Enforce conviction

[gztensor]

Description

This PR enables conviction enforcement. If

• a non-owner hotkey A has conviction higher than owner's hotkey,
• total conviction on the subnet is >= 10% of SubnetAlphaOut, and
• subnet is at least 1 year old,

the ownership will be changed to coldkey that is owner of hotkey A.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Other (please describe):

Checklist

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have run ./scripts/fix_rust.sh to ensure my code is formatted and linted correctly
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[HIGH] Re-enabled conviction scan can make on_initialize unbounded

run_coinbase is invoked from block_step() in on_initialize, which returns a fixed weight. This call reaches change_subnet_owner_if_needed(), which calls get_total_conviction() and subnet_king(); those iterate HotkeyLock::<T>::iter_prefix(netuid) and DecayingHotkeyLock::<T>::iter_prefix(netuid) and build a BTreeMap over all matching hotkeys. Those maps are not bounded in the fixed hook weight, and the PR now runs the scans on every successful subnet epoch. An attacker can grow lock aggregate entries and force epoch blocks to do storage work proportional to lock-map size, risking overweight/slow block execution. Keep this disabled until the ownership check is made bounded, amortized, or otherwise accurately accounted in block weight.

Suggested change

	// Change subnet owner based on conviction.
	Self::change_subnet_owner_if_needed(netuid);
	// Reserved for potential future enhancements.
	// Ownership update logic based on conviction is currently inactive by design.
	// Self::change_subnet_owner_if_needed(netuid);

[github-actions]

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

BASELINE scrutiny: established repo write contributor, author/committer match, no Gittensor allowlist hit; branch feat/enforce-conviction -> devnet-ready.

No prior Skeptic findings were present. The PR does not modify .github/ai-review/*, .github/copilot-instructions.md, or dependency files.

Findings

Sev	File	Finding
HIGH	pallets/subtensor/src/coinbase/run_coinbase.rs:415	Re-enabled conviction scan can make on_initialize unbounded	inline

Conclusion

The change re-enables a runtime hook that performs unbounded lock-map scans during coinbase/on-initialize processing, creating a steady-state block production DoS risk. This should stay disabled until conviction enforcement is implemented with bounded per-block work or separately accounted execution.

---

# 🔍 AI Review — Auditor (domain review) has not yet run on this PR.

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE