fix(iota-framework): audit issues fix

crates/iota-e2e-tests/tests/snapshot_tests.rs

@@ -63,10 +63,10 @@ async fn basic_read_cmd_snapshot_tests() -> Result<(), anyhow::Error> {
         "iota client objects 0x0000000000000000000000000000000000000000000000000000000000000000", /* empty addr */
         "iota client object 0x5",       // valid object
         "iota client object 0x5 --bcs", // valid object BCS
-        "iota client object 0x9135cb3b5aca99a1555b742bd11ddc45fba33343be182bdc161be69da2c41be1", /* valid object */
-        "iota client object 0x9135cb3b5aca99a1555b742bd11ddc45fba33343be182bdc161be69da2c41be1 --bcs", /* valid object BCS */
+        "iota client object 0xdc3328b5176269d20eb43e007785684cede5e7084268b946a6cd72348019a4ed", /* valid object */
+        "iota client object 0xdc3328b5176269d20eb43e007785684cede5e7084268b946a6cd72348019a4ed --bcs", /* valid object BCS */
         "iota client object 0x0000000000000000000000000000000000000000000000000000000000000000", /* non-existent object */
-        "iota client tx-block E5Zp4QQ84PQEceSw4JRi4VTScSAQweKSgdwp9XH4aVPd", // valid tx digest
+        "iota client tx-block 3PyZaQvbodqEbNhcY3DtEJumkvcHywdbKq3qC8g38iJj", // valid tx digest
         "iota client tx-block 11111111111111111111111111111111",             /* non-existent tx
                                                                               * digest */
     ];

crates/iota-framework-snapshot/manifest.json

@@ -18,5 +18,15 @@
       "0x000000000000000000000000000000000000000000000000000000000000000b",
       "0x000000000000000000000000000000000000000000000000000000000000107a"
     ]
+  },
+  "3": {
+    "git_revision": "1d0900383b07",
+    "package_ids": [
+      "0x0000000000000000000000000000000000000000000000000000000000000001",
+      "0x0000000000000000000000000000000000000000000000000000000000000002",
+      "0x0000000000000000000000000000000000000000000000000000000000000003",
+      "0x000000000000000000000000000000000000000000000000000000000000000b",
+      "0x000000000000000000000000000000000000000000000000000000000000107a"
+    ]
   }
 }

crates/iota-framework/packages/iota-framework/sources/coin_manager.move

@@ -26,14 +26,14 @@ module iota::coin_manager {
     /// The error returned if a attempt is made to change the maximum supply that is lower than the total supply
     const EMaximumSupplyLowerThanTotalSupply: u64 = 2;
 
-    /// The error returned if additional metadata already exists and you try to overwrite
-    const EAdditionalMetadataAlreadyExists: u64 = 3;
+    /// The error returned if a attempt is made to change the maximum supply that is higher than the maximum possible supply
+    const EMaximumSupplyHigherThanPossible: u64 = 3;
 
     /// The error returned if you try to edit nonexisting additional metadata
     const EAdditionalMetadataDoesNotExist: u64 = 4;
 
-    /// The error returned if you try to edit immutable metadata
-    const ENoMutableMetadata: u64 = 5;
+    /// The maximum supply supported by `CoinManager`
+    const MAX_SUPPLY: u64 = 18_446_744_073_709_551_614u64;
 
     /// Holds all related objects to a Coin in a convenient shared function
     public struct CoinManager<phantom T> has key, store {
@@ -196,7 +196,6 @@ module iota::coin_manager {
         manager: &mut CoinManager<T>,
         value: Value
     ) {
-        assert!(!df::exists_(&manager.id, b"additional_metadata"), EAdditionalMetadataAlreadyExists);
         df::add(&mut manager.id, b"additional_metadata", value);
     }
 
