fix(oracle): use weight parameter in NewClaim constructor

[giwaov]

Summary

Second round of security audit fixes addressing three code defects found across the oracle and tokenfactory modules.

Changes

1. Fix NewClaim Weight parameter (x/oracle/types/ballot.go)

The NewClaim constructor accepted a weight parameter but incorrectly assigned the power value to the Weight field:

// Before (bug):
Weight: power,

// After (fix):
Weight: weight,

This caused the Weight field to always equal Power, ignoring the intended weight argument passed by callers.

2. Propagate errors from RemoveExcessFeeds (x/oracle/keeper/keeper.go)

RemoveExcessFeeds silently dropped errors from ExchangeRate.Remove(), logging them but always returning nil. This masked cleanup failures and allowed stale exchange rates to persist without the caller knowing.

The fix tracks removal errors and returns the last error while still attempting all removals:

// Before (bug):
continue  // error silently dropped, function returns nil

// After (fix):
removeErr = err  // error tracked and returned

3. Nil check in GetAuthorityMetadata (x/tokenfactory/keeper/admins.go)

GetAuthorityMetadata called proto.Unmarshal with nil bytes when a denom had no authority metadata in the store. proto.Unmarshal(nil, ...) silently succeeds and returns an empty struct with Admin="", masking the absence of the denom metadata.

Added a nil check on store bytes to return an explicit error instead of silently returning empty metadata.

Testing

• Changes are minimal and follow existing code patterns
• Each fix addresses a clear code defect verified by source code review

[coderabbitai]

Walkthrough

A bug fix to the NewClaim constructor in the oracle module's ballot types, where the Weight field is now correctly initialized from the weight parameter instead of being assigned the power value. A corresponding changelog entry was added to document this fix.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

• NewClaim() assigns power to Weight field instead of weight parameter #293: Directly addresses the same bug fix in NewClaim, correcting the Weight field assignment to use the weight parameter rather than the power value.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description documents all three originally proposed fixes but the actual changeset now contains only the NewClaim Weight fix after the reviewer requested narrowing the PR scope.	Update the description to remove references to the excess feed cleanup and tokenfactory metadata fixes, keeping only the NewClaim Weight fix that is actually in the changeset.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title clearly describes the main change: fixing the Weight parameter initialization in the NewClaim constructor within the oracle module.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

x/tokenfactory/keeper/admins.go (1)

17-19: LGTM! Good fix to explicitly handle missing metadata.

This correctly prevents proto.Unmarshal(nil, ...) from silently returning an empty struct with Admin="", which could mask authorization issues.

Consider using a sentinel error for better caller discrimination between "not found" vs "unmarshal failure":

💡 Optional: Use sentinel error for better error handling

+var ErrNoAuthorityMetadata = errors.New("no authority metadata found")
+
 func (k Keeper) GetAuthorityMetadata(ctx context.Context, denom string) (types.DenomAuthorityMetadata, error) {
 	bz := k.GetDenomPrefixStore(sdk.UnwrapSDKContext(ctx), denom).Get([]byte(types.DenomAuthorityMetadataKey))
 	if bz == nil {
-		return types.DenomAuthorityMetadata{}, fmt.Errorf("no authority metadata found for denom: %s", denom)
+		return types.DenomAuthorityMetadata{}, fmt.Errorf("%w for denom: %s", ErrNoAuthorityMetadata, denom)
 	}

This allows callers (e.g., gRPC handlers, wasm bindings) to use errors.Is(err, ErrNoAuthorityMetadata) to distinguish "not found" from other failures.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@x/tokenfactory/keeper/admins.go` around lines 17 - 19, Introduce a
package-level sentinel error (e.g., var ErrNoAuthorityMetadata = errors.New("no
authority metadata")) and replace the current nil-check return (the block that
returns fmt.Errorf("no authority metadata found for denom: %s", denom) when bz
== nil) with a wrapped sentinel error such as fmt.Errorf("%w: denom %s",
ErrNoAuthorityMetadata, denom); update callers to discriminate using
errors.Is(err, ErrNoAuthorityMetadata) where appropriate.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@x/oracle/keeper/keeper.go`:
- Around line 269-278: RemoveExcessFeeds currently returns the last removal
error which fails tests and can halt the chain; change it to be non-failing:
iterate activesToClear, call k.ExchangeRate.Remove(ctx, denom), log any error
with ctx.Logger().Error (including denom and err) and do not assign or return an
error (return nil at end) so all errors are observable but block processing
continues; if you intend to propagate errors instead, replace the current logic
with an aggregator (collect all errors from k.ExchangeRate.Remove into a
combined error) and update the RemoveExcessFeeds tests to expect that aggregated
error.

---

Nitpick comments:
In `@x/tokenfactory/keeper/admins.go`:
- Around line 17-19: Introduce a package-level sentinel error (e.g., var
ErrNoAuthorityMetadata = errors.New("no authority metadata")) and replace the
current nil-check return (the block that returns fmt.Errorf("no authority
metadata found for denom: %s", denom) when bz == nil) with a wrapped sentinel
error such as fmt.Errorf("%w: denom %s", ErrNoAuthorityMetadata, denom); update
callers to discriminate using errors.Is(err, ErrNoAuthorityMetadata) where
appropriate.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e66b27c0-1fb2-4b61-ae29-f81433ad420c

📥 Commits

Reviewing files that changed from the base of the PR and between b103c1c and 6295109.

📒 Files selected for processing (3)

• x/oracle/keeper/keeper.go
• x/oracle/types/ballot.go
• x/tokenfactory/keeper/admins.go

[Copilot]

Pull request overview

This PR adjusts tokenfactory authority-metadata retrieval behavior, fixes a bug in oracle claim construction, and changes oracle cleanup behavior when removing excess exchange-rate feeds.

Changes:

• Tokenfactory: return an error when authority metadata is missing for a denom.
• Oracle types: fix NewClaim to set Weight from the provided weight parameter (instead of power).
• Oracle keeper: change RemoveExcessFeeds to return a (last) removal error instead of always returning nil.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
x/tokenfactory/keeper/admins.go	Adds missing-metadata handling to GetAuthorityMetadata.
x/oracle/types/ballot.go	Fixes incorrect field assignment in NewClaim.
x/oracle/keeper/keeper.go	Alters RemoveExcessFeeds error propagation semantics.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Thaleszh]

Hello @giwaov, we reviewed the issues you opened and some of them are not real, but some are!

Can you take a look again on the issues that remained open? Also, feel free to discuss any of the issues we closed.

After that, you will be needing to refactor both this PR and your other one, since they include changes we don't agree with (solving non-issues).

[giwaov]

Hey @Thaleszh, thanks for taking the time to review everything. Appreciate the thorough feedback.

I've gone through the closed issues and the reasoning makes sense the proto types guaranteeing non-nil values in the store (#294) and the intentional best-effort design for RemoveExcessFeeds (#295) are things I missed during the audit. Good to know.

I've updated both PRs accordingly:

• This PR (fix(oracle): use weight parameter in NewClaim constructor #288) now only contains the NewClaim Weight fix (ballot.go)
• PR fix(oracle): add denom length validation and query result limits #287 now only contains the denom length validation (types.go) and the unbounded query limits (query_server.go)

The rejected changes have been removed from both branches. Let me know if anything else needs adjusting. Thank you.

[Thaleszh]

Can you rename the PR to reflect the changes?
Also add to changelog the fix done on the PR, under unreleased.

[giwaov]

Hey @Thaleszh, done!

• PR title updated to reflect the current scope
• Changelog entry added under Unreleased for the NewClaim weight fix

Let me know if anything else needs adjusting, thank you.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!