Open d10r opened 2 years ago
observations from the latest Ricochet incident:
update after another conversation about it:
Instead of removing the jailing mechanism, it could also be redefined to work in a different way:
We only keep the Jailed event and bool, but jailing doesn't have any other effect.
Rationale:
The event makes it easy to have monitoring and alerting for failing callbacks.
The bool allows SuperApps to activate special functionality (e.g. emergency stop or recovery).
Callbacks aren't blocked, because they're try/catch-wrapped anyway and blocking them may not help (or even harm).
Rationale:
If a goal of the mechanism is to protect app users, the most effective way to do so is likely blocking creation of new agreements to a potentially misbehaving app.
Deleting existing agreements needs to always work - not so clear though if blocking the callbacks after a revert is helpful, since it can't block the transaction anyway.
The option of governance un-jailing would allow apps with non-fatal bugs to keep operating once there's reason to believe that no harm will be done. There could e.g. be cases where a simple frontend adaptation could prevent "bad" txs from happening, allowing the app to continue operation.
function terminateCallbackReverted() external returns(bool disableFutureCallbacks)
to be added to ISuperApp
) which allows the SuperApp to react, e.g. by pausing the application such that the project's governance could review the situation and handle it as they deem appropriate. Handling of this additional callback would be optional. Only if handled and returning false for disableFutureCallbacks
would the SF protocol continue to issue callbacks.
In this case we'd probably also want a mechanism for the SuperApp to re-enable callbacks after a jailing event.An important aspect was overlooked here: jailing is also about limiting the damage a SuperApp not properly returning borrowed deposits can cause.
The jailing mechanism makes it difficult to write contracts implementing the SuperApp interface which don't risk getting bricked.
Assumption:
SuperApps get jailed if reverting in order to avoid them causing harm to the protocol.
Way in which this could happen:
Rebuttals:
Suggestion:
If we find good reasons for keeping the jailing mechanism, we could also consider making it non-automated, e.g. by having a blacklist of SuperApps curated by governance.