@@ -230,6 +229,7 @@ module iota::coin_manager {
         maximum_supply: u64
     ) {
         assert!(option::is_none(&manager.maximum_supply), EMaximumSupplyAlreadySet);
+        assert!(maximum_supply <= MAX_SUPPLY, EMaximumSupplyHigherThanPossible);
         assert!(total_supply(manager) <= maximum_supply, EMaximumSupplyLowerThanTotalSupply);
         option::fill(&mut manager.maximum_supply, maximum_supply);
     }
@@ -311,7 +311,7 @@ module iota::coin_manager {
     /// Get the maximum supply possible as a number. 
     /// If no maximum set it's the maximum u64 possible
     public fun maximum_supply<T>(manager: &CoinManager<T>): u64 {
-        option::get_with_default(&manager.maximum_supply, 18_446_744_073_709_551_615u64)
+        option::get_with_default(&manager.maximum_supply, MAX_SUPPLY)
     }
 
     /// Convenience function returning the remaining supply that can be minted still
@@ -383,7 +383,6 @@ module iota::coin_manager {
         manager: &mut CoinManager<T>,
         name: string::String
     ) {
-        assert!(manager.metadata_is_immutable(), ENoMutableMetadata);
         coin::update_name(&manager.treasury_cap, option::borrow_mut(&mut manager.metadata), name)
     }
 
@@ -393,7 +392,6 @@ module iota::coin_manager {
         manager: &mut CoinManager<T>,
         symbol: ascii::String
     ) {
-        assert!(manager.metadata_is_immutable(), ENoMutableMetadata);
         coin::update_symbol(&manager.treasury_cap, option::borrow_mut(&mut manager.metadata), symbol)
     }
 
@@ -403,7 +401,6 @@ module iota::coin_manager {
         manager: &mut CoinManager<T>,
         description: string::String
     ) {
-        assert!(manager.metadata_is_immutable(), ENoMutableMetadata);
         coin::update_description(&manager.treasury_cap, option::borrow_mut(&mut manager.metadata), description)
     }
 
@@ -413,7 +410,6 @@ module iota::coin_manager {
         manager: &mut CoinManager<T>,
         url: ascii::String
     ) {
-        assert!(manager.metadata_is_immutable(), ENoMutableMetadata);
         coin::update_icon_url(&manager.treasury_cap, option::borrow_mut(&mut manager.metadata), url)
     }
 

crates/iota-framework/packages/iota-framework/tests/coin_manager_tests.move

@@ -4,11 +4,14 @@
 #[test_only]
 module iota::coin_manager_tests {
 
+    use std::ascii;
+    use std::string;
+
     use iota::coin_manager;
     use iota::coin::{Self, CoinMetadata};
     use iota::test_scenario;
+    use iota::test_utils::assert_eq;
     use iota::url::{Self, Url};
-    use std::ascii::{string};
 
     public struct COIN_MANAGER_TESTS has drop {}
 
@@ -221,6 +224,40 @@ module iota::coin_manager_tests {
         scenario.end();
     }
 
+    #[test]
+    #[expected_failure(abort_code = coin_manager::EMaximumSupplyHigherThanPossible)]
+    fun test_max_supply_higher_than_maximum() {
+        let sender = @0xA;
+        let mut scenario = test_scenario::begin(sender);
+        let witness = COIN_MANAGER_TESTS{};
+
+        // Create a `Coin`.
+        let (cap, meta) = coin::create_currency(
+            witness,
+            0, 
+            b"TEST",
+            b"TEST",
+            b"TEST",
+            option::none(),
+            scenario.ctx(),
+        );
+
+        let (cmcap, metacap, mut wrapper) = coin_manager::new(cap, meta, scenario.ctx());
+
+        // Check the default maximum supply.
+        assert_eq(wrapper.maximum_supply(), 18_446_744_073_709_551_614u64);
+
+        // Update the maximum supply to be higher than is maximum possible.
+        cmcap.enforce_maximum_supply(&mut wrapper, 18_446_744_073_709_551_615u64);
+
+        transfer::public_transfer(cmcap, scenario.ctx().sender());
+        metacap.renounce_metadata_ownership(&mut wrapper);
+
+        transfer::public_share_object(wrapper);
+
+        scenario.end();
+    }
+
     #[test]
     #[expected_failure(abort_code = coin_manager::EMaximumSupplyAlreadySet)]
     fun test_max_supply_once() {
@@ -331,7 +368,7 @@ module iota::coin_manager_tests {
         let (cmcap, metacap, mut wrapper) = coin_manager::new(cap, meta, scenario.ctx());
 
