Skip to content

feat(token): add mint authority model to token program#213

Merged
0x-r4bbit merged 1 commit into
mainfrom
feat/token-authority
Jul 2, 2026
Merged

feat(token): add mint authority model to token program#213
0x-r4bbit merged 1 commit into
mainfrom
feat/token-authority

Conversation

@0x-r4bbit

Copy link
Copy Markdown
Collaborator

Add an optional mint authority to fungible tokens for controlled supply: create with a designated minter, mint additional supply, rotate the authority to a new key, or permanently revoke it to fix the supply.

The authority is stored inline on TokenDefinition::Fungible as authority: Option<AccountId> (Some(id) = mintable by id, None = fixed supply). Keeping it a plain Option<AccountId> rather than a custom wrapper type leaves account state decodable by spel inspect; the require/rotate/revoke guard logic lives inline in the handlers.

LEZ rejects a transaction that lists the same account id twice, so one instruction cannot statically express both "the definition account is the authority and signs" (self/PDA authority) and "a distinct rotated account signs" (external authority) — they need opposite signer markers. Each privileged operation is therefore split into a self and an external variant:

  • Mint / SetAuthority — the definition account is the signer.
  • MintWithAuthority / SetAuthorityWithAuthority — a distinct authority account is the signer; the definition account does not sign.

Creation via NewFungibleDefinition { mint_authority, .. }; an all-zero authority id is rejected. The AMM's LP token uses self/PDA authority — its stored authority is the LP definition PDA, minted only by the pool via chained calls.

Covered by token unit tests and zkVM integration tests: creation with and without an authority, self- and external-authority mint, rotation, and external rotate/revoke. IDLs regenerated.

Add an optional mint authority to fungible tokens for controlled supply:
create with a designated minter, mint additional supply, rotate the
authority to a new key, or permanently revoke it to fix the supply.

The authority is stored inline on `TokenDefinition::Fungible` as
`authority: Option<AccountId>` (`Some(id)` = mintable by `id`, `None` =
fixed supply). Keeping it a plain `Option<AccountId>` rather than a custom
wrapper type leaves account state decodable by `spel inspect`; the
require/rotate/revoke guard logic lives inline in the handlers.

LEZ rejects a transaction that lists the same account id twice, so one
instruction cannot statically express both "the definition account is the
authority and signs" (self/PDA authority) and "a distinct rotated account
signs" (external authority) — they need opposite signer markers. Each
privileged operation is therefore split into a self and an external
variant:

- `Mint` / `SetAuthority` — the definition account is the signer.
- `MintWithAuthority` / `SetAuthorityWithAuthority` — a distinct authority
  account is the signer; the definition account does not sign.

Creation via `NewFungibleDefinition { mint_authority, .. }`; an all-zero
authority id is rejected. The AMM's LP token uses self/PDA authority — its
stored authority is the LP definition PDA, minted only by the pool via
chained calls.

Covered by token unit tests and zkVM integration tests: creation with and
without an authority, self- and external-authority mint, rotation, and
external rotate/revoke. IDLs regenerated.
@0x-r4bbit

0x-r4bbit commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator Author

This PR supersedes #125

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants