Motoko request: Type size limit annotations

I’ve now done three audits and everyone fails and has issues dealing with ingress and canister to canister DDoS cycle drain attacks where with ICRC1 where an attacker can put a huge memo or huge sub account.

Ingress inspect_message can help, but much less can be done about canister to canister other than checking as early as possible and trapping if you see a violation.

It would be really great, even if it is only with public actor method and queries to be able to declare something:

public type TransferArgs = {
to : {
owner : Principal;
subaccount : opt Blob<32|32>; // must be Len 32 if included
memo : opt [Nat8]<|32>; //can be len 0-32


It would be nice if the compiled motoko would just trap for us on those violations. It would remove a significant amount of boilerplate from everyone’s code that is releasing production actors.

Perhaps there is better sugar here, but that is the idea.


Thanks for the report. We are working on a solution at the Candid level. Basically, users can optionally specify a size limit on the Candid types during deserialization. The spec for this config is just up for review: spec: candid type selector by chenyan-dfinity · Pull Request #555 · dfinity/candid · GitHub.

At the moment, we only implemented this for Rust bindgen and random value generation. We will start to implement this for deserialization soon. For Motoko, we also need to figure out a good syntax to specify these limits, probably with some decoration.


If we can get something like this it would be a huge relief.

I also like the idea of using a separate file to define our configuration.