         let bonus = BonusMetadata {
-            website: url::new_unsafe(string(b"https://example.com")),
+            website: url::new_unsafe(ascii::string(b"https://example.com")),
             is_amazing: false
         };
 
@@ -340,7 +377,7 @@ module iota::coin_manager_tests {
         assert!(!wrapper.additional_metadata<COIN_MANAGER_TESTS, BonusMetadata>().is_amazing);
 
         let bonus2 = BonusMetadata {
-            website: url::new_unsafe(string(b"https://iota.org")),
+            website: url::new_unsafe(ascii::string(b"https://iota.org")),
             is_amazing: true
         };
 
@@ -356,6 +393,49 @@ module iota::coin_manager_tests {
 
         scenario.end();
     }
+
+    #[test]
+    #[expected_failure(abort_code = iota::dynamic_field::EFieldAlreadyExists)]
+    fun test_double_adding_additional_metadata() {
+        let sender = @0xA;
+        let mut scenario = test_scenario::begin(sender);
+        let witness = COIN_MANAGER_TESTS{};
+
+        // Create a `Coin`.
+        let (cap, meta) = coin::create_currency(
+            witness,
+            0, 
+            b"TEST",
+            b"TEST",
+            b"TEST",
+            option::none(),
+            scenario.ctx(),
+        );
+
+        let (cmcap, metacap, mut wrapper) = coin_manager::new(cap, meta, scenario.ctx());
+
+        // Add an additional metadata.
+        let bonus1 = BonusMetadata {
+            website: url::new_unsafe(ascii::string(b"https://example1.com")),
+            is_amazing: false
+        };
+
+        metacap.add_additional_metadata(&mut wrapper, bonus1);
+
+        // Add an additional metadata one more time.
+        let bonus2 = BonusMetadata {
+            website: url::new_unsafe(ascii::string(b"https://example2.com")),
+            is_amazing: false
+        };
+
+        metacap.add_additional_metadata(&mut wrapper, bonus2);
+
+        cmcap.renounce_treasury_ownership(&mut wrapper);
+        metacap.renounce_metadata_ownership(&mut wrapper);
+        transfer::public_share_object(wrapper);
+
+        scenario.end();
+    }
 
     #[test]
     fun test_coin_manager_immutable() {
@@ -396,4 +476,48 @@ module iota::coin_manager_tests {
 
