safe-global / safe-smart-account

Safe allows secure management of blockchain assets.
https://safe.global
GNU Lesser General Public License v3.0

Allow deleting queued transaction if single signature #694

Closed AlissonRS closed 11 months ago

AlissonRS commented 11 months ago

Hello!

In a multisig with multiple EOAs, let's say I propose a transaction, thus signing it myself.

If I'm the only one who signed it, and it's the last queued transaction, what is the rationale (from security and decentralization standpoint) that prevents me from just deleting this transaction from the queue?

I understand for a queued transaction that has been signed by other parties, to require everyone to reject/replace it, but I'm failing to find a good reason for the case I described: the last queued transaction and I'm the only one who signed it.

Thanks for such a great project!!!

nlordell commented 11 months ago

I think this issue might have a better home in the https://github.com/safe-global/safe-transaction-service repository, the home of the transaction service. This repo is for the on-chain contracts (so signature collection is out of scope for this repo).

That being said,

If I'm the only one who signed it, and it's the last queued transaction, what is the rationale (from security and decentralization standpoint) that prevents me from just deleting this transaction from the queue?

My personal take on this is that an ECDSA signature can't really be "deleted". From a security standpoint, once you've signed a transaction and shared your signature with the transaction service, the information is "out there". I think allowing it to be deleted from the transaction service is disingenuous to the fact that the signature is technically public information and can be used regardless of whether or not it is deleted from the transaction service and it no longer knows about it (imagine a bot scraping for signed transactions for example).

AlissonRS commented 11 months ago

@nlordell thanks for your input.

I'll post this issue on the relevant repo and close this. I only posted here because the UI made me think rejecting a transaction was an on-chain process (which I thought was weird, since when we sign we don't necessarily submit a tx to an RPC node).

I also think I didn't express myself properly. I'm not really concerned about the signature being "out there"; the reason for deleting it is not to prevent it being public or anything. I was asking more in the sense of making Safe more convenient for us, and I mentioned the "security" standpoint because I thought there could be some security reason I was not seeing for why Safe requires other parties to sign a tx rejection even if I was the only one who proposed/signed it.

Thanks again for your answer!

nlordell commented 11 months ago

I was asking more in the sense of making Safe more convenient for us, and I mentioned the "security" standpoint because I thought there could be some security reason I was not seeing for why Safe requires other parties to sign a tx rejection even if I was the only one who proposed/signed it.

Ah, I see. The way I understand it is that the best way to make a transaction signature obsolete so that it can't be unexpectedly used would be to use up the nonce for which the signature was created. Hence the signing of the "rejection transaction" (which is just an empty transaction to invalidate the current nonce and make all existing signatures for that nonce obsolete).

I'm sorry if I'm not explaining myself super well here 🙈 - but to me there are security considerations that led to the current design.
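The nonce mechanism described in the comment above, as an added illustrative model that is not Safe's contract code: the owner names and secrets, the HMAC stand-in for an ECDSA signature and the `SafeModel` class are constructed assumptions, kept only to show why burning the nonce is what makes a queued signature harmless.

```python
import hashlib
import hmac

# Constructed owner secrets standing in for ECDSA keys (a model, not Safe's code).
OWNERS = {"alice": b"alice-secret", "bob": b"bob-secret"}

def tx_hash(to: str, value: int, data: bytes, nonce: int) -> bytes:
    """Every signature commits to the nonce the transaction is meant to consume."""
    return hashlib.sha256(f"{to}|{value}|{data.hex()}|{nonce}".encode()).digest()

def sign(owner: str, digest: bytes) -> bytes:
    """Stand-in for an owner's ECDSA signature: an HMAC under the owner's secret."""
    return hmac.new(OWNERS[owner], digest, hashlib.sha256).digest()

class SafeModel:
    """Minimal threshold-of-owners account with a single sequential nonce."""
    def __init__(self, threshold: int):
        self.threshold = threshold
        self.nonce = 0

    def exec_transaction(self, to, value, data, signatures) -> bool:
        # The account hashes with ITS current nonce, so stale signatures fail to verify.
        digest = tx_hash(to, value, data, self.nonce)
        valid = {o for o, s in signatures if hmac.compare_digest(s, sign(o, digest))}
        if len(valid) < self.threshold:
            return False
        self.nonce += 1  # nonce consumed, whether the transaction was empty or not
        return True

def rejection_scenario() -> dict:
    safe = SafeModel(threshold=2)
    # 1. alice proposes a transfer at nonce 0 and signs it; the signature is now "out there".
    transfer = ("0xRecipient", 1_000, b"")
    alice_sig = sign("alice", tx_hash(*transfer, nonce=0))
    # 2. Owners execute the rejection: an empty self-call that only burns nonce 0.
    reject = ("0xSafe", 0, b"")
    reject_sigs = [(o, sign(o, tx_hash(*reject, nonce=0))) for o in ("alice", "bob")]
    rejected = safe.exec_transaction(*reject, reject_sigs)
    # 3. Even if bob later co-signs the original proposal (still over nonce 0),
    #    the account is at nonce 1 and the pair of signatures no longer verifies.
    bob_sig = sign("bob", tx_hash(*transfer, nonce=0))
    replayed = safe.exec_transaction(*transfer, [("alice", alice_sig), ("bob", bob_sig)])
    return {"rejected": rejected, "replayed": replayed, "nonce": safe.nonce}

def without_rejection() -> bool:
    """Same queued proposal, no rejection: bob's later co-signature executes it."""
    safe = SafeModel(threshold=2)
    transfer = ("0xRecipient", 1_000, b"")
    sigs = [(o, sign(o, tx_hash(*transfer, nonce=0))) for o in ("alice", "bob")]
    return safe.exec_transaction(*transfer, sigs)
```

Deleting the proposal from an off-chain queue would not change either outcome; only the executed rejection moves the nonce past the one the stale signature commits to.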