Summary
pre_programmed_distribution exists on TokenDistributionRulesV0, but the token configuration update validation helper does not mention it. This is currently a code consistency issue, not a reachable security vulnerability.
Current behavior
pre_programmed_distribution is present on TokenDistributionRulesV0.
validate_token_config_update_v0 validates other token distribution fields but does not explicitly handle pre_programmed_distribution.
- Full data contract updates already reject token configuration changes wholesale.
- The dedicated token config update transition does not expose any TokenConfigurationChangeItem variant that can mutate pre_programmed_distribution.
Because there is no reachable mutation path today, this should not be treated as an open security issue.
Why track this
This is still a maintenance footgun:
- The validation helper and the token distribution struct are out of sync.
- A future change could add a reachable update path for pre_programmed_distribution and accidentally rely on the existing helper, assuming the field is already covered.
- That could turn the current inconsistency into a real authorization or immutability bug.
Suggested resolution
Pick one of these and document the intended behavior clearly:
- Make pre_programmed_distribution explicitly immutable in validate_token_config_update_v0.
- Introduce full change-control support for pre_programmed_distribution if post-creation updates are intended.
- Add comments or assertions that clarify the field is intentionally excluded because it is not part of the reachable token config update surface.
Acceptance criteria
- The intended mutability of pre_programmed_distribution is explicit in code.
- The validation/update helpers and the reachable token config update surface are aligned.
- Tests cover the intended behavior so future feature work cannot silently make this field mutable without corresponding validation.
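The following is an added example, not rs-dpp code, illustrating the first suggested resolution (explicit immutability) together with the acceptance criterion that the helper and the struct stay aligned. The struct, its field types and the helper name are simplified assumptions for the example; they are not the real TokenDistributionRulesV0 or validate_token_config_update_v0. The point it shows is that destructuring the struct without `..` turns "new field added but helper not updated" into a compile error rather than a silently uncovered field.

```rust
// Added example, not rs-dpp code: a simplified stand-in for the token
// distribution rules and the update validation helper, showing how to make
// `pre_programmed_distribution` explicitly immutable and how to make the
// helper fail to compile when a field is added without a mutability decision.

/// Hypothetical, simplified stand-in for TokenDistributionRulesV0.
/// Field types are assumptions chosen for the example.
#[derive(Debug, Clone, PartialEq)]
pub struct TokenDistributionRules {
    /// Treated as mutable in this example.
    pub perpetual_distribution: Option<u64>,
    /// Schedule of (block height, amount) pairs; must not change after creation.
    pub pre_programmed_distribution: Option<Vec<(u64, u64)>>,
}

/// Validation errors produced by the hypothetical helper.
#[derive(Debug, PartialEq, Eq)]
pub enum UpdateError {
    ImmutableFieldChanged(&'static str),
}

/// Hypothetical stand-in for validate_token_config_update_v0.
///
/// Every field is bound by name in the destructuring pattern, with no `..`,
/// so adding a field to the struct is a compile error here until someone
/// decides whether the new field is mutable, immutable, or out of scope.
pub fn validate_token_distribution_update(
    old: &TokenDistributionRules,
    new: &TokenDistributionRules,
) -> Result<(), Vec<UpdateError>> {
    let TokenDistributionRules {
        perpetual_distribution: _old_perpetual,
        pre_programmed_distribution: old_pre,
    } = old;
    let TokenDistributionRules {
        perpetual_distribution: _new_perpetual,
        pre_programmed_distribution: new_pre,
    } = new;

    let mut errors = Vec::new();

    // perpetual_distribution: mutable in this example, so nothing to check.

    // pre_programmed_distribution: explicitly immutable. Comparing the whole
    // Option also rejects Some -> None and None -> Some transitions, not just
    // edits to an existing schedule.
    if old_pre != new_pre {
        errors.push(UpdateError::ImmutableFieldChanged(
            "pre_programmed_distribution",
        ));
    }

    if errors.is_empty() {
        Ok(())
    } else {
        Err(errors)
    }
}

fn main() {
    // Constructed sample rules for the demonstration.
    let old = TokenDistributionRules {
        perpetual_distribution: Some(10),
        pre_programmed_distribution: Some(vec![(100, 1_000), (200, 2_000)]),
    };
    // Changing only the mutable field is accepted.
    let mut new = old.clone();
    new.perpetual_distribution = Some(20);
    println!("{:?}", validate_token_distribution_update(&old, &new));
    // Removing the schedule is rejected.
    new.pre_programmed_distribution = None;
    println!("{:?}", validate_token_distribution_update(&old, &new));
}
```

The destructuring pattern is the part worth carrying over to the real helper: it makes the third suggested resolution (documenting an intentional exclusion) enforceable, because the exclusion has to be written down in the pattern itself rather than implied by absence.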
Relevant files
packages/rs-dpp/src/data_contract/associated_token/token_distribution_rules/v0/mod.rs
packages/rs-dpp/src/data_contract/associated_token/token_configuration/methods/validate_token_configuration_update/v0/mod.rs
packages/rs-dpp/src/data_contract/associated_token/token_configuration_item.rs
packages/rs-dpp/src/data_contract/associated_token/token_configuration/methods/apply_token_configuration_item/v0/mod.rs
packages/rs-dpp/src/data_contract/methods/validate_update/v0/mod.rs
Investigation note
Security review conclusion: the previously reported issue was refuted as non-exploitable in current and historical reachable paths, because pre_programmed_distribution has not been exposed through the token config update change-item surface, and whole-contract token config mutations are rejected.