         scenario.end();
     }
+
+    #[test]
+    fun test_coin_manager_update_metadata() {
+        let sender = @0xA;
+        let mut scenario = test_scenario::begin(sender);
+        let witness = COIN_MANAGER_TESTS{};
+
+        // Create a `Coin`.
+        let (cap, meta) = coin::create_currency(
+            witness,
+            0, 
+            b"SYMBOL1",
+            b"NAME1",
+            b"DESCRIPTION1",
+            option::some(url::new_unsafe(ascii::string(b"https://url1.com"))),
+            scenario.ctx(),
+        );
+
+        let (cmcap, metacap, mut wrapper) = coin_manager::new(cap, meta, scenario.ctx());
+
+        // Check the original metadata.
+        assert_eq(wrapper.name(), string::utf8(b"NAME1"));
+        assert_eq(wrapper.symbol(), ascii::string(b"SYMBOL1"));
+        assert_eq(wrapper.description(), string::utf8(b"DESCRIPTION1"));
+        assert_eq(wrapper.icon_url(), option::some(url::new_unsafe(ascii::string(b"https://url1.com"))));
+
+        // Update the metadata.
+        coin_manager::update_name(&metacap, &mut wrapper, string::utf8(b"NAME2"));
+        coin_manager::update_symbol(&metacap, &mut wrapper, ascii::string(b"SYMBOL2"));
+        coin_manager::update_description(&metacap, &mut wrapper, string::utf8(b"DESCRIPTION2"));
+        coin_manager::update_icon_url(&metacap, &mut wrapper, ascii::string(b"https://url2.com"));
+
+        // Check the metadata again.
+        assert_eq(wrapper.name(), string::utf8(b"NAME2"));
+        assert_eq(wrapper.symbol(), ascii::string(b"SYMBOL2"));
+        assert_eq(wrapper.description(), string::utf8(b"DESCRIPTION2"));
+        assert_eq(wrapper.icon_url(), option::some(url::new_unsafe(ascii::string(b"https://url2.com"))));
+
+        transfer::public_transfer(cmcap, scenario.ctx().sender());
+        metacap.renounce_metadata_ownership(&mut wrapper);
+        transfer::public_share_object(wrapper);
+
+        scenario.end();
+    }
 }

crates/iota-graphql-e2e-tests/tests/available_range/available_range.exp

@@ -6,20 +6,20 @@ Response: {
   "data": {
     "availableRange": {
       "first": {
-        "digest": "Er5Smr4SVt8c5vh5Qet2SafYdtAv5tkoaAoXCfvZAgTK",
+        "digest": "DdBQpdVrXM8NVmomVxsFaxJcuDfdQaMmSN9JDr9Xumcz",
         "sequenceNumber": 0
       },
       "last": {
-        "digest": "Er5Smr4SVt8c5vh5Qet2SafYdtAv5tkoaAoXCfvZAgTK",
+        "digest": "DdBQpdVrXM8NVmomVxsFaxJcuDfdQaMmSN9JDr9Xumcz",
         "sequenceNumber": 0
       }
     },
     "first": {
-      "digest": "Er5Smr4SVt8c5vh5Qet2SafYdtAv5tkoaAoXCfvZAgTK",
+      "digest": "DdBQpdVrXM8NVmomVxsFaxJcuDfdQaMmSN9JDr9Xumcz",
       "sequenceNumber": 0
     },
     "last": {
-      "digest": "Er5Smr4SVt8c5vh5Qet2SafYdtAv5tkoaAoXCfvZAgTK",
+      "digest": "DdBQpdVrXM8NVmomVxsFaxJcuDfdQaMmSN9JDr9Xumcz",
       "sequenceNumber": 0
     }
   }
@@ -39,20 +39,20 @@ Response: {
   "data": {
     "availableRange": {
       "first": {
-        "digest": "Er5Smr4SVt8c5vh5Qet2SafYdtAv5tkoaAoXCfvZAgTK",
+        "digest": "DdBQpdVrXM8NVmomVxsFaxJcuDfdQaMmSN9JDr9Xumcz",
         "sequenceNumber": 0
       },
       "last": {
-        "digest": "6CKQTqZ35xpPufsJ9GNwWihYg7jZmeyjvqqSD32bD9KG",
+        "digest": "2q9Vokrv1osF4LL8HfrjU68d6XNyi5QkyXDGe2x4EXPz",
         "sequenceNumber": 2
       }
     },
     "first": {
-      "digest": "Er5Smr4SVt8c5vh5Qet2SafYdtAv5tkoaAoXCfvZAgTK",
+      "digest": "DdBQpdVrXM8NVmomVxsFaxJcuDfdQaMmSN9JDr9Xumcz",
       "sequenceNumber": 0
     },
     "last": {
-      "digest": "6CKQTqZ35xpPufsJ9GNwWihYg7jZmeyjvqqSD32bD9KG",
+      "digest": "2q9Vokrv1osF4LL8HfrjU68d6XNyi5QkyXDGe2x4EXPz",
       "sequenceNumber": 2
     }
   }