search

paritytech / polkadot-sdk

The Parity Polkadot Blockchain SDK
https://polkadot.network/
1.86k stars 680 forks source link

Vision: Easily verifiable key-less accounts #283

Open emostov opened 2 years ago

emostov commented 2 years ago

Some use cases require creating a key-less account that can be easily verified by a DApp.

Currently, the only way to do this with a substrate FRAME pallet is to spawn an anonymous proxy account and then remove all keys from the account. To prove that an account is key-less, one would need to verify both 1) that the account was created with a proxy::Call::anonymous extrinsic and 2) that the account has no proxies in the proxy::Proxies map.

Assuming a DApp wants to exclusively rely on node RPCs (and not any indexing services), looking up historical extrinsics just to check if accounts might be keyless is unreasonably expensive. Instead, it would be helpful if a DApp could perform perform just a few lookups to prove an account is keyless.

Some possible ideas:

In either of the aforementioned ideas we should consider cleaning up key less account metadata once they are dusted. This can be done with the OnAccountDeleted hook. However one might argue that if an account is set to not have a signature, it should forever not be able to have one, and thus should not be cleaned up

xlc commented 2 years ago

2) that the account has no proxies in the proxy::Proxies map.

What's the reason of this? It will be inaccessible. There are easier way to generate an inaccessible accounts.

emostov commented 2 years ago
  1. that the account has no proxies in the proxy::Proxies map.

What's the reason of this? It will be inaccessible. There are easier way to generate an inaccessible accounts.

Yeah, the goal is to have a provably inaccessible account. What are easier ways to generate one?

xlc commented 2 years ago

Just like how all the system accounts are generated. You concatenate bunch of known bytes together.

e.g. modlpy/cfund:2000 or 13UVJyLnbVp77Z2t6rXwoAfLPiGe6FVeKuTYPC4T8zWZ8vTS https://polkadot.subscan.io/account/13UVJyLnbVp77Z2t6rXwoAfLPiGe6FVeKuTYPC4T8zWZ8vTS

If the pub key is ^modlpy\/cfund:\d{4}\0+$ then it must be a Crowdloan funding account without private key.

emostov commented 2 years ago

Ah thanks, I see what you mean. To clarify, the use cases I am targeting would be allowing an accessible account to converted to an inaccessible account. For example, if some pallet requires an admin role, one could use an account as the admin to do setup and then make the admin inaccessible.

xlc commented 2 years ago

In that case, can you just allow the admin role to be replaced? And then you can replace it with a known inaccessible account.

emostov commented 2 years ago

In that case, can you just allow the admin role to be replaced? And then you can replace it with a known inaccessible account.

Good point, not sure if I can think of a use case then.

There should still be some set of standardized ways for UIs to determine if a pub key is inaccessible. For example if we can determine system pub keys because they start with modlpy/, could we establish some other standardized prefix for user generated keys? Then any UI that detects one of these prefixes can be fairly confident an account is inaccessible.

xlc commented 2 years ago

I don't have context, but can't it just be always the same one? Why do you need to generate multiple those inaccessible accounts? I would suggest to use the all zero address for that but it is not the a good idea anymore. But I guess we can use the all one address?

bkchr commented 2 years ago

For example, if some pallet requires an admin role, one could use an account as the admin to do setup and then make the admin inaccessible.

What is the point of this? This would mean the admin role would never be usable again? If that is the case, you could also just use a admin: Option<AccountId> and if that is a None, then the admin is inaccessible.

emostov commented 2 years ago

Yeah, I agree. I don't think I have a concrete use case then for making an accessible account inaccessible