Skip to content

Evaluate rejecting non-incentivized dated MASP assets #4954

New issue
New issue
Open
Open
Evaluate rejecting non-incentivized dated MASP assets#4954
Labels
MASPUXbreaking:consensusConsensus breaking change that requires a hard-forkvalidity-predicate
@grarco

Description

@grarco
grarco
opened on Nov 4, 2025

The MASP vp currently allows shielding dated assets (with an epoch) even when they are not part of the incentive program.

namada/crates/shielded_token/src/vp.rs

Lines 719 to 740 in ef427a4

} else {
// Otherwise note the contribution to this transparent input.
// This branch represents the case of an asset not being part
// of the conversion tree: the asset can carry no epoch at all
// or any epoch (even a future one). Given the way we construct
// conversions it's not an issue if we later add it to the
// conversion tree: if the epoch preceeds the one at which we
// start computing rewards or is missing, then this asset will
// not be entitled. If it had instead been constructed with a
// future epoch that matches or follows the one at which we
// start giving out rewards, then it will be entitled (and
// there's no issue with that since it was clearly in the pool
// even before that time)
let amount =
token::Amount::from_masp_denominated(vin.value, *digit);
*bal_ref = bal_ref
.checked_sub(&ValueSum::from_pair(token.clone(), amount))
.ok_or_else(|| {
Error::new_const("Underflow in bundle balance")
})?;
}
}

As mentioned in the comment this does not pose an issue in terms of safety but it could be a problem in terms of UX. More specifically, since the asset carries an epoch but it's not part of the incentivized assets, it could be problematic for a client to decode this asset when syncing its shielded wallet. Decoding relies on the the data published by the update_allowed_conversion function run by the protocol with every new masp epoch. On top of that, the wallet can also try to create decodings for undated assets. But if the AssetType of a note carries an epoch without being an incentivized token, then no decoding will be available to clients which will have an hard time decoding the asset (possibly a brute-force might be the only solution).

Because of this we could consider if rejecting these assets in the MASP vp could lead to a better experience for the user.

Metadata

Metadata

Assignees

No one assigned

    Labels

    MASPUXbreaking:consensusConsensus breaking change that requires a hard-forkvalidity-predicate

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions