Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Radix>Threat Model>Fungible buckets
GeneralOverview
Findings
High (1)
Medium (2)
Low (2)
Informational (1)
DiscussionUnique Characteristics of Radix
Threat ModelWhat are threat models?
1-native-blueprintsModule: Resource blueprintsResourcesConsensus managerFungible and nonfungible proofsAuthorization zonePackageFungible bucketsFungible vaultsFungible resource managersValidatorAccount lockerWorktopAccountLiquidity poolsAccess controller
2-runtime3-transactions4-kernel
Audit ResultsAssessment Results

Fungible buckets

Fungible buckets are components that are created to hold fungible resources throughout the lifetime of a transaction. The owned component (which can be a blueprint or another component) is able to take resources out and put resources into this bucket.

Fungible buckets differentiate between liquid and locked amounts. Amounts are locked when a user creates a proof-of-amount from this bucket. The proof can be used to prove to others that this user has access to the locked amount of a resource. Any non-locked funds are considered liquid and can be transferred out of the bucket.

Method: take()

The method signature is take(amount: Decimal, api: &mut Y).

This method is intended to be used to take resources out of the bucket. It returns a new bucket with the resources that were taken out.

This method simply calls take_advanced(amount, WithdrawStrategy::Exact, api). The amount argument is user controlled.

Method: take_advanced()

The method signature is take_advanced(amount: Decimal, withdraw_strategy: WithdrawStrategy, api: &mut Y).

This method contains the core logic behind taking resources out. The WithdrawStrategy is an enum:

pub enum WithdrawStrategy { Exact, Rounded(RoundingMode), }

And RoundingMode is also an enum:

pub enum RoundingMode { /// The number is always rounded toward positive infinity, e.g. `3.1 -> 4`, `-3.1 -> -3`. ToPositiveInfinity, /// The number is always rounded toward negative infinity, e.g. `3.1 -> 3`, `-3.1 -> -4`. ToNegativeInfinity, /// The number is always rounded toward zero, e.g. `3.1 -> 3`, `-3.1 -> -3`. ToZero, /// The number is always rounded away from zero, e.g. `3.1 -> 4`, `-3.1 -> -4`. AwayFromZero, /// The number is rounded to the nearest, and when it is halfway between two others, it's rounded toward zero, e.g. `3.5 -> 3`, `-3.5 -> -3`. ToNearestMidpointTowardZero, /// The number is rounded to the nearest, and when it is halfway between two others, it's rounded away from zero, e.g. `3.5 -> 4`, `-3.5 -> -4`. ToNearestMidpointAwayFromZero, /// The number is rounded to the nearest, and when it is halfway between two others, it's rounded toward the nearest even number. Also known as "Bankers Rounding". ToNearestMidpointToEven, }

When the withdraw_strategy is set to WithdrawStrategy::Rounded, the amount argument is rounded based on the RoundingMode that is set.

Afterwards, the amount itself is checked to ensure that it is nonnegative and divisible by divisibility, which is the amount of decimals this resource is using.

Then, the amount is taken out of this bucket and transferred over into a new bucket. This new bucket is then returned.

If the bucket does not have at least amount of the resource in it, the transaction is reverted. This only looks at the current liquid amount of the resource in the bucket and ignores locked resources.

Method: put()

The method signature is put(bucket: Bucket, api: &mut Y).

This method is used to take fungible resources out of another bucket and insert into the bucket that this method is called on.

There are no direct checks to ensure that the bucket argument contains a bucket that has the same type of resource as the bucket this function is called on. However, when the drop_fungible_bucket() function is called to drop the other bucket (i.e., the bucket passed in), it ensures that

  1. the other bucket does not currently have any locked funds, and

  2. the other bucket was also created by the same blueprint.

The second check in particular prevents resources between different types of buckets from getting mixed up.

Function: get_amount()

The method signature is get_amount<Y>(api: &mut Y).

This function simply adds up this bucket's liquid and locked amounts and returns it.

Function: get_resource_address()

The method signature is get_resource_address<Y>(api: &mut Y).

This function returns the address of this bucket as a ResourceAddress. This can be used to determine the type of resource stored within this bucket.

Function: create_proof_of_amount()

The method signature is create_proof_of_amount<Y>(amount: Decimal, api: &mut Y).

This function is used to create a proof-of-amount from this bucket. The proof can be used by the caller to prove that they have access to a certain amount of resources from this bucket.

