Skip to content

fix(governance): add 10 RTC proposal fee to create_proposal (M4)#6303

Open
waefrebeorn wants to merge 34 commits into
Scottcjn:mainfrom
waefrebeorn:fix-m4-governance-fee
Open

fix(governance): add 10 RTC proposal fee to create_proposal (M4)#6303
waefrebeorn wants to merge 34 commits into
Scottcjn:mainfrom
waefrebeorn:fix-m4-governance-fee

Conversation

@waefrebeorn
Copy link
Copy Markdown

@waefrebeorn waefrebeorn commented May 25, 2026

Summary

M4 - MED: governance.py: propose() no fee validation

The create_proposal endpoint had no financial barrier to submitting governance proposals. This enables spam governance attacks.

Fix

  • Added PROPOSAL_FEE_RTC = 10 constant
  • Checks proposer balance_rtc in balances table before creating proposal
  • Deducts 10 RTC on successful creation
  • Graceful fallback if balances table doesn't exist
  • HTTP 402 if insufficient balance

RTC Wallet for bounty: RTC17c0d21f04f6f65c1a85c0aeb5d4a305d57531096

waefrebeorn added 30 commits May 25, 2026 01:16
@waefrebeorn
update battleship: add A18 + exhausted cells + PR tracking
05b4762
@waefrebeorn
battleship: add A19 (beacon_api field lengths -> PR Scottcjn#6262)
5160879
@waefrebeorn
battleship: add A20 (bridge address lengths -> PR Scottcjn#6263)
0e12446
@waefrebeorn
battleship: add A21 (airdrop field lengths -> PR Scottcjn#6264)
4b9683c
@waefrebeorn
battleship: add A22 (lock_ledger -> PR Scottcjn#6265)
f9ce59b
@waefrebeorn
battleship: add A23 (sync endpoints -> PR Scottcjn#6266)
c02eefa
@waefrebeorn
fix: cap unbounded string fields in bridge/bridge_api.py (A24)
b9388aa 
Adds max_length parameter to _clean_string_field and caps all user input
fields in POST route handlers:

- /lock: sender_wallet(128), target_wallet(128), tx_hash(128), receipt_signature(256)
- /confirm: proof_ref(256), notes(1024)
- /release: release_tx(128), notes(1024)

Prevents storage of arbitrarily large strings in bridge_ledger DB.
@waefrebeorn
docs: add A24 to BATTLESHIP_PROGRESS
2832c96
@waefrebeorn
fix: cap wallet address in faucet.py (A25)
1c9b2dc
@waefrebeorn
docs: add A25 to BATTLESHIP_PROGRESS
e8300bd
@waefrebeorn
fix: cap miner_id in sophia_api.py (A26)
914245d
@waefrebeorn
docs: add A26 to BATTLESHIP_PROGRESS
b78ae6a
@waefrebeorn
fix: cap unbounded path params in explorer (A27/A29) and p2p (A28)
7af5c79
@waefrebeorn
docs: add A27-A29 to BATTLESHIP_PROGRESS
36d0d6a
@waefrebeorn
fix: cap string fields in testnet faucet and rent-a-relic (A30-A31)
70d458d
@waefrebeorn
docs: add A30-A31 to BATTLESHIP_PROGRESS
d6060c8
@waefrebeorn
fix: cap address/search in explorer-api (A32-A33)
48ff7ce
@waefrebeorn
docs: add A32-A33 to BATTLESHIP_PROGRESS
ace2a62
@waefrebeorn
fix: cap unbounded path params in 4 route files (A34-A37)
29e80ee
@waefrebeorn
docs: add A34-A37 to BATTLESHIP_PROGRESS
fdefdd7
@waefrebeorn
fix: cap unbounded fields in contributor_registry and hall_of_rust (A…
3702de5 
…38-A39)
@waefrebeorn
docs: add A38-A39 to BATTLESHIP_PROGRESS
f182f1e
@waefrebeorn
fix: cap string fields in machine_passport_api.py (A40)
c8e41f4
@waefrebeorn
docs: add A40 to BATTLESHIP_PROGRESS
f5c9173
@waefrebeorn
fix: cap agent_name in bottube_mood_engine.py (A41)
b2a729d
@waefrebeorn
docs: add A41 to BATTLESHIP_PROGRESS
45597b8
@waefrebeorn
docs: expand grid to 400 cells, vault 56 accomplished, add Row S stub…
c6180af 
…s + Row M error handling + Row T test gaps + Row E infrastructure
@waefrebeorn
docs: S1 completed (PR Scottcjn#6286), next S2
c44b7ea
@waefrebeorn
docs: S3 done (PR Scottcjn#6287), S2 removed (false positive-tests only)
1bf19c1
@waefrebeorn
docs: mark S4-S7, S13, S17-S20 done on battleship board
f277aa2
@waefrebeorn
docs: mark S8-S12 done on battleship board
6a56b42
@waefrebeorn
docs: mark S26 done on board
208ba1e
@waefrebeorn
docs: mark S15 done
d1d68d9
@waefrebeorn
fix(governance): add 10 RTC proposal fee check to create_proposal (M4)
2040078 
M4 - MED: propose() no fee validation

- Added PROPOSAL_FEE_RTC = 10 constant
- Before creating proposal, checks miner balance in balances table
- Deducts 10 RTC from proposer on successful creation
- Graceful fallback if balances table doesn't exist
- Returns 402 Payment Required if insufficient balance

Prevents governance spam by requiring a small stake.
@github-actions github-actions Bot added documentation Improvements or additions to documentation BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related api API endpoint related size/M PR: 51-200 lines labels May 25, 2026
jaxint
jaxint approved these changes May 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@jaxint jaxint left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Great work on this PR. 🚀

@jaxint jaxint mentioned this pull request May 25, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jaxint jaxint jaxint approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

api API endpoint related BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) documentation Improvements or additions to documentation node Node server related size/M PR: 51-200 lines

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@waefrebeorn @jaxint