"Private" EVM #3344

Open
dariolina opened this issue Jan 13, 2025 · 2 comments · May be fixed by #3350

@dariolina

Allow instantiating an EVM with the same runtime as public Auto-EVM, but with (config?) parameters of an allow-list for addresses that can deploy contracts. The allow-list, by default, should contain the domain sudo (!= consensus sudo) and the domain sudo should be able to add members to it.

@teor2345 teor2345 added the execution Subspace execution label Jan 13, 2025
@teor2345 teor2345 self-assigned this Jan 13, 2025
@NingLin-P

There are 3 parts of work to implement "Private" EVM:

  • Maintenance of the allow-list
  • Access control based on the allow-list
  • Apply the check

NOTE: this only disallows deploying contracts on the "Private" EVM; transfers within the domains and XDM transfers between other domains and the consensus chain are not affected.

Maintenance of the allow-list

We need to introduce a new pallet to maintain the allow-list in the EVM domain. The allow-list should be something similar to PermissionedActionAllowedBy in the consensus chain:

```rust
#[pallet::storage]
pub(super) type PermissionedActionAllowedBy<T: Config> =
    StorageValue<_, sp_domains::PermissionedActionAllowedBy<T::AccountId>, OptionQuery>;

/// Update permissioned action allowed by storage by Sudo.
#[pallet::call_index(14)]
#[pallet::weight(<T as frame_system::Config>::DbWeight::get().reads_writes(0, 1))]
pub fn set_permissioned_action_allowed_by(
    origin: OriginFor<T>,
    permissioned_action_allowed_by: sp_domains::PermissionedActionAllowedBy<T::AccountId>,
) -> DispatchResult {
    ensure_root(origin)?;
    PermissionedActionAllowedBy::<T>::put(permissioned_action_allowed_by);
    Ok(())
}
```

NOTE: updating the allow-list requires domain sudo, and currently the only way to do that is via send_domain_sudo_call (which requires consensus sudo):

```rust
/// Submit a domain sudo call.
#[pallet::call_index(16)]
#[pallet::weight(<T as frame_system::Config>::DbWeight::get().reads_writes(3, 1))]
pub fn send_domain_sudo_call(
    origin: OriginFor<T>,
    domain_id: DomainId,
    call: Vec<u8>,
) -> DispatchResult {
```

Access control based on the allow-list

The check can be implemented as a check like:

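```rust
/// A call passes unless it creates a contract and the signer is not on the allow-list.
/// (Written as `!create || allowed` so that non-create calls are not rejected.)
fn is_create_contract_allowed(call: &RuntimeCall, signer: &AccountId) -> bool {
    !is_create_contract(call) || is_allowed(signer)
}

/// Whether the call deploys a contract, directly or through a wrapping call.
fn is_create_contract(call: &RuntimeCall) -> bool {
    match call {
        RuntimeCall::EVM(pallet_evm::Call::create { .. })
        | RuntimeCall::EVM(pallet_evm::Call::create2 { .. }) => true,
        RuntimeCall::Utility(wrapped_call) => wrapped_call.is_pallet_evm_create_or_create2(),
        RuntimeCall::Ethereum(pallet_ethereum::Call::transact { transaction, .. }) => {
            transaction.is_create()
        }
        _ => false,
    }
}

/// An unset allow-list yields `false`, so nobody can deploy until it is populated.
fn is_allowed(signer: &AccountId) -> bool {
    PermissionedActionAllowedBy::<T>::get()
        .map(|allowed_by| allowed_by.is_allowed(signer))
        .unwrap_or_default()
}
```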

Apply the check

This part is a bit tricky because pallet_ethereum::Call is self-contained and validated in a different way, while pallet_evm::Call is validated similarly to normal substrate extrinsic, see here for more detail.

For pallet_evm::Call, this check can be applied via SignedExtension, similar to the DisablePallets extension in the consensus chain; we simply need to replace contains_balance_transfer with is_create_contract_allowed in validate/validate_unsigned/pre_dispatch/pre_dispatch_unsigned.

For pallet_ethereum::Call, we need to add the check to:

fn validate_self_contained(

fn pre_dispatch_self_contained(
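
A self-contained model of the allow-list check discussed in the comment above, added here as an illustration and not taken from the Subspace code base. The `Call` and `AllowedBy` types and `call_permitted` are simplified, hypothetical stand-ins for the runtime types; the example recurses into nested batch calls so a deployment wrapped in a utility batch is still gated, and treats an unset allow-list as deny.

```rust
// Simplified stand-ins for the runtime types (assumptions, not the project's definitions).
type AccountId = u32;

enum Call {
    EvmCreate,
    EvmCreate2,
    EvmCall,
    EthereumTransact { is_create: bool },
    UtilityBatch(Vec<Call>),
    BalancesTransfer,
}

enum AllowedBy {
    Anyone,
    Accounts(Vec<AccountId>),
}

impl AllowedBy {
    fn is_allowed(&self, who: &AccountId) -> bool {
        match self {
            AllowedBy::Anyone => true,
            AllowedBy::Accounts(list) => list.contains(who),
        }
    }
}

/// True if the call, or any call nested in a batch, deploys a contract.
fn is_create_contract(call: &Call) -> bool {
    match call {
        Call::EvmCreate | Call::EvmCreate2 => true,
        Call::EthereumTransact { is_create } => *is_create,
        Call::UtilityBatch(inner) => inner.iter().any(is_create_contract),
        _ => false,
    }
}

/// Only deployments are gated; an unset allow-list (None) denies them all.
fn call_permitted(list: &Option<AllowedBy>, call: &Call, signer: &AccountId) -> bool {
    !is_create_contract(call)
        || list.as_ref().map(|l| l.is_allowed(signer)).unwrap_or_default()
}

fn main() {
    let list = Some(AllowedBy::Accounts(vec![1])); // constructed sample: account 1 may deploy
    let batch = Call::UtilityBatch(vec![Call::BalancesTransfer, Call::EvmCreate]);
    println!("account 1 batch: {}", call_permitted(&list, &batch, &1));
    println!("account 2 batch: {}", call_permitted(&list, &batch, &2));
    println!("account 2 call: {}", call_permitted(&list, &Call::EvmCall, &2));
}
```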

@vedhavyas

> We need to introduce a new pallet to maintain the allow-list in the EVM domain,

We already have a nonce tracker pallet specific to EVM. Please repurpose that. No need to create a new pallet for every feature :)

Rest of the approach looks good 👍🏼

@teor2345 teor2345 linked a pull request Jan 15, 2025 that will close this issue