.g., +10, -5 etc.
• Absolute - i.e., final value: 123

Ah, thanks. I think I didn't get this idea at first, but now it makes sense.

Since the tx kernel already commits to the "final account commitment", I think it might be sufficient if we have this "absolute account delta" only in Rust, attached to ProvenTransactions that update public accounts. As long as during batch/block building, the current state + absolute delta result in the new commitment, everything should be fine. This should make implementing it much easier, so this would help get to generalized assets sooner rather than having the tx kernel track the absolute delta itself.

The more I've worked on the asset refactor, the more I think it would be ideal if the "built-in" assets were just miden-standards, as it would keep the tx kernel much simpler in the long run.