**Is your feature request related to a problem? Please describe.**
Users may forget their passphrase and the current way to reset is manual.
Implementing an automated account recovery would be a decent improvement to UX.
**Describe the solution you'd like**
Every Identity (Account) is created so that the second controlling wallet is the AdEx recovery wallet. Replace that with a smart contract, `AdExRecoveryDAO`, that is a basic timelock.

This contract has to have:
- An admin, that can be changed
  - The AdEx multisig will be the admin
  - The admin can cancel recoveries
- A boolean mapping of addresses that can propose recovery; the admin can change those w/o delay
  - For example, the relayer can propose recoveries
- A mapping of proposed recoveries (by hash) to the time the recovery becomes possible
- A delay time that can be changed by the admin, but no lower than a set minimum
- A function that allows each recovery request to be cancelled immediately by the account that is being recovered
Security implications: the only procedure that needs to have a timelock is the recovery itself. The goal of this is to allow the admin to save accounts if a proposer key (eg the relayer) is compromised.
The procedure would be the following:
1. User requests account recovery
2. They receive a magic link on their email that they can use to recover their account: on this link, they can either change their passphrase (which results in re-creating the quick account) or set a MetaMask address
   - initially we can implement only the passphrase change
3. Once the request is submitted, the relayer triggers a transaction to `AdExRecoveryDAO` that proposes the recovery and sends an email to the user that their recovery was successfully requested and they need to wait
4. Once the proposal has matured, the relayer triggers a transaction to `AdExRecoveryDAO` to finalize the recovery - once the tx is mined, an email will be sent to the user that their recovery was successful; this can be checked via cron
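As an added illustration of the contract requirements and the propose/finalize procedure above (example code written for this issue, not the project's actual `AdExRecoveryDAO` or Identity implementation): a minimal timelock that puts only the recovery itself behind a delay, while admin changes, proposer changes and cancellations take effect immediately. The `IIdentity.setPrivilege(address, uint8)` signature, the `Recovery` struct layout, the `MIN_DELAY` of 3 days and the event names are assumptions made for the example; the contract is assumed to already hold a privileged key on each Identity it recovers (the "second controlling wallet" role the issue describes).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal view of an AdEx Identity: the issue names a `setPrivilege`
// call but not its signature, so this interface is a placeholder.
interface IIdentity {
    function setPrivilege(address addr, uint8 level) external;
}

// Example timelock matching the requirements listed in the issue (not the project's code).
contract AdExRecoveryDAO {
    // What a recovery does: grant `newKey` privilege `level` on `identity`.
    // `nonce` lets the same key be re-proposed after a cancellation.
    struct Recovery {
        address identity;
        address newKey;
        uint8 level;
        uint256 nonce;
    }

    uint256 public constant MIN_DELAY = 3 days; // assumed floor, not stated in the issue

    address public admin;                          // intended to be the AdEx multisig
    uint256 public delay;                          // admin-adjustable, never below MIN_DELAY
    mapping(address => bool) public canPropose;    // e.g. the relayer key
    mapping(bytes32 => uint256) public recoveries; // recovery hash => timestamp when it matures

    event AdminChanged(address indexed admin);
    event ProposerChanged(address indexed proposer, bool allowed);
    event DelayChanged(uint256 delay);
    // Indexed on `identity` so the Platform can filter logs for the current account
    // and show the "pending recovery" warning banner.
    event RecoveryProposed(bytes32 indexed hash, address indexed identity, address newKey, uint8 level, uint256 readyAt);
    event RecoveryCancelled(bytes32 indexed hash, address indexed identity, address by);
    event RecoveryFinalized(bytes32 indexed hash, address indexed identity);

    modifier onlyAdmin() {
        require(msg.sender == admin, "NOT_ADMIN");
        _;
    }

    constructor(address _admin, uint256 _delay) {
        require(_delay >= MIN_DELAY, "DELAY_TOO_SHORT");
        admin = _admin;
        delay = _delay;
    }

    // --- admin controls: immediate, no timelock ---
    function setAdmin(address _admin) external onlyAdmin {
        admin = _admin;
        emit AdminChanged(_admin);
    }

    function setProposer(address proposer, bool allowed) external onlyAdmin {
        canPropose[proposer] = allowed;
        emit ProposerChanged(proposer, allowed);
    }

    function setDelay(uint256 _delay) external onlyAdmin {
        require(_delay >= MIN_DELAY, "DELAY_TOO_SHORT");
        delay = _delay;
        emit DelayChanged(_delay);
    }

    function hashRecovery(Recovery calldata r) public pure returns (bytes32) {
        return keccak256(abi.encode(r.identity, r.newKey, r.level, r.nonce));
    }

    // --- the only timelocked path: proposers (e.g. the relayer) start a recovery ---
    function propose(Recovery calldata r) external {
        require(canPropose[msg.sender], "NOT_PROPOSER");
        bytes32 h = hashRecovery(r);
        require(recoveries[h] == 0, "ALREADY_PROPOSED");
        uint256 readyAt = block.timestamp + delay;
        recoveries[h] = readyAt;
        emit RecoveryProposed(h, r.identity, r.newKey, r.level, readyAt);
    }

    // Cancel immediately: either the admin (multisig) or the account being
    // recovered, i.e. the Identity contract itself sending the transaction.
    function cancel(Recovery calldata r) external {
        bytes32 h = hashRecovery(r);
        require(recoveries[h] != 0, "NOT_PROPOSED");
        require(msg.sender == admin || msg.sender == r.identity, "NOT_AUTHORIZED");
        delete recoveries[h];
        emit RecoveryCancelled(h, r.identity, msg.sender);
    }

    // Anyone (in practice the relayer's cron job) may finalize once the proposal
    // has matured; the delay plus the two cancellation paths are the safeguard.
    function finalize(Recovery calldata r) external {
        bytes32 h = hashRecovery(r);
        uint256 readyAt = recoveries[h];
        require(readyAt != 0, "NOT_PROPOSED");
        require(block.timestamp >= readyAt, "NOT_MATURED");
        delete recoveries[h];
        IIdentity(r.identity).setPrivilege(r.newKey, r.level);
        emit RecoveryFinalized(h, r.identity);
    }
}
```

The relayer's flow maps onto `propose` (step 3) and `finalize` (step 4); the Platform's warning banner can be driven by `RecoveryProposed` events filtered on the current account's Identity address, with the matching `cancel` call wired to the button. Because proposals are keyed by hash of the full recovery parameters, a compromised proposer key cannot alter a pending recovery, only create new ones that the admin or the account owner can cancel during the delay.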
Migrating current accounts: to allow current accounts to enable the new recovery mechanism, prompt them with a modal that would issue a TX that would call `setPrivilege` twice to add the new recovery mechanism and remove the old one.
Later additions:
- The Platform should request logs from the `AdExRecoveryDAO` contract, and if it identifies a pending recovery request for the current account, it should show a large warning banner and a button that allows the user to cancel it. The logic here is: if the relayer is compromised and it requests recovery of accounts, the user can cancel it.
- The account page should have a "Remove recovery service" button, with a modal explaining that you're taking full responsibility and asking whether you agree or not, and an explainer that explains what the recovery service is.
- We should write a blog post explaining how passphrase recovery works in AdEx, "how AdEx protects your account" or something similar
**Additional context**
@IvoPaunov will implement the UI and the relayer changes
**Describe alternatives you've considered**
Replaces https://github.com/AdExNetwork/adex-protocol-eth/issues/35, https://github.com/AdExNetwork/organization/issues/78, https://github.com/AdExNetwork/organization/issues/104, https://github.com/AdExNetwork/adex-protocol-eth/issues/87 and https://github.com/AdExNetwork/aips/issues/21