Spun out of #2964 (Approach 2, originally proposed by @PhilippGackstatter in PR #2958 (#2958 (comment))).
Mirror the pattern from AuthMultisig::compute_transaction_threshold — instead of listing procedures that trigger a signature, list the procedures that are exempt from it. Anything not on the exempt list defaults to requiring a signature, so forgetting to register a new setter can never silently leave it permissionless. This also removes the allow_unauthorized_output_notes and allow_unauthorized_input_notes flags.
Note: on its own this does not fix the original fee-drain bug, but it is a sound improvement that pairs well with sub-issues 1 and 3.
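To make the difference between the two policies concrete, here is an added Rust example that is not code from this repository: it models a trigger-list ("require a signature for these procedures") authorizer next to an exempt-list ("require a signature for everything except these") authorizer. The `Procedure` enum, the two policy structs and `policies_missing_new_setter` are constructed for illustration and are not Miden's real account interface; the scenario is a setter (`SetOwnerKeys`) added to the interface after the policy was written, which the author forgot to register.

```rust
// Added illustration of allow-list vs exempt-list authorization; not Miden code.
use std::collections::HashSet;

/// Account procedures a transaction may invoke (constructed set, not the real interface).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Procedure {
    ReceiveAsset,
    CreateNote,
    SetThreshold,
    /// Stands in for a setter added after the policy below was written.
    SetOwnerKeys,
}

/// Trigger-list policy: a signature is required only for procedures explicitly listed.
/// Any procedure the author forgot to list is silently permissionless.
pub struct TriggerList {
    pub triggers: HashSet<Procedure>,
}

impl TriggerList {
    pub fn requires_signature(&self, invoked: &[Procedure]) -> bool {
        invoked.iter().any(|p| self.triggers.contains(p))
    }
}

/// Exempt-list policy: every invoked procedure requires a signature unless it is
/// explicitly exempted, so an unregistered procedure fails closed.
pub struct ExemptList {
    pub exempt: HashSet<Procedure>,
}

impl ExemptList {
    pub fn requires_signature(&self, invoked: &[Procedure]) -> bool {
        invoked.iter().any(|p| !self.exempt.contains(p))
    }
}

/// Both policies as written before `SetOwnerKeys` existed: the trigger list names the
/// setters known at the time, the exempt list names only the read-only-style procedure.
pub fn policies_missing_new_setter() -> (TriggerList, ExemptList) {
    let triggers = [Procedure::CreateNote, Procedure::SetThreshold].into_iter().collect();
    let exempt = [Procedure::ReceiveAsset].into_iter().collect();
    (TriggerList { triggers }, ExemptList { exempt })
}

fn main() {
    let (trigger, exempt) = policies_missing_new_setter();
    // A transaction that only calls the forgotten setter.
    let tx = [Procedure::SetOwnerKeys];
    println!("trigger-list requires signature: {}", trigger.requires_signature(&tx));
    println!("exempt-list requires signature:  {}", exempt.requires_signature(&tx));
}
```

With the same omission in both policies, the trigger list lets the unregistered setter run without a signature while the exempt list still demands one; the only way to make a procedure permissionless under the exempt-list policy is to name it deliberately. The example models procedures only and does not model the removed `allow_unauthorized_*_notes` flags.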
Sub-issue of #2964