eladmallel
commented
5 years ago @yondonfu can you please share a bit more thoughts on how designated signers should fit into staking?
Open yondonfu opened 5 years ago
eladmallel
commented
5 years ago @yondonfu can you please share a bit more thoughts on how designated signers should fit into staking?
yondonfu
commented
5 years ago O can have a master address that has the following privileges:
This master address can be secured in cold storage and only brought online when needed.
O's signer addresses can sign transcoded results that are sent to B. With the currently proposed verification flow that involves B submitting data on-chain for verification when challenging a segment, B will need to provide O's signature over the relevant segment data.
O's signer addresses could also be allowed to submit transactions that need to happen on a regular interval i.e. calling reward to mint new LPT. Alternatively, the master address could be a contract that serves as an account proxy that implements its own address authentication mechanism (see: https://forum.aragon.org/t/key-hierarchy-for-staking-accounts/78) - in this case, the signer registry in the staking contract could just used to verify signatures and the proxy contract can manage which addresses can call functions in the staking contract (a EOA would route the transaction through the proxy contract so that from the staking contract's POV it just sees a transaction from the proxy contract).
eladmallel
commented
5 years ago IIUC using the proxy approach would incur additional work on the client side to support interactions with such a proxy contract? And as mentioned in the link you shared, it also requires each user to deploy their own proxy contract?
In comparison I think it's fair to say the proxy approach can be more secure than designated signers, since in a proxy solution you could implement custom multisig and revocation policies that further mitigate the chances of account takeover and the damage of such an event.
My quick gut check says we should go with designated signers because it provides "good enough" security and simpler UX.
wdyt?
yondonfu
commented
5 years ago I think that is a good assessment of the pros/cons of the proxy contract approach. Another pro is the ability to wrap multiple function calls into a single atomic transaction i.e. wrap ERC20 approve + transferFrom.
We need the designated signers construction for the staking contract either way if we want to support signature verification from different signer addresses - we cannot securely outsource this responsibility to a proxy contract that the user defines due to the issues around signature invalidation. However, a user can use an account proxy contract if it wants to for the benefits described.
The question would be whether or not to implement logic in the staking contract to check if transaction sender is authorized to perform an action on behalf of some address (in addition to verifying signatures on behalf of some address which it already would need to do). My current preference is to let the user decide on that authorization logic i.e. if they want more complex authorization logic they should use an account proxy contract rather than an EOA. since this avoids additional complexity in the staking contract which just needs to verify signatures now.
eladmallel
commented
5 years ago (in addition to verifying signatures on behalf of some address which it already would need to do)
I'm not sure I'm following where would we verify signatures of designated signers?
I think I understand the point about BondingManager allowing msg.sender to be a signer that could perform certain financial operations (e.g. withdrawFee) on behalf of the cold wallet O account. But IIUC that's distinct from what you're saying above, so I'd love to connect to a specific example of signature verification that you have in mind?
thanks!
yondonfu
commented
5 years ago I think I understand the point about BondingManager allowing msg.sender to be a signer that could perform certain financial operations (e.g. withdrawFee) on behalf of the cold wallet O account. But IIUC that's distinct from what you're saying above, so I'd love to connect to a specific example of signature verification that you have in mind?
I'll refer to this as sender based authentication (used to determine if a sender can call a function). We also have to handle signature based authentication.
Signature authentication for O could look like:
If we have a signer registry to handle signature authentication for O, we could use that same registry for sender based authentication as well. But I am suggesting that perhaps for lowering complexity within BondingManager and maintaining separation of concerns it would be better to not do that and instead have a user deployed account proxy contract deal with sender based authentication.
Orchestrators should be able to designate different signer addresses for a few reasons:
For previous discussion on this topic:
Broadcaster designated signers is already being implemented as a part of PM (#262 #265). We can follow the same approach for enabling orchestrator designated signers.
There are a few options here to avoid logic duplication:
I'm currently inclined to use the first approach to avoid additional external contract calls and the requirement for TicketBroker and the staking contract to know about an additional contract address.