
Subnet sale offer #2745

Open: l0r1s wants to merge 10 commits into devnet-ready from subnet-sale-offer

l0r1s commented Jun 10, 2026 (Collaborator)

Summary

This PR adds subnet sale offers to the Subtensor pallet.

The goal is to let a subnet owner announce that a subnet is for sale, optionally restricted to a specific buyer coldkey. Once an offer exists, a later crowdloan lease flow can target that offer, pay the seller, and transform the subnet into a lease atomically.

Creating an offer stores the sale terms by netuid and freezes the seller coldkey and current subnet owner hotkey while the offer is active. This prevents the seller from mutating the relevant accounts during the sale process. The seller or root can cancel the offer, and sale-offer state is also cleaned up if the subnet is removed.

The PR also adds a CheckSubnetSale dispatch extension so frozen sale accounts are rejected at dispatch time. Seller coldkeys may still cancel their sale offer, owner hotkeys are blocked unless the call is MEV-protected, and root bypasses the guard.

github-actions Bot left a comment (Contributor)

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment thread pallets/subtensor/src/guards/check_subnet_sale.rs
github-actions Bot commented Jun 10, 2026

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

BASELINE scrutiny: l0r1s has write permission, an established account, substantial prior contribution history, and no trusted Gittensor allowlist match. Branch subnet-sale-offer -> devnet-ready.

No .github/ai-review/*, .github/copilot-instructions.md, Cargo.toml, Cargo.lock, or build-script changes are present in this diff.

Findings

| Sev | File | Finding |
|---|---|---|
| MEDIUM | pallets/subtensor/src/guards/check_subnet_sale.rs:60 | Seller cannot cancel when coldkey is also owner hotkey (inline) |

Prior-comment reconciliation

  • 55c47d32: not addressed — The current diff still rejects cancel_sale_offer when the signer is also present in SubnetSaleFrozenHotkeys; the added test asserts that rejection.

Conclusion

The diff does not look malicious, but the sale guard can still strand a seller whose coldkey is also the subnet owner hotkey by blocking the only non-root cancellation path.


📜 Previous run (superseded)

| Sev | File | Finding | Status |
|---|---|---|---|
| MEDIUM | pallets/subtensor/src/guards/check_subnet_sale.rs:60 | Seller cannot cancel when coldkey is also owner hotkey | ➡️ Carried forward to current findings |

The current diff still rejects cancel_sale_offer when the signer is also present in SubnetSaleFrozenHotkeys; the added test asserts that rejection.

🔍 AI Review — Auditor (domain review) has not yet run on this PR.

@github-actions


🔄 AI review updated — Skeptic: VULNERABLE

github-actions Bot left a comment

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

return Err(Error::<T>::ColdkeyLockedDuringSale.into());
}

if is_sale_frozen_owner_hotkey && !is_mev_protected {


[MEDIUM] Seller cannot cancel when coldkey is also owner hotkey

Creating an offer freezes both the seller coldkey and the current owner hotkey. If those are the same account, the earlier coldkey branch allows cancel_sale_offer, but this owner-hotkey branch immediately rejects the same cancellation with HotkeyLockedDuringSale. The existing owner-hotkey setter only rejects system accounts, so this state is reachable and leaves the seller unable to cancel without root intervention. Let cancel_sale_offer pass this branch too; do_cancel_sale_offer still enforces that a signed caller must be the offer seller.

Suggested change
if is_sale_frozen_owner_hotkey && !is_mev_protected {
if is_sale_frozen_owner_hotkey && !is_sale_cancel && !is_mev_protected {
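Review bot: on the changed condition, the PR's added test still asserts that cancel_sale_offer is rejected for a signer present in SubnetSaleFrozenHotkeys, so that assertion has to be inverted in the same commit as this change. With `!is_sale_cancel` in place, a frozen owner hotkey that is not the seller also passes this branch for cancel_sale_offer without MEV protection, so add a test that such a signer is still turned away by the seller check in do_cancel_sale_offer.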

@github-actions


🔄 AI review updated — Skeptic: VULNERABLE

github-actions Bot left a comment

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

return Err(Error::<T>::ColdkeyLockedDuringSale.into());
}

if is_sale_frozen_owner_hotkey && !is_mev_protected {


[MEDIUM] Seller cannot cancel when coldkey is also owner hotkey

do_create_sale_offer allows seller == owner_hotkey, then freezes the same account in both maps. For that account, cancel_sale_offer passes the coldkey check but is rejected here as a frozen owner hotkey, leaving the seller unable to use the only non-root cancellation path while both keys remain frozen. Let sale cancellation pass this guard too; do_cancel_sale_offer already enforces that only the seller or root can actually cancel.

Suggested change
if is_sale_frozen_owner_hotkey && !is_mev_protected {
if is_sale_frozen_owner_hotkey && !is_sale_cancel && !is_mev_protected {
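A small model of the guard ordering that the two inline comments above describe, added here as an illustration and not code from the PR or the Subtensor pallet. The set-based `SaleFreeze`, the `check` signature, the `exempt_cancel` toggle and the account names are assumptions; the error names and branch conditions follow the snippets quoted in the comments.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
enum GuardError { ColdkeyLockedDuringSale, HotkeyLockedDuringSale }

#[derive(Clone, Copy, PartialEq)]
enum Call { CancelSaleOffer, Other }

/// Constructed stand-in for the two freeze maps filled when an offer is created.
struct SaleFreeze { coldkeys: HashSet<&'static str>, owner_hotkeys: HashSet<&'static str> }

fn freeze(seller: &'static str, owner_hotkey: &'static str) -> SaleFreeze {
    SaleFreeze { coldkeys: HashSet::from([seller]), owner_hotkeys: HashSet::from([owner_hotkey]) }
}

/// Model of the dispatch guard; `exempt_cancel` switches on the suggested change.
fn check(f: &SaleFreeze, signer: &str, call: Call, is_root: bool,
         is_mev_protected: bool, exempt_cancel: bool) -> Result<(), GuardError> {
    if is_root {
        return Ok(()); // root bypasses the guard
    }
    let is_sale_cancel = call == Call::CancelSaleOffer;
    // Coldkey branch: a frozen seller coldkey may only cancel its offer.
    if f.coldkeys.contains(signer) && !is_sale_cancel {
        return Err(GuardError::ColdkeyLockedDuringSale);
    }
    // Owner-hotkey branch: runs even when the coldkey branch let the call through.
    let is_sale_frozen_owner_hotkey = f.owner_hotkeys.contains(signer);
    let cancel_exempt = exempt_cancel && is_sale_cancel;
    if is_sale_frozen_owner_hotkey && !cancel_exempt && !is_mev_protected {
        return Err(GuardError::HotkeyLockedDuringSale);
    }
    Ok(())
}

fn main() {
    let same = freeze("acct_a", "acct_a"); // seller coldkey == owner hotkey
    for exempt_cancel in [false, true] {
        let r = check(&same, "acct_a", Call::CancelSaleOffer, false, false, exempt_cancel);
        println!("exempt_cancel={} cancel_sale_offer -> {:?}", exempt_cancel, r);
    }
    let r = check(&same, "acct_a", Call::Other, false, false, true);
    println!("other call from frozen account -> {:?}", r);
}
```

The model covers only the dispatch-time guard; whether the signer is actually the offer seller is decided later, in do_cancel_sale_offer, which the model does not include.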

github-actions Bot commented Jul 1, 2026

🔄 AI review updated — Skeptic: VULNERABLE
