Skip to content

Commit a1e159b

Browse files
notJoonnotJoon
committed
doc: update ADR
1 parent cc83333 commit a1e159b

1 file changed

Lines changed: 20 additions & 2 deletions

File tree

gno.land/adr/pr136_grc20_zkgm_local_asset_support.md

Lines changed: 20 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,8 +26,10 @@ checks `ibc/` vouchers first, then `grc20reg.Get`, and treats anything else as a
2626
native banker denom.
2727

2828
Persist the asset class write-once by denom when INITIALIZE or ESCROW verifies
29-
and successfully escrows the asset. Refund and release paths consult the
30-
persisted class instead of re-reading the registry.
29+
and successfully escrows the asset. The class record lives in the proxy realm
30+
through `RecordAssetClass` and `GetAssetClass`, next to the escrow funds and the
31+
channel balance, so it survives implementation upgrades. Refund and release
32+
paths consult the persisted class instead of re-reading the registry.
3133

3234
Keep escrow funds at the ZKGM proxy realm. Add proxy-gated `EscrowGRC20` and
3335
`ReleaseGRC20` functions next to `ReleaseNative`, protected by the same
@@ -90,3 +92,19 @@ instead of proxy panics.
9092
Finally, escrow now compares the live asset class with the write-once recorded
9193
class. If a denom's class changes after its first escrow, verification returns
9294
an error instead of silently escrowing one asset type and releasing another.
95+
96+
The asset-class record was initially package state in the swappable
97+
implementation realm. `UpdateImpl` replaces that realm, so a local GRC20 order
98+
in flight across an upgrade would find an empty class map at release time, fall
99+
back to the native path, and try to release a native coin the proxy does not
100+
hold. The record now lives in the proxy realm alongside the pinned token and the
101+
channel balance, both of which already survive an implementation swap.
102+
103+
Native release also no longer relies on a raw panic for missing escrow.
104+
`ReleaseNative` checks the proxy escrow balance and returns an error when it is
105+
insufficient, and `sendNative` propagates that error so the caller converts it
106+
into an `execFatal` rollback. `dispatchExecute` recovers ordinary panics into a
107+
failure ack without rolling back state, so a raw panic from a failed release
108+
would have committed an already-applied channel balance debit. The UNESCROW
109+
receive path now verifies the channel balance before release and debits it only
110+
after release succeeds, so a failed release leaves the balance intact.

0 commit comments

Comments
 (0)