When the proof is created, the amount argument is used to determine the amount of resources to lock for this proof.

This amount cannot be negative and must also be divisible by the divisibility of this resource.

Method: create_proof_of_all()

The method signature is create_proof_of_all<Y>(api: &mut Y).

This function calls create_proof_of_amount(), passing in the entire amount of the bucket as the first argument. See the above subsection for more details.

Nonfungible buckets

Nonfungible buckets are components that are created to hold nonfungible resources throughout the lifetime of a transaction. The owned component (which can be a blueprint or another component) is able to take resources out and put resources into this bucket.

Nonfungible buckets also differentiate between liquid and locked resources. Specified nonfungible IDs are locked when a user creates a proof from this bucket. The proof can be used to prove to others that this user has access to the locked nonfungible IDs. Any non-locked IDs are considered liquid and can be transferred out of the bucket.

Below is a list of all the functions and methods a nonfungible bucket exposes.

Method: take()

The method signature is take(amount: Decimal, api: &mut Y).

This method is intended to be used to take the specified amount of nonfungible resources from this bucket. It returns a new bucket with the resources that were taken out.

This method simply calls take_advanced(amount, WithdrawStrategy::Exact, api). The amount argument is user controlled.

Method: take_advanced()

The method signature is take_advanced(amount: Decimal, withdraw_strategy: WithdrawStrategy, api: &mut Y).

This method contains the core logic behind taking resources out. The withdraw_strategy works the same way as it did with the fungible bucket.

The amount itself is ensured to be positive and able to fit within a u32. There is no divisibility to check for nonfungible resources.

Since nonfungible resources are not fungible, the amount is used to determine how many resources to remove from this bucket. The resources are removed in ascending order (that is, ID 1 is removed before ID 2 and onwards).

If the bucket does not contain enough liquid resources to take out, an error is returned and the transaction is reverted.

Method: take_non_fungibles()

The method signature is take_non_fungibles<Y>(ids: &IndexSet<NonFungibleLocalId>, api: &mut Y).

This version of the take_*() function is used to take out specific nonfungible resources from this bucket by ID. The user passes in an index set of the IDs they want to take out.

If any of the IDs do not exist in this bucket or are currently locked, an error is returned and the transaction is reverted.

Method: put()

The method signature is put(bucket: Bucket, api: &mut Y).

This method is used to take nonfungible resources out of another bucket and insert into the bucket that this method is called on.

There are no direct checks to ensure that the bucket argument contains a bucket that has the same type of resource as the bucket this function is called on. However, when the drop_non_fungible_bucket() function is called to drop the other bucket (i.e., the bucket passed in), it ensures that

  1. the other bucket does not currently have any locked funds, and

  2. the other bucket was also created by the same blueprint.

The second check in particular prevents resources between different types of buckets from getting mixed up.

Function: get_non_fungible_local_ids()

The method signature is get_non_fungible_local_ids<Y>(api: &mut Y).

This function creates a new index set containing all the nonfungible resources this bucket contains, both liquid and locked. The index set is returned to the caller.

Function: contains_non_fungible()

The method signature is get_non_fungible_local_ids<Y>(id: NonFungibleLocalId, api: &mut Y).

This function is used to check whether the nonfungible resource ID specified by the id argument exists in this bucket. It checks both liquid and locked resources.

Function: get_amount()

The method signature is get_amount<Y>(api: &mut Y).

This function simply adds up this bucket's liquid and locked amounts and returns it.

Method: get_resource_address()

The method signature is get_resource_address<Y>(api: &mut Y).

This method returns the address of this bucket as a ResourceAddress. This can be used to determine the type of resource stored within this bucket.

Function: create_proof_of_non_fungibles()

The method signature is create_proof_of_non_fungibles<Y>(ids: IndexSet<NonFungibleLocalId>, api: &mut Y).

This method is used to create a proof-of-nonfungibles from this bucket. The proof can be used by the caller to prove that they have access to the set of nonfungible resources specified in the ids argument. These resources are locked for this proof.

If any of the resources specified in the ids argument do not exist in this bucket or are already locked, an error is returned and the transaction is reverted.

Method: get_resource_address()create_proof_of_all()

The method signature is create_proof_of_all<Y>(api: &mut Y).

This method calls create_proof_of_non_fungibles(), passing in an index set that contains all the nonfungible resources in this bucket. See the above subsection for more details.

Zellic © 2025Back to